Slashdot Mirror


Trojan Compromises Oregon Taxpayers

Blair writes "An employee at the Oregon Department of Revenue downloaded a trojan file from a porn site, possibly compromising up to 2,200 taxpayers. An information technology security officer with the state said, 'the released data likely involved names, addresses or Social Security numbers, or possibly in some cases all three.' I guess some of our public workers are having too much fun after all."

7 of 250 comments

  1. moron! by eobanb · · Score: 5, Insightful

    Forgive my crudeness, but...what an idiot!

    Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software, lax rules on conduct...I don't know where to even begin.

    --

    Take off every sig. For great justice.

    1. Re:moron! by Anonymous Coward · · Score: 5, Informative

      We should list the failures. Otherwise we don't learn anything. Since events like this are occurring all over the place, there is obviously an issue with government security controls. I'll start:

      1. Allowing private data to be stored on a workstation that has access to the Internet.
      2. Failure to encrypt private data or a private key (presumably) when the computer is connected to the Internet.
      3. Allowing a user who has access to private data to access sites that do not have anything to do with official duties.
      4. Failure to log data packets sent on a secure computer (not every packet, but at least the bytes sent).

      All of these have the same root cause: the government and government employees did not consider the private data in their custody important enough to require rigorous controls and rigorous controls were not implemented. We could break down the problems into training issues, operational issues, etc., and politicians certainly will. But I would guess that the issue was due to a lack of political motivation to hold accountable every state IT group that has access to private data. Secure networks with access to classified or private information can be built, like the SIPRNET, but people didn't think the private data was important enough. It will change in Oregon (at least for the Dept. of Revenue) due to this incident, but elsewhere in the country people will carry on business as usual, until it affects them.

      Anyone want to guess how long it takes before Social Security numbers become worthless because of these data intrusions? We know the government isn't going to learn.
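The first two failures in the list above (private data sitting on an Internet-connected workstation, unencrypted) are the ones an agency can actually go looking for. As an added example, not code from the thread or from any poster, here is a minimal data-at-rest scan for SSN-shaped values of the kind a security officer could run across workstations; it applies the structural rules the SSA publishes (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to cut false positives, and reports only the last four digits so the scan output is not itself a leak. The file format, sample export and SSNs are all constructed for this example.

```python
"""
Added example (not from the Slashdot thread): a minimal data-at-rest scan for
SSN-shaped values, the kind of check an agency could run on workstations to find
private data that should not be there. The sample export below is constructed.
"""
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# nnn-nn-nnnn with word boundaries; only the hyphenated form, to limit false positives
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Structural checks published by the SSA: area 000, 666 and 900-999,
    group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def mask(serial: str) -> str:
    # Report only the last four digits so the scan report is not itself a leak
    return f"***-**-{serial}"


def find_ssn_candidates(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_value) for every plausible SSN in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if looks_like_ssn(area, group, serial):
                hits.append((lineno, mask(serial)))
    return hits


def scan_paths(paths: Iterable[Path]) -> List[Tuple[str, int, str]]:
    """Scan text files on disk; binary or unreadable files are skipped."""
    findings = []
    for p in paths:
        try:
            text = p.read_text(encoding="utf-8", errors="strict")
        except (UnicodeDecodeError, OSError):
            continue
        for lineno, masked in find_ssn_candidates(text):
            findings.append((str(p), lineno, masked))
    return findings


# Constructed sample: a spreadsheet export that slipped onto a workstation.
# Lines 3, 5 and 6 are SSN-shaped but structurally impossible and must not match.
SAMPLE_EXPORT = """name,address,ssn
J. Doe,123 Main St,123-45-6789
A. Roe,9 Elm Ave,000-12-3456
C. Zoe,7 Pine Ln,321-54-9876
B. Poe,4 Oak Rd,987-65-4321
order-id,555-12-0000
"""

if __name__ == "__main__":
    for lineno, masked in find_ssn_candidates(SAMPLE_EXPORT):
        print(f"line {lineno}: {masked}")
```

Run against real directories with `scan_paths(Path("/home").rglob("*.csv"))` or similar; a hit does not prove a breach, but it does show where the data is living outside the system of record.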

    2. Re:moron! by Anonymous Coward · · Score: 5, Informative

      Why do you assume there was no web filtering software?
      There was. Major player in the industry, updated every day.
      Virus software on the desktops set to update every 2 hours.
      This was a zero day exploit from a non-obvious, not yet blocked web site.
      It reported back only via port 80.
      The trojan wasn't picked up by virus protection until after we reported it, which was after we discovered it.
      He might have been an idiot, but not a dumb one.
      As for rules on conduct, surprisingly, browsing porn is actually against the rules.
      You have to sign an Internet Use agreement before you can use the Internet.
      Windows? Well, we have no choice there.
      There were some things that the tech staff has asked for that we now are likely to change, but the tech stuff is much better than I've seen in the other agencies.
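The poster above makes the key defensive point: the filter and the antivirus were current and still missed a zero-day, and the trojan reported back only over port 80. What a signature cannot catch, the traffic pattern often can, because a call-home beacon is regular in a way browsing is not. As an added example, not code from the thread, here is a small detector over proxy logs that flags a (client, host) pair whose requests are near-periodic and whose host is visited by only a handful of machines fleet-wide. The log format, hostnames and timestamps are constructed for the example.

```python
"""
Added example (not from the Slashdot thread): spotting a trojan that "calls home"
over plain port-80 traffic by its regularity in proxy logs rather than by signature.
The log format and the sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed proxy log: "<ISO timestamp> <client> <host>:<port> <status> <bytes_out>"
# One workstation (10.1.2.33) contacts upd.beacon.example every five minutes.
SAMPLE_LOG = """\
2006-05-30T09:00:05 10.1.2.33 intranet.agency.example:80 200 512
2006-05-30T09:00:07 10.1.2.34 intranet.agency.example:80 200 480
2006-05-30T09:01:00 10.1.2.33 upd.beacon.example:80 200 1330
2006-05-30T09:02:02 10.1.2.33 news.example.com:80 200 640
2006-05-30T09:06:01 10.1.2.33 upd.beacon.example:80 200 1290
2006-05-30T09:11:00 10.1.2.33 upd.beacon.example:80 200 1350
2006-05-30T09:12:40 10.1.2.34 news.example.com:80 200 700
2006-05-30T09:16:01 10.1.2.33 upd.beacon.example:80 200 1310
2006-05-30T09:21:02 10.1.2.33 upd.beacon.example:80 200 1280
2006-05-30T09:25:15 10.1.2.35 news.example.com:80 200 650
"""


def parse(log: str) -> List[Tuple[datetime, str, str, int]]:
    """Split each log line into (timestamp, client, host, bytes_out)."""
    rows = []
    for line in log.splitlines():
        ts, client, hostport, _status, nbytes = line.split()
        host = hostport.rsplit(":", 1)[0]
        rows.append((datetime.fromisoformat(ts), client, host, int(nbytes)))
    return rows


def find_beacons(log: str, min_hits: int = 4, max_cv: float = 0.15,
                 max_clients: int = 2) -> List[Dict]:
    """Flag (client, host) pairs whose requests are near-periodic and whose host
    is visited by few clients. Regularity is measured as the coefficient of
    variation (stdev / mean) of the gaps between requests."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    clients_per_host: Dict[str, Set[str]] = defaultdict(set)
    bytes_out: Dict[Tuple[str, str], int] = defaultdict(int)
    for ts, client, host, nbytes in parse(log):
        by_pair[(client, host)].append(ts)
        clients_per_host[host].add(client)
        bytes_out[(client, host)] += nbytes

    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits or len(clients_per_host[host]) > max_clients:
            continue  # too few samples to judge, or a host everybody uses
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) == 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "hits": len(stamps),
                             "period_s": round(mean(gaps)),
                             "bytes_out": bytes_out[(client, host)]})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits every "
              f"~{f['period_s']}s, {f['bytes_out']} bytes uploaded")
```

The bytes-out total is there because the fourth failure in the earlier list was not logging what left the machine: once a beacon is flagged, the upload volume is the first estimate of how much data may have gone with it. The thresholds are starting points; real beacons add jitter, so widen `max_cv` and look at longer windows before trusting a quiet result.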

  2. Indicative of a larger problem by mcpkaaos · · Score: 5, Insightful

    What was real data doing on a workstation with Internet access in the first place? One would think (hope?) that such data would be under heavy lock and key and only accessible by the software written to manage it or, when absolutely necessary, a trusted administrator with lotsa logging.

    It is absolutely amazing to me that this event was even possible.

    --
    It goes from God, to Jerry, to me.

    1. Re:Indicative of a larger problem by KnowledgeFreak · · Score: 5, Informative

      Mod this guy up, he knows what he's talking about. I work with data in the private sector and data like this cannot be on an unprotected machine.

      What he's saying is that the data should only be on an Oracle or whatever database where only reporting applications can run pre-written reporting programs on it. Those programs will then return reports to the idiot business people. Those reports will not return a soc. or other identifying info all at the same time (and rarely that stuff at all).

      The reporting monkeys take *that* home. No one actually gets to see the data. This is exactly what part of Sarbanes-Oxley is forcing the private sector to do with customer credit card data and other sensitive info.
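The pattern the two posters above describe (raw data reachable only through a fixed set of pre-written reports, none of which return the identifying fields together) is easy to show in miniature. As an added example, not code from the thread, here is a reporting tier built on SQLite: the sensitive table is never queried directly, the reporting role reads a view that carries no address and only the last four SSN digits, and the only queries it can run are the ones in an allowlist. Table names, the report set and the sample rows and SSNs are constructed for this example.

```python
"""
Added example (not from the Slashdot thread): a reporting tier that exposes
taxpayer data only through a masked view and an allowlist of pre-written
reports. Schema, report names and sample rows are constructed for this example.
"""
import sqlite3
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE taxpayer (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    address TEXT NOT NULL,
    county  TEXT NOT NULL,
    ssn     TEXT NOT NULL
);
-- The only object the reporting role is meant to read: no address, no full SSN.
CREATE VIEW taxpayer_report AS
    SELECT id, name, county, '***-**-' || substr(ssn, -4) AS ssn_last4
    FROM taxpayer;
"""

# Constructed sample rows; the SSNs are made up.
SAMPLE_ROWS = [
    ("J. Doe", "123 Main St", "Marion", "123-45-6789"),
    ("A. Roe", "9 Elm Ave", "Lane", "321-54-9876"),
    ("B. Poe", "4 Oak Rd", "Marion", "234-56-7890"),
    ("C. Zoe", "7 Pine Ln", "Multnomah", "345-67-8901"),
]

# Pre-written reports: the reporting tier can run these and nothing else.
# Every one of them reads the masked view, never the base table.
REPORTS: Dict[str, str] = {
    "returns_by_county": "SELECT county, COUNT(*) AS n FROM taxpayer_report "
                         "GROUP BY county ORDER BY county",
    "lookup_by_id": "SELECT name, ssn_last4 FROM taxpayer_report WHERE id = ?",
}


def open_sample_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO taxpayer (name, address, county, ssn) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS)
    conn.commit()
    return conn


def view_columns(conn: sqlite3.Connection) -> List[str]:
    """Columns the reporting role can see; useful as a review check that
    no raw identifier has crept into the view."""
    return [row[1] for row in conn.execute("PRAGMA table_info(taxpayer_report)")]


def run_report(conn: sqlite3.Connection, name: str, params: Tuple = ()) -> List[Tuple]:
    """Run one allowlisted report. Ad-hoc SQL is refused outright."""
    if name not in REPORTS:
        raise PermissionError(f"not an approved report: {name!r}")
    return conn.execute(REPORTS[name], params).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print("reporting view exposes:", view_columns(db))
    print(run_report(db, "returns_by_county"))
    print(run_report(db, "lookup_by_id", (1,)))
```

In a real deployment the allowlist is enforced by database grants (the reporting account has SELECT on the view only), not just by application code; the view and the fixed report set are the part that keeps a full name, address and SSN from ever arriving together on someone's desktop.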

  3. From the I've-never-had-a-2,200-some-before dept. by NMerriam · · Score: 5, Funny

    Though on the bright side, porn site customers finally have a way to get screwed over the internet!

    --
    Recursive: Adj. See Recursive.

  4. No Lawyer Necessary - Only Patience. Here's How by Anonymous Coward · · Score: 5, Informative

    When information is leaked about your own private stuff, you should get a lawyer.

    A lawyer is unnecessary and expensive. It's easy to handle ID theft once you understand that the situation cannot be corrected immediately, that you shouldn't go ballistic, and that time and patience (and a few simple procedures) are all that's required to correct the situation:
    1. Write to the major credit bureaus and ask for a credit report from each. Explain that you're a victim of ID theft and they'll give you a free credit report.
    2. Ask the credit bureau to place a 7-year freeze on your credit report (not the 3-month freeze). That ensures that anyone who extends credit must contact you directly (usually by phone) prior to extending credit. Make sure the credit bureau has your phone number correct!
    3. If the ID theft resulted from something locally enforceable (stolen wallet, burglary), file an offense report with the local police and get a printed copy of the report.
    4. Find any fraudulent/old accounts on your credit report. For old accounts, write to the address on the credit report informing the creditor and ask that the account be closed. For fraudulent accounts, notify the creditor of same and include a copy of the police report (above). For any fraudulent account _applications_, also notify the creditor that the application was fraudulent.
    5. In all cases, ask the creditor to notify the major credit bureaus of all updates/closure of accounts.
    6. Keep paper copies of all letters - use a separate paper file folder for each account or account application. Seems tedious, but you'll be glad you did, believe me.

    Above all, be patient, take your time (there's no rush, all changes are made at snail mail speed at best) and don't worry. Just go through the steps and everything can be corrected within about 180 days.

    After that, make sure you check your credit record with the major credit bureaus at least once a year. They'll send this for free. Follow the above steps whenever you see a fraudulent account or application. The Bad Guys won't be able to touch you.