Slashdot Mirror


Taxpayer Data At IRS Remains Vulnerable

CWmike writes "A new Government Accountability Office report (PDF) finds that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. The news comes less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial IRS systems. Two big standouts in the latest finding: The IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said."

24 of 62 comments

  1. It's not the first time, it won't be the last. by GrpA · · Score: 5, Interesting

    That reminds me of what happened in Australia with the taxation department a few years ago.

    The ATO put everyone's tax details online and used their Tax File Number ( everyone who pays tax has one ).

    Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.

    There were accusations of hacking and all, but it conveniently left out the discussion that it was a pretty obvious and blatant flaw.

    The minister responsible was never held accountable. That's why these security breaches keep on happening over here.

    I'm pretty sure that there's a similar situation in the US.

    GrpA

    --
    Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
    1. Re:It's not the first time, it won't be the last. by playerone · · Score: 4, Insightful

      The minister responsible was never held accountable. That's why these security breaches keep on happening over here.

      GrpA

      I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.

      Such a rort.

      All it would take is some simple bad behavior = punishment laws for politicians, but oh hold on, it's those same politicians that vote on the laws, so of course they won't do that.
      Don't even get me started on being able to give yourself a pay rise.

      P1

      --
      --Question Authority--
    2. Re:It's not the first time, it won't be the last. by CDMA_Demo · · Score: 3, Informative
    3. Re:It's not the first time, it won't be the last. by CDMA_Demo · · Score: 3, Funny

      I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.

      If you hit the bull's eye, the rest of the dominoes will fall like a house of cards, checkmate!

    4. Re:It's not the first time, it won't be the last. by Anthony_Cargile · · Score: 4, Informative

      Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.

      Really? They should have fired the webmaster for both putting that sensitive of information in the URL query string (HTTP GET), and for not managing sessions in the authentication process. It amazes me the query string vulnerabilities these sites have these days - the other day I pulled the /etc/passwd file from a guitar tab website (don't judge me) because I noticed the path in the query string to the ASCII tabs used in the shtml, which a little directory traversal and lack of permissions aided. A few nodes requesting /dev/urandom could have crashed the whole fucking server because of the stupid webmaster!

      Yes, in 2000 we had no PHP or ASP.NET session management like we do today (where a 3 year old with the proper training could code a secure session), but we had Perl, C, and even Java, so lack of a babying framework is no excuse for lack of security, especially something as obvious as that! It's just one of those raw nerves to me!

      I'm pretty sure that there's a similar situation in the US.

      Dear lord I hope not. If my information is still to this day in 2009 retrievable via changing a query string parameter (or cookie, or directory traversal, or even shell code via some obscure method) then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't harvest information that easily (not really, don't need treason charges :).

      But seriously, especially if working with secure information retrievable publicly, please secure your site and check for server vulnerabilities and all (PHP register_globals, etc.). Sorry for all of that but it just absolutely bugs me when a simple bad web app can bring down information, security, or even a whole server deployment. That's all.
      </rant></rave>
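
The flaw GrpA describes (the record picked purely by the TFN in the query string) and the session-bound lookup Anthony_Cargile is asking for, as an added example that is not code from the thread or from the ATO; the records, the session store and the log line format are constructed for the demo.

```python
# Added example (not code from the thread or the ATO): the "TFN in the URL"
# flaw, a session-bound lookup that closes it, and a log check that spots
# the tampering pattern. All records, sessions and log lines are constructed.
from typing import Optional

# Constructed taxpayer records keyed by (fake) Tax File Number.
RECORDS = {
    "123456782": {"name": "Alice", "income": 70000},
    "987654321": {"name": "Bob", "income": 55000},
}
# Constructed session store: session id -> TFN that authenticated.
SESSIONS = {"sess-alice": "123456782", "sess-bob": "987654321"}


def vulnerable_lookup(query: dict) -> Optional[dict]:
    """The flaw GrpA describes: the query-string TFN is the only 'check'."""
    return RECORDS.get(query.get("tfn"))


def hardened_lookup(session_id: str, query: dict) -> Optional[dict]:
    """Take the subject from the authenticated session; if the client also
    sent a TFN it must match, otherwise refuse (never fall back to it)."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        return None                      # not authenticated at all
    if query.get("tfn", owner) != owner:
        return None                      # authenticated as A, asked for B
    return RECORDS.get(owner)


def audit(log_lines: list) -> list:
    """Flag requests whose query TFN differs from the session's TFN.
    Each constructed line is 'session_id tfn=<value>'; a valid session
    asking for someone else's TFN is the tampering signature to alert on."""
    flagged = []
    for line in log_lines:
        session_id, _, arg = line.partition(" tfn=")
        owner = SESSIONS.get(session_id)
        if owner is not None and arg != owner:
            flagged.append(line)
    return flagged


def demo() -> tuple:
    """Alice's session asks for Bob's TFN: (vulnerable leaks?, hardened leaks?)."""
    tampered = {"tfn": "987654321"}
    return (vulnerable_lookup(tampered) is not None,
            hardened_lookup("sess-alice", tampered) is not None)


if __name__ == "__main__":
    print(demo())                        # (True, False)
    print(audit(["sess-alice tfn=123456782", "sess-alice tfn=987654321"]))
```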

    5. Re:It's not the first time, it won't be the last. by solafide · · Score: 2, Funny

      How many game metaphors can one cram into one post?

    6. Re:It's not the first time, it won't be the last. by Klootzak · · Score: 2, Insightful

      I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.

      That's a very Insightful comment...

      Politicians tend to say "If you pay peanuts you'll get monkeys", yet most businesses appear to operate on exactly this ideology.

      I don't know about you, but I've seen far more Monkeys working as politicians than as (relatively) low-seniority employees.

      --
      A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
    7. Re:It's not the first time, it won't be the last. by GFree678 · · Score: 4, Insightful

      There were accusations of hacking and all, but it conveniently left out the discussion that it was a pretty obvious and blatant flaw.

      Oh my God. Are you saying that changing one digit in a completely accessible URL is enough to be accused of hacking?

      Humanity is hopelessly lost when it comes to common sense.

    8. Re:It's not the first time, it won't be the last. by SpaceLifeForm · · Score: 2, Funny

      And it was just a demo.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    9. Re:It's not the first time, it won't be the last. by dissy · · Score: 2, Funny

      then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't harvest information that easily (not really, don't need treason charges :).

      Naa, treason would only apply if you tried to overthrow -this- govt... as long as you start your country off their land, you're good to go!

      PS, call me when the army of ninjas (marines) and pirates (navy) are in place, and hell, even I'd like to subscribe to your country (or newsletter)

    10. Re:It's not the first time, it won't be the last. by cloudmaster · · Score: 2, Insightful

      It /is/ hacking - and cracking. Just not the hard kind that requires significant knowledge or gains you the respect of your peers. :) Here in the US, that's "gaining access to data you aren't supposed to access". As an analogy, if you found that I left my car doors unlocked, and I found you sitting in my car, I'd probably proceed to issue you a beatdown whether you actually stole anything or not. I'd probably thank you if you just mentioned that you saw them to be unlocked. This is pretty much the same thing.

  2. To answer my question by BadAnalogyGuy · · Score: 5, Informative

    According to the IG's report, systems administrators and other privileged users are able to access, modify and delete taxpayer data with impunity because of a lack of monitoring capabilities in the two systems.

    So it seems that the system allows for modification of taxpayer data. That's quite a bit different from just having it available.

    1. Re:To answer my question by techno-vampire · · Score: 4, Insightful

      Not only that, it makes wholesale identity theft nice and easy.

      --
      Good, inexpensive web hosting
  3. Re:What's the big secret? by networkBoy · · Score: 4, Interesting

    I hope you're being funny.
    If others knew what I make, I would get a pay cut. My pay has been negotiated between myself and management. There would be a brouhaha if others in similar, but less accountable, roles thought I was "paid too much" or some such.*
    My pay is not something I would want broadcast. Also, I would not want marketers to know my pay, nor family (aside from my spouse).
    -nB

    * I say this who has worked their way up from the bottom, where I used to think I was mighty damn important, now I know my absolute value may be low but my relative value is higher. I don't expect others who are in the boat I was in to necessarily understand this, and would rather avoid the conflict.

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  4. Solution by truthsearch · · Score: 3, Insightful

    Suspend all income taxes for one year. Plenty of time to focus on the security holes and a temporary boost to the economy. Two problems easily solved.

    1. Re:Solution by ITEric · · Score: 2, Insightful

      Suspend all income taxes for one year. Plenty of time to focus on the security holes and a temporary boost to the economy. Two problems easily solved.

      Folks would still need to file a return to get whatever refunds of their payments, etc. that are due. It would surely boost the economy, but not help with the security issue.

      --
      The most exciting phrase to hear in science, the one that heralds new discoveries, is not 'Eureka!' but 'That's funny...'
    2. Re:Solution by need4mospd · · Score: 2, Insightful

      The solution is easier than that. Scrap the IRS entirely and move to a national sales tax. The government will no longer have the need to possess the information in the first place. The citizens become MUCH more aware of how much tax they are really paying by being reminded of it each purchase. Businesses and individuals no longer have a complicated tax code to fumble through every year on April 15th. The nation saves $265 billion every year from the costs of doing taxes, not the taxes themselves, just the act of filling out paperwork and hunting for receipts.

      On top of all that, it takes the power away from the government! You say, "Oh our Congressman would never approve!" Really? There are 72+ cosponsors for a house bill that does this right now! And the people of America are pissed off enough now that we actually CAN make a difference if we raise our voices long enough to drown out American Idol.

      If you haven't looked at it in a while, the Fair Tax plan is looking better and better everyday. The research and the numbers are solid. All the myths and lies have been squashed. Do yourself a favor and read the actual website, not your favorite one-sided blog.

    3. Re:Solution by Anonymous Coward · · Score: 2, Informative

      It would probably hurt Conservatives, as it has in Canada and Australia.

      When these countries eliminated business taxes and simply moved them to sales taxes, the cost of management increased. Instead of the easy double-checking verification of income taxes, businesses were more likely to hide their sales and evade taxation.

      It's just harder to hide your income than sales.

      You also had a significant rise in prices. Although the tax burden had not changed at all, businesses did not lower their prices when business-taxes were reduced, but still passed the sales taxes onto consumers. They blamed the higher prices on the Government since the taxes were more visible.

      The Fair-Tax plan is an extreme version with no chance of passing. The average earner only pays 13% income taxes, while the Fair Tax would need to charge 30%+ to generate the same revenues. Instead of high earners paying a larger proportion of taxes, the burden is pushed to those who have to spend most of their income to survive.

    4. Re:Solution by charlener · · Score: 3, Insightful

      Aren't sales taxes inherently regressive? As in, they hurt those with lower income the most as it increases the proportion of their income spent on taxes compared to those with higher incomes.

      Most states at this point do not tax "necessary for life" stuff, such as basic food and medicines, though I believe clothes, etc. continue to be taxed. Does this proposal mean taxation across the board on all things, or only "nonessential" things, or what?

      It doesn't seem just to tax sales on essential to life items, which leaves most of the burden on luxury items, which doesn't sound like it would be enough income generated to do much.

  5. Re:What's the big secret? by Hatta · · Score: 2, Insightful

    Care to post your tax return online and find out?

    --
    Give me Classic Slashdot or give me death!
  6. Re:What's the big secret? by techno-vampire · · Score: 2, Insightful

    I worked at one company where I'm sure I missed out on getting a transfer to a new department where I could have done a lot of good and learned new things because my new manager asked me how much I was getting. I could see from his expression that I'd lost out the moment he learned that I was making more than he was. Not only had I received a merit increase at one point, but our annual raises were a percentage, and even if my percentage was average, it still meant a bigger raise than the other techs got, and the gap just got bigger every year. Now, imagine what would happen if you were looking for a new job and your potential employer was able to learn what you were really getting instead of what you wanted him to think your salary/hourly was.

    --
    Good, inexpensive web hosting
  7. Government Solutions Office by im_thatoneguy · · Score: 4, Interesting

    What we need is a counterpart to the GAO.

    The GAO should be able to exact fines from any agency for waste, insecurity etc etc.

    All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.

    GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.

    Just a thought.

    1. Re:Government Solutions Office by BlueStrat · · Score: 2, Insightful

      What we need is a counterpart to the GAO.

      The GAO should be able to exact fines from any agency for waste, insecurity etc etc.

      All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.

      GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.

      Just a thought.

      It sounds like a good idea, except getting Congress to give the GAO the powers it would need to be able to actually force a department like the IRS and similar formidable departments like Homeland Security to allow themselves to be fined, especially when some congress-critters' pet agency or department is threatened. I just don't think the bureaucratic fiefdoms and political power-players will allow any such reduction in their power.

      We're talking about the power players in D.C. The two pillars there are money and power. The players there never ever part with one without gaining a significant profit on the other, which they then use to recover their investment, usually with profit. Anything that interferes with this is anathema, and is avoided completely or at best given lip service enough to let them continue business as usual until the crisis is past.

      It's a self-perpetuating system, and I just don't know what it would take to effect the kind of sweeping, all-encompassing, simultaneous reform across Congress, both political parties, lobbyists/lobbying, the courts/Justice Dept., and massive bureaucratic structures it would require to change the way things operate. It's particularly difficult and scary because of all the radical changes that would need to happen pretty much at once for it to not end up a more corrupt and unaccountable system than we have now.

      This is why I play blues, work on tube amps, and tinker with operating systems. I know there's a problem, and even some slight inkling of some of the causes, but I don't have any answers and nobody I've ever read of or heard from really does either.

      Cheers!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  8. CTO? by gEvil+(beta) · · Score: 3, Insightful

    Remember a month or so ago when so many people here were saying what a stupid idea it was that Obama wanted to create a CTO position for the government? Isn't this exactly the sort of thing that someone in that position would be involved in sorting out?

    --
    This guy's the limit!