Slashdot Mirror


Taxpayer Data At IRS Remains Vulnerable

CWmike writes "A new Government Accountability Office report (PDF) finds that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. The news comes less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial IRS systems. Two big standouts in the latest finding: The IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said."

8 of 62 comments

  1. It's not the first time, it won't be the last. by GrpA · · Score: 5, Interesting

    That reminds me of what happened in Australia with the taxation department a few years ago.

    The ATO put everyone's tax details online and used their Tax File Number ( everyone who pays tax has one ).

    Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.

    There were accusations of hacking and all, but it conveniently left out the discussion that it was a pretty obvious and blatant flaw.

    The minister responsible was never held accountable. That's why these security breaches keep on happening over here.

    I'm pretty sure that there's a similar situation in the US.

    GrpA

    --
    Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
    1. Re:It's not the first time, it won't be the last. by playerone · · Score: 4, Insightful

      The minister responsible was never held accountable. That's why these security breaches keep on happening over here.

      GrpA

      I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.

      Such a rort.

      All it would take is some simple bad behavior = punishment laws for politicians, but oh hold on, it's those same politicians that vote on the laws, so of course they won't do that.
      Don't even get me started on being able to give yourself a pay rise.

      P1

      --
      --Question Authority--
    2. Re:It's not the first time, it won't be the last. by Anthony_Cargile · · Score: 4, Informative

      Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.

      Really? They should have fired the webmaster for both putting that sensitive of information in the URL query string (HTTP GET), and for not managing sessions in the authentication process. It amazes me the query string vulnerabilities these sites have these days - the other day I pulled the /etc/passwd file from a guitar tab website (don't judge me) because I noticed the path in the query string to the ascii tabs used in the shtml, which a little directory traversal and lack of permissions aided. A few nodes requesting /dev/urandom could have crashed the whole fucking server because of the stupid webmaster!

      Yes, in 2000 we had no php or asp.net session management like we do today (where a 3 year old with the proper training could code a secure session), but we had perl, C, and even Java, so lack of a babying framework is no excuse for lack of security, especially something as obvious as that! It's just one of those raw nerves to me!

      I'm pretty sure that there's a similar situation in the US.

      Dear lord I hope not. If my information is still to this day in 2009 retrievable via changing a query string parameter (or cookie, or directory traversal, or even shell code via some obscure method) then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't harvest information that easily (not really, don't need treason charges :).

      But seriously, especially if working with secure information retrievable publicly, please secure your site and check for server vulnerabilities and all (php registered globals, etc.). Sorry for all of that but it just absolutely bugs me when a simple bad web app can bring down information, security, or even a whole server deployment. That's all.
      </rant></rave>
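
The flaw GrpA and Anthony_Cargile describe above, as an added example that is not part of the thread: a record lookup keyed on the TFN in the query string beside one bound to the server-side session, plus a detection pass over access-log lines for sessions that cycle through many TFN values. The records, session dicts and log lines are all constructed for the example; none of the numbers are real TFNs.

```python
from urllib.parse import parse_qs, urlparse
from collections import defaultdict

# Constructed sample data (not real TFNs): TFN -> taxpayer record.
RECORDS = {
    "111222333": {"name": "Alice", "income": 52000},
    "444555666": {"name": "Bob", "income": 61000},
}

class Forbidden(Exception):
    """Raised when a request asks for a record its session does not own."""

def vulnerable_lookup(query_string):
    """The flawed pattern from the thread: the TFN in the URL selects the
    record, so editing one digit returns someone else's data."""
    tfn = parse_qs(query_string).get("tfn", [""])[0]
    return RECORDS[tfn]

def hardened_lookup(query_string, session):
    """Fixed pattern: the record is selected by the server-side session
    identity. A tfn parameter that disagrees with the session is refused
    rather than honoured (a real deployment would also log it)."""
    owner = session.get("tfn")
    if not owner:
        raise Forbidden("not authenticated")
    requested = parse_qs(query_string).get("tfn", [owner])[0]
    if requested != owner:
        raise Forbidden("URL tfn does not match session owner")
    return RECORDS[owner]

def enumeration_suspects(log_lines, threshold=3):
    """Detection: session ids that requested more than `threshold` distinct
    tfn values, the signature of someone walking through the number space."""
    seen = defaultdict(set)
    for line in log_lines:
        session_id, url = line.split()[:2]
        tfn = parse_qs(urlparse(url).query).get("tfn", [None])[0]
        if tfn:
            seen[session_id].add(tfn)
    return sorted(s for s, tfns in seen.items() if len(tfns) > threshold)

# Constructed access-log lines: "<session-id> <request-url>".
SAMPLE_LOG = [
    "sess-A /tax?tfn=111222333",
    "sess-B /tax?tfn=444555666",
    "sess-B /tax?tfn=444555667",
    "sess-B /tax?tfn=444555668",
    "sess-B /tax?tfn=444555669",
]
```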

    3. Re:It's not the first time, it won't be the last. by GFree678 · · Score: 4, Insightful

      There were accusations of hacking and all, but it conveniently left out the discussion that it was a pretty obvious and blatant flaw.

      Oh my God. Are you saying that changing one digit in a completely accessible URL is enough to be accused of hacking?

      Humanity is hopelessly lost when it comes to common sense.

  2. To answer my question by BadAnalogyGuy · · Score: 5, Informative

    According to the IG's report, systems administrators and other privileged users are able to access, modify and delete taxpayer data with impunity because of a lack of monitoring capabilities in the two systems.

    So it seems that the system allows for modification of taxpayer data. That's quite a bit different from just having it available.

    1. Re:To answer my question by techno-vampire · · Score: 4, Insightful

      Not only that, it makes wholesale identity theft nice and easy.

      --
      Good, inexpensive web hosting
  3. Re:What's the big secret? by networkBoy · · Score: 4, Interesting

    I hope you're being funny.
    If others knew what I make, I would get a pay cut. My pay has been negotiated between myself and management. There would be a brouhaha if others in similar, but less accountable, roles thought I was "paid too much" or some such.*
    My pay is not something I would want broadcast. Also, I would not want marketers to know my pay, nor family (aside from my spouse).
    -nB

    * I say this who has worked their way up from the bottom, where I used to think I was mighty damn important, now I know my absolute value may be low but my relative value is higher. I don't expect others who are in the boat I was in to necessarily understand this, and would rather avoid the conflict.

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  4. Government Solutions Office by im_thatoneguy · · Score: 4, Interesting

    What we need is a counterpart to the GAO.

    The GAO should be able to exact fines from any agency for waste, insecurity etc etc.

    All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.

    GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.

    Just a thought.