| Subject: | [ISN] Auditors Find IRS Workers Prone to Hackers |
|---|---|
| Date: | Fri, 18 Mar 2005 01:35:40 -0600 (CST) |

http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/03/16/national/w162055S07.DTL

By MARY DALRYMPLE, AP Tax Writer
March 16, 2005

WASHINGTON, (AP) - More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday.

The report by the Treasury Department's inspector general for tax administration reveals a human flaw in the security system that protects taxpayer data.

It also comes on the heels of accounts of thieves' breaking into computer systems of private data suppliers ChoicePoint Inc. and LexisNexis.

The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.

"We were able to convince 35 managers and employees to provide us their username and change their password," the report said.

That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.

"With an employee's user account name and password, a hacker could gain access to that employee's access privileges," the report said.

"Even more significant, a disgruntled employee could use the same social engineering tactics and obtain another employee's username and password," auditors said. With some knowledge of IRS systems, such an employee could more easily get access to taxpayer data or damage the agency's computer systems.

Employees gave several reasons for complying with the request, in violation with IRS rules that prohibit employees from divulging their passwords.

Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical.

Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.

Within two days after the test, the IRS issued an e-mail alert about the hacking technique and instructed employees to notify security officials if they get such calls. The agency also included warnings into its mandatory security training.

-=-

On the Net:

Treasury Inspector General for Tax Administration: www.treas.gov/tigta

_________________________________________
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005