Trojan Compromises Oregon Taxpayers
Blair writes "An employee at the Oregon Department of Revenue downloaded a trojan file from a porn site, possibly compromising up to 2,200 taxpayers. An information technology security officer with the state said, 'the released data likely involved names, addresses or Social Security numbers, or possibly in some cases all three.' I guess some of our public workers are having too much fun after all."
Cliché (Score:2, Funny)
Re:Cliché (Score:5, Funny)
Hey, maybe I can get government funding for creating an approved porn list of sites that government employees can surf without getting a drive-by smack ...
Re:Cliché (Score:2)
Re:Another option (Score:2)
It wouldn't end them keeping data on everyone ... here's what they have to say about how it would work:
http://www.fairtaxvolunteer.org/smart/sketch.html [fairtaxvolunteer.org]
So unless you're registered and providing ALL your financial info, current up to the last week (to properly adjust your "prebate l
Re:Cliché (Score:2, Funny)
By announcing that you wanted a +5 Funny, you screwed your chances.
Re:Cliché (Score:4, Funny)
Now where's my +5, huh?
Re:Cliché (Score:4, Funny)
Re:Cliché (Score:2)
Re:Cliché (Score:2)
Re:Cliché (Score:4, Funny)
Re:Cliché (Score:2)
Only 2000 people paying tax in Oregon? (Score:5, Funny)
moron! (Score:5, Insightful)
Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software, lax rules on conduct...I don't know where to even begin.
Re:moron! (Score:3, Interesting)
Re:moron! (Score:5, Informative)
1. Allowing private data to be stored on a workstation that has access to the Internet.
2. Failure to encrypt private data or a private key (presumably) when the computer is connected to the Internet.
3. Allowing a user who has access to private data to access sites that do not have anything to do with official duties.
4. Failure to log data packets sent on a secure computer (not every packet, but at least the bytes sent).
All of these have the same root cause: the government and government employees did not consider the private data in their custody important enough to require rigorous controls and rigorous controls were not implemented. We could break down the problems into training issues, operational issues, etc., and politicians certainly will. But I would guess that the issue was due to a lack of political motivation to hold accountable every state IT group that has access to private data. Secure networks with access to classified or private information can be built, like the SIPRNET [wikipedia.org], but people didn't think the private data was important enough. It will change in Oregon (at least for the Dept. of Revenue) due to this incident, but elsewhere in the country people will carry on business as usual, until it affects them.
Anyone want to guess how long it takes before Social Security numbers become worthless because of these data intrusions? We know the government isn't going to learn.
Re:moron! (Score:3, Insightful)
There are only four entities that should have your Social Security number: yourself, your spouse, your employer, and the US Social Security Administration. Nobody else should have your Social Security number; not the IRS, no state or local governments, and especially not the banks, lenders or credit bureaus.
When Social Security numbers were introduced, man
Re:moron! (Score:4, Informative)
I can tell you, the majority of web usage during the hours where students are not present (90%+ of bandwidth utilization yearly, nearly 100% during Late Nov/all Dec) is personal shopping. Sure, there is a good deal of sports and a spattering of news sites as well. But the people your tax dollars pay to be doing work, are spending your tax dollars and getting paid to do it.
Individuals who get caught have their internet disabled and *might* be written up. Being written up in government means you might be able to have it used against you if you: a) sexually harass someone, or b) come to work drunk/stoned. As far as penalties in government work, umm... there aren't really any. I do have to pay state income tax (with no other income source than the state). Of course there are lots of other inefficiencies, rampant graft, overly complex bureaucratic hierarchies and completely complacent unions, but such are the benefits of socialism.
Re:moron! (Score:2)
Now, I'm not too sure how the hell 90% of the bandwidth during non-school hours could all be personal shopping and have no one get caught, perhaps I misunderstood your comment.
Re:moron! (Score:3, Insightful)
'Cake & eat it too' kind of Sheriff you are, eh?
There is a reason you're only a filter nazi and the school admin is an admin...
Most employers know that their employees shop online via their work computer - and most don't break a sweat of it, because it is either allow it or face having them absent an entire afternoon just to drop by Border's. Shopping online for 30 minutes can take the place of driving around, looking for parking, cruisin
Re:moron! (Score:2, Insightful)
BINGO! And that time not spent driving around hells half acre to get some chores done leads to a less stressed, happier employee. And, in the case of teachers, more time at home to grade papers. :-) It's not like teachers do all their work on site between 8AM and 5PM.
--Joe
Re:moron! (Score:2)
When I taught middle school I was also in charge of the network for the schools I was at. The hype was all about the 'improper access' that kids might have to the internet, but nearly all the violations were
Re:moron! (Score:2)
There are likely issues with YOUR (not you're) school as well.
Re:moron! (Score:5, Informative)
There was. Major player in the industry, updated every day.
Virus software on the desktops set to update every 2 hours.
This was a zero day exploit from a non-obvious, not yet blocked web site.
It reported back only via port 80.
The trojan wasn't picked up by virus protection until after we reported it, which was after we discovered it.
He might have been an idiot, but not a dumb one.
As for rules on conduct, surprisingly, browsing porn is actually against the rules.
You have to sign an Internet Use agreement before you can use the Internet.
Windows? Well, we have no choice there.
There were some things that the tech staff has asked for that we now are likely to change, but the tech stuff is much better than I've seen in the other agencies.
Re:moron! (Score:2)
Re:moron! (Score:2)
Nuff said.
MORON!
DUMBASS!
TOO STUPID TO LIVE!
Get the idea?
Re:moron! (Score:2)
This was a keylogger. Encrypting the data won't help when the person still has to type in information in cleartext.
personal information should not be on individual machines with access to the internet
Well, since the number of people in my company with access to "sensitive" information is, well, everyone, such a suggestion is simply not feasible. What company do you know that will ban the entire HR department, most (if not all) of the finance department, and all VPs and hi
Re:moron! (Score:2)
Re:moron! (Score:2)
Re:moron! (Score:2)
For what computers cost these days, if the guy really needed web access, they could have issued him two machines in a red/black environment. I like air gaps. They're almost as good as not storing the data in the first place.
Re:moron! (Score:2)
Can you imagine how much worse this would be if the data compromised included the GPS information that the good state of Oregon seems to want to collect from your car usage patterns? Suddenly, this information on the usage and driving patterns of every single car in the state of Oregon would/could be used by black hats - the number of cars stolen might just drop your jaw.
I'd push hard to preserve the gas tax! It not only preserves your p
Re:moron! (Score:2)
Re:moron! (Score:2)
Re:moron! (Score:2)
Re:moron! (Score:2)
I wrote them a note stating how irresponsible this was... causing delays in its processing. For those out there who are too young, or haven't been educated on such matters: think about how many folks will get to see that check. Now think... they have your name, financial instit
Re:moron! (Score:2)
Re:moron! (Score:2)
First, the state gov't processes it. I am not sure how many handle, but I bet the majority of the folks in their check processing department otherwise would not know my SSN. Why do they need my SSN to process a check?
The check does not stay in just their hands. It eventually gets handed to someone at a third party bank that I do NOT do business with. Jillian the cashier now gets to see my SSN and all my banking information. She hands that off to someone who does the reconciliation. It g
Re:moron! (Score:2)
a) an outgoing desktop firewall
or
b) limited functionality browsers on the desktop.
I just don't see why the Department of Administrative Services insists that everybody needs IE 6.0, the most unsafe browser imaginable, on the desktop. That's just asking for this kind of abuse.
Why does every workstation need a web browser????? (Score:2)
If the job is to manage high value and sensitive data then why use a known flawed home OS?
Just read down the "features" of XP-professional, how many people consider all that multimedia junk applicable to business uses?
People should start to get fired for running Windows!
Re:moron! (Score:2)
I heard about this manager who not only surfed pr0n at work, but printed it out on the full-color plotter as a poster to take home! Needless to say, he didn't stay very long after that.
The IT staff was a hilariously incompetent bunch. I remember that they wanted to upgrade all the computers, so they bought a pallet full of 486 OverDrive chip upgrades. By the time the purchase order got in and their overpriced, sleazy vendor go
Re:moron! (Score:2)
And if you read the summary, the employee apparently didn't have both hands available....
Indicative of a larger problem (Score:5, Insightful)
It is absolutely amazing to me that this event was even possible.
Re:Indicative of a larger problem (Score:3, Insightful)
A competent admin is working elsewhere, where s/he is paid accordingly. The IT leftovers, not able to get hired by the private sector, get to work for the Govt... Generalization, of course, but more true than not.
Remember, in 2006, nearly 5 years after 9/11, most FBI employees still do not have a work email access, or the ability to do multiple word searches (e.g. cannot search for "bin laden", have to enter just "bin", then scroll down, because of the space charact
Re:Indicative of a larger problem (Score:2)
I work part time as sysadmin for the government, and I chose to do so because, well, things happen at a slower pace. When I'm not working here, I've got my studies to tend to, so I love a job where I don't have to stress about anything, and when I'm off work - I'm off, there's no calling me at 3 a.m. because something doesn't work. If it's broken people just send an email and expect me to deal with it when I find the time to do so.
Re:Indicative of a larger problem (Score:2)
FTA:
may have been compromised by an ex-employee's unauthorized use of a computer,
It doesn't say that it was downloaded on the computer that held the information.
Re:Indicative of a larger problem (Score:2)
From the article:
That suggests to me that only the workstation was compromised, as does this:
Indicative of the norm (Score:3, Informative)
This is the same old story over again, it shouldn't surprise you, why? Here's [wikipedia.org] some links [thinkgeek.com] to get [ubergoth.net] you started [dansdata.com]
Likely a reporting wonk (Score:2)
The alternative is thin-clients, which haven't ever taken off, mostly because they tend to be harder to use.
Re:Likely a reporting wonk (Score:4, Insightful)
Dummy data. In all my years as a software engineer I have never worked with real or production data. There is never a reason for it, so just dummy something up and use that. Then situations like this are simply impossible.
Not in the Department of Revenue. At least, they shouldn't. That they obviously do should be a huge cause for concern and a process audit or three.
Re:Indicative of a larger problem (Score:5, Informative)
What he's saying is that the data should only be on an Oracle or whatever database where only reporting applications can run pre-written reporting programs on it. Those programs will then return reports to the idiot business people. Those reports will not return a soc. or other identifying info all at the same time (and rarely that stuff at all).
The reporting monkeys take *that* home. No one actually gets to see the data. This is exactly what part of Sarbanes-Oxley is forcing the private sector to do with customer credit card data and other sensitive info.
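The reporting tier the post describes, as an added example (not code from the thread or from any Oregon system): the full records live in one place, report consumers can only call a pre-written aggregate report, and a check at the tier boundary refuses any output that carries an identifier. The table, rows and column names are constructed.

```python
"""Reporting layer that never hands raw identifiers to the report consumer.

Added example, not from the thread: a constructed SQLite table stands in for
the 'Oracle or whatever database'; report_by_county() is the only report a
reporting user is given, and report_leaks_identifiers() is the exit check.
"""
import json
import re
import sqlite3

# Constructed sample rows (name, SSN, address, county, owed). Not real people.
SAMPLE_ROWS = [
    ("Alice Example", "123-45-6789", "1 Main St", "Multnomah", 1200.00),
    ("Bob Example", "987-65-4321", "2 Oak Ave", "Multnomah", 800.00),
    ("Carol Example", "555-55-5555", "3 Pine Rd", "Lane", 300.00),
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def build_db():
    """Create an in-memory database holding the full, sensitive records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE taxpayer (name TEXT, ssn TEXT, address TEXT, county TEXT, owed REAL)"
    )
    conn.executemany("INSERT INTO taxpayer VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def report_by_county(conn, min_group=2):
    """Pre-written aggregate report: totals per county, never per-person rows.

    Counties with fewer than min_group taxpayers are suppressed so a group of
    one does not reveal that one person's balance (small-cell suppression).
    """
    cur = conn.execute(
        "SELECT county, SUM(owed), COUNT(*) FROM taxpayer GROUP BY county ORDER BY county"
    )
    report = []
    for county, total, n in cur:
        if n < min_group:
            report.append({"county": county, "total_owed": None,
                           "taxpayer_count": n, "suppressed": True})
        else:
            report.append({"county": county, "total_owed": round(total, 2),
                           "taxpayer_count": n})
    return report


def per_taxpayer_dump(conn):
    """The anti-pattern: a 'report' that is really the raw table. Kept here only
    so the exit check below can be shown catching it."""
    return [dict(zip(("name", "ssn", "address", "county", "owed"), row))
            for row in conn.execute("SELECT * FROM taxpayer")]


def report_leaks_identifiers(conn, report):
    """True if the serialized report contains any stored name, SSN or address,
    or anything shaped like an SSN. Run this before a report leaves the tier."""
    text = json.dumps(report)
    if SSN_RE.search(text):
        return True
    for name, ssn, address in conn.execute("SELECT name, ssn, address FROM taxpayer"):
        if name in text or ssn in text or address in text:
            return True
    return False


if __name__ == "__main__":
    db = build_db()
    safe = report_by_county(db)
    print(json.dumps(safe, indent=1))
    print("safe report leaks:", report_leaks_identifiers(db, safe))
    print("raw dump leaks:", report_leaks_identifiers(db, per_taxpayer_dump(db)))
```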
Re:Indicative of a larger problem (Score:2)
People (not you, necessarily) in this thread have immediately jumped on a public/private sector distinction. But I don't think that's so much the cause of variance. Instead, security, finally, varies by resource allocation. If a body, public or private, puts the right resources and personnel towards security, then things will be better. If they don't, things
Re:Indicative of a larger problem (Score:3, Interesting)
You seem to be forgetting about the developers who design these things and the reports that the idiot business people run. Only 2,200 records were compromised? Soun
Re:Indicative of a larger problem (Score:2)
Re:Indicative of a larger problem (Score:4, Informative)
I don't know what companies you've been working for, but out there in the real world, people tend to run things by the seat of their pants. I've seen data, including credit card data, stored in a database on a windows 2000 server directly connected to the internet. I've had data worth millions of dollars emailed to me on the same machine I browsed Slashdot on during lunch. It was a windows 2000 machine too.
That's just personal experience. I've heard stories of critical data sitting in USB shared drives, secured by nothing but friction to their sockets. Private company files transferred to the upstairs office via a hotmail account. Databases being backed up to iPods. The list goes on.
These stories didn't come from government or other public organisations. No. These are stories straight from private industry, that magical market force that will save us all. If you think people actually follow the rules out there in the real world, you'd do better to think again.
Re:Indicative of a larger problem (Score:2, Informative)
You work with Data? I always thought he was just a fictional Star Trek character
SCNR
If not under lock and key... (Score:2)
First off, you are right that direct access is Bad. Very Bad. In fact, internal systems should ideally be going through proxies and a firewall to prevent random applications (such as viruses) from setting up their own connections. For what is presumably a fairly low-bandwidth facility
Re:If not under lock and key... (Score:2)
The "security" provided by proxies is for the most part only perceived security - it's not exactly rocket science for malware to pull the proxy settings from other software such as your web browser and just connect that way.
they could probably even use layer 7 filtering and block unauthorized applications even if they did have all the correct password
Re:If not under lock and key... (Score:2)
Re:Indicative of a larger problem (Score:5, Insightful)
Actually, it isn't that amazing at all. I'm wrapping up a sysadmin gig in the nonprofit world (and moving back to strictly commercial work) right now. Specifically, I'm in legal services, where the IT talent is very thin but some of the privacy and security needs are pretty serious. I can tell you, I know of three legal services organizations or programs in the US that practice anything resembling defense-in-depth. That's why a lot of recent attacks (like the rise of "spear-phishing") use social engineering to get in. Because once you're inside the walls, so to speak, far too many networks are open season that really shouldn't be.
If you're throwing around passwords in the clear or unencrypted files or have network shares with sensitive information and broad access on the local network, the risk is there because there's always a door to the inside in our pervasive-Internet world. In many cases, that door is through human nature/sociological probability/whatever you want to call it.
A sysadmin must absolutely assume that there will be a user that is going to pull this kind of stupid crap, and design their defenses around it. But, speaking from experience, go to a big ol' local nonprofit that has lots of sensitive client information and start grilling the sysadmins about defense-in-depth and see what they say. You think they're monitoring all local network segments for malicious traffic with Snort? Encrypting local traffic and keeping a tight lock on any shared resources? Have a containment strategy if they detect an intrusion? Have clear and enforceable policies with respect to data retention or user activity? You'll definitely find folks are running Symantec Enterprise and have a badass firewall, etc, and that's cool, but it just isn't enough.
Shoot, this isn't local security, but nonetheless some major ASPs that handle donations for nonprofits provide the option of sending credit cards numbers in the clear. Sure, you're looking at a secure page, but some script is actually doing the real POST over straight http, and you never see it.
Defense-in-depth is going to become more and more critical for everybody, especially small and medium sized businesses that have been marketed elaborate and powerful perimeter defenses and anti-virus companies have hawked products that day-by-day become increasingly irrelevant to the real security threats, which must rely on tightening local security measures and doing actual traffic analysis of the network itself, not just watching for compromises on the client, because those compromises are going to be harder and harder to detect as the compromises become more and more social in nature and frankly, only good for post-mortem analysis, after the catastrophe has already hit.
A final thought: Elaine Scarry, a philosopher, is writing a book on the meaning of consent in a world where nuclear war is a possibility. I think one could ask some questions about the meaning of technological freedom in a world where a lot of greedy, malicious people are out to clobber any and all security weaknesses on computing machines that store and transmit incredibly sensitive information.
Re:Indicative of a larger problem (Score:2)
Re:Indicative of a larger problem (Score:2)
(But this information definitely should not have been on a computer that was used for downloading porn, or rather, a computer with this information on it definitely should not have been used for downloading porn...)
Re:Indicative of a larger problem (Score:2)
through separate computers in the corridors, in plain sight, on a separate network. The only way to move private data to the Internet-enabled computer is by memorizing it. It is terribly inconvenient for IT staff, but it works.
Re:Indicative of a larger problem (Score:2)
Actually, it's just the opposite. For one, the thief will get through all of the records eventually. If they don't, a buyer will.
Also, the bigger the leak, the more complicated it becomes to account for every potentially compromised individual and notify them.
Forgive me if I offend, but I had a good chuckle at t
From the I've-never-had-a-2,200-some-before dept. (Score:5, Funny)
Windows+IE+Porn (Score:3, Funny)
It's fitting I suppose... (Score:4, Funny)
Re:It's fitting I suppose... (Score:2)
"Only figures... Since most of the money I was supposed to pay my taxes with, I used to buy porn anyway."
That's what you call cutting out the middle man. Only thing is, I can't remember if cutting out the middle man is considered Good or Bad in the pr0n world....
Re:It's fitting I suppose... (Score:2, Funny)
Whitelist sites they can and cannot use (Score:2, Interesting)
Re:Whitelist sites they can and cannot use (Score:2)
Re:Whitelist sites they can and cannot use (Score:2)
What's that?
Re:Whitelist sites they can and cannot use (Score:2)
First, there is no such thing. MS even came out during their trial and said that it was impossible to totally lock down Windows. So it is impossible to "properly protect" it. As such, I would hope that somebody with Linux on the net has done a good job. But I sure feel better if it is somewhat current.
Second, watch news.com for announced thefts. Whenever they occur, go to netcraft and find out what w
Wow... (Score:2, Funny)
Re:Wow... (Score:2)
Meaning, of course, that it's "diculous" a second time.
Um...
On the other hand (Score:4, Insightful)
"Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday."
Let's read that again
Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday.
EX-EMPLOYEE!
What the hell was an ex-employee doing on site, surfing porn? Forget computational security, what about physical security?
In the words of Napoleon Dynamite "Freakin Idiot!"
Re:On the other hand (Score:2, Funny)
Re:On the other hand (Score:5, Informative)
You don't need a trojan ... (Score:2, Interesting)
Filters ? (Score:2)
I mean, it is the taxpayers' money that is paying for that computer, internet link and his time.
Yes, I know it is possible to circumvent those filters. But people who can circumvent filters are not likely to catch those trojans.
Re:Filters ? (Score:2)
You'd be surprised how government offices are run...
Employees who hook the -unused- built-in 56K modem into the phone line to bypass filters to be able to read personal emails and whatnot, infecting the network without an admin being able to do much other than gluing the sockets shut to physically make it impossible to use that modem.
Government employees aren't particularly the brightest or security-aware lot; I've heard quite shocking stories of consultants working for [Belgian] government instances.
Another view, better tech quality (Score:5, Informative)
Quote from this one: "We maybe had a false sense of security," O'Meara said.
Whoa, maybe. Y'think?
The Trojan horse gathered the equivalent of 7,000 text pages of data.
Somewhere a scammer is very, very busy.
7000 pages? (Score:2, Interesting)
and
So that's ~5.3 "pages of text" per person they got only the SSN, name and address for. Either people in Oregon have really long names and addresses, or something e
Oregon = Oregon Trail (Score:4, Funny)
Welcome to the present... (Score:5, Informative)
Re:Welcome to the present... (Score:2)
So... (Score:2, Funny)
They don't have to care as long as others pay (Score:5, Insightful)
Is it just my perception or is this becoming routine now?
I used to be only concerned in a detached way. Then *today* I received a letter from the student loan people saying, in essence: "We lost a dataset including your information. Sorry! Better contact the credit bureaus, and watch your financial statements. Have a nice day!"
The only way we are going to have data security is if the parties that fail to secure data are held responsible for the consequences to others. Ideally, that would mean that if someone commits fraud using my stolen data, the organization that lost it has to pay me the actual cost of correcting credit reports, changing all my accounts, compensation for time spent, any lawyers needed, etc.
Instead the banks are allowed to exploit the situation by selling insurance against it. We can't even get disclosure laws everywhere.
Well excuse me for ranting. I guess my only point is, the only way the technical and user-education type of solutions will become relevant is if the costs are placed appropriately.
Re:They don't have to care as long as others pay (Score:2)
Re:They don't have to care as long as others pay (Score:2)
And those affected would never see that money anyway, it'd simply be revenue for the states and the lawyers.
Re:They don't have to care as long as others pay (Score:2)
Re:They don't have to care as long as others pay (Score:2)
Maybe, trending towards probably not. There are fines for knowingly hiring illegal aliens. Wonder how that has worked out...
The real problem is assigning some magical property (uniqueness, secrecy) to a number. It doesn't matter if that number is a SSN or some other number (or ID form). Because if it is widespread enough it will be used by everyone f
Screwed? (Score:2)
The internet is for porn (Score:3, Funny)
The internet is for porn! http://video.google.com/videoplay?docid=543034384
You think that's bad? See what they do in the UK (Score:2)
An information technology security officer!!!?? (Score:3, Interesting)
Noticeably missing from all of the articles I have seen is the name of the OS that was compromised. Is that because the news sites don't know there is more than one OS, because the reporters are incompetent, because Bill Gates will fire them if they mention it (think msnbc subsidiary), or because the reporters figure it is patently obvious that it was Windows since the compromise happened in the first place?
Re:An information technology security officer!!!?? (Score:2)
Even with the nonmentioned prevalent OS it is a snap to configure an office workstation in such a way that ordinary employees are not able to download, install and execute programs (including trojans) from the web.
It starts by not giving the user an Administrator account.
From the department of redundancy department .... (Score:2)
From your reply:
Three questions before firing DOR squatters (Score:2, Insightful)
2) What (the fuck) is a DOR employee doing on an internet porn site during working hours?
3) Where (the fuck) is this whole world coming to!? (err, is he a prudent republican?)
That'll teach ya... (Score:2)
Here's the real problem (Score:2)
When are people going to learn? The rule in security is: denied unless explicitly allowed.
Simple math says there are an infinite number of sites to be blocked but only a handful of sites to be unblocked!
I have no sympathy for:
a) a company that allows the users to install software
b) a company that allows everything and only blocks after the fact
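The default-deny rule from this post and the outgoing desktop firewall suggested earlier in the thread, as an added example that is not from the thread: a short allowlist of approved destinations is evaluated over constructed proxy/firewall log lines, and anything not on the list is denied without anyone having to know in advance that the destination is bad. The log format, hostnames and allowlist are all made up.

```python
"""Default-deny outbound policy evaluated over constructed egress log lines.

Added example, not from the thread. The allowlist is the whole policy: there
is no blocklist to keep up to date, which is the post's point.
"""
import re
from collections import namedtuple

# Permitted (host, port) pairs. Everything else is denied. Constructed values.
ALLOWLIST = {
    ("tax.example.gov", 443),
    ("intranet.example.gov", 443),
    ("av-updates.example.net", 80),
}

# Constructed log lines: "<time> <user> <process> <host>:<port> <bytes_out>".
# The last line mimics a trojan reporting back over port 80 to an unlisted host.
SAMPLE_LOG = """\
2006-03-14T09:12:01 jdoe iexplore.exe tax.example.gov:443 512
2006-03-14T09:13:44 jdoe iexplore.exe unlisted-site.example:80 2048
2006-03-14T09:15:02 jdoe svchost.exe av-updates.example.net:80 300
2006-03-14T09:40:10 jdoe rundll32.exe 203.0.113.7:80 7340032
"""

LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<user>\S+) (?P<proc>\S+) "
    r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<bytes>\d+)$"
)

Verdict = namedtuple("Verdict", "time user proc host port bytes_out allowed reason")


def parse_line(line):
    """Split one constructed log line into its fields; reject anything malformed."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    d = m.groupdict()
    return d["time"], d["user"], d["proc"], d["host"], int(d["port"]), int(d["bytes"])


def evaluate(line, allowlist=ALLOWLIST):
    """Default deny: a connection is allowed only if (host, port) is listed."""
    time, user, proc, host, port, nbytes = parse_line(line)
    if (host, port) in allowlist:
        return Verdict(time, user, proc, host, port, nbytes, True, "on allowlist")
    return Verdict(time, user, proc, host, port, nbytes, False, "not on allowlist")


def audit(log_text, allowlist=ALLOWLIST, large_upload=1_000_000):
    """Return (denied, large): every denied connection, plus the subset that
    pushed at least large_upload bytes out, which is the pattern worth paging on
    because an unapproved destination receiving megabytes looks like exfiltration."""
    denied, large = [], []
    for line in log_text.splitlines():
        v = evaluate(line, allowlist)
        if not v.allowed:
            denied.append(v)
            if v.bytes_out >= large_upload:
                large.append(v)
    return denied, large


if __name__ == "__main__":
    denied, large = audit(SAMPLE_LOG)
    for v in denied:
        print("DENY", v.proc, f"{v.host}:{v.port}", v.bytes_out, "bytes")
    for v in large:
        print("ALERT large upload to unapproved host:", v.host)
```

The list only holds if it is enforced at the egress firewall as well as in the browser's proxy settings, since, as another post in this thread notes, malware can read the proxy configuration and use it too.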
No Lawyer Necessary - Only Patience. Here's How (Score:5, Informative)
A lawyer is unnecessary and expensive. It's easy to handle ID theft once you understand that the situation cannot be corrected immediately, that you shouldn't go ballistic, and that time and patience (and a few simple procedures) is all that's required to correct the situation:
Above all, be patient, take your time (there's no rush, all changes are made at snail mail speed at best) and don't worry. Just go through the steps and everything can be corrected within about 180 days.
After that, make sure you check your credit record with the major credit bureaus at least once a year. They'll send this for free. Follow the above steps whenever you see a fraudulent account or application. The Bad Guys won't be able to touch you.