
Taxpayer Data At IRS Remains Vulnerable

CWmike writes "A new Government Accountability Office report (PDF) finds that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. The news comes less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial IRS systems. Two big standouts in the latest finding: The IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said."

  • by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Tuesday January 13, 2009 @11:05PM (#26443373)

    According to the IG's report, systems administrators and other privileged users are able to access, modify and delete taxpayer data with impunity because of a lack of monitoring capabilities in the two systems.

    So it seems that the system allows for modification of taxpayer data. That's quite a bit different from just having it available.

  • by Anthony_Cargile ( 1336739 ) on Tuesday January 13, 2009 @11:39PM (#26443649) Homepage

    Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.

    Really? They should have fired the webmaster for both putting that sensitive of information in the URL query string (HTTP GET), and for not managing sessions in the authentication process. It amazes me the query string vulnerabilities these sites have these days - the other day I pulled the /etc/passwd file from a guitar tab website (don't judge me) because I noticed the path in the query string to the ascii tabs used in the shtml, which a little directory traversal and lack of permissions aided. A few nodes requesting /dev/urandom could have crashed the whole fucking server because of the stupid webmaster!

    Yes, in 2000 we had no php or asp.net session management like we do today (where a 3 year old with the proper training could code a secure session), but we had perl, C, and even Java, so lack of a babying framework is no excuse for lack of security, especially something as obvious as that! It's just one of those raw nerves to me!

    I'm pretty sure that there's a similar situation in the US.

    Dear lord I hope not. If my information is still to this day in 2009 retrievable via changing a query string parameter (or cookie, or directory traversal, or even shell code via some obscure method) then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't harvest information that easily (not really, don't need treason charges :).

    But seriously, especially if working with secure information retrievable publicly, please secure your site and check for server vulnerabilities and all (php registered globals, etc.). Sorry for all of that but it just absolutely bugs me when a simple bad web app can bring down information, security, or even a whole server deployment. That's all.
    </rant></rave>
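
The two server-side checks whose absence the comment above complains about, as an added example that is not part of the original comment: a file name taken from the query string is confined to regular files inside the served directory, and a record identifier from the URL is honoured only when it matches the authenticated session. The function names, the session layout and the sample records are assumptions made for illustration.

```python
import os
import tempfile

class Forbidden(Exception):
    """Raised when a request asks for something the caller may not have."""

def resolve_tab_path(base_dir, requested):
    """Map a query-string file name to a regular file strictly inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # realpath collapses ".." and follows symlinks, so the comparison below
    # is made against the file that would really be opened.
    if os.path.commonpath([base, target]) != base:
        raise Forbidden("path escapes the served directory")
    # Regular files only: rules out directories and devices such as /dev/urandom.
    if not os.path.isfile(target):
        raise Forbidden("not a regular file")
    return target

def fetch_record(records, session, requested_id):
    """Return a record only if the authenticated session owns requested_id."""
    owner_id = session.get("account_id")  # set server-side at login, never from the URL
    if owner_id is None or requested_id != owner_id:
        raise Forbidden("identifier in URL does not match the session")
    return records[owner_id]

def demo():
    """Run both checks on constructed sample data and report each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "song.txt"), "w") as fh:
            fh.write("e|--0--|\n")  # constructed sample file
        for name in ("song.txt", "../../etc/passwd", "/dev/urandom"):
            try:
                resolve_tab_path(root, name)
                results[name] = "served"
            except Forbidden:
                results[name] = "rejected"
    records = {"1001": "record A", "1002": "record B"}  # constructed sample data
    session = {"account_id": "1001"}                    # hypothetical logged-in user
    for rid in ("1001", "1002"):
        try:
            fetch_record(records, session, rid)
            results[rid] = "served"
        except Forbidden:
            results[rid] = "rejected"
    return results
```
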

  • by Anonymous Coward on Wednesday January 14, 2009 @01:35AM (#26444443)

    My best friend works for the Federal Government (Social Security, not the IRS).

    You wouldn't believe. Let me say ... well, you just wouldn't believe some of the things they do (and don't do) regarding computer security.

    Most employees where this friend works basically sit and play solitaire, or chat on their cell phones while their monitors are filled with sensitive information about Joe Average's income sources. That's when they're actually working, of course. People from the mail room, the phone room and the cafeteria can (and do) walk through. If they cared (which they don't, either, not most of them), they could glance at these monitors and get more info in 10 seconds than a phisher gets in a day's worth of work.

    If the average American had any idea how inefficient and insecure the typical government agency REALLY is, there'd be another revolution tomorrow.

    The computers in my friend's building are maintained by private contractors via the lowest bid. Some of these contractors can't even figure out how to install RAM or how to make a printer work properly. How are they going to help these government employees secure their machines?

    And it goes without saying that anyone who's actually halfway skilled at secure network administration will have long since taken a higher-paying job in the private sector.

    Ergo et sum: you shouldn't be surprised.

    By the way, the only reason I post anonymously is because this friend could get in trouble.

  • Re:Solution (Score:2, Informative)

    by Anonymous Coward on Wednesday January 14, 2009 @03:11AM (#26445073)

    It would probably hurt Conservatives, as it has in Canada and Australia.

    When these countries eliminated business taxes and simply moved them to sales taxes, the cost of management increased. Instead of the easy double-checking verification of income taxes, businesses were more likely to hide their sales and evade taxation.

    It's just harder to hide your income than sales.

    You also had a significant rise in prices. Although the tax burden had not changed at all, businesses did not lower their prices when business-taxes were reduced, but still passed the sales taxes onto consumers. They blamed the higher prices on the Government since the taxes were more visible.

    The Fair-Tax plan is an extreme version with no chance of passing. The average earner only pays 13% income taxes, while the Fair Tax would need to charge 30%+ to generate the same revenues. Instead of high earners paying a larger proportion of taxes, the burden is pushed to those who have to spend most of their income to survive.
