Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security IT

IRS Employees Fall For Hackers 279

linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the "technician". The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."
This discussion has been archived. No new comments can be posted.

IRS Employees Fall For Hackers

Comments Filter:
  • by suso ( 153703 ) * on Wednesday March 16, 2005 @10:05PM (#11961485) Journal
    Just like I always say. Social Engineering is the biggest security problem nowadays. Maybe this time it showed a decrease in the people who fell for the attack, but I bet that if the Auditors increased the sophistication of their ruse, that they would actually increase the amount who fell for it.
    • Social Engineering has always been the biggest problem. There is no such thing as perfect security when too many people are in the know, or have some sort of access.

      No matter how good an encryption system is, its obviously going to fail if the person breaking in has the right information.
      • by suso ( 153703 ) * on Wednesday March 16, 2005 @10:16PM (#11961587) Journal
        Right, but it also *seems* (I have no fact to back up this claim) that social engineering is the least worried about security vulnerability.

        I was however pleasantly surprised recently when going to a gas station, paying at the pump, the receipt didn't print out and when I went inside the cashier actually asked me for the last name on the card instead of just handing me the receipt. I almost offered him a job.
        • that social engineering is the least worried about security vulnerability.

          That's an excellent point. I'd say perhaps that instead of being least worried about, its more likely the most over looked. When you think of stopping hackers, most people picture a firewall program and router. Not their telephone and a random IT department problem.
          • by slittle ( 4150 ) on Wednesday March 16, 2005 @10:50PM (#11961814) Homepage
            Firewalls and routers are technological solutions - throw money at the problem and it goes away.

            The problem with social engineering is that before the users can be given a clue, management has to get one.

            And they can't just buy it in a shrinkwrapped package from $VENDOR, they'd have to admit (to the entire company) they don't know something and be educated. But they're not going to do that, nor will they defer to the experts they (should have) employed to handle it without managerial fiddling. Therefore the problem doesn't exist, mmkay?
        • I worry about it all the time. My users constantly volunteer their passwords when I don't ask for them. If they know I am going to use their computer to install a printer driver or something, many will write their password on a sticky note for me, "just in case."

          Our receptionist will buzz anybody into the office if they ask. After work one day, she admitted she felt bad not knowing anybody's name because she's new, and didn't want anybody to realise she didn't know them, so she buzzes everybody in.

          So, any random person could compromise my whole network by knowing only a few words of english. "Can you buzz me in?" and it doesn't matter what they say for the second part, because you can trust anybody in the building because you "need key card access," and the users will volunteer their password to anybody they think they can trust. ::sigh:: I spend more time worrying about spyware, though.
        • by T-Ranger ( 10520 ) <jeffwNO@SPAMchebucto.ns.ca> on Wednesday March 16, 2005 @11:03PM (#11961891) Homepage
          I suppose it depends on what level of security you are dealing with. In 2005, on Slashdot, security might only mean computers, but its more general then that. The good counterexample would be that of Alan Turing.. While he was not hacked, the powers beleived he could be, and thus was striped of all his security clearences.
        • I hope you gave the guy a compliment. I always remark how I appreciate their concern for security when somebody does something similar. It's unfortunate good behaviour needs to be rewarded, but that's life...
        • by KingJoshi ( 615691 ) <slashdot@joshi.tk> on Thursday March 17, 2005 @01:15AM (#11962570) Homepage
          I'm working temporarily as a cashier at a fast food place. Sometimes, I get tips from people when I ask them for IDs on their credit cards :)

          People are willing to pay a huge price for convenience. Social engineering attacks exploit that, but obviously, it hasn't been enough to make people cynical or stringent on rules.

          My first inclination was to make the process of buying and receiving the food fast and convenient. Many people don't bring out their IDs with their credit cards and sometimes have to dig through purses for them. So it makes it slower and inconveniences them. Obviously, I understand that security is important enough, but it's not something people are taught. And even if you are, when you have rushes of people and some can be a pain, you just want to get them through.

          But even then, you have to wonder what balance to reach. Do you always reject people if they don't have their IDs? On campus, some places take your ID if you check something out or whatever. How trusting can you be? And "never" just doesn't work in regards to customer service because you want the people to feel as they're treated well and come back (without angering those that care about security).

          Social engineering will always work into the future because people are willing to take certain losses (billions of dollars each year) for convenience, values such as courtesy and (as in the secretary case the other guy mentioned) save face.

          Then, you have issues of people that rebel due to overly strict rules or disagreement with them. I know that many universities have had to deal with theft. The Engineering department at MSU locks the doors on the buildings around midnight (though the hours say until 2am) and since so many people come in and go out of the buildling later than that, the students keep a trash can to prop the door open. And if I'm going out of the building, I wouldn't hesitate to keep it open for someone who's trying to get in.

          With software it's the same things. Writing passwords down or whatever. Given the option between security and convenience, most likely, it'll be the latter.
      • There is no such thing as perfect security when too many people are in the know, or have some sort of access. There is no such thing as perfect security. Given a sufficient motivation, amount of time, and resources any protection can be overcome.
    • Absolutely; it's too easy to fool someone to do something like make someone change their password this way, simply because people are nervous aout their computers and they'd obey anyone who sounds technical enough. It's like people need a minimum Bachelor's in CS* to live in this age.

      *not that said degrees are/are not useful, just that lots of people need to learn a lot about computers and scams like this. Now.
    • by yuriismaster ( 776296 ) <tubaswimmer.gmail@com> on Wednesday March 16, 2005 @10:15PM (#11961583) Homepage
      I think they should take any person who fell for this and instantly can them. I mean, unless the Auditors used the Tech Line's desk number, any (semi-intelligent) IRS employee would feel a little cautious. Their job is VERY important, and any security breach spells disaster.

      I think there should be a memo at every single person's desk: "Never give out your password or credit card number in a phone call." (Quick play on MSN's security warning..)

      Besides, any admin worth his salt will reset a user's password and tell him to change it instead of telling him to change it to what the admin wants.

      I hate stupid poeple...
      • Besides, any admin worth his salt will reset a user's password and tell him to change it instead of telling him to change it to what the admin wants.

        There's a good scam I read about in a book, I think it might have been the one written by Mitnick. Here's how it works:

        You pretend to be the network administrator testing some new security procedures and you phone up your target user. Introduce yourself and say that you're running some security testing on the networks and you need five minutes of their time to do some testing. Remind them that never, under any circumstances, should the user tell anybody else their password. Even reinforce that they shouldn't even tell you, as you don't need to know.

        Now here's the trick. Ask them to logoff. Once they've done that, tell them that you're doing some monitoring and that they should now login with their password... "and remember, don't tell me what it is!" Great, now we need to test the change password function. Get them to change their user account password to something which is known, such as "abacus". Once they've changed their password, ask them to logoff again. You, the intruder, can now login to their account as you know the password. If it's unix-based, you can setup some kind of daemon to run and accept connections, grab random files, login to the corporate VPN, whatever. Stall them for a little bit while you pillage their network... get them to login, letting them know you can't see their login come through, etc. Whatever buys you the time you need.

        Then get them to login once more and change their password back to what it was. Remind them yet again not to tell you that password as they should never tell anybody what their password is. Thank them for their time and for helping you test the security system [and for allowing you to preview tomorrow's result of whether or not the FDA will be accepting or rejecting their new drug therapy, thereby allowing you to take out appropriate options on the stock].
      • Yes, fire everyone! Don't bother taking an important chance to educate the existing workforce. After all, it would cost practically nothing to rehire and retrain 30% of the IRS.

        So while I agree with you that absolutely draconian measures are called for, and people should be fired for not being as smart as you (even though they were hired for jobs in which computer expertise is not a prerequisite), I'm curious about the potential disaster you proclaim.

        What sort of disaster would this be exactly? Every
    • Quit lying! (Score:4, Funny)

      by toupsie ( 88295 ) on Wednesday March 16, 2005 @10:23PM (#11961639) Homepage
      Social Engineering is the biggest problem. Just like I always say

      Oh please. You have never ever said that before. Just yesterday you were saying the shrinkrap on new DVDs was the biggest problem. I can hear it now, "Damn it! I can't get open up my new Steel Magnolia Director's Cut DVD!!! This damn wrapper is the biggest problem! There should be a law!".
    • by dezcola ( 627992 ) on Wednesday March 16, 2005 @10:26PM (#11961658)
      The first time I saw Social Engineering on the big screen was when Matthew Broderick got himself sent to the principals office just so he could get the weekly password. That movie came out in 83 and the idea wasn't new then.
    • "...I bet that if the Auditors increased the sophistication of their ruse, that they would actually increase the amount who fell for it."

      You think? Of course, the more "sophisticated the ruse" is, the more people will fall for it. That's what worries me. If 30% fall for this, then what about the key employee who will be tricked by a deceptive criminal who is focusing all his attention on tricking that one person?
    • I believe this is how the "most famous hacker ever" (mitnick) got into most of the systems.
      It's been proved time and time again that it is so much easier to just walk up and ask for a password than to try and crack it.

      1024-bit encryption doesn't prevent a helpful secretary with her password on a post-it note stuck to the front of her monitor.
  • We need more incompetence out there giving away our life stories!
  • by The Amazing Fish Boy ( 863897 ) on Wednesday March 16, 2005 @10:07PM (#11961499) Homepage Journal
    If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001.

    You know, there's an old saying in Tennessee - I know it's in Texas, it's probably in Tennessee...
    • by Anonymous Coward
      Fool me once shame on you, fool me twice I must be an American.
  • I would be happy.. (Score:5, Insightful)

    by KenFury ( 55827 ) <kenfury@hBALDWINotmail.com minus author> on Wednesday March 16, 2005 @10:07PM (#11961506) Journal
    While not perfect results, a 50% decrease in the number of users giving away their password is a victory. Hopefully in a few years it will be down to 10%.
    • by LewsTherinKinslayer ( 817418 ) <lewstherinkinslayer@gmail.com> on Wednesday March 16, 2005 @10:11PM (#11961538) Homepage
      ... Hopefully in a few years it will be down to 10%

      I like your goal, its actually feasible. I think it would be pretty much impossible to make social engineering ineffective in any large business or agency.

      Better training to recognizing attempts at social engineering I think would make a world of difference.
      • by gstoddart ( 321705 ) on Wednesday March 16, 2005 @11:07PM (#11961915) Homepage
        ... Hopefully in a few years it will be down to 10%

        I like your goal, its actually feasible. I think it would be pretty much impossible to make social engineering ineffective in any large business or agency.

        Not to detract from the observation this is a vast improvement, but I should think you could do one hella lot of mischief with even a 10% rate of success. Especially at the IRS. And almost anyplace else, come to think of it.
      • by knightri ( 841297 )
        Another form of authentication seems like a feasible solution. Eye-print scanning, blood analysis, distributed networked random key generation or even simple yet less secure fingerprinting
      • You think you'd be able to get it through some people's heads: "DON'T GIVE OUT YOUR PASSWORD!" It's not brain surgery...if an admin needs to get you to change your password, he can set an expiration date...or, *gasp*, talk to you in person. Or log into your account using su and just leave a note. You just don't do things like that over the phone...
      • You're probably right, but I'd like to think 0.x% is possible.

        Afterall, the campaign should be simple.

        "If ANYONE, EVER asks for a personal password, report it to I.T. and building security immediately."

        Hang posters above the urinals, on the walls, in every cubicle... just to drive it home.
    • Not to mention they're doing regular audits, which is more than I can say for some downstream users of my credit data.
    • by vfwlkr ( 668341 )
      However, when it comes to IRS, SSA or the like, even 10% would be a defeat. Hackers need only one account to gain unauthorised access, not 10% of the workforce!
      • by GigsVT ( 208848 )
        If the other 90% actively reported attempted social engineering, and those reports were followed up on by real law enforcement, then it would raise the bar as to who would actually attempt such an attack.

        The only measure of security is:

        It would make an effective deterrent to all but the most dedicated intruder.

        That's all that matters. Increasing the dedication needed to break in is what security is all about.
    • To: Me
      From: Myself
      Subject: Meet with auditing team 10:30

      Something about stupid passwords.
      Don't miss it!

      --

      Can you be fired from the IRS for brazen stupidity?

  • by peculiarmethod ( 301094 ) on Wednesday March 16, 2005 @10:08PM (#11961512) Journal
    as the old saying goes.. death, taxes, and idiocy.
  • by TelJanin ( 784836 ) on Wednesday March 16, 2005 @10:09PM (#11961518)
    ...the user is the largest security hole. Either you can restrict them to where they can't do their job, or somebody can get them to reveal their u/p for a candy bar.
    • Informative? This is common knnowledge, or should be to any admin who's been on the job for more than a day or two.

      Where have all the BOFHs gone? In my day, that candy bar would be 6o grams or so of C4 nougat with 3 remote detonator almonds all covered in a delicious chocolatey coating.

      Kids - no sense of history [xnet.com].

      Soko
  • No Surprise here (Score:3, Interesting)

    by bananahead ( 829691 ) * on Wednesday March 16, 2005 @10:10PM (#11961527) Journal
    This does not surtprise me, the typical IRS employee has probably only had a computer for 6 months. And it is probably a crippled 386. The IRS has NEVER been at the forefront of technology. In fact, it is a well kept secret that their use of technology is very limited. In addition, the caliber of people that will actually work for the IRS is not exactly the highest in the world. It is mostly Civil Service work. Now, before you jump up my ass with flames about not being fair, I am being fair. I didn't say Civil Service was bad, it just doesn't attract the finest we have to offer. Try training them.
    • Re:No Surprise here (Score:5, Informative)

      by BenEnglishAtHome ( 449670 ) on Thursday March 17, 2005 @09:23AM (#11964531)

      A few notes from someone who works at the subject TLA.

      ...the typical IRS employee has probably only had a computer for 6 months.

      Flat wrong. Essentially every IRS employee gets a computer when they come on board.

      ...it is probably a crippled 386.

      Wrong. All the 386s have been gone for years. The slowest machines in common use are 800Mhz Dell C600s and they're being replaced this year.

      The IRS has NEVER been at the forefront of technology.

      Demonstrably wrong. Look at the history of LCD fabs for one example. Specifically, IRS demand for larger LCDs drove much of the that industrys momentum a couple of decades ago. Look up the screen specs for the old Zenith 171 lunchbox computer.

      You want more current examples? Linux deployment, our VPN implementations, and plenty of other things we do have been at the leading edge of what's workable for a long time.

      ...it is a well kept secret that their use of technology is very limited.

      Where in the hell did you get that idea? Holy smoke, our work processes are so tied to technology it's ridiculous. That's why people freak out when computers don't work and they're willing to do anything, even, sometimes, give out their passwords, to get things working again. I really don't know where you're getting this crap.

      ...the caliber of people that will actually work for the IRS is not exactly the highest in the world.

      Ad hominem and not worth responding to. Wrong, to boot.

      ...It is mostly Civil Service work.

      The Civil Service system is almost dead. If you didn't get on board over 20 years ago, you're probably not even a member. Almost everyone is a Federal Employee Retirement System member now, so the old "stay there a lifetime and ossify in your chair because you're bound to the retirement system" motivation no longer exists. As for the more general use of the term, as in "Civil Service protections," they've been under unrelenting attack for so long there's little left. Yes, it's different from private industry but the old image of "Civil Service," which is what you're evoking, is simply no longer anywhere close to accurate.

      ...before you jump up my ass with flames about not being fair, I am being fair. I didn't say Civil Service was bad, it just doesn't attract the finest we have to offer.

      I would never flame someone for ignorance. Ignorance is curable.

      Try training them.

      Finally, something insightful. Thank you. The IRS dedication to computer training is pitiful and if that condition were corrected, much of these problems would go away.

      As an aside, the IRS was on the verge of making huge inroads on this in 2001. We had set up a new-hire training model that shipped all new employees to a central location for training. The advantages were absolutely huge. This successfully addressed complaints from tax professionals about disparate enforcement of tax law in different jurisidictions because everyone was going to be trained to do things the same way. In addition, since everyone was in one place at the same time, the IT folks had managed to get time slots to provide real, quality training to everyone. Things were good.

      We were in class on 9/11. We dealt with getting people home during the full ground stop. We dealt with people who saw massive numbers of their coworkers dying on television and simply collapsed under the emotional assault. (Not our people, but some of the folks working in the same facility were HQ'd in the WTC.) We dealt with people having an unreasonable fear of flying for a long time. (I spent a half day printing maps and plotting routes for shaky employees who had chosen to rent cars and drive home, even if that drive was a thousand miles.)

      The bottom line, though, was that centralized (read: high quality, consistent) training was then deemed too cumbersome and the program canceled. Big mistake. I hope we find a better way to do things before I retire.

  • by nganju ( 821034 ) on Wednesday March 16, 2005 @10:10PM (#11961530)

    I'm sure that all this bad press for the IRS must be really taxing.

    Sorry.
  • Hmmm (Score:5, Funny)

    by user9918277462 ( 834092 ) on Wednesday March 16, 2005 @10:11PM (#11961537) Journal
    Anybody who's had any significant amount of contact with government workers isn't impressed. You could probably get 35% of them to stick their tongues in an electrical socket if a "technician" told them it'd make their "Internet work better".
    • Yeah, but that would be good for the people of the US, and thus is party of their duty. Giving away their passwords isn't.
  • fire them (Score:5, Insightful)

    by CAIMLAS ( 41445 ) on Wednesday March 16, 2005 @10:12PM (#11961548)
    any of those 35% that fell for it 4 years ago should immediately be sacked. you'd think that after such a drastic fuck up, someone might take it to heart...
  • Fingerprints (Score:3, Interesting)

    by SamMichaels ( 213605 ) on Wednesday March 16, 2005 @10:13PM (#11961560)
    We've had fingerprint technology for a long time. In fact, the Samsung laptop has it built in. Why are (especially) government agencies using passwords? You can't exactly "share" your fingerprint with someone on the phone.
  • Giving out passwords (Score:5, Informative)

    by dcclark ( 846336 ) on Wednesday March 16, 2005 @10:13PM (#11961561) Homepage
    Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.

    Scary.

    Call me silly, but I think people should know that ANYONE in a position to legitimately be messing around with your account already has the ability to do what they need without giving you a call. There should be a simple policy (and maybe there even is, but obviously even some managers don't know): DON'T give out your password or userid to anyone. Period. And start telling that to the managers!
  • by hedley ( 8715 ) <hedley@pacbell.net> on Wednesday March 16, 2005 @10:14PM (#11961566) Homepage Journal
    The two hour echo strikes again.

    H.
  • by hunterx11 ( 778171 ) <hunterx11.gmail@com> on Wednesday March 16, 2005 @10:15PM (#11961579) Homepage Journal
    Wetware too is vulnerable to buffer overflow exploits. Annoy a person for long enough and they'll do what you say just to get you to stop talking.
  • by Dark Coder ( 66759 ) on Wednesday March 16, 2005 @10:18PM (#11961599)
    71% down to 35%.

    IRS employs [house.gov] 100,013 employees in 2001.

    36,000 employees got wise. What about the remaining 35,000 employees?

    No wonder, the quality of our audit is getting better! I just hope not to get audit at all, but if I do, I'd like to know which employee passed this social engineering test so I can avoid them...

    What better ways to railroad them with unmarked receipts and explaination of multiple exemptions?
  • by Shackleford ( 623553 ) on Wednesday March 16, 2005 @10:19PM (#11961611) Journal
    As I read through the article, I wondered what it was that made these employees think that giving their usernames and passwords could possibly correct anything that was occurring on the network. Then in the article was the explanation I was looking for.

    "Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical."

    It all appears to come from these people naturally wanting help those who ask for assistance and claim to be trying to help them. It also can be the result of ignorance, with their lack of knowledge of this technique, and thinking that it would be logical to give that kind of information. But here's what I find most interesting:

    "Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate."

    It was managers that gave this approval? Aren't they the ones who should be informing the employees of social engineering attacks? I think this may be the problem right here.

  • by Anonymous Coward on Wednesday March 16, 2005 @10:22PM (#11961627)
    Wow! Tax chicks will date me?
  • by gmerideth ( 107286 ) <`moc.jnlcu' `ta' `htediremg'> on Wednesday March 16, 2005 @10:24PM (#11961640) Homepage
    I started using a feature that WatchGuard has on their website called ClickAware [watchguard.com] within 2-3 days of our big "security" speech at some of our clients.

    We spent 4 hours discussing spyware, attachment best practices, viruses, adaware, malicious sites and policys on installing web apps.

    Shortly afterwards, using the ClickAware site, we send out fake e-mail with ( my personal favorite ) the "Install this Microsoft Patch" message with a phantom 241K attachment.

    I can then view the click rate and then match the click's to the internal IP browsing logs to see who's been a bad boy/girl/it.

    I'm stunned most of the time when not but 3 days after a rather lengthy, yet energetic, discussion, some 70% of the people ( of 122 e-mails ) actually clicked on the phantom attachment and saw the "If this was real you would be in trouble" message.

    As the subject says, I feel like I am wasting my time in performing these security meetings but hell, I'm getting paid for it.

    I know there will be the obligatory ( you must suck as a teacher then ) comments but it would be good to see if anyone else has experienced the same thing after doing security discussions with their employees.
  • by camusflage ( 65105 ) on Wednesday March 16, 2005 @10:24PM (#11961641)
    This really shouldn't be terribly surprising. It has been made obvious that the government is not all that swift at securing technology. From the recent FBI email hack [seclists.org] to the several times the Department of the Interior has been ordered offline [slashdot.org] by a federal judge because of their security ineptitude, it seems pretty clear to me that aside from a few pockets, by and large, the government couldn't secure a pop tart, let alone a complex network.
  • by DodgeRules ( 854165 ) on Wednesday March 16, 2005 @10:27PM (#11961665)
    The company I worked for 6 years ago was upgrading some software on all of their computers. They emailed everyone asking them for their username and password so that the technician could log in to their computer at night and perform the upgrade. I refused to hand over my password and told them that I would be there at the time they wanted to perform the upgrade. They weren't very happy about it. When they came to upgrade, I logged in for them. And watched everything they did. I watched as they connected to the server and install the upgrade. After they finished, they rebooted and left. I connected to the server again using my account and noticed that on the server was a list of everyone in the company, their usernames and passwords. Including the President and CEO of the company, CTO, CFO, all the way down the food chain. I walked over to the IT staff, showed them what I found and told them "THAT is why I won't give out my password."
    • by omahajim ( 723760 ) on Wednesday March 16, 2005 @11:10PM (#11961929)
      So if the IT department can't reset the password of their own employees, what the hell good are they? If you can't remember your password, you're forever locked out of your account? In a company with a "food chain" large enough to include a CEO, CTO, CFO, and "all the way down", they weren't using SMS or some other central software distribution system that doesn't require individual visits to client desktops? I don't doubt your story, I laugh at the clearly deficient system design that required someone to personally visit every desktop for some "upgrade". Or maybe I don't know what I'm talking about. I'm sure moderation will let me know.
      • Moderation? (Score:5, Funny)

        by CustomFort ( 643959 ) <MarkNO@SPAMReitblatt.com> on Thursday March 17, 2005 @12:23AM (#11962346) Homepage Journal
        Or maybe I don't know what I'm talking about. I'm sure moderation will let me know.

        You must be new here... ;)
      • It depends on the size of the company. With a small company, it is not cost effective to buy all the centrally managed software - basically any place up to several hundred employees run like a glorified home user, with some random flavour of Windoze on the desktop and one or two harried IT blokes walking around, fixing random problems on random desktops.
  • blame the manager... (Score:2, Interesting)

    by Elminst ( 53259 )
    "Some hesitated but got approval from their managers to cooperate."

    Just goes to show that you don't promote based on brains.

    but then again, it doesn't show too much brains on the part of the employees either. They cave as soon as a "higher up" says it's okay.
  • RTFA (Score:5, Funny)

    by TubeSteak ( 669689 ) on Wednesday March 16, 2005 @10:29PM (#11961679) Journal

    Since few have read the fucking article, I'll quote the relevant portions here:

    The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.


    "We were able to convince 35 managers and employees to provide us their username and change their password," the report said.

    That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.

    ... three sentences ...

    Employees gave several reasons for complying with the request, in violation with IRS rules that prohibit employees from divulging their passwords.

    Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical.

    Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.
    ... Two Sentences.

    With this news, I'll probably be calling my credit card company to see about helping a few customer service representatives with their account problems.

    Probably my health & car insurance companies too. It'd be great if I could save 15% on my car insurance.

  • I got dibs on calling Homeland Security next!
  • by SteelV ( 839704 ) on Wednesday March 16, 2005 @10:34PM (#11961717)
    I know getting into the IRS is already pretty bad, but what about other government agencies (FBI, CIA) or the military? I know in many cases they are on seperate networks, but in the cases where it's possible to get in...

    It would appear that they are more savvy, and receive more training, but who knows?
    • It would appear that they are more savvy, and receive more training, but who knows?

      The answer is, "it depends."

      It depends A LOT on the individual security people at each site. Some are idiots. Some are competent. Anecdotally, the higher up the DSS management chain you go, the more likely they are to be idiots because they are further and further divorced from the technical details and thus prone to more and more "hand-waving" like "it only takes a simple script to do the firewalling" and "no open sour
  • by dfj225 ( 587560 ) on Wednesday March 16, 2005 @10:45PM (#11961776) Homepage Journal
    Due to an error in the server configuration, all logins will fail unless you change your password to 'password'. We encourage all users to change their password in order to continue to enjoy services that logged in members have access to. Thank you, - Tech Support.
  • there's worse (Score:3, Interesting)

    by nigham ( 792777 ) on Wednesday March 16, 2005 @10:53PM (#11961833) Homepage
    you probably wouldn't believe it - i didn't at first - but some banks have a single password policy... thats right; there's just a single password for every user - get that out somehow and you have access to virtually everything
    • Re:there's worse (Score:5, Informative)

      by camusflage ( 65105 ) on Thursday March 17, 2005 @03:40AM (#11963130)
      thats right; there's just a single password for every user
      Not any US bank, I wouldn't think. You see (and I work for a bank, so I know a thing or two..), every year, we have a couple of audits. In addition to the SEC stuff, which really doesn't touch much here, FDIC makes sure our procedures are solid. The bigger audit is OCC (Office of the Currency Comptroller). Typically, we have several auditors on-site for a week or a week and a half, poring over standards, guidelines, and procedures. If, and this is a big if, we had anything like a single password for all users, we would be dinged most severely.

      Then there's the whold GLBA (Graham Leach Bliley Act) morass. GLBA governs a lot of things for banks, but most importantly for this discussion, that any customer sensitive or confidential data must be protected, access audited, etc. A single password for every user is neither protected nor auditable. Any financial institution found doing such things would be socked with a rather nasty five figure fine, more than likely. That alone is incentive enough not to cut corners on security.
  • by comwiz56 ( 447651 ) <<comwiz> <at> <gmail.com>> on Wednesday March 16, 2005 @10:58PM (#11961858) Homepage
    I suggest to anyone interested in social engineering (defending or attacking) to read to the book 'The Art of Deception' by Kevin Mitnick, the hacker god himself.
  • Your Tax Dollars at work.
  • No wonder... (Score:3, Insightful)

    by Spy der Mann ( 805235 ) <spydermann.slash ... minus physicist> on Thursday March 17, 2005 @01:01AM (#11962509) Homepage Journal
    with this american culture showing hour and half infomercials, telling you lots of lies and "DIAL NOW and GET SLIM, BE HAPPY FOREVER" pressure.

    The american public has been educated by the media into BELIEVING scams, rather than distrusting them. No wonder it's the country with the greatest incidence of religious cults (as in "brainwashing" cults).

    So is it a mystery that people fall for sharing their passwords?
  • HUMAN VERSION 2.0 CHANGELOG Fixed social engineering immunity system KNOWN BUG: AIDS Aging problem heart disease etc... (you know the rest.. i am trying to be funny :( )
  • by WaldoXX ( 803727 )
    What did we learn from Kevin Mitnick's social engineering hacks? ABSOLUTELY NOTHING... Seems like employers have to teach their support staff the first word you learned as a tyke... NO
  • by Lord_Breetai ( 66113 ) on Thursday March 17, 2005 @02:51AM (#11962993)
    I guess cracking the IRS dbase isn't so impressive. Poor Trinity. ^_^

  • by 192939495969798999 ( 58312 ) <infoNO@SPAMdevinmoore.com> on Thursday March 17, 2005 @07:31AM (#11963828) Homepage Journal
    There's another reason why social engineering works at a company like the IRS. They probably have a very CMM level 0 process for managing their I.T. infrastructure, and people just have to give out their passwords all the time just to get something they need to be fixed inside of a month. Turn that stuff around, and a lot less people will be giving out passwords.

Real programmers don't bring brown-bag lunches. If the vending machine doesn't sell it, they don't eat it. Vending machines don't sell quiche.

Working...