Taxpayer Data At IRS Remains Vulnerable
CWmike writes "A new Government Accountability Office report (PDF) finds that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. The news comes less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial IRS systems. Two big standouts in the latest finding: The IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said."
It's not the first time, it won't be the last. (Score:5, Interesting)
That reminds me of what happened in Australia with the taxation department a few years ago.
The ATO put everyone's tax details online and used their Tax File Number (everyone who pays tax has one).
Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.
There were accusations of hacking and all, but it conveniently left out the discussion that it was a pretty obvious and blatant flaw.
The minister responsible was never held accountable. That's why these security breaches keep on happening over here.
I'm pretty sure that there's a similar situation in the US.
GrpA
Re:It's not the first time, it won't be the last. (Score:4, Insightful)
The minister responsible was never held accountable. That's why these security breaches keep on happening over here.
GrpA
I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.
Such a rort.
All it would take is some simple bad behavior = punishment laws for politicians, but oh hold on, it's those same politicians that vote on the laws, so of course they won't do that.
Don't even get me started on being able to give yourself a pay rise.
P1
Re: (Score:3, Funny)
I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.
If you hit the bull's eye, the rest of the dominoes will fall like a house of cards, checkmate!
Re: (Score:3, Funny)
And it was just a demo.
Re: (Score:3, Insightful)
I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.
That's a very Insightful comment...
Politicians tend to say "If you pay peanuts you'll get monkeys", yet most businesses appear to operate on exactly this ideology.
I don't know about you, but I've seen far more Monkeys working as politicians than as (relatively) low-seniority employees.
Re: (Score:2)
In a democracy, for a politician to lose his job requires the public to stop voting for the person.
If the politician does something stupid, but the public keeps voting for them, it's an indication that the public doesn't consider the stupid things to be a problem. It's clear that most people don't care about the privacy of their personal information, or they would have fired the guy by voting for somebody else.
That's why it's important to keep the government as small as possible. Something you consid
Re: (Score:1)
There's no boycotting the government.
Sure there is. It just involves suicide.
Re: (Score:1)
How was the Minister supposed to know that there were security issues? If they had ignored advice to spend money on security testing and auditing then they certainly would be responsible, but in general it is the responsibility of the IT contractors producing software to advise the client on what is required.
To be honest, there is a major problem with the understanding of security issues in the IT industry. Even a basic understanding of networking, a healthy dose of distrust and attention to the flow of inf
Re:It's not the first time, it won't be the last. (Score:5, Informative)
Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.
Really? They should have fired the webmaster both for putting information that sensitive in the URL query string (HTTP GET), and for not managing sessions in the authentication process. It amazes me the query string vulnerabilities these sites have these days - the other day I pulled the /etc/passwd file from a guitar tab website (don't judge me) because I noticed the path in the query string to the ASCII tabs used in the shtml, which a little directory traversal and lack of permissions aided. A few nodes requesting /dev/urandom could have crashed the whole fucking server because of the stupid webmaster!
Yes, in 2000 we had no php or asp.net session management like we do today (where a 3 year old with the proper training could code a secure session), but we had perl, C, and even Java, so lack of a babying framework is no excuse for lack of security, especially something as obvious as that! It's just one of those raw nerves to me!
I'm pretty sure that there's a similar situation in the US.
Dear lord I hope not. If my information is still to this day in 2009 retrievable via changing a query string parameter (or cookie, or directory traversal, or even shell code via some obscure method) then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't harvest information that easily (not really, don't need treason charges :).
But seriously, especially if working with secure information retrievable publicly, please secure your site and check for server vulnerabilities and all (php registered globals, etc.). Sorry for all of that but it just absolutely bugs me when a simple bad web app can bring down information, security, or even a whole server deployment. That's all.
</rant></rave>
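The two defects the comment above names, a record selected by whatever identifier sits in the query string and a file path built from a query parameter, are both fixed by the same habit: the server decides what the client is allowed to touch. The following is an added example written for this page, not code from the thread or from any tax office; the record store, the `Session` type, the sample TFNs and the base directory are all constructed for illustration.

```python
"""Added example (not from the thread): server-side checks that close the two
holes described above. A tax record is selected by the identity bound to the
authenticated session rather than by a TFN in the URL, and a user-supplied
file name is confined to its base directory. All data here is constructed."""
import os
from dataclasses import dataclass

# Constructed sample store: TFN -> record. The TFNs are fake values.
TAX_RECORDS = {
    "12345678": {"owner": "alice", "income": 52000},
    "12345679": {"owner": "bob", "income": 87000},
}


@dataclass
class Session:
    user: str   # identity established at login (assumed shape)
    tfn: str    # the TFN the server bound to that identity at login


class Forbidden(Exception):
    """Raised when a request reaches for data the session does not own."""


def lookup_vulnerable(query):
    """The flawed pattern: whatever TFN arrives in the query string is served.

    Kept here only to show what the hardened version changes."""
    return TAX_RECORDS.get(query["tfn"])


def lookup_hardened(session, query):
    """Serve the record tied to the session; a mismatching URL parameter is refused.

    The client-supplied TFN is compared against the server-side one instead of
    being trusted, so editing the number in the URL yields a 403, not a record."""
    requested = query.get("tfn", session.tfn)
    if requested != session.tfn:
        raise Forbidden(f"{session.user} may not read record {requested}")
    return TAX_RECORDS.get(session.tfn)


def safe_tab_path(base_dir, requested):
    """Resolve a user-supplied file name inside base_dir, rejecting traversal.

    realpath() collapses '..' segments and symlinks, and commonpath() then
    proves the result still lies under base_dir. An absolute 'requested'
    value is also rejected, because os.path.join discards base_dir for it."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise Forbidden(f"{requested!r} escapes {base_dir!r}")
    return candidate
```

The important design point is that `lookup_hardened` never uses the client's TFN to select anything; it only checks it against the value the server already knows. A session cookie that merely stores the TFN would reintroduce the same flaw, so the binding has to live server-side or in a signed token.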
Re: (Score:3, Funny)
then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't get harvest information that easily (not really, don't need treason charges :).
Naa, treason would only apply if you tried to overthrow -this- govt... as long as you start your country off their land, you're good to go!
PS, call me when the army of ninjas (marines) and pirates (navy) are in place, and hell, even I'd like to subscribe to your country (or newsletter)
Re: (Score:2)
Their solution was funny too.
1. You have to authenticate yourself to the site in an annoying and expensive way.
2. It's trivial to get someone else's data but the site logs all accesses.
3. They periodically check who has been a bad boy and send the police out to talk to them.
Of course, there's the slight problem that no matter how good the identification/authorization process is, someone will hack it, and that means that innocent people will get done for it.
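The "log all accesses and check later" scheme described above is a detection control rather than a preventive one, and the comment's closing worry (a compromised login makes an innocent account look guilty) is exactly its limit. The following is an added example written for this page, not code from the thread or from the ATO; the log format, the user names, the TFNs and the ownership table are all constructed.

```python
"""Added example (not from the thread): a review pass over constructed access
log lines, implementing the 'log everything, check who misbehaved' approach.
Each line records which authenticated account fetched which record."""
import re
from collections import defaultdict

# Constructed sample log with fake accounts and fake TFNs.
ACCESS_LOG = """\
2009-01-08T10:00:01 user=alice tfn=12345678 status=200
2009-01-08T10:00:02 user=alice tfn=12345678 status=200
2009-01-08T10:01:10 user=carol tfn=12345680 status=200
2009-01-08T10:01:11 user=carol tfn=12345681 status=200
2009-01-08T10:01:12 user=carol tfn=12345682 status=200
2009-01-08T10:01:13 user=carol tfn=12345683 status=200
2009-01-08T10:05:00 user=bob tfn=12345679 status=200
2009-01-08T10:06:00 user=bob tfn=12345678 status=200
"""

# Which record each account is entitled to read (constructed).
OWNERSHIP = {"alice": "12345678", "bob": "12345679", "carol": "12345680"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) tfn=(?P<tfn>\d+) status=(?P<status>\d+)$"
)


def parse_log(text):
    """Turn the constructed log text into a list of event dicts, skipping junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_foreign_reads(events, ownership):
    """Every access to a record the account does not own, even a single one.

    With the flaw described in the thread, one such line is already a breach."""
    return [
        (e["ts"], e["user"], e["tfn"])
        for e in events
        if ownership.get(e["user"]) != e["tfn"]
    ]


def find_enumeration(events, threshold=3):
    """Accounts that touched more than `threshold` distinct records.

    Incrementing the number in the URL shows up server-side as one account
    walking through many records in a short time."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["tfn"])
    return sorted(u for u, tfns in seen.items() if len(tfns) > threshold)


if __name__ == "__main__":
    evts = parse_log(ACCESS_LOG)
    for ts, user, tfn in find_foreign_reads(evts, OWNERSHIP):
        print(f"{ts} {user} read foreign record {tfn}")
    print("enumeration suspects:", find_enumeration(evts))
```

Both findings name an account, not a person, which is the gap the comment points out: a stolen or guessed credential produces the same log lines as a curious owner, so the review can start an inquiry but cannot by itself assign blame.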
Re:It's not the first time, it won't be the last. (Score:5, Insightful)
Oh my God. Are you saying that changing one digit in a completely accessible URL is enough to be accused of hacking?
Humanity is hopelessly lost when it comes to common sense.
Re: (Score:2)
Humanity is hopelessly lost when it comes to common sense.
"Common sense" must be the most wrongly named concept in history.
Ok, "democracy" is quite funny too.
Re: (Score:3, Insightful)
It /is/ hacking - and cracking. Just not the hard kind that requires significant knowledge or gains you the respect of your peers. :) Here in the US, that's "gaining access to data you aren't supposed to access". As an analogy, if you found that I left my car doors unlocked, and I found you sitting in my car, I'd probably proceed to issue you a beatdown whether you actually stole anything or not. I'd probably thank you if you just mentioned that you saw them to be unlocked. This is pretty much the same
Re: (Score:1, Informative)
My best friend works for the Federal Government (Social Security, not the IRS).
You wouldn't believe. Let me say ... well, you just wouldn't believe some of the things they do (and don't do) regarding computer security.
Most employees where this friend works basically sit and play solitaire, or chat on their cell phones while their monitors are filled with sensitive information about Joe Average's income sources. That's when they're actually working, of course. People from the mail room, the phone room and th
Re: (Score:1)
People should stop reacting to every situation by immediately blaming someone else, and take a little responsibility for their government.
We only have ourselves to blame if a democracy fails...
To answer my question (Score:5, Informative)
So it seems that the system allows for modification of taxpayer data. That's quite a bit different from just having it available.
Re:To answer my question (Score:5, Insightful)
Re: (Score:1)
So what if someone else knows how much you make?
There's more to a person's tax record than how much s/he makes. The tax man knows WAY more than most people would want to be common knowledge.
Re:What's the big secret? (Score:5, Interesting)
I hope you're being funny.
If others knew what I make, I would get a pay cut. My pay has been negotiated between myself and management. There would be a brouhaha if others in similar, but less accountable, roles thought I was "paid too much" or some such.*
My pay is not something I would want broadcast. Also, I would not want marketers to know my pay, nor family (aside from my spouse).
-nB
* I say this as someone who has worked their way up from the bottom, where I used to think I was mighty damn important; now I know my absolute value may be low but my relative value is higher. I don't expect others who are in the boat I was in to necessarily understand this, and would rather avoid the conflict.
Re: (Score:2)
If others knew what I make, I would get a pay cut. My pay has been negotiated between myself and management. There would be a brouhaha if others in similar, but less accountable, roles thought I was "paid too much" or some such.
Or, it would be incentive for everyone else to negotiate better.
It depends on whether the people around you are more interested in pulling you down, or lifting themselves up.
There is a reason it is just about standard corporate policy world-wide that employees are forbidden from sharing salary information amongst themselves, and it certainly isn't to protect those of us who have better negotiating skills.
Re: (Score:3, Insightful)
Care to post your tax return online and find out?
Re: (Score:2)
So what if someone else knows how much you make?
Well if they also know where you work and live, there's always a threat of being mugged, burglary, etc. Just a consideration.
Solution (Score:3, Insightful)
Suspend all income taxes for one year. Plenty of time to focus on the security holes and a temporary boost to the economy. Two problems easily solved.
Re: (Score:2, Insightful)
Suspend all income taxes for one year. Plenty of time to focus on the security holes and a temporary boost to the economy. Two problems easily solved.
Folks would still need to file a return to get whatever refunds of their payments, etc. that are due. It would surely boost the economy, but not help with the security issue.
Re: (Score:2)
Just think beyond your own pocket for 5 minutes.
Re: (Score:1)
First of all, I would not seriously suggest suspending income tax altogether.
That being said, how do you suppose the government has gotten into such a large debt in the first place? It is because when faced with deficit spending, they simply borrow more money from the "Federal Reserve" (which is neither federal nor a reserve - go figure!). We must even use the term "borrow" loosely as the Fed doesn't have more money just sitting around, rather they print it on demand with nothing of value to back it up sa
Re: (Score:2, Insightful)
The solution is easier than that. Scrap the IRS entirely and move to a national sales tax. The government will no longer have the need to possess the information in the first place. The citizens become MUCH more aware of how much tax they are really paying by being reminded of it each purchase. Businesses and individuals no longer have a complicated tax code to fumble through every year on April 15th. The nation saves $265 billion every year from the costs of doing taxes, not the taxes themselves, just the ac
Re: (Score:2, Informative)
It would probably hurt Conservatives, as it has in Canada and Australia.
When these countries eliminated business taxes and simply moved them to sales taxes, the cost of management increased. Instead of the easy double-checking verification of income taxes, businesses were more likely to hide their sales and evade taxation.
It's just harder to hide your income than sales.
You also had a significant rise in prices. Although the tax burden had not changed at all, businesses did not lower their prices when busi
Re: (Score:3, Insightful)
Aren't sales taxes inherently regressive? As in, they hurt those with lower income the most as it increases the proportion of their income spent on taxes compared to those with higher incomes.
Most states at this point do not tax "necessary for life" stuff, such as basic food and medicines, though I believe clothes, etc continue to be taxed. Does this proposal mean taxation across the board on all things, or only "nonessential" things, or what?
It doesn't seem just to tax sales on essential to life items, w
Re: (Score:1)
Well, sales tax on a single purchase taxes a larger percentage of a smaller income. But people with money buy a lot of extra crap. I have no idea where that leaves the balance though.
Re: (Score:2)
but people with money buy a lot of extra crap.
They do buy more extra crap, but the question is "Do they proportionally buy more extra crap compared to lower income people?" If not, then the tax burden shifts to lower income people.
http://www.fivethirtyeight.com/2008/12/on-importance-of-middle-class-lesson-of.html is slightly related to the topic, and the chart at the top kind of makes my point - people with all that extra income invest in certain areas that wouldn't be taxed if you relied entirely on a sales tax.
Government Solutions Office (Score:5, Interesting)
What we need is a counterpart to the GAO.
The GAO should be able to exact fines from any agency for waste, insecurity etc etc.
All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.
GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.
Just a thought.
Re: (Score:3, Insightful)
What we need is a counterpart to the GAO.
The GAO should be able to exact fines from any agency for waste, insecurity etc etc.
All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.
GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.
Just a thought.
It sounds like a good idea, except getting Congress to give the GAO the powers it would need to be able to
Re: (Score:1)
What we need is a counterpart to the GAO.
The GAO should be able to exact fines from any agency for waste, insecurity etc etc.
All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.
GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.
Just a thought.
There is. It's called Congress.
OT: Grammar Nazi (Score:1)
That is all.
I can't wait for someone to.... (Score:1)
I can't wait for someone to....hack into the system, and change the info to reflect that all rich people pay an extra 10% and all poor people pay 10% less, that would be a very nice hack!
What do you expect from the GAO? (Score:2)
It's like when the PWC douchebags come and "audit" you, by first being given root access on all your servers, then glibly pointing out that you're running sendmail or Tomcat of some microscopic version behind the current rev or that /etc/password is world-readable.
An inside view (Score:2)
I didn't want to comment until I read the report. Now I have.
The report cites some less-than-optimum security practices. To me, it sounds like lots of nitpicky stuff but I realize that a minor vulnerability can be a major problem if exploited by someone sharp and evil.
That said, doing evil via any of the avenues suggested by the report requires an insider to do bad things. So, if security is a process and has lots of layers, is it reasonable to be vulnerable in one area if that area is rendered unimporta