[ISN] Auditors Find IRS Workers Prone to Hackers

From: InfoSec News (isn@private)
Date: Thu Mar 17 2005 - 23:35:40 PST


AP Tax Writer
March 16, 2005

WASHINGTON, (AP) - More than one-third of Internal Revenue Service
employees and managers who were contacted by Treasury Department
inspectors posing as computer technicians provided their computer
login and changed their password, a government report said Wednesday.

The report by the Treasury Department's inspector general for tax
administration reveals a human flaw in the security system that
protects taxpayer data.

It also comes on the heels of accounts of thieves' breaking into
computer systems of private data suppliers ChoicePoint Inc. and

The auditors called 100 IRS employees and managers, portraying
themselves as personnel from the information technology help desk
trying to correct a network problem. They asked the employees to
provide their network logon name and temporarily change their password
to one they suggested.

"We were able to convince 35 managers and employees to provide us
their username and change their password," the report said.

That was a 50 percent improvement when compared with a similar test in
2001, when 71 employees cooperated and changed their passwords.

"With an employee's user account name and password, a hacker could
gain access to that employee's access privileges," the report said.

"Even more significant, a disgruntled employee could use the same
social engineering tactics and obtain another employee's username and
password," auditors said.

With some knowledge of IRS systems, such an employee could more easily
get access to taxpayer data or damage the agency's computer systems.

Employees gave several reasons for complying with the request, in
violation with IRS rules that prohibit employees from divulging their

Some said they were not aware of the hacking technique and did not
suspect foul play, or they wanted to be as helpful as possible to the
computer technicians. Some were having network problems at the time,
so the call seemed logical.

Other employees could not find the caller's name on a global IRS
employee directory but gave their information anyway. Some hesitated
but got approval from their managers to cooperate.

Within two days after the test, the IRS issued an e-mail alert about
the hacking technique and instructed employees to notify security
officials if they get such calls. The agency also included warnings
into its mandatory security training.


On the Net:
Treasury Inspector General for Tax Administration: www.treas.gov/tigta

Bellua Cyber Security Asia 2005 -

This archive was generated by hypermail 2.1.3 : Fri Mar 18 2005 - 02:17:42 PST