http://www.darkreading.com/document.asp?doc_id=166144

By Kelly Jackson Higgins
Senior Editor
Dark Reading
OCTOBER 16, 2008

The Internal Revenue Service left taxpayer data exposed by deploying two major computer systems despite knowing that they harbor security vulnerabilities, according to a report [1] released publicly today by the Treasury Inspector General for Tax Administration (TIGTA).

The inspector general's office says the IRS’s mainframe-based Customer Account Data Engine (CADE) for managing taxpayer accounts and its Account Management Services (AMS) for IRS access to taxpayer data contain flaws that the IRS identified but did not fix before rolling them out last year.

The billion-dollar, high-sensitivity CADE system is one of the key elements of the IRS’s computer modernization program, and processed about 20 percent of the 142 billion tax returns filed to the IRS, according to the Associated Press.

CADE contains vulnerabilities that could lead to potential administrative privilege abuse, malware attacks, and unauthorized access to the system and its data. Among the other flaws highlighted in the report are a lack of configuration management, storage and disaster recovery deficiencies, and no actual security guidelines or plans for connecting the system to other government agencies’ systems. The IRS also sends personally identifiable information from CADE within its data centers in clear text, and leaves its backup systems unencrypted.

AMS, meanwhile, includes taxpayer identification numbers in its application error log, and its operating system has only a 77.8 percent compliance rate with the required security settings, according to the report.

TIGTA is unaware of any taxpayer data actually getting compromised or falling into the wrong hands, but the data was exposed on these systems, according to the agency.

[1] http://www.treas.gov/tigta/auditreports/2008reports/200820163fr.pdf

[...]
Received on Thu Oct 16 2008 - 23:29:35 PDT