
goalieskates
Premium Member
join:2004-09-12
land of big

100% of Tested IRS Databases Are Vulnerable to Hackers

According to the Treasury Inspector General for Tax Administration
quote:
Some of the 2,200 databases that the IRS uses to manage and process taxpayer data are not configured securely, are running out-of-date software, and no longer receive security patches. Nor has the IRS fully implemented its plans to complete vulnerability scans of its databases -- although the IRS spent more than $1.1 million in software licenses and support costs for a database vulnerability scanning and compliance assessment tool, it did not fully implement it.

TIGTA used database vulnerability assessment software to conduct remote scans of the primary databases for 13 applications supporting critical tax administration business processes. Its review found high and medium risk vulnerabilities, as classified by the scanning tool in each of the 13 databases.


gorrillamcd
Hangin' Out
join:2010-04-01
mexico

Member

While I'm not surprised that they're so insecure, it's refreshing to now be hearing about another hack. Now as long as they act on the information they've received from the scan, we won't be needing to start the thread "IRS Tax databases hacked".

The original .pdf is actually a pretty good read for those of us that want to learn from the mistakes of the IRS in security. From page 2, it looks like the most glaring vulnerabilities dealt with user permissions not being separated enough (one user has more permissions than necessary), default user accounts still being activated (what?!), and passwords that didn't meet requirements.

And, this quote isn't too reassuring: "However, we reviewed the plans of actions and milestones documents from Fiscal Years 2007 and 2008 for those systems tested in the previous audit and could not determine if the weaknesses were entered, addressed, or closed. As a result, we have no assurance that the previous security weaknesses were corrected."
HarryH3
Premium Member
join:2005-02-21

1 recommendation

HarryH3 to goalieskates

This should come as no surprise to anyone. If there exists a government department anywhere that isn't grossly mismanaged, hobbled by senseless bureaucracy, and/or just horribly inept then it is one of the best kept secrets in the world.

coldmoon
Premium Member
join:2002-02-04
Fulton, NY

said by HarryH3:

This should come as no surprise to anyone. If there exists a government department anywhere that isn't grossly mismanaged, hobbled by senseless bureaucracy, and/or just horribly inept then it is one of the best kept secrets in the world.

Have you considered that austerity and general lack of funding might have something to do with this? It costs money to purchase upgraded computers and I am certain that got taken out of the equation for a great number of machines that someone has determined "don't need fixing"...

Just a thought you might consider before you say the US Government's IT structure and personnel are incompetent by default. Many are trying to do the best they can with what little resources the current and past political environments have provided for them to use...

JMHO

notaxupgrade
@telus.net

notaxupgrade to goalieskates

Anon

thank g.w. bush for cutting computer upgrade funding for 8 years. old people don't always see the need for new technology like a computer that is faster than 300MHz and a computer that doesn't need a tape drive to store data. the expense is badly needed for some old dinosaur equipment that needs serious attention. electronic security must be number one priority, instead of half the yearly budget going to land wars caused by the errors from some dead presidents 'fixing' of other countries heathen/communist/ungodly populations 40 years ago.

at least WikiLeaks can take a rest for a couple of months. the people are revolting against the secrecy of documents and blatant oppression that started after sept 11 2001.
how much data did china actually get, when they popped in to say hi to the feds' computers a while back? obviously not just the phone number and address to the best chinese food in america.
HarryH3
Premium Member
join:2005-02-21

HarryH3 to coldmoon

said by coldmoon:

said by HarryH3:

This should come as no surprise to anyone. If there exists a government department anywhere that isn't grossly mismanaged, hobbled by senseless bureaucracy, and/or just horribly inept then it is one of the best kept secrets in the world.

Have you considered that austerity and general lack of funding might have something to do with this? It costs money to purchase upgraded computers and I am certain that got taken out of the equation for a great number of machines that someone has determined "don't need fixing"...

Just a thought you might consider before you say the US Government's IT structure and personnel are incompetent by default. Many are trying to do the best they can with what little resources the current and past political environments have provided for them to use...

JMHO

Did you even READ what I wrote? I don't see anywhere that I picked on any IT guys. Read the news and you'll see stories every day about one agency or another that has failed miserably in its primary mission. It's a problem that has become endemic to government in general.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird to notaxupgrade

said by notaxupgrade:

thank g.w. bush for cutting computer upgrade funding for 8 years. old people don't always see the need for new technology like a computer that is faster than 300MHz and a computer that doesn't need a tape drive to store data. the expense is badly needed for some old dinosaur equipment that needs serious attention. electronic security must be number one priority, instead of half the yearly budget going to land wars caused by the errors from some dead presidents 'fixing' of other countries heathen/communist/ungodly populations 40 years ago. ...

G.W. may not have helped the situation - but neither did Bill nor George Sr. The IRS and its computers were an enormous mess long before George Jr. ever went to Washington. Anyone who recalls the horrific revelations regarding the IRS's computers and their maddening data flow back prior to Y2K will also recall that the IRS wasn't even able to inventory its computers before the dreaded date fell, let alone remediate all the potentially flaky code involved. The IRS is the hyper-bureaucratic arm of the world's largest bureaucracy... and significant change, upgrading, or improvement comes painfully slow (if at all) in such an environment - no matter who's pushing for it. It's now 2011 - yet the IRS is at least 2 years behind in just computer-matching W2 Social Security withholding data to the numbers taxpayers enter on their 1040's - right where they were 5 years ago! Contact a generic representative at a single IRS hot-line number and they can computer-access a number of specific pieces of data regarding your filed tax forms; call the same number again a week later as a follow-up, and the generic representative you reach that time will tell you their computer lacks the capability to access that same data. It's the epitome of computer chaos.

And please understand... I don't fault the poor folks working at the IRS. Most of us would never put up with the dreadful inertia and bureaucracy with which they have to contend on an hourly basis in trying to do their jobs... I certainly know I never would. What should be a fairly simple process - figuring and paying one's taxes - has been turned into the world's worst fur-ball of complexity and confusion. For that you can thank the politicians of both parties who for many, many years have crafted a gigantic mess of a tax code - such that most ordinary folks cannot even grasp what their taxes should be without the aid of computers or paid consultants. It boggles the mind to consider how much national productivity is now wrapped up in the computation, tracking, and auditing of Federal taxes. And all those computers, all those networks, all that data-handling represent potential weak-points for attack that could compromise personal data. That 100% of the tested IRS databases are vulnerable is no surprise at all... given what exists in the antiquated, hodge-podge, cobbled array of IRS computer systems coupled with a hopelessly arcane and complex tax code, the cause for surprise would be that any IRS database (or system) was invulnerable.

shortckt
Watchen Das Blinken Lights
Premium Member
join:2000-12-05
Tenant Hell

shortckt to notaxupgrade


said by notaxupgrade:

[....] old people don't always see the need for new technology like a computer that is faster than 300MHz and a computer that doesn't need a tape drive to store data.

It's the same all over gov't, except maybe at intelligence where they get the big bucks to buy all those high-tech goodies. Let's not forget that until recently some FAA air traffic control radar was operating on vacuum tube 1950's era equipment.
said by notaxupgrade:

how much data did china actually get, when they popped in to say hi to the feds' computers a while back? obviously not just the phone number and address to the best chinese food in america.

Yes, unfortunately they got that too....

goalieskates
Premium Member
join:2004-09-12
land of big

goalieskates to notaxupgrade

said by notaxupgrade:

old people don't always see the need for new technology like a computer that is faster than 300MHz and a computer that doesn't need a tape drive to store data.

You're blaming "old people"? Seriously?

The days of young people knowing more about computers than old people are long gone as the Boomers age, and an awful lot of young people can punch buttons and nothing more. Your political rant further demonstrates the problem with youth, because you lack context and a larger understanding of the problem.

Huge sums of money have been thrown at IT over the years - some of it wisely spent, too much of it not. Because the purchases, while substantial, weren't made with the total business purpose in mind, instead fixating on replacing "dinosaur equipment" and not procedures, just as you advocate. Technology offers new abilities, but there's always a yin/yang of upside and downside. It's human nature and even more so political nature to reach for the glittery upside without addressing the downsides of security and how you're going to make things work efficiently, and if anyone tries to they're accused of being "negative." New equipment isn't going to address that little problem, because it's a human problem.

coldmoon
Premium Member
join:2002-02-04
Fulton, NY

coldmoon to HarryH3

said by HarryH3:

said by coldmoon:

said by HarryH3:

This should come as no surprise to anyone. If there exists a government department anywhere that isn't grossly mismanaged, hobbled by senseless bureaucracy, and/or just horribly inept then it is one of the best kept secrets in the world.

Have you considered that austerity and general lack of funding might have something to do with this? It costs money to purchase upgraded computers and I am certain that got taken out of the equation for a great number of machines that someone has determined "don't need fixing"...

Just a thought you might consider before you say the US Government's IT structure and personnel are incompetent by default. Many are trying to do the best they can with what little resources the current and past political environments have provided for them to use...

JMHO

Did you even READ what I wrote? I don't see anywhere that I picked on any IT guys. Read the news and you'll see stories every day about one agency or another that has failed miserably in its primary mission. It's a problem that has become endemic to government in general.

My point was not about "picking" on Government IT types. It was in reaction to the usual Gov bashing where the entire Gov is labeled as incompetent when the issue is actually more complex with a great deal of political BS thrown in to muddy the situation even further.

You get what you pay for and not funding departments because it is politically inconvenient tends to get you what you deserve. If security and privacy are really the true priorities, then the logic dictates certain processes and expenses. If theater is the objective while pinching pennies, well you get what we have now. The choice is simple - cut out the politics and do what needs be done...

fatness
subtle

join:2000-11-17
fishing

fatness to gorrillamcd

said by gorrillamcd:

While I'm not surprised that they're so insecure, it's refreshing to now be hearing about another hack. Now as long as they act on the information they've received from the scan, we won't be needing to start the thread "IRS Tax databases hacked".

I agree completely.