Taxpayer Data At IRS Remains Vulnerable

CWmike writes "A new Government Accountability Office report (PDF) finds that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. The news comes less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial IRS systems. Two big standouts in the latest finding: The IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said."

It's not the first time, it won't be the last.

[GrpA]

That reminds me of what happened in Australia with the taxation department a few years ago.

The ATO put everyone's tax details online and used their Tax File Number ( everyone who pays tax has one ).

Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.

There were accusations of hacking and all, but it conveniently left out the discussion that it was a pretty obvious and blatant flaw.

The minister responsible was never held accountable. That's why these security breaches keep on happening over here.

I'm pretty sure that there's a similar situation in the US.

GrpA

Re:

[MichaelSmith]

Actually that was in 1999 or 2000, almost ten years ago.

Re:It's not the first time, it won't be the last.

[playerone]

The minister responsible was never held accountable. That's why these security breaches keep on happening over here.

GrpA

I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.

Such a rort.

All it would take is some simple bad behavior = punishment laws for politicians but oh hold on its those same politicians that vote on the laws so of course they won't do that.
Don't even get me started on being able to give yourself a payrise.

P1

Re:

[CDMA_Demo]

I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.

If you hit the bull's eye, the rest of the dominoes will fall like a house of cards, checkmate!

Re:

[solafide]

How many game metaphors can one cram into one post?

Re:

[SpaceLifeForm]

And it was just a demo.

Re:

[Klootzak]

I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.

That's a very Insightful comment...

Politicians tend to say "If you pay peanuts you'll get monkeys", yet most businesses appear to operate on exactly this ideology.

I don't know about you, but I've seen far more Monkeys working as politicians than as (relatively) low-seniority employees.

Re:

[jlarocco]

In a democracy, for a politician to lose his job requires the public to stop voting for the person.

If the politician does something stupid, but the public keeps voting for them, it's an indication that the public doesn't consider the stupid things to be a problem. It's clear that most people don't care about the privacy of their personal information, or they would have fired the guy by voting for somebody else.

That's why it's important to keep the government as small as possible. Something you consid

Re:

[Hordeking]

There's no boycotting the government.

Sure there is. It just involves suicide.

Re:

[TGoddard]

How was the Minister supposed to know that there were security issues? If they had ignored advice to spend money on security testing and auditing then they certainly would be responsible, but in general it is the responsibility of the IT contractors producing software to advise the client on what is required.

To be honest, there is a major problem with the understanding of security issues in the IT industry. Even a basic understanding of networking, a healthy dose of distrust and attention to the flow of inf

Re:

[mahadiga]

Democracy != Meritocracy

Re:

[CDMA_Demo]

In 2000: http://www.abc.net.au/7.30/stories/s146760.htm [abc.net.au]

Re:It's not the first time, it won't be the last.

[Anthony_Cargile]

Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.

Really? They should have fired the webmaster for both putting that sensitive of information in the URL query string (HTTP GET), and for not managing sessions in the authentication process. It amazes me the query string vulnerabilities these sites have these days - the other day I pulled the /etc/passwd file from a guitar tab website (don't judge me) because I noticed the path in the query string to the ascii tabs used in the shtml, which a little directory traversal and lack of permissions aided. A few nodes requesting /dev/urandom could have crashed the whole fucking server because of the stupid webmaster!

Yes, in 2000 we had no php or asp.net session management like we do today (where a 3 year old with the proper training could code a secure session), but we had perl, C, and even Java, so lack of a babying framework is no excuse for lack of security, especially something as obvious as that! Its just one of those raw nerves to me!

I'm pretty sure that there's a similar situation in the US.

Dear lord I hope not. If my information is still to this day in 2009 retrievable via changing a query string parameter (or cookie, or directory trversal, or even shell code via some obscure method) then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't get harvest information that easily (not really, don't need treason charges :).

But seriously, especially if working with secure information retrievable publicly, please secure your site and check for server vulnerabilities and all (php registered globals, etc.). Sorry for all of that but it just absolutely bugs me when a simple bad web app can bring down information, security, or even a whole server deployment. Thats all.
</rant></rave>

Re:

[dissy]

then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't get harvest information that easily (not really, don't need treason charges :).

Naa, treason would only apply if you tried to over throw -this- govt... as long as you start your country off their land, your good to go!

PS, call me when the army of ninjas (marines) and pirates (navy) are in place, and hell, even i'd like to subscribe to your country (or news letter)

Re:

[QuantumG]

Their solution was funny too.

1. You have to authenticate yourself to the site in an annoying and expensive way.
2. It's trivial to get someone else's data but the site logs all accesses.
3. They periodically check who has been a bad boy and send the police out to talk to them.

Of course, there's the slight problem that no matter how good the identification/authorization process is, someone will hack it, and that means that innocent people will get done for it.

Re:It's not the first time, it won't be the last.

[GFree678]

There were accusations of hacking and all, but it conveniently left out the discussion that it was a pretty obvious and blatant flaw.

Oh my God. Are you saying that changing one digit in a completely accessible URL is enough to be accused of hacking?

Humanity is hopelessly lost when it comes to common sense.

Re:

[Thanshin]

Humanity is hopelessly lost when it comes to common sense.

"Common sense" must the most wrongly named concept in history.

Ok, "democracy" is quite funny too.

Re:

[cloudmaster]

It /is/ hacking - and cracking. Just not the hard kind that requires significant knowledge or gains you the respect of your peers. :) Here in the US, that's "gaining access to data you aren't supposed to access". As an analogy, if you found that I left my car doors unlocked, and I found you sitting in my car, I'd probably proceed to issue you a beatdown whether you actually stole anything or not. I'd probably thank you if you just mentioned that you saw them to be unlocked. This is pretty much the same

Re:

[Anonymous Coward]

My best friend works for the Federal Government (Social Security, not the IRS).

You wouldn't believe. Let me say ... well, you just wouldn't believe some of the things they do (and don't do) regarding computer security.

Most employees where this friend works basically sit and play solitaire, or chat on their cell phones while their monitors are filled with sensitive information about Joe Average's income sources. That's when they're actually working, of course. People from the mail room, the phone room and th

Re:

[drpt]

Just one more reason not to file taxes

Re:

[DJRumpy]

It is the voters responsibility to hold the politician responsible. Something as simple as picking up the phone and calling your representative to complain can work wonders. They will often gauge their response on the direct input from those that they represent.

People should stop reacting to every situation by immediately blaming someone else, and take a little responsibility for their government.

We only have ourselves to blame if a democracy fails...

To answer my question

[BadAnalogyGuy]

According to the IG's report, systems administrators and other privileged users are able to access, modify and delete taxpayer data with impunity because of a lack of monitoring capabilities in the two systems.

So it seems that the system allows for modification of taxpayer data. That's quite a bit different from just having it available.

Re:To answer my question

[techno-vampire]

Not only that, it makes wholesale identity theft nice and easy.

Re:

[DaFallus]

Or erasing the tax records of scandal plagued politicians and their chronies...

Re:

[necro81]

Ah, but as the RIAA would have us believe, making [beckermanlegal.com] available [wikipedia.org] is indeed a crime.

Re:

[ITEric]

So what if someone else knows how much you make?

There's more to a person's tax record than how much s/he makes. The tax man knows WAY more than most people would want to be common knowledge.

Re:What's the big secret?

[networkBoy]

I hope you're being funny.
If others knew what I make, I would get a pay cut. My pay has been negotiated between myself and management. There would be a brouhaha if others in similar, but less accountable, roles thought I was "paid too much" or some such.*
My pay is not something I would want broadcast. Also, I would not want marketers to know my pay, nor family (aside from my spouse).
-nB

* I say this who has worked their way up from the bottom, where I used to think I was mighty damn important, now I know my absolute value may be low but my relative value is higher. I don't expect others who are in the boat I was in to necessarily understand this, and would rather avoid the conflict.

Re:

[techno-vampire]

I worked at one company where I'm sure I missed out on getting a transfer to a new department where I could have done a lot of good and learned new things because my new manager asked me how much I was getting. I could see from his expression that I'd lost out the moment he learned that I was making more than he was. Not only had I received a merit increase at one point, but our annual raises were a percentage, and even if my percentage was average, it still meant a bigger raise than the other techs got,

Re:

[Jherek Carnelian]

If others knew what I make, I would get a pay cut. My pay has been negotiated between myself and management. There would be a brouhaha if others in similar, but less accountable, roles thought I was "paid too much" or some such.

Or, it would be incentive for everyone else to negotiate better.
It depends on whether the people around you are more interested in pulling you down, or lifting themselves up.

There is a reason it is just about standard corporate policy world-wide that employees are forbidden from sharing salary information amongst themselves, and it certainly isn't to protect those of us who have better negotiating skills.

Re:

[Hatta]

Care to post your tax return online and find out?

Re:

[Anthony_Cargile]

So what if someone else knows how much you make?

Well if they also know where you work and live, there's always a threat of being mugged, burglary, etc. Just a consideration.

Solution

[truthsearch]

Suspend all income taxes for one year. Plenty of time to focus on the security holes and a temporary boost to the economy. Two problems easily solved.

Re:

[ITEric]

Suspend all income taxes for one year. Plenty of time to focus on the security holes and a temporary boost to the economy. Two problems easily solved.

Folks would still need to file a return to get whatever refunds of their payments, etc. that are due. It would surely boost the economy, but not help with the security issue.

Re:

[smoker2]

It amazes me that anybody with a clue thinks that suspending income tax will be a boost to the economy. How many people work for government depts. ? Are you going to let them go without pay completely ? Are the army just going to disband for the duration, and the various regulatory organisations stop inspecting food and drugs for poisons ? Are the armies of accountants going to just shut up shop because they have nothing to do ?

Just think beyond your own pocket for 5 minutes.

Re:

[ITEric]

First of all, I would not seriously suggest suspending income tax all together.

That being said, how do you suppose the government has gotten into such a large debt in the first place? It is because when faced with deficit spending, they simply borrow more money from the "Federal Reserve" (which is neither federal nor a reserve - go figure!). We must even use the term "borrow" loosely as the Fed doesn't have more money just sitting around, rather they print it on demand with nothing of value to back it up sa

Re:

[DustyShadow]

But I thought big government was the answer? How will we get that without taxes?

Re:

[need4mospd]

The solution is easier than that. Scrap the IRS entirely and move to a national sales tax. The government will no longer have the need to possess the information in the first place. The citizens become MUCH more aware of how much tax they are really paying by being reminded of it each purchase. Businesses and individuals no long have a complicated tax code to fumble through every year on April 15th. The nation saves $265 billion every year from the costs of doing taxes, not the taxes themselves, just the ac

Re:

[Anonymous Coward]

It would probably hurt Conservatives, as it has in Canada and Australia.

When these countries eliminated business taxes and simply moved them to sales taxes, the cost of management increased. Instead of the easy double-checking verification of income taxes, businesses were more likely to hide their sales and evade taxation.

It's just harder to hide your income than sales.

You also had a significant rise in prices. Although the tax burden had not changed at all, businesses did not lower their prices when busi

Re:

[charlener]

Aren't sales taxes inherently regressive? As in, they hurt those with lower income the most as it increases the proportion of their income spent on taxes compared to those with higher incomes.

Most states at this point do not tax "necessary for life" stuff, such as basic food and medicines, though I believe clothes, etc continue to be taxed. Does this proposal mean taxation across the board on all things, or only "nonessential" things, or what?

It doesn't seem just to tax sales on essential to life items, w

Re:

[azenpunk]

well sales tax on a single purchase taxes a larger percentage of a smaller income. but people with money buy alot of extra crap. i have no idea where that leaves the balance though.

Re:

[KovaaK]

but people with money buy alot of extra crap.

They do buy more extra crap, but the question is "Do they proportionally buy more extra crap compared to lower income people?" If not, then the tax burden shifts to lower income people.

http://www.fivethirtyeight.com/2008/12/on-importance-of-middle-class-lesson-of.html [fivethirtyeight.com] is slightly related to the topic, and the chart at the top kind of makes my point - people with all that extra income invest in certain areas that wouldn't be taxed if you relied entirely on a sales tax.

Government Solutions Office

[im_thatoneguy]

What we need is a counterpart to the GAO.

The GAO should be able to exact fines from any agency for waste, insecurity etc etc.

All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.

GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.

Just a thought.

Re:

[a_ghostwheel]

You should first look at that. [despair.com]

Re:

[BlueStrat]

What we need is a counterpart to the GAO.

The GAO should be able to exact fines from any agency for waste, insecurity etc etc.

All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.

GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.

Just a thought.

It sounds like a good idea, except getting Congress to give the GAO the powers it would need to be able to

Re:

[fgelias]

What we need is a counterpart to the GAO.

The GAO should be able to exact fines from any agency for waste, insecurity etc etc.

All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.

GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.

Just a thought.

There is. It's called Congress.

OT: Grammar Nazi

[noidentity]

Taxpayer Data At IRS Remain Vulnerable

That is all.

I can't wait for someone to....

[hesaigo999ca]

I can't wait for someone to....hack into the system, and change the info to reflect that all rich people pay extra 10% and all poor people pay a 10% less, that would be a very nice hack!

CTO?

[gEvil (beta)]

Remember a month or so ago when so many people here were saying what a stupid idea it was that Obama wanted to create a CTO position for the government? Isn't this exactly the sort of thing that someone in that position would be involved in sorting out?

What do you expect from the GAO?

[Gothmolly]

It's like when the PWC douchebags come and "audit" you, by first being given root access on all your servers, then glibly pointing out that you're running sendmail or Tomcat of some microscopic version behind the current rev or that /etc/password is world-readable.

An inside view

[BenEnglishAtHome]

I didn't want to comment until I read the report. Now I have.

The report cites some less-than-optimum security practices. To me, it sounds like lots of nitpicky stuff but I realize that a minor vulnerability can be a major problem if exploited by someone sharp and evil.

That said, doing evil via any of the avenues suggested by the report requires an insider to do bad things. So, if security is a process and has lots of layers, is it reasonable to be vulnerable in one area if that area is rendered unimporta