
IRS Security Faults Leave Taxpayer Data At Risk

Soulskill posted more than 3 years ago | from the your-tax-dollars-at-work dept.

Privacy 42

coondoggie writes "In this tax season, when billions of dollars and tons of personal information is relayed to and from the government, it's more than disconcerting to hear that the Internal Revenue Service is still struggling to keep private information secure. A report out Friday from watchdogs at the Government Accountability Office says about 69% of the tax agency's previously noted security flaws remain unfixed and continue to jeopardize the confidentiality, integrity, and availability of the IRS's systems (PDF). The problems put the IRS at increased risk of unauthorized disclosure, modification, or destruction of financial and taxpayer information, the GAO concluded."


These are basic best practices. (3, Informative)

DJRumpy (1345787) | more than 3 years ago | (#31549860)

Shameful that any company would fail at these basic tasks. It would take any competent admin very little time to compose policies that would effectively handle most of these. The others would require procedural changes, but why would they continue to let the issue go if they know it's an audit exposure? (no pun intended)

From TFA:

For example, the GAO stated that the IRS continues to:

        * use passwords that are not complex,
        * ineffectively remove application accounts in a timely manner for separated employees,
        * allow personnel excessive file and directory permissions,
        * allow the unencrypted transmission of user and administrator login information,
        * install security patches in an untimely manner

Re:These are basic best practices. (1)

Opportunist (166417) | more than 3 years ago | (#31549866)

These are not basic best practices, but basic rules of economy. If it is not punishable and if it is an expense, it will not happen. Simple as that.

Re:These are basic best practices. (1)

beakerMeep (716990) | more than 3 years ago | (#31549904)

I know those things are important, but from the article headline I half expected them to be publishing a giant red "Admin" button anyone could click to hack the IRS.

Re:These are basic best practices. (3, Interesting)

Vellmont (569020) | more than 3 years ago | (#31550192)


                * use passwords that are not complex,
                * ineffectively remove application accounts in a timely manner for separated employees,
                * allow personnel excessive file and directory permissions,
                * allow the unencrypted transmission of user and administrator login information,
                * install security patches in an untimely manner

I've seen most of those items every place I've worked. None of them are particularly "red alert" type problems on their own. For instance, are the passwords that aren't complex on publicly accessible systems? Someone logging into IRS.gov with "irs", "password" is a MAJOR MAJOR problem. Someone logging into a system only available in an IRS office with "s.johnson", "skipper2" is far less so.

The report is long and focuses on stuff auditors with no real IT experience sit around and worry about. I'm sure not going to read through the whole thing, but the parts I read are relatively yawn-worthy. An example would be how passwords were set to expire after 118 days on a certain system instead of 58 days. This despite the fact there's wide scale disagreement as to whether requiring people to change passwords has any real effect on security. Another example would be they didn't perfectly segregate important duties properly. (The example given was someone was both a database administrator and a system administrator).

The report is littered with statements like this:

For example, about 120 IRS employees had access to key documents, including cost data for input to its administrative accounting system and a critical process-control spreadsheet used in IRS's cost allocation process. However, fewer than 10 employees needed this access to perform their jobs...which could result in incorrect input and data processing... ultimately jeopardizing the information presented in IRS's annual financial statements.

(excuse me if this isn't something I'm going to write my congressman about)

If this is really the worst the GAO can come up with, I'd say we're all pretty safe. How many controls do you think your local H&R Block has?
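
The five GAO items quoted earlier in this thread (weak passwords, accounts of separated employees left enabled, excessive file permissions, unencrypted logins, late patches) and the "about 120 employees had access, fewer than 10 needed it" passage quoted just above are the kind of findings an administrator can check mechanically against HR and account data. The script below is an added example, not code from the GAO report, the IRS, or any poster in this thread. The employee roster, account records, spreadsheet ACL and dates are all constructed for the illustration; the 58-day maximum password age is the policy figure mentioned in the comment above, and the complexity rule (12 characters, three of four character classes) is an assumption, not the IRS's actual policy.

```python
from datetime import date, timedelta

# Constructed sample data for illustration only; none of it comes from the GAO report.
# HR roster: user -> separation date (None = still employed).
EMPLOYEES = {
    "s.johnson": None,
    "a.lee":     date(2010, 1, 15),
    "m.patel":   date(2010, 3, 10),
}

# Application account records as an auditor might export them.
ACCOUNTS = [
    {"user": "s.johnson", "enabled": True,  "pw_set": date(2009, 11, 1)},
    {"user": "a.lee",     "enabled": True,  "pw_set": date(2010, 2, 15)},
    {"user": "m.patel",   "enabled": False, "pw_set": date(2010, 2, 1)},
    {"user": "svc_batch", "enabled": True,  "pw_set": date(2008, 6, 1)},  # no HR record at all
]

# ACL on a sensitive spreadsheet versus the people whose job actually needs it.
COST_SHEET_ACL  = {"s.johnson", "a.lee", "m.patel", "j.doe", "k.wong"}
COST_SHEET_NEED = {"s.johnson", "k.wong"}

TODAY = date(2010, 3, 20)
MAX_PASSWORD_AGE_DAYS = 58   # policy maximum cited in the thread; assumed here


def stale_accounts(employees, accounts, today, grace_days=7):
    """Enabled accounts whose owner separated more than grace_days ago,
    plus enabled accounts with no HR record (orphaned or service accounts)."""
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["user"] not in employees:
            stale.append((acct["user"], "no HR record"))
            continue
        separated = employees[acct["user"]]
        if separated is not None and today - separated > timedelta(days=grace_days):
            stale.append((acct["user"], f"separated {(today - separated).days} days ago"))
    return stale


def expired_passwords(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Enabled accounts whose password is older than the policy maximum."""
    return [a["user"] for a in accounts
            if a["enabled"] and (today - a["pw_set"]).days > max_age_days]


def excess_access(acl, need):
    """Principals on an ACL who are not on the list of people who need the access."""
    return sorted(acl - need)


def password_is_complex(pw, min_len=12):
    """Assumed complexity rule: at least min_len chars and three of four character classes.
    In practice you would audit the policy setting or crack exported hashes, never
    handle plaintext passwords; this just makes the rule concrete."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return len(pw) >= min_len and classes >= 3


def audit(employees=EMPLOYEES, accounts=ACCOUNTS, acl=COST_SHEET_ACL,
          need=COST_SHEET_NEED, today=TODAY):
    """Run all three checks and return the findings as one dict."""
    return {
        "stale_accounts": stale_accounts(employees, accounts, today),
        "expired_passwords": expired_passwords(accounts, today),
        "excess_access": excess_access(acl, need),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

The same three functions work unchanged on a real export (an HR CSV, `net user` or LDAP output, and the ACL from `getfacl` or `icacls`), which is the point: the GAO items are not exotic, they are a standing report an admin can rerun every week.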

Re:These are basic best practices. (0)

Anonymous Coward | more than 4 years ago | (#31555940)

I know of DBA's and people on production support - where the security system is broken, it cannot and will not allow any extra permissions - so they have to be given bigger ones.

I've yet to see an auditor's report highlighting the inadequacy and feebleness of the security platforms. Oh, it's 'technical'.

Bottom line, security is less of a problem than corrupt data with relational integrity errors, and nobody stomping down. One is changed fraudulently, one is a processing or conversion error.
Know what - they are equally bad - but no-one has the IT people in their sights.

Re:These are basic best practices. (1)

noidentity (188756) | more than 3 years ago | (#31550282)

Shameful that any company would fail at these basic tasks. It would take any competent admin very little time to compose policies that would effectively handle most of these.

The IRS is not a company. It doesn't have to please customers. It doesn't have to make a profit via voluntary exchange. Why should it care about protecting its payers' data?

Re:These are basic best practices. (2, Insightful)

zippthorne (748122) | more than 3 years ago | (#31550532)

It doesn't have an inventory of products either, so there's no way to tell how much they're supposed to collect. If they don't keep things secure, you could have multiple people using a single person's set of credentials to do business, but only paying the "fair share" of a single one of those people. The IRS has an economic incentive to avoid that outcome at least.

IRS vs Private Industry (2, Insightful)

Anonymous Coward | more than 3 years ago | (#31549864)

The IRS is concerned about not disclosing private data.

Private industry (including those companies you have no choice in using) has been selling as much of your information as possible for years, while of course encountering security breaches of their own.

The bottom line is that private companies have already sold all of this data, so relax.

Re:IRS vs Private Industry (1)

repetty (260322) | more than 3 years ago | (#31550458)

> The IRS is concerned about not disclosing private data.

Why do you believe this to be true?

The IRS is totally unaccountable for data security.

They could dump a billion private records into the public space and there would be no recourse for us and no punishment for them. Tried to sue the IRS lately?

The IRS is, by definition, exempt from accountability.

I agree with the other stuff you write and I have a hunch that you simply left out the word "not" from the first sentence.

Different how? (2, Interesting)

jofny (540291) | more than 3 years ago | (#31549910)

I'm not a fan of the IRS, but let's be real: 1. There are almost no government agencies or civilian organizations that don't have fairly terrible security... 2. These checkbox requirements don't tell a story of the actual level of security. You'd have to take a look at the whole architecture to figure out whether, for example, those UNIX passwords actually were important or not.

Re:Different how? (1)

beakerMeep (716990) | more than 3 years ago | (#31550002)

I'm a fan of the IRS, I have a t-shirt, mug and one of those giant over-sized nerf hands with the pointed index finger.

Re:Different how? (1, Funny)

Anonymous Coward | more than 3 years ago | (#31550194)

How do you keep a grip on your scythe with one of those on?

Re:Different how? (1)

zippthorne (748122) | more than 3 years ago | (#31550560)

I don't think he's a fan of taxes either, what with paying a fortune in tolls to that ferryman twice a day.

Re:Different how? (1)

The Wild Norseman (1404891) | more than 3 years ago | (#31550248)

I'm a fan of the IRS, I have a t-shirt, mug and one of those giant over-sized nerf hands with the pointed index finger.

I'm not a fan of the IRS. I have a t-shirt, mug and one of those giant over-sized nerf hands with the pointed middle finger.

See?! (2, Funny)

oldhack (1037484) | more than 3 years ago | (#31549994)

That's why I don't pay tax.

Re:See?! (2, Insightful)

voisine (153062) | more than 3 years ago | (#31550280)

Are you an Indian software engineer by chance? Because then you don't have to fill out the census either.

"Representatives and direct Taxes shall be apportioned among the several States which may be included within this Union, according to their respective Numbers... and excluding Indians not taxed"

Re:See?! (1)

noidentity (188756) | more than 3 years ago | (#31550300)

That's why I don't pay tax. (posted by oldhack)

*cough*Post Anonymously checkbox*cough*

Re:See?! (1)

oldhack (1037484) | more than 3 years ago | (#31550348)

Yeah, thanks for sticking in that "posted by oldhack" bit, pal.

Not a good week for the IRS (-1)

will_die (586523) | more than 3 years ago | (#31549996)

First they get coverage because they send 2 agents after a person who did not pay 4 cents [myfoxnepa.com]. However, everyone will be glad to know these are the people that will be enforcing Obamacare [nationalreview.com].

Hey! We're the effin' IRS! (1)

HiggsBison (678319) | more than 3 years ago | (#31550096)

First they get coverage because they send 2 agents after a person who did not pay 4 cents.

I think someone at the IRS is under the impression that they're so badass they don't need security.

None will expect raw data, 'cause that's obscure (0)

Anonymous Coward | more than 3 years ago | (#31550342)

It's like encrypting your e-mail using spam as symbol markers. Who'd think just sending account information in plain sight wouldn't throw off salvagers? It's like disguising a whale-meat processing ship as a whale research vessel, and then creating your own opposition as a bunch of hippies to capture the hearts of the world so their court arguments would be all LSD-tainted of any legal merit but to push the primary goal for recognizing animals as persons and citizens.

Re:Not a good week for the IRS (0)

Anonymous Coward | more than 3 years ago | (#31550724)


First they get coverage because they send 2 agents after a person who did not pay 4 cents.

I'm sure glad that FOX news is reporting a "fair and balanced" story rather than just quoting the guy being audited. I mean, people accused of fraud would never outright lie or conveniently ignore facts!

(The IRS wouldn't comment citing "privacy" you say? I see. So I guess the alternative of not printing the story because it couldn't in any way be confirmed wasn't an option?)

This goes contrary to what I've heard. (2, Interesting)

Securityemo (1407943) | more than 3 years ago | (#31550050)

A long while back, someone came in on Slashdot and claimed to have consulted/worked with the IRS, and described a security culture and tolerance for hair-trigger detection measures that would make any security fascist drool. So these problems would most likely be on a purely bureaucratic level, then?

Re:This goes contrary to what I've heard. (1)

mh1997 (1065630) | more than 3 years ago | (#31550316)

A long while back, someone came in on Slashdot and claimed to have consulted/worked with the IRS, and described a security culture and tolerance for hair-trigger detection measures that would make any security fascist drool. So these problems would most likely be on a purely bureaucratic level, then?

So what you are saying is that some anonymous person posted on an internet forum claiming something that couldn't be verified (and then repeated by another anonymous person) and that this information could quite possibly be wrong? Well, I assure you that when I worked for NASA as an astronaut, nothing like that ever happened!

Good to know (3, Insightful)

g0bshiTe (596213) | more than 3 years ago | (#31550078)

It's good to know that those who deal with SOX compliance and don't come into compliance are slapped hard with penalties, yet the same rules don't apply to the branch of the FEDERAL GOVERNMENT that deals with more sensitive data than any SOX umbrella'd company.

Re:Good to know (4, Insightful)

Vellmont (569020) | more than 3 years ago | (#31550474)


It's good to know that those who deal with SOX compliance and don't come into compliance are slapped hard with penalties,

Anyone who's ever been audited knows that the audit is all about the auditor, not about the rules. In the case of SOX, it's the company being audited who hires the auditor. The company DOING the audit isn't even liable if the company being audited is fraudulent and the auditor doesn't catch it. This adds up to a huge conflict of interest along the lines of the bond rating companies. Who's going to hire an auditing firm that's a known bunch of sticklers?


the same rules don't apply to the branch of the FEDERAL GOVERNMENT that deals with more sensitive data than any SOX umbrella'd company.

Access to data is a very small part of what SOX is supposed to be about, and about zero reason why it was created in the first place. SOX was a reaction to the Enron scandal, where they essentially had extraordinarily deceptive accounting practices that claimed they were worth billions of dollars when in fact they weren't worth much of anything. They did other tricks like create dummy corporations that traded assets back and forth to inflate worth. Citigroup was recently reported as selling their crappy worthless mortgage bonds the day before the end of a quarter for cash in exchange for buying them back the next quarter (this was actually recently). THAT is the real scam, though obviously the SOX rules didn't do much of anything to stop anyone.

If you want to get all pedantic about "the rules", go ahead. I think you miss the larger picture though.

Re:Good to know (0)

Anonymous Coward | more than 3 years ago | (#31550504)

The report is there so IRS can *improve* their practices. That's the purpose of the report. Only idiots would start to flail that "IRS security faults leave taxpayer data at risk". Taxpayer data is ALWAYS at risk, mostly from private companies like LexisNexis accumulating so much information about individuals such that what IRS has is almost meaningless.

This report is a good step forward to improving security practices at IRS.

Great... (0)

Mantis8 (876944) | more than 3 years ago | (#31550120)

Let's just publish all the known weaknesses of the IRS computer network system & its mismanagement for the whole world to see so all the bad guys can get in & do more damage faster & easier.

Re:Great... (1)

NotBornYesterday (1093817) | more than 3 years ago | (#31550494)

<?php
// Initialise the variables the snippet compares and increments, so it actually runs.
$obscurity = "obscurity";
$security = "security";
$external_oversight = 0;

if ($obscurity == $security) {
    $publish_whistleblower = false;
    echo "We're good! They'll never figure it out!\n";
} else {
    $publish_whistleblower = true;
}

if ($publish_whistleblower == false) {
    $internal_correction = "never";
    $external_oversight = 0;
} else {
    echo "Holy shit, the emperor really isn't wearing any clothes!\n";
    $external_oversight++;
    $internal_correction = 1;
}

EVERY APRIL a T.E.A. Party member has a name... (0)

Anonymous Coward | more than 3 years ago | (#31550246)

This man's name is Joseph STACK.

His name is Joseph STACK.
His name is Joseph STACK.
His name is Joseph STACK.

They fscked me. (3, Insightful)

MikeFM (12491) | more than 3 years ago | (#31550368)

The only identity theft I've ever suffered is through the IRS. Supposedly four years ago someone else filed with my SSN. I haven't got my tax refund since. They won't talk to me about what is going on. I've done everything they've asked including filing a police report and verifying my identity with the social security office. If you call the customer support number they aren't able to help because my account is being handled by a secret agency within the IRS that not even they can talk to. They've twice sent me [different] dead phone numbers that are supposedly my point of contact for finding out what is going on. They've gone so far as to send me a bill and to threaten what will happen to me if they find out I'm doing something bad. Last year they finally sent me a letter confirming they recognize that I am me. They sent me a couple hundred dollar check (they owe me thousands) and said there might be more after further review. I've never heard from them again. This year my tax refund got flagged and lost in limbo again.

Don't file, all taxes go through a District Court. (0)

Anonymous Coward | more than 3 years ago | (#31550438)

A tax is a seizure on land or a wage garnishment, handled through the First Judiciary Act as a District Court of the United States. Think about it; when you file a legal form, you create a contract that binds you to admit you owe a tax. Move back to your venue with a miscellaneous case file to record your court of competent jurisdiction by an administrator/trustee deployed under UNITED STATES DISTRICT COURT. If I.R.S. is moving on behalf of a creditor then that DC will call that claim to be validated beginning with Title 26 Section 83(a).

All I ever throw in my Miscellaneous docket are Refusals for Cause. I don't need to commit taxable activity, so I refuse to do them because I want to continue in my unlimited liability, and sue anyone that converts my rights to a privilege from someone not interested since the onset.

Re:They fscked me. (2, Informative)

Vellmont (569020) | more than 3 years ago | (#31550548)


The only identity theft I've ever suffered is through the IRS. Supposedly four years ago someone else filed with my SSN.

It sounds to me like the identity theft itself wasn't through the IRS, but through some individual picking your SSN. It's not uncommon for an illegal alien to pick someone else's SSN when applying for a job. It happened to a friend of mine about 10 years ago, and he only found out about it when a landlord or employer did a background check on him and found a referenced employer that he never worked for. (I think it was some women's abuse shelter, and the employer or landlord only read the word abuse and thought he was an abuser himself.)

The problem you bring up I'm sure is entirely real, and it isn't addressed in any way by the GAO report. I'm FAR more concerned about this kind of thing than I am about the nonsense they bring up in the report.

Re:They fscked me. (1)

zippthorne (748122) | more than 3 years ago | (#31550620)

It's disturbing that the women's abuse center didn't itself do a background check...

Re:They fscked me. (1)

MikeFM (12491) | more than 3 years ago | (#31550756)

One of the customer support agents I recently talked to said they have a problem with typos being flagged as identity theft too and forever causing trouble afterwards.

Re:They fscked me. (1)

zippthorne (748122) | more than 3 years ago | (#31550606)

I'm pretty sure you can request another SSN or taxpayer ID in circumstances like that. Also, if I were in your position, I'd try to reduce my withholding so that I'd always owe a little at the end. That way they can't refuse to send a refund.

That doesn't help you get back what you're owed, but just staunching the bleed seems like it would be an improvement.

Re:They fscked me. (1)

MikeFM (12491) | more than 3 years ago | (#31550776)

They gave me a taxpayer ID but it didn't help. Then they told me not to use it and keep filing as normal. I've considered a new SSN but IMO my SSN is like my name and I shouldn't have to change it because the IRS is retarded.

I reduced my withholding. They sent me a bill and threatened me.

Re:They fscked me. (1)

zippthorne (748122) | more than 3 years ago | (#31552232)

Gah. I wish I had a good idea then. Not having shared your plight, I remain optimistic that there's gotta be a way to free yourself from the unyielding gears of bureaucracy somehow.

I mean, "Brazil" wasn't supposed to be a documentary.

--

way-side-comment: you're not really fscked. fscking is how one fixes corruption, and what happened to you is the opposite of fixing corruption.

How do you all not get this? (1)

Hurricane78 (562437) | more than 3 years ago | (#31551218)

It’s the law of reactive efficiency.
They will only change something, if they lost something before, that was big enough to seriously get them at risk of losing their job.
Otherwise, what would be the point? (From their p.o.v.)
Seriously.

I mean you got a job. And your job is to obey rules. So you switch to passive mode.
You get good money. So you get the most profit from it, if you do the least possible amount of work in return.

It’s how nature works, and there is nothing weird about it.

The problem is that:
1. They are not actively involved in their organization. (Including the risk.)
2. And they can't feel any danger. We only feel the danger. But we can't pass it on and threaten to punish them.

I bet you money that if you get them to fear for their jobs, or achieve to threaten those who already are responsible, they WILL change something. (Don’t forget to state exactly what you expect to get! ^^)

Mainframe? (0)

Miser (36591) | more than 3 years ago | (#31551274)

I would think that the IRS would use an IBM mainframe for such a massive data warehouse such as taxes. Why should there even be "security patches" in the report. You mean to tell me they are using WINDOWS?!?! GMAFB.

Just try to break into an IBM mainframe not connected to the Internet at all (or just accessible via IP on the IRS's network or VPN protected by SecurID) running CICS or CA/TOP SECRET or pick your favorite mainframe security system. I don't get it. The US can run $some_obscene_number into the red but not get real, decent security for the bloodsuckers^H^H^H^H^H^H IRS?

Miser

Transparency ??? (1)

FragHARD (640825) | more than 4 years ago | (#31554592)

Maybe this is part of 0bama's transparency of gov't(people) ??? I think it might be...

FairTax (1)

d_54321 (446966) | more than 4 years ago | (#31554994)

At times like this, I wish we'd use something else [fairtax.org]
