March 17, 2005

Computer [In]Security at the IRS.

Filed under: Uncategorized — Jim @ 8:20 pm points to an unsettling story entitled, “IRS Workers Prone to Hackers.”

More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians [trying to remedy a “network problem”] provided their computer login and changed their password [to the one suggested by the inspector].

Believe it or not, this was a fifty percent improvement from the results of a similar audit performed in 2001 when seventy-one percent of IRS employees gave up their login names and passwords.

It is safe to assume that none of these employees intended to do anything wrong, and, more to the point, they had no idea that they had done anything wrong. After all, in a large organization, where employees don’t normally have interactions with the organization’s network personnel, an employee receiving such a call could be caught off guard and, in an effort to be cooperative, provide the requested information.

What is needed is: (a) a better understanding on the part of managers and employees of the reality that there are people (indeed, some very bad people) who can and will use the same techniques to hack into critical information systems, and (b) the training of managers and employees to automatically respond properly to such inquiries. The rule should be simple to state, and there should be no exceptions. says it clearly:

Anyone who asks for any password is up to no good. Anyone who asks for your password over the phone is a liar. Anyone who needs to know your password already knows it, can reset it, or can bypass it entirely.

The simple rule is, “Just say no.”


  1. David Hannum (not P.T. Barnum) said it best: There’s a sucker born every minute.

    According to the intarwebnetAOL, and so it must be true.)

    Comment by Margi — March 18, 2005 @ 2:39 am

  2. It’s hard to believe that people would be that gullible nowadays.

    Comment by Moogie — March 18, 2005 @ 7:33 am

  3. Wait — “no” is my password.

    Comment by Jack Bog — March 18, 2005 @ 7:00 pm

  4. A Little Social Engineering

    Over at Parkway Rest Stop, Jim has the story about the ease with which IRS employees can be led to give out their computer information. More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury…

    Trackback by Technicalities — March 18, 2005 @ 10:47 pm

RSS feed for comments on this post.

Leave a comment

Powered by WordPress