It appears the Russians hacked us…again. In true Soviet fashion, their government of course denies any official involvement. The report from Congress last week is that cyberattackers acquired taxpayer information from approximately 100,000 Americans. This time it was courtesy of the IRS’ “Get Transcript” tool (Reisinger, 2015). Ignoring the fact that this revelation comes on the heels of other recent Russian intrusions against the White House and State Department, the most interesting part of this story isn’t the “who” but the “how.” Employing previously acquired PII such as names, addresses, and social security numbers, hackers used a weakly defended internet-based tool to make off with an estimated $50 million in tax refunds. That’s right; we did this to ourselves…again.
The IRS has an online database of American taxpayer information called “Get Transcript.” Hackers conducted targeted attacks against this system to the tune of 200,000 attempts in order to successfully acquire 100,000 fraudulent tax refunds. Although the IRS claims this was a sophisticated attack against its systems, there appear to be a number of amateurish steps that cyber professionals should have picked up on. According to Reisinger (2015), the 200,000 attempts were made from “questionable email domains with more than 100,000 of those attempts successfully clearing authentication hurdles.” This raises the question of how this attack succeeded. Apparently, every year the Treasury Inspector General for Tax Administration audits the IRS to assess its security systems. “As of March this year, a list of 44 upgrades suggested to the organization remained uncompleted—ten of which are now three years old. They included security patches to close loopholes that could be exploited” (Condliffe, 2015). Shortly after the disclosure, the current Treasury Inspector General, J. Russell George, told Congress that “it would have been much more difficult if they had implemented all of the recommendations we made.” Although insiders claim a lack of funds is to blame for the security lapses, testimony given before Congress seems to contradict this assertion.
Whatever the reason for the lapse, the ultimate moral of the story is that we are our own worst enemy when it comes to cybersecurity. FISMA has been a congressional requirement since 2002, and yet it is still not being implemented correctly in the federal government. It would seem that IT auditing and compliance-related careers should and will be the first line of defense against ourselves…and the Russians, of course.
References
Condliffe, J. (2015). IRS failed to update security systems making recent hack more likely. Gizmodo. Retrieved from http://gizmodo.com/irs-failed-to-update-security-systems-making-recent-hac-1708659493
Reisinger, D. (2015). Russian hackers behind $50 million IRS scheme, report says. CNET. Retrieved from http://www.cnet.com/news/russian-hackers-behind-50-million-irs-hack-report-says/