The US Internal Revenue Service is putting tax payers at risk by operating thousands of web servers that contain security vulnerabilities or have not received proper authorization, a new report has concluded. According to the Treasury Inspector for the Tax Administration - a Treasury Department watchdog - the IRS operates 2,093 …
Pay no attention to the anti-virus vendor behind the curtain... or: Vulnerability != Exploit
Why oh why oh why do I smell a computer security vendor rat in this story?
Guess what? Every web server visible on the Internet has at least one vulnerability or more. The trick is in mitigating them. Anyone serious about "Information Assurance" knows the difference between a vulnerability and an actual threat, and can prevent threats.
Hitting a vulnerability in an IRS server might let you put in an extra web page or two, but would it let you commit gainful fraud somehow? And how many of those "unauthorized servers" are even remotely connected to sensitive data?
"...hackers or employees could exploit the vulnerabilities." Show me the proof, and stop wasting my time with anecdotes. The IRS employ some of the most paranoid people in the United States, and so much as sneezing on an IRS employee is dangerous... :-)
All hail Gaia! er... AIAG!!
Another Incompetent Agent of Government.
Our tax dollars at work
Then again, they should lynch (or at least terminate them) those who put these things on the air. Double the punishment if they are windoze based.
THe first person they catch hacking
Will be publicly executed on the street. The body will be left there for the family to claim. The family will be billed for the cost of the execution and the cost of trial and investigation.
the absolute horse shit the federal government makes us go through, through little exercises like HIPPA compliance and SOX compliance, the bastards in the IRS should be keelhauled when their security audits show miserable failures.
There are very few entities within the US government that have virtually every VITAL bit of information about every citizen in the country, than the US.
The mere thought they have ‘thousands’ of unregistered servers just floating around in their networks leaves me nervously laughing in a mild state of shock and disbelief. It’s not the fact that there’s now a publically available report showing significant numbers, it’s the fact that it’s probably much worse than they think.
One client I’ve worked for, that does work for the government, is so paranoid that if there’s a single rogue access point found on the premises, a full scale forensic investigation is launched, all machines attached to the switch or within the maximum signal radius of the AP are quarantined until they are deemed secured. They take this stance with their workstations because they are that serious about their workstation security, so I positively shudder to think about the repercussions if one ‘rogue’ server that just happens to provide some support for business and doesn’t conform to a strict policy/configuration model. Not only would somebody’s ass be fired but after the smoke cleared I’d hazard to guess that all traces of they and their family would cease to be.
So I find it terrifying that the bloodsucking-bastard’s-from-hell IRS have a minor security problem and have such a difficult time controlling their networks.
Calm down, calm down!
If you read the title of the report - it's not so clear from the Reg article :( - the investigation was into *internal* (intranet) web servers, they're not connected to the Internet. This includes many desktops with port 80 active in error. So, weak security (lack of configuration control) - certainly; bad practice (policies and procedures not being followed) - definitely; open season for hackers - err, probably not.
Move along folks, nothing to see here ..
So its okay to have a bunch of gaping security holes in such an important network, because they might not be exploited?
We aren't talking about a few web pages here. This is their internal network, the one that work actually gets done on. The fact that it is in such a terrible state speaks of a fundamental sloppiness in systems administration and IT management that simply should not be there in any organisation, let alone an arm of government.
So someone wants to sell them stuff? Big deal. Clearly someone needs to clean up there, and they evidently can't do it themselves.
Most printers these days have built in Web-sever admins. I know the two in my department have them, and they are vanilla HP and Xerox printers.
I'll lay odds there are many, many printers in the IRS.