






From: InfoSec News <alerts_at_private>
Date: Fri, 17 Oct 2008 01:29:35 -0500 (CDT)






http://www.darkreading.com/document.asp?doc_id=166144



By Kelly Jackson Higgins
Senior Editor
Dark Reading
OCTOBER 16, 2008



The Internal Revenue Service left taxpayer data exposed by deploying two
major computer systems despite knowing that they harbor security
vulnerabilities, according to a report [1] released publicly today by
the Treasury Inspector General for Tax Administration (TIGTA).



The inspector general's office says the IRS’s mainframe-based Customer
Account Data Engine (CADE) for managing taxpayer accounts and its
Account Management Services (AMS) for IRS access to taxpayer data
contain flaws that the IRS identified but did not fix before
rolling them out last year. The billion-dollar, high-sensitivity CADE
system is one of the key elements of the IRS’s computer modernization
program, and processed about 20 percent of the 142 billion tax returns
filed to the IRS, according to the Associated Press.



CADE contains vulnerabilities that could lead to potential
administrative privilege abuse, malware attacks, and unauthorized access
to the system and its data. Among the other flaws highlighted in the
report is a lack of configuration management, storage, and disaster
recovery deficiencies, and no actual security guidelines or plans for
connecting the system to other government agencies’ systems. The IRS
also sends personally identifiable information from CADE within its data
centers in clear text, and leaves its backup systems unencrypted.



AMS, meanwhile, includes taxpayer identification numbers in its
application error log, and its operating system has only a 77.8 percent
compliance rate with the required security settings, according to the
report.



TIGTA is unaware of any taxpayer data actually getting compromised or
falling into the wrong hands, but the data was exposed on these systems,
according to the agency.



[1] http://www.treas.gov/tigta/auditreports/2008reports/200820163fr.pdf



[...]








Received on Thu Oct 16 2008 - 23:29:35 PDT




