March 18, 2005
More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians [trying to remedy a “network problem”] provided their computer login and changed their password [to the one suggested by the inspector].
Believe it or not, this was a fifty percent improvement over the results of a similar audit performed in 2001, when seventy-one percent of IRS employees gave up their login names and passwords.
In computer security this is called "Social Engineering". It's one of the easiest, most low-tech ways to get into many if not most computer systems. It is also one of the hardest problems to solve in any company - much less the government.
Most people think of computer hackers as really shy, inarticulate, backward, pimple-faced kids who would stumble over an imaginary bump in the sidewalk. They might be really smart... the thinking goes... but they couldn't possibly be glib enough to actually talk me out of access to the computer system. And you would be soooo wrong about that.
One of the premier computer hackers, Kevin Mitnick, used Social Engineering extensively in his quest to break into computers. All he needed to get was a login and password... from there he could exploit weaknesses in the system that didn't require a ton of effort.
Social Engineering exploits human nature in a big way. People want to be helpful, they don't want to be seen as obstructive, and they are often quite intimidated by computers. So, a guy calls in to a big company, gets hold of a secretary and says "I'm so-and-so, one of the VPs, and I've got this hugely important meeting in 15 minutes and I can't seem to log in to my system to get my email - can you help me? Can you get me a new password?" Or a guy calls workers at a large operation and tells them there is system trouble. They need to change their login and password right now... How many people are going to question these things? Few, if any, of them understand that a sys admin doesn't NEED their login to fix ANYTHING. Fewer still want to get on the bad side of one of the big brass of their company.
Computer security people are told they need to do training to help these people understand the things they shouldn't do... then one of the big brass will actually DO something to undermine this - and you're back to square one. Also, computer security experts are rarely seen in companies - it's generally the sys admin who is thrown this job on top of the 5 million other things that must be done to keep the systems up and going. And now your admin has a choice... work on getting the email up and going again or having a training class for people who are going to sit and twiddle their thumbs. (oh yes they will - how many people have rolled their eyes at the "stupid" training class for some "idiotic" new security thing for the d*&^ computers??? How many have simply day dreamed through such a class thinking it's the dumbest thing - when they've got so much work to do?...)
For the most part, it's nearly impossible to make employees and employers understand that there are people who will use them to break into a system. The biggest roadblock to any type of security is the belief that it will never happen to you. The fact that in an organization the size of the IRS, they've been able to get past only one third of the employees... that's actually amazingly good.
Yes, we see a news story like this and think "how can this possibly be? how come they allow this to happen?". Well, now you know... and it's not as crazy as it sounds. Like the case of Brian Nichols, the court house shooter, no one thinks it can happen to them. And they are wrong.
March 10, 2005
Unfortunately, the people who run Apply Yourself had a bug in their web services that allowed a user to make some changes to the URL, giving the user access to pages that were not supposed to be available for public viewing. In this case, it was the acceptance letter that was found by prying eyes. I'm not going to go through the hack itself - if you follow any of the links, there are explanations on other sites.
I wasn't even going to blog about it, but then I ran across a post by Orin Kerr today.
If this explanation is accurate — and several correspondents have suggested to me that it probably is — it means that the applicants didn't actually do anything that could reasonably be described as "hacking in" to a computer. As I understand it, the ApplyYourself computer had effectively posted everyone's admission decision on the web, just without broadcasting the URL. The applicants then followed the advice posted on the BusinessWeek discussion forum on how to find the public webpage that listed (or would eventually list) their admission decision. No one hacked into anything. The applicants just visited a public website.
Now, legally speaking, Orin is probably correct. In other words, the letters were part of the web site, even though the links had not been posted yet. And it's very likely that there was no disclaimer on the page telling anyone "if you are here, this is a private page... go away". So, in taking the case to court - it's very likely that the students would win this one.
OTOH - computer-security-wise - yes, it is definitely a hack. If you look into computer security at all for web sites (which Apply Yourself apparently did NOT do), the old "change the URL" trick has been around for a very long time. It's been used for everything from finding private web pages to changing the price of an item that has been ordered online. This is such an old trick that they should be dreadfully ashamed for letting it get past them.
It could be that they thought "security through obscurity" was good enough. That no one would actually try to find the other web pages. Or it could be that they just didn't know about this type of hack because no one there knows too much about security... it's hard to say. But if I were one of the students who had applied through this database, I'd be sweating bullets about now wondering what other holes there might be and who else might have gotten my information.
Apply Yourself has assured everyone that this trick only works for the person who is logged into that particular account - in other words, you can't look at other acceptance letters. But, that doesn't mean there aren't other holes in the security - even holes you could drive a truck through. If they missed something as simple as a URL hack, there's no telling what else they missed. But you can be very very sure that hackers around the world are trying to find out as I type this... and they won't care whether or not they are accepted to the Harvard School of Business, so they won't cover their eyes.
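To make the "change the URL" hole concrete, here is an added example (not code from the original post, and not Apply Yourself's actual application) of a tiny acceptance-letter handler in two forms: the vulnerable one trusts the id in the URL and serves whatever record exists, so a logged-in applicant can read an unreleased letter, or someone else's, just by editing the query string; the hardened one treats the id only as a lookup key and enforces ownership and release state from server-side records. All applicant names, ids, letter text and URLs are constructed for the demo, and the fact that a page is "not linked yet" plays no part in either handler, because an unlinked page is still reachable by anyone who guesses its URL.

```python
"""Added example: forced-browsing / URL-tampering hole and its fix.
Not from the original post or from Apply Yourself; all data is constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Constructed sample records keyed by letter id. "released" models whether
# the school has actually published the decision yet.
LETTERS = {
    101: {"owner": "alice", "released": False,
          "text": "Congratulations, Alice: you have been admitted."},
    102: {"owner": "bob", "released": True,
          "text": "Bob: we regret to inform you..."},
}


@dataclass
class Request:
    user: str   # authenticated session user, already verified upstream (assumed)
    url: str    # the full URL as typed, or edited, by the client


def _letter_id_from_url(url: str):
    """Pull the ?id= parameter out of the URL; None if absent or not an integer."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs["id"][0])
    except (KeyError, ValueError):
        return None


def vulnerable_letter_handler(req: Request) -> str:
    """Before: being logged in is the only check. Whatever id the client puts
    in the URL is fetched and returned, released or not, theirs or not."""
    letter_id = _letter_id_from_url(req.url)
    record = LETTERS.get(letter_id)
    if record is None:
        return "404 not found"
    return record["text"]


def hardened_letter_handler(req: Request) -> str:
    """After: the id is only a lookup key. Ownership and release state come
    from the server-side record, never from anything the client sent."""
    letter_id = _letter_id_from_url(req.url)
    if letter_id is None:
        return "400 bad request"
    record = LETTERS.get(letter_id)
    # Same answer for "no such letter" and "not your letter", so a client
    # cannot learn which ids exist by walking the id space.
    if record is None or record["owner"] != req.user:
        return "404 not found"
    if not record["released"]:
        return "403 decision not yet released"
    return record["text"]


if __name__ == "__main__":
    alice_probe = Request("alice", "https://example.invalid/letter?id=102")
    print("vulnerable:", vulnerable_letter_handler(alice_probe))  # Bob's letter leaks
    print("hardened:  ", hardened_letter_handler(alice_probe))    # 404 not found
```

The two handlers differ only in the checks made after the lookup, which is the whole point: a "private page, go away" notice or an unpublished link changes nothing, while a server-side ownership and release check closes both the early-look and the cross-applicant variants of the trick.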