How IRS Security Flaws Expose Taxpayer Information

By Partho, Gaea News Network
Monday, March 22, 2010

Billions of dollars and vast amounts of personal information are at stake in the current tax season managed by the Internal Revenue Service (IRS). The IRS depends extensively on computerized systems to support its financial and mission-related operations. A recent report by the Government Accountability Office (GAO) finds, disconcertingly, that the IRS fails to secure private information. According to the GAO, 69% of the tax agency's previously identified security flaws remain unaddressed and continue to put the confidentiality, integrity and availability of IRS systems at risk. The GAO warned that these problems place the IRS at increased risk of unauthorized disclosure, modification or destruction of financial and taxpayer information.

The GAO painted a picture of the security loopholes. According to the report, the IRS:

  • uses passwords that are not complex
  • fails to remove application accounts of separated employees in a timely manner
  • allows the unencrypted transmission of user and administrator login information
  • grants personnel excessive file and directory permissions
  • installs security patches in an untimely manner

The GAO accuses the IRS of not enforcing strong identification and authentication. For instance, administrator passwords on two servers at one IRS center were not set to comply with the IRS password age policy. In both cases the administrator password age was set to 118 days, exceeding the IRS requirement by 58 days.

This increases the risk that an administrator password is compromised and then used by unauthorized users, for a longer period of time, to gain unauthorized access to server resources.

On two UNIX systems at two centers, IRS employees continue to use weak passwords, and at another center clear-text passwords are stored in computer program scripts. Moreover, passwords remain unprotected during transmission: the IRS implemented weak authentication protocols for network logons. Ten servers, including domain controllers, were configured to accept an authentication protocol that is vulnerable to widely published attacks for obtaining user passwords. This clearly increases the risk of attackers cracking user passwords and using them to gain unauthorized access to IRS systems.

The IRS was also found not to be using encryption for routing table messages on six routers at two of the centers. Without encryption of routing table messages, an unauthorized router could be added to the network, purposely or accidentally, either corrupting routing tables or launching a denial of service attack.
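The findings listed above (password age, clear-text logins, unauthenticated routing updates, late patching) are the kind of thing a defender can check automatically from an inventory export. The following script is an added example written for this article, not code from the GAO report or the IRS; the host records are constructed, and the 60-day maximum password age is an assumption inferred from the 118-day password exceeding the requirement by 58 days.

```python
"""Configuration-audit checks mirroring the control weaknesses GAO reported.

Constructed host records stand in for an inventory export; nothing here is
IRS data. The 60-day maximum password age is an assumption inferred from the
article (a 118-day password age exceeded the requirement by 58 days).
"""
from dataclasses import dataclass, field

MAX_PASSWORD_AGE_DAYS = 60  # assumed policy value, see module docstring
CLEARTEXT_LOGIN_PROTOCOLS = {"telnet", "ftp", "http"}  # credentials sent in clear


@dataclass
class Host:
    name: str
    admin_password_age_days: int
    login_protocols: set = field(default_factory=set)
    routing_auth_enabled: bool = True   # routers only; True also means "not a router"
    missing_patch_age_days: int = 0     # age of the oldest unapplied security patch


def password_age_excess(age_days: int, max_age: int = MAX_PASSWORD_AGE_DAYS) -> int:
    """Days by which a password age exceeds policy (0 when compliant)."""
    return max(0, age_days - max_age)


def audit_host(host: Host, patch_sla_days: int = 30) -> list:
    """Return human-readable findings for one host, in a fixed order."""
    findings = []
    excess = password_age_excess(host.admin_password_age_days)
    if excess:
        findings.append(f"{host.name}: admin password age exceeds policy by {excess} days")
    weak = sorted(host.login_protocols & CLEARTEXT_LOGIN_PROTOCOLS)
    if weak:
        findings.append(f"{host.name}: login credentials sent in clear text over {', '.join(weak)}")
    if not host.routing_auth_enabled:
        findings.append(f"{host.name}: routing updates accepted without authentication")
    if host.missing_patch_age_days > patch_sla_days:
        findings.append(f"{host.name}: security patch outstanding for {host.missing_patch_age_days} days")
    return findings


def audit(hosts) -> list:
    """Flatten per-host findings into one report."""
    return [f for h in hosts for f in audit_host(h)]


# Constructed sample inventory (not real systems).
SAMPLE_HOSTS = [
    Host("srv-a", admin_password_age_days=118, login_protocols={"ssh"}),
    Host("srv-b", admin_password_age_days=30, login_protocols={"telnet", "ssh"}),
    Host("rtr-1", admin_password_age_days=10, routing_auth_enabled=False),
    Host("srv-c", admin_password_age_days=45, missing_patch_age_days=90),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_HOSTS):
        print(line)
```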

However, the report also included some face-savers for the IRS, noting that:

the IRS has corrected 28 security control weaknesses previously identified by the GAO and continues to work on other information security weaknesses at its three computing centers.
