How safe it the Revenue IT system from attack by hackers?

Our IT consultant was at an internet security conference in Dublin hosted by microsoft. They had a guy there from MS who had been a hacker and now works for MS (probably a condition of parole!) ... anyhow to cut a long story short, he asked someone to volenteer a URL for example purposes. A lady from the revenue commissioners stood up and told the room about how much money the revenue has spent on upgrading and securing their site. It took the demonstator 4 minutes to get in.

Can you feel confident filing your tax returns on line?
If you were the subject of a DIRT or similar inquiry, would it not pay you to employ this man to delete you from the revenue database?

Just pondering

Henny Penny said:

It took the demonstator 4 minutes to get in.

Click to expand...

What do you mean by "get in"? Precisely what information was he able to access, in particular information that was not already publicly available?

Henny Penny

I have to agree with the other posters that this story does not sound credible.

If it were true I am sure it would be in most newspapers at this stage. Also, if true then the site would have been hacked numerous times (if one guy can get in that easily then so can others).

Most reputable IT companies do not hire ex-hackers. It is the same principle as hiring someone convicted of fraud to look after your accounts. Especially a company like Microsoft who have taking a hammering in media regarding security.

Finally what the alleged hacker, a Microsoft emplyee, has done at a public conference is break the law, most likely Section 5 of The Criminal Damages Act 1991 "Unauthorised Accessing of data".

I would ask your IT Consultant to back the story up with specifics and accurate data. Your consultant wasn't trying to sell you a security solution?<g>

C

I would ask your IT Consultant to back his story up with facts and accurate data.

C

On the subject of Microsoft, I do have to laugh at that ad on the radio at the moment. Something along the lines of:

Man #1: See the great offer that Microsoft are doing at the moment? Save €€€€€s on upgrades to their latest software packages. Maybe we should avail of this?

Man #2: Naw. Sure our existing setup is fine isn't it?

Man #1: You mean that virus in your inbox is fine? That buggy software that keeps crashing is fine? That site that keeps getting hacked is fine? ...

Click to expand...

So - the message seems to be that they sold us a load of buggy crap before but the latest version will solve all of our problems if we just pay up? Hilarious stuff! This sort of patronisation (not to mention the steep prices and tortuously arcane licensing policies) is one of the reasons that I have moved to free, Open Source and cheaper/better commercial alternatives to Microsoft packages whenever and as far as possible.

Originally posted by Ubiquitous - reposted to get the order of posts correct:


This story sounds like a load of cobblers.

The idea of a Revenue representative (or an official of any large organisation) announcing themselves as such at a public conference and inviting a total stranger to hack the Revenue site in public! is, frankly, laughable.

Thanks for the replies ... I do believe this actually happened. The hacker doing the demonstatation could update the online screens etc. until stopped by the revenue rep.

The danger was that no matter how safe the site was, if the host server was not secure all the software in the world could not secure the site. It got me thinking, when a lot of sites are being hosted from India or China or wherever, in mass server sheds, how much monitoring of security goes on?

Sorry - I refuse to believe that this happened until somebody can provide supporting/authoritative evidence. What do you mean that the hacker (I presume you actually mean (ex?) cracker) "could update the online screens etc."? What "online screens"? Also I don't understand what the geographic location per se of an ISP's infrastructure has to do with security. You seem to imply that Chinese and Indian ISPs or network infrastructure providers in particular might be lax in terms of security, or more so than more geographically proximate providers. Why is this? Do you mean physical or electronic security, or both?

A teacher in an IT class I attended a couple of years ago told us that companies were employing (ex) hackers to test the security systems. Not crackers whose intent is malicious. Hackers, we were told, use their skills for the intellectual challenge. Don't know if this is true but it makes sense to me.

Hi Clubman
Glad to see you have taken an interest in this topic.

The weakest link in internet security seems to be in the hosting ... if a hacker can acertain an IP address for a particular site, he/she can run a simple program to ascertain the relevant passwords to access supposedly secure areas of the site. Mr HP demonstrated this to me at the weekend by accessing his work server from home using the IP address and this server. He got access to all passwords and user ids on the network, including ones which had been removed from the system.

While networking is very convenient I would question the security implications of having sensitive data (even password protected data) on a network.

Mr HP is attending a seminar on the subject on Wednesday ... I will post more details on the subject later in the week.

HP

I can tell you from experience there is no such thing as a secure server.
I work in the business and do a little poking and prodding of networks for fun in my own time.
To tell you the truth networks are more open now than they ever were.

Henny Penny

I work in the area of IT security, and while I may be sticking my neck out here for it to be chopped off, I have to strongly agree with Clubman on this. I do find the story hard to believe.

Simply knowing the IP address of a server does not imply it is insecure. It is quite simple to get the IP address of any website, it is no secret. Your IP address is simply the equivalent in the IT world to your phone number in the real world.

If your network, web server or host, is not secured or managed properly then it is possible to break into it. However, if it is protected by proper protection devices such as Firewalls, Intrusion Detection Systems and it is properly patched and managed, then it will be much more difficult to attack. Similarly if your house has proper locks on the the doors and windows, a burglar alarm that alerts you when it goes off, etc. then it is going to be difficult to break into. While there is no such thing as 100% security, by making your systems/house more difficult to get into than your neighbours you increase the chance of the bad guys moving onto an easier target.

Regarding the passwords on Mr HPs network, especially those of ones that had been removed from the system. This points to me that Mr HP's network is not managed properly and that their administrator needs to go on a security training course. If Mr HP can get that information then he is not the only one and his company's information is under threat. Indeed they company may be in breach of various regulatory and legal obligations, and they should remedy the situation ASAP.

No matter where your server is hosted you should make sure that you are satisified with their ability to secure your server. The above companies, be that in China, India, Ireland or the US would not be in business long if their customer's websites are easily attacked.

Finally just to reiterate what another poster said, a cracker in IT security parlance is the bad guy while a hacker is a good guy and someone who uses their skills and knowledge for the better. However the media have used the word hacker to such an extend now that it is associated solely with the world of breaking into systems.

Regards

C

Whats the difference between a Hacker and a Cracker ? , both enter and break into systems or networks which is illegal.
The Cracker does more damage, but to break into a system or euphamise with the word "house" is the same thing as "breaking and entering". Just because it is data we are talking about viewing is as bad as retrieving the informtation, so i think it is a fine hair we are splitting.

In relation to the seminar I would feel that the Revenue official would be obliged to inform her employer and the police if such a task had happened, along with the accompliuces involved they would all be in the SH*t House .

it is not splitting hairs - a hacker would be employed by a firm to attempt to hack into their OWN systems. There is a big difference between trying to break into your own home to test its security as opposed to trying to break into other peoples' homes.

I don't believe this story for a second - hacking into a third party's computer systems is a criminal offence and I seriously doubt it was possible and that some guy was stupid enough to risk prosecution by a public stunt like this.

Yeah...sorry...with all due respect to henny penny I think the original story is completely untrue. Somewhere along the line someone has told porkies. With the correct security in place it is not as easy as everyone thinks to hack.

In computing circles;
Hacker is someone who has the skills to look into how applications, operating systems and hardware works. Not necessarily to break them but to figure out the ins and outs of the system. Invariably these people find bugs and issues, some of which are security related others that are not.

A cracker is someone who seeks to find a flaw in a system with the deliberate intention to undermine the security of that system and gain access to information, resources and/or data they are not entitled to have.

As mentioned before, the popular press has given the monicor Hacker to both type of activities. So now you also have
White Hat hackers - the "good" guys as per first definition
Black Hat Hackers - the "bad" guys who are the ones we read about breaking into systems
Grey Hat Hackers - Kinda fall in between both stools.

And on top of that we also have to worry about other sources of security breaches. Most security breaches come internally within most companies.

C

Henny Penny said:

Thanks for the replies ... I do believe this actually happened. The hacker doing the demonstatation could update the online screens etc. until stopped by the revenue rep.

Click to expand...

What was the date & location of the demonstration?

Hi
I'm sorry I even started this thread now ... the demonstration was apparantely held last Wednesday 3 in Microsoft, Sandyford. Sorry I can't be more certain than that. Maybe someone else was there who can verify the story ... it's only 3rd hand information I have.
The point I tried to make seems to have been lost somewhere along the way. I just wonder how secure we should feel sending tax returns online ... ? Are we liable for penalties if the system fails (due to hackers or otherwise)?

On review, I would probably agree that the story about the revenue is a red herring but as usual I swallowed it hook line and sinker ... pardon the pun.

Henny Penny

No system is 100% secure. Personally I am quite confident in conducting business online with the Revenue or indeed with any other parties. The main thing is to assure yourself you are dealing with reputable companies and that they have adequate protections in place.

C

Henny - you are also liable for penalties if the postal system fails and your paper return arrives late.

*IF* the Revenue system fails due to a major recognised problem I would be reasonably sure they would allow an extension for filing. In the same way if the postal system fails due to a strike, they would make allowance for late deliveries.

z

To their credit, Revenue are generally very reasonable in solving issues that arise due to online filing difficulties (most notably after the Nov 03 tax filing deadline when their system was overwhelmed by the volume of returns being filed), and glitches in the postal system.

In contrast, the Companies Office are totally inflexible in this regard and disgracefully refuse to mitigate late filing penalties when items have been delayed or lost in the postal system, unless the items were sent by recorded post.