
Report: IRS bungles may imperil data

Anne Broache, Staff Writer, CNET News.com
Anne Broache covers Capitol Hill goings-on and technology policy from Washington, D.C.

Just in time for tax day, government auditors have issued a new report that raps the Internal Revenue Service on a number of security vulnerabilities in its computer systems.

"Significant weaknesses in access controls and other information security controls continue to threaten the confidentiality, integrity, and availability of IRS's financial and tax processing systems and information," the Government Accountability Office said in a report (PDF) released Friday.

The findings run the gamut: failure to audit who has accessed what on its various systems, inconsistent encryption of data, and lack of physical security controls--such as surveillance cameras, security guards and locks--for starters. Overall, the GAO found that the agency had corrected only about one-third of the 73 security weaknesses it reported as unresolved during its last review.

Here's a sampling of the gaffes the auditors uncovered:

* In some instances, accounts did not lock out users after failed logon attempts, and passwords did not expire, leaving databases vulnerable to "a brute force password attack that could result in unauthorized access."
* At one site, the agency stored user IDs and passwords in mainframe files that could be read by every mainframe user, running the risk that anyone could log on and masquerade as an authorized user.
* In an ironic twist, considering recent concerns over scammers purporting to be IRS agents, the feds did not "appropriately" restrict users' ability to send anonymous e-mails via the two mainframe systems reviewed by the GAO. That loophole meant a GAO analyst--or anyone else who accessed the system--could pretend to be a legitimate sender and theoretically "expose IRS employees to malicious activity, including phishing."
* When the GAO did its review in August 2006, it found critical Windows patches released a month earlier had not yet been installed on IRS systems, even though its policy requires application of patches within 72 hours.
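The four findings above are the kind of control failures an ordinary configuration audit can catch before an external auditor does. The following is an added example, not code from the article or from the GAO report: a small audit routine that flags the same classes of weakness, run against constructed sample data. The 72-hour patch window comes from the article; the lockout and password-age thresholds, the POSIX permission bits standing in for the mainframe file access described, and all system, file and patch names are assumptions for illustration.

```python
"""Added example: audit checks for the weakness classes the GAO described."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import stat

# The 72-hour window is the IRS policy cited in the article; the other two
# thresholds are illustrative assumptions, not values from the report.
PATCH_SLA = timedelta(hours=72)
MAX_LOCKOUT_THRESHOLD = 10     # assumed: lock after at most 10 failed logons
MAX_PASSWORD_AGE_DAYS = 90     # assumed: passwords must expire within 90 days


@dataclass
class AccountPolicy:
    system: str
    lockout_threshold: int        # 0 means the account never locks out
    password_max_age_days: int    # 0 means the password never expires


@dataclass
class CredentialFile:
    path: str
    mode: int                     # POSIX permission bits (assumed analog of
                                  # mainframe file access), e.g. 0o644


@dataclass
class Patch:
    name: str                     # hypothetical patch label
    released: datetime
    installed: Optional[datetime]  # None if still not applied


def check_account_policy(p: AccountPolicy) -> list[str]:
    """Brute-force exposure: no lockout and/or non-expiring passwords."""
    findings = []
    if p.lockout_threshold == 0 or p.lockout_threshold > MAX_LOCKOUT_THRESHOLD:
        findings.append(f"{p.system}: no effective lockout after failed logons "
                        f"(threshold={p.lockout_threshold})")
    if p.password_max_age_days == 0 or p.password_max_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"{p.system}: passwords do not expire "
                        f"(max_age_days={p.password_max_age_days})")
    return findings


def check_credential_file(f: CredentialFile) -> list[str]:
    """Credentials readable by every user of the host (world-readable bit set)."""
    if f.mode & stat.S_IROTH:
        return [f"{f.path}: credential file is world-readable (mode {f.mode:04o})"]
    return []


def check_patch(patch: Patch, now: datetime) -> list[str]:
    """Patch still outstanding past the window, or applied after it closed."""
    deadline = patch.released + PATCH_SLA
    if patch.installed is None:
        if now > deadline:
            overdue = now - deadline
            return [f"{patch.name}: not installed, {overdue.days} days past the 72h window"]
        return []   # outstanding but still inside the window
    if patch.installed > deadline:
        late = patch.installed - deadline
        return [f"{patch.name}: installed {late.days} days past the 72h window"]
    return []


def audit(policies, files, patches, now: datetime) -> list[str]:
    findings: list[str] = []
    for p in policies:
        findings += check_account_policy(p)
    for f in files:
        findings += check_credential_file(f)
    for patch in patches:
        findings += check_patch(patch, now)
    return findings


def run_sample() -> list[str]:
    """Constructed sample inventory; all names and dates are illustrative."""
    now = datetime(2006, 8, 15)
    policies = [
        AccountPolicy("db-prod", lockout_threshold=0, password_max_age_days=0),
        AccountPolicy("db-hardened", lockout_threshold=5, password_max_age_days=60),
    ]
    files = [
        CredentialFile("/opt/batch/creds.txt", 0o644),
        CredentialFile("/opt/batch/creds-private.txt", 0o600),
    ]
    patches = [
        Patch("patch-outstanding", datetime(2006, 7, 11), None),
        Patch("patch-late", datetime(2006, 8, 10), datetime(2006, 8, 14)),
        Patch("patch-ok", datetime(2006, 8, 14), datetime(2006, 8, 15)),
    ]
    return audit(policies, files, patches, now)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The patch check distinguishes a patch that is merely outstanding inside the window from one that was applied but late, so a rerun after remediation still records the missed deadline rather than reporting the system clean.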

In response to the report, IRS Commissioner Mark Everson provided a list of steps the agency has already taken in an attempt to improve its computer security practices. "While we have made significant progress," he wrote in a letter attached to the report, "we recognize that continued diligence is required."