lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: 27 Mar 2003 10:40:31 -0500
From: HCTITS Security Division <security@...ancentrictech.com>
To: undisclosed-recipients:;
Subject: Re: Security Advisory - MyTaxexpress 2003


Did this guy miss the discussion about this very issue like, two weeks
ago?

I think the ultimate resolution of that discussion was that users are
lazy and stupid ("uninformed"), not likely to change defaults or be
savvy enough to use third-party encryption software, much less be
inclined to have to engage in that extra step.

There comes a point when we must wash our hands of the matter and leave
the user's security up to the user.  Inform them, yes, but leave them to
their own informed peril.

It sounds like most tax software does not encrypt personal data and
stores it in predictable locations.  I think a better tack on this
matter is to take steps to prevent the data from being accessible to
outside attackers.  Inform users how to disable the insecure default
shares that some OSes create and how to protect their computers from
many data-compromising vulnerabilities.  For example, "My Documents"
shouldn't be allowed to be accessible from outside anyway.

Or we could all do our taxes on paper, hand-deliver them to their
respective agents, keep our record copies in 6-inch hardened-steel
glass-packed (remember The Score?) fireproof safes, and crosscut-shred,
bleach, and burn any other paperwork with sensitive information.  

Regards,
~Brian


On Tue, 2003-03-25 at 14:46, Nathan Wosnack wrote:
> 
> 
> Original Advisory: Tuesday, March 25, 2003
> 
> Severity: Medium - High
> 
> Description: Unencrypted tax-return information saved in C:\My Documents 
> by default can pose security risks, and may disclose financial/personal 
> information to the Internet via peer-to-peer (P2P) networks.
> 
> Version: Tested on the version released March 20, 2003
> 
> Authors: David Coomber and Nathan Wosnack were involved in the research 
> and development.
> 
> Tax Software Background:
> 
> MyTaxexpress 2003 is a CCRA (Canada Customs and Revenue Agency) certified 
> GUI application developed by ExpressInfo Software that allows Canadian tax 
> payers located in Alberta, British Columbia, and Ontario to work through 
> their tax returns and file them electronically using a tax filing system 
> known as NETFILE.
> 
> Description of the problem:
> 
> If you decide to save your return, your personal information is saved to 
> your computer unencrypted in the directory C:\My Documents by default with 
> a *.ret extension. The problem with this is two-fold; if someone is able 
> to access this file, then all they would need to do is open it with a text 
> editor such as Notepad to reveal personal information. The personal 
> information disclosed includes your full name, your address, your social 
> insurance number, your earnings, spending claims, where you work, etc. 
> Saving your tax files in C:\My Documents makes it easier to get a hold of 
> since many Microsoft Windows users share C:\My Documents when using P2P 
> programs without understanding the consequences. Also, Many P2P file-
> sharing networks have been known to share the C:\My Documents folder. One 
> such example of a file sharing program that does this is a program 
> called 'Kazaa' (with K++ extensions). With a simple query on Kazaa, 
> looking up file names such as 'taxes 2003.ret', 'taxes.ret', one could 
> gather large amounts of data on unsuspecting users that have C:\My 
> Documents shared.
> 
> Recommendations:
> 
> Due to the fact that MyTaxexpress does not encrypt your tax return when 
> saved to disk, and stores it in C:\My Documents by default, the risk of 
> having personal financial information stolen and used for illegal purposes 
> is high. In order to protect this financial information from disclosure 
> and misuse, we recommend saving your returns in a different directory and 
> encrypting your returns (and all other personal information) with a strong 
> encryption program such as Blowfish for Windows(1) or similar.
> 
> Related Links:
> 
> http://www.pivx.com/ - Related advisories focusing on United States tax 
> software.
> 
> http://www.hypervivid.com/ - Information, Telecom and Wireless Security 
> Consulting Firm.
> 
> Vendor Contact:
> 
> http://www.mytaxexpress.com/ - ExpressInfo software.
> 
> Have any questions or comments?
> e-mail: advisories@...ervivid.com
> 
> Copyright © 2003, Hypervivid Solutions Incorporated. All Rights Reserved. 
> (1) Note: We are not affiliated with any products or services mentioned on 
> this page, we provide the links solely as a convenience to the reader.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ