PDA

Bekijk Volledige Versie : Security Advisory - MyTaxexpress 2003


Nathan Wosnack
26/03/03, 20:35
Original Advisory: Tuesday, March 25, 2003

Severity: Medium - High

Description: Unencrypted tax-return information saved in C:\My Documents
by default can pose security risks, and may disclose financial/personal
information to the Internet via peer-to-peer (P2P) networks.

Version: Tested on the version released March 20, 2003

Authors: David Coomber and Nathan Wosnack were involved in the research
and development.

Tax Software Background:

MyTaxexpress 2003 is a CCRA (Canada Customs and Revenue Agency) certified
GUI application developed by ExpressInfo Software that allows Canadian tax
payers located in Alberta, British Columbia, and Ontario to work through
their tax returns and file them electronically using a tax filing system
known as NETFILE.

Description of the problem:

If you decide to save your return, your personal information is saved to
your computer unencrypted in the directory C:\My Documents by default with
a *.ret extension. The problem with this is two-fold; if someone is able
to access this file, then all they would need to do is open it with a text
editor such as Notepad to reveal personal information. The personal
information disclosed includes your full name, your address, your social
insurance number, your earnings, spending claims, where you work, etc.
Saving your tax files in C:\My Documents makes it easier to get a hold of
since many Microsoft Windows users share C:\My Documents when using P2P
programs without understanding the consequences. Also, Many P2P file-
sharing networks have been known to share the C:\My Documents folder. One
such example of a file sharing program that does this is a program
called 'Kazaa' (with K++ extensions). With a simple query on Kazaa,
looking up file names such as 'taxes 2003.ret', 'taxes.ret', one could
gather large amounts of data on unsuspecting users that have C:\My
Documents shared.

Recommendations:

Due to the fact that MyTaxexpress does not encrypt your tax return when
saved to disk, and stores it in C:\My Documents by default, the risk of
having personal financial information stolen and used for illegal purposes
is high. In order to protect this financial information from disclosure
and misuse, we recommend saving your returns in a different directory and
encrypting your returns (and all other personal information) with a strong
encryption program such as Blowfish for Windows(1) or similar.

Related Links:

http://www.pivx.com/ - Related advisories focusing on United States tax
software.

http://www.hypervivid.com/ - Information, Telecom and Wireless Security
Consulting Firm.

Vendor Contact:

http://www.mytaxexpress.com/ - ExpressInfo software.

Have any questions or comments?
e-mail: advisories@hypervivid.com

Copyright © 2003, Hypervivid Solutions Incorporated. All Rights Reserved.
(1) Note: We are not affiliated with any products or services mentioned on
this page, we provide the links solely as a convenience to the reader.
HCTITS Security Division
27/03/03, 20:05
Did this guy miss the discussion about this very issue like, two weeks
ago?

I think the ultimate resolution of that discussion was that users are
lazy and stupid ("uninformed"), not likely to change defaults or be
savvy enough to use third-party encryption software, much less be
inclined to have to engage in that extra step.

There comes a point when we must wash our hands of the matter and leave
the user's security up to the user. Inform them, yes, but leave them to
their own informed peril.

It sounds like most tax software does not encrypt personal data and
stores it in predictable locations. I think a better tack on this
matter is to take steps to prevent the data from being accessible to
outside attackers. Inform users how to disable the insecure default
shares that some OSes create and how to protect their computers from
many data-compromising vulnerabilities. For example, "My Documents"
shouldn't be allowed to be accessible from outside anyway.

Or we could all do our taxes on paper, hand-deliver them to their
respective agents, keep our record copies in 6-inch hardened-steel
glass-packed (remember The Score?) fireproof safes, and crosscut-shred,
bleach, and burn any other paperwork with sensitive information. =20

Regards,
~Brian


On Tue, 2003-03-25 at 14:46, Nathan Wosnack wrote:
>=20
>=20
> Original Advisory: Tuesday, March 25, 2003
>=20
> Severity: Medium - High
>=20
> Description: Unencrypted tax-return information saved in C:\My Documents=20
> by default can pose security risks, and may disclose financial/personal=20
> information to the Internet via peer-to-peer (P2P) networks.
>=20
> Version: Tested on the version released March 20, 2003
>=20
> Authors: David Coomber and Nathan Wosnack were involved in the research=20
> and development.
>=20
> Tax Software Background:
>=20
> MyTaxexpress 2003 is a CCRA (Canada Customs and Revenue Agency) certified=
=20
> GUI application developed by ExpressInfo Software that allows Canadian ta=
x=20
> payers located in Alberta, British Columbia, and Ontario to work through=20
> their tax returns and file them electronically using a tax filing system=20
> known as NETFILE.
>=20
> Description of the problem:
>=20
> If you decide to save your return, your personal information is saved to=20
> your computer unencrypted in the directory C:\My Documents by default wit=
h=20
> a *.ret extension. The problem with this is two-fold; if someone is able=20
> to access this file, then all they would need to do is open it with a tex=
t=20
> editor such as Notepad to reveal personal information. The personal=20
> information disclosed includes your full name, your address, your social=20
> insurance number, your earnings, spending claims, where you work, etc.=20
> Saving your tax files in C:\My Documents makes it easier to get a hold of=
=20
> since many Microsoft Windows users share C:\My Documents when using P2P=20
> programs without understanding the consequences. Also, Many P2P file-
> sharing networks have been known to share the C:\My Documents folder. One=
=20
> such example of a file sharing program that does this is a program=20
> called 'Kazaa' (with K++ extensions). With a simple query on Kazaa,=20
> looking up file names such as 'taxes 2003.ret', 'taxes.ret', one could=20
> gather large amounts of data on unsuspecting users that have C:\My=20
> Documents shared.
>=20
> Recommendations:
>=20
> Due to the fact that MyTaxexpress does not encrypt your tax return when=20
> saved to disk, and stores it in C:\My Documents by default, the risk of=20
> having personal financial information stolen and used for illegal purpose=
s=20
> is high. In order to protect this financial information from disclosure=20
> and misuse, we recommend saving your returns in a different directory and=
=20
> encrypting your returns (and all other personal information) with a stron=
g=20
> encryption program such as Blowfish for Windows(1) or similar.
>=20
> Related Links:
>=20
> http://www.pivx.com/ - Related advisories focusing on United States tax=20
> software.
>=20
> http://www.hypervivid.com/ - Information, Telecom and Wireless Security=20
> Consulting Firm.
>=20
> Vendor Contact:
>=20
> http://www.mytaxexpress.com/ - ExpressInfo software.
>=20
> Have any questions or comments?
> e-mail: advisories@hypervivid.com
>=20
> Copyright =A9 2003, Hypervivid Solutions Incorporated. All Rights Reserve=
d.=20
> (1) Note: We are not affiliated with any products or services mentioned o=
n=20
> this page, we provide the links solely as a convenience to the reader.