• Catch issues early, fix them fast – Free trial


    [ad] With GFI Cloud you can easily manage and secure your remote workforce – wherever they are, from wherever you are! The simple IT management platform includes patch management, antivirus, web protection, monitoring and remote control. Get the benefit of endpoint protection with the ease of central management. Start a free trial now.


  • Great articles on other sites
  • RSS Great articles on other sites

  • News - Written by on Monday, September 13, 2010 12:34 - 4 Comments

    Does e-tax 2010 have a security hole?

    update The denizens of global security mailing list Bugtraq have started discussing whether the Australian Taxation Office’s e-tax 2010 software — currently being used by millions of Australians to submit their tax returns — has a security hole in it, due to the way it deals with remote Secure Socket Layer (SSL) certificates.

    The breaches were unintentionally discovered when a security expert, known only as Dave B, became fed up with the ATO’s restrictions on the use of alternative operating systems other than Windows — he tried to do a workaround so he didn’t have to use Microsoft’s platform.

    At first Dave B thought that the software did not check the SSL certificate of involved domains and would work if the certificate came from a valid certificate authority. Other tests were made and he found that a “freshly generated” self-signed certificate would be accepted by the software — so the SSL certificate does not need to be signed by a certificate authority.

    e-tax will communicate via the unencrypted http protocol rather than https if told to — for example, using URL manipulations like such as the Apache mod_rewrite module. e-tax2010 will send the details of the tax request in a Simple Object Access Protocol (SOAP) request.

    Securus Global Managing Director Drazen Drazic said he believed the risks were clear and that the whole process was open to attacks such man in the middle (MITM) attacks where an attacker could pull information from the stream between the ATO and the e-tax end user.

    “The risks seem to be purely on the client side of things in regards to this advisory,” he said. “People need to be careful when accessing. How it’s working based upon the advisory means people could be directed to anywhere with personal information being sent to unauthorised parties. Given the type of information, not a good thing.”

    For instance if an individual has an SSL certificate for another website, that certificate could then be used to masquerade as the ATO’s tax server.

    An ATO spokesperson said: “We don’t provide comment on security-related matters, however we can assure taxpayers that income tax details submitted by e-tax software is secure.”

    Last week Dave logged his discovery on security mailing list Bug Traq in a series of logs – each revealed that the security breach was much worse than previously thought. The first bug logged can be viewed below, subsequent bugs logged can be located here and here.

    Image credit: Dave B

    submit to reddit

    4 Comments

    You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

    1. RoboticButtocks
      Posted 13/09/2010 at 1:51 pm | Permalink |

      I wonder if there other business software has similar issues. Sitting between James Packer’s accountant and the ATO would be good times.

    2. Posted 13/09/2010 at 2:30 pm | Permalink |

      Biggest problem I had with e-tax 2010 was that it didn’t give me a big enough tax return… ;)

      Seriously though – self-signed certificates are not necessarily “bad” in and of themselves – the connection IS secure, but obviously does not obfuscate the possibility of MITM attacks, as the article suggests.

      The ATO do need to take this one seriously.

    3. dave b
      Posted 13/09/2010 at 6:45 pm | Permalink |

      @RoboticButtocks
      I haven’t looked at that stuff – I haven’t had reason. The ato are using AUSKEY which looks okish from a quick glance. However, some of the documentation is lacking and you have to email to get a copy of their reference implementation.

      A fair amount of edi isn’t secured :)

    4. Posted 08/12/2010 at 5:55 pm | Permalink |

      There are some websites which aren’t really secured.




    Get our 'Best of the Week' newsletter on Fridays

    Just the most important stories, one email a week.

    Email address:


  • Most Popular Content

  • Enterprise IT stories

    • Super funds close to dumping $250m IT revamp facepalm2

      If you have even a skin deep awareness of the structure of Australia’s superannuation industry, you’ll be aware that much of the underlying infrastructure used by many of the nation’s major funds — AustralianSuper, CBus, HESTA and more — is provided by a centralised group, Superpartners. One of the group’s main projects in recent years has been to dramatically update and modernise its IT platform — its version of a core banking platform overhaul. Unfortunately, as was revealed in November, the $250 million project has not precisely been going well, and the Financial Review last week reported that Superpartners is actually close to turfing it altogether and going back to the drawing board.

    • Qld’s Grant joins analyst firm IBRS peter-grant

      This week it emerged that Peter Grant, the two-time former Queensland Whole of Government CIO (pictured), has joined well-regarded analyst firm Intelligent Business Research Services (IBRS). We’ve long had a high regard for IBRS, and so it’s fantastic to see such an experienced executive join its ranks.

    • Westpac dumps desk phones for Samsung Android mobiles samsung-galaxy-ace-3

      The era of troublesome desk phones tied to physical locations is gradually coming to an end in many workplaces, with mobile phones becoming increasingly popular as organisations’ main method of voice telecommunications. But some groups are more advanced than others when it comes to adoption of the trend. One of those is Westpac.

    • Ministers’ cloud approval lasted just a year reverse

      Remember how twelve months ago, the Federal Government released a new cloud computing security and privacy directive which required departments and agencies to explicitly acquire the approval of the Attorney-General and the relevant portfolio minister before government data containing private information could be stored in offshore facilities? Remember how the policy was strongly criticised by Microsoft, Government CIOs and Delimiter? Well, it looks like the policy is about to be reversed.

    • WA Govt can’t fund school IT upgrades oops key

      In news from The Department of Disturbing Facts, iTNews revealed late last week that Western Australia’s Department of Education has run out of money halfway through the deployment of new fundamental IT infrastructure to the state’s schools.

    • Turnbull outlines Govt ICT vision turnbull-5

      Communications Minister Malcolm Turnbull has published an extensive article arguing that the Federal Government needed to do a better job of connecting with Australians via digital channels and that public sector IT projects needn’t cost the huge amounts that some have in the past.

    • NZ Govt pushes hard into cloud zealand

      New Zealand’s national Government announced a whole of government contract this morning for what it terms ‘Office Productivity as a Service’ services. This includes email and calendaring services, as well as file-sharing, mobility, instant messaging and collaboration services. The contract complements two existing contracts — Desktop as a Service and Enterprise Content Management as a Service.

    • CommBank reveals Harte’s replacement whiteing

      The Commonwealth Bank of Australia has promoted an internal executive who joined the bank in September after a lengthy career at petroleum giant VP and IT services group Accenture to replace its outgoing chief information officer Michael Harte, who announced in early May that he would leave the bank.

    • Jeff Smith quits Suncorp for IBM jeffsmith4

      Second-tier Australian bank and financial services group Suncorp today announced that its long-serving top technology executive Jeff Smith would leave to take up a senior role with IBM in the United States, in an announcement which marks the end of an era for the nation’s banking IT sector.

    • Small business missing the mobile, social, cloud revolution iphone-stock

      Most companies that live and breathe the online revolution are not tech startups, but smart smaller firms that use online tools to run their core business better: to cut costs, reach customers and suppliers, innovate and get more control. Many others, however, are falling behind, according to a new Grattan Institute discussion paper.

  • Blog, Enterprise IT - Jul 5, 2014 13:53 - 0 Comments

    Super funds close to dumping $250m IT revamp

    More In Enterprise IT


    Blog, Telecommunications - Jul 5, 2014 12:12 - 0 Comments

    What should the ACCC’s role be in guiding infrastructure spending?

    More In Telecommunications


    Analysis, Industry, Internet - Jun 23, 2014 10:33 - 0 Comments

    ‘Google Schmoogle’ – how Yellow Pages got it so wrong

    More In Industry


    Blog, Digital Rights - Jun 30, 2014 22:24 - 0 Comments

    Will Netflix launch in Australia, or not?

    More In Digital Rights