News - Written by Jenna Pitcher on Monday, September 13, 2010 12:34 - 4 Comments
Does e-tax 2010 have a security hole?
Update: The denizens of global security mailing list Bugtraq have started discussing whether the Australian Taxation Office’s e-tax 2010 software — currently being used by millions of Australians to submit their tax returns — has a security hole in it, due to the way it validates the Secure Sockets Layer (SSL) certificates presented by remote servers.
The flaws were discovered by accident when a security expert, known only as Dave B, became fed up with the ATO restricting e-tax to Windows and tried to find a workaround so he would not have to use Microsoft’s platform.
At first Dave B thought that the software merely failed to check that the SSL certificate matched the domain it was connecting to, and that it would accept any certificate issued by a valid certificate authority. Further tests showed that a “freshly generated” self-signed certificate was also accepted by the software, so the SSL certificate does not need to be signed by a certificate authority at all.
e-tax will also communicate over the unencrypted HTTP protocol rather than HTTPS if told to, for example through URL manipulations such as those performed by the Apache mod_rewrite module. e-tax 2010 then sends the details of the tax return in a Simple Object Access Protocol (SOAP) request.
Securus Global Managing Director Drazen Drazic said he believed the risks were clear and that the whole process was open to attacks such as man-in-the-middle (MITM) attacks, where an attacker could pull information from the stream between the ATO and the e-tax end user.
“The risks seem to be purely on the client side of things in regards to this advisory,” he said. “People need to be careful when accessing. How it’s working based upon the advisory means people could be directed to anywhere with personal information being sent to unauthorised parties. Given the type of information, not a good thing.”
For instance if an individual has an SSL certificate for another website, that certificate could then be used to masquerade as the ATO’s tax server.
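The three client-side weaknesses described above (a self-signed certificate accepted, a certificate issued for some other website accepted, and a silent fall-back to plain HTTP) all correspond to checks a TLS client is supposed to perform before it sends anything sensitive. The following Python is an added illustration written for this page, not code from e-tax or from Dave B's advisory; the host name `tax-server.example` is a placeholder, not the ATO's real server, and the certificate names fed to `hostname_matches` are constructed sample values.

```python
import socket
import ssl
from urllib.parse import urlparse

# Placeholder for the host the client expects to reach (NOT the ATO's real hostname).
EXPECTED_HOST = "tax-server.example"


def make_client_context(strict=True):
    """Return the client-side ssl.SSLContext.

    strict=True is the correct configuration: the peer certificate must chain to a
    trusted CA (CERT_REQUIRED) and its name must match the host we dialled
    (check_hostname).  strict=False reproduces the two certificate weaknesses the
    article describes: a self-signed certificate is accepted, and so is a valid
    certificate issued for an unrelated site.
    """
    ctx = ssl.create_default_context()
    if not strict:
        # check_hostname must be switched off before verify_mode may be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hostname_matches(expected_host, san_dns_names):
    """Minimal RFC 6125-style check of expected_host against a certificate's DNS SANs.

    Matching is case-insensitive; a single leading '*' label matches exactly one label,
    so '*.example.com' covers 'a.example.com' but not 'example.com' or 'b.a.example.com'.
    This is the check a client skips when it accepts 'a certificate for another website'.
    """
    host = expected_host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                    # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
    return False


def require_https(url):
    """Refuse to send the SOAP request unless the URL scheme is https.

    A client that follows a rewritten URL to http:// without complaint will happily
    post the whole return in clear text; enforcing the scheme here blocks that downgrade.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"refusing to send tax data over {parsed.scheme or 'unknown'}: {url}")
    return parsed.hostname


def open_tax_connection(url, timeout=10):
    """Open a verified TLS connection to the server named in url (not exercised offline).

    server_hostname is what ties the certificate check to the name we intended to reach;
    with strict=True the handshake fails on a self-signed or mis-issued certificate.
    """
    host = require_https(url)
    ctx = make_client_context(strict=True)
    raw = socket.create_connection((host, 443), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)
```

The `strict=False` branch is included only to make the contrast visible: it is exactly the configuration that lets a freshly generated self-signed certificate, or a legitimate certificate for an unrelated domain, pass as the tax server.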
An ATO spokesperson said: “We don’t provide comment on security-related matters, however we can assure taxpayers that income tax details submitted by e-tax software is secure.”
Last week Dave logged his discovery on security mailing list Bugtraq in a series of posts, each revealing that the security hole was worse than previously thought. The first bug logged can be viewed below; the subsequent bugs logged can be located here and here.
Image credit: Dave B