News - Written by Jenna Pitcher on Monday, September 13, 2010 12:34 - 4 Comments
Does e-tax 2010 have a security hole?
update: The denizens of global security mailing list Bugtraq have started discussing whether the Australian Taxation Office’s e-tax 2010 software — currently being used by millions of Australians to submit their tax returns — has a security hole in it, due to the way it deals with remote Secure Sockets Layer (SSL) certificates.
The breaches were unintentionally discovered when a security expert, known only as Dave B, became fed up with the ATO’s restrictions on the use of operating systems other than Windows — he tried to build a workaround so he didn’t have to use Microsoft’s platform.
At first Dave B thought that the software did not check the SSL certificate of involved domains and would work if the certificate came from a valid certificate authority. Other tests were made and he found that a “freshly generated” self-signed certificate would be accepted by the software — so the SSL certificate does not need to be signed by a certificate authority.
e-tax will communicate via the unencrypted HTTP protocol rather than HTTPS if told to — for example, through URL manipulation with a tool such as the Apache mod_rewrite module. e-tax 2010 will send the details of the tax request in a Simple Object Access Protocol (SOAP) request.
Securus Global Managing Director Drazen Drazic said he believed the risks were clear and that the whole process was open to attacks such as man-in-the-middle (MITM) attacks, where an attacker could pull information from the stream between the ATO and the e-tax end user.
“The risks seem to be purely on the client side of things in regards to this advisory,” he said. “People need to be careful when accessing. How it’s working based upon the advisory means people could be directed to anywhere with personal information being sent to unauthorised parties. Given the type of information, not a good thing.”
For instance if an individual has an SSL certificate for another website, that certificate could then be used to masquerade as the ATO’s tax server.
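The three behaviours described above (plain HTTP accepted, self-signed certificates accepted, and a certificate for another site accepted) each correspond to a client-side check. The following is an added example, not code from e-tax or from the Bugtraq advisory: it uses Python's standard `ssl` module to contrast client settings that skip those checks with settings that enforce them, and the endpoint URL and function names are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit

# Constructed placeholder endpoint, not the real lodgment server.
LODGMENT_URL = "https://lodgment.example/soap"

def hardened_context():
    """Client context that demands a CA-signed chain and a matching hostname."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def lax_context():
    """Constructed 'before' case: accepts a freshly generated self-signed cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE          # no chain validation at all
    return ctx

def ca_only_context():
    """Constructed case: chain is validated, but any site's valid cert passes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    return ctx

def audit_transport(url, ctx):
    """Return the list of weaknesses in how a client would reach `url`."""
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("plaintext-endpoint")       # SOAP body sent unencrypted
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-not-verified")       # self-signed cert accepted
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")     # another site's cert accepted
    return findings

def require_secure(url, ctx):
    """Fail closed: refuse to proceed unless every check is enforced."""
    findings = audit_transport(url, ctx)
    if findings:
        raise ValueError("refusing to send return: " + ", ".join(findings))
    return ctx

if __name__ == "__main__":
    for name, ctx in [("hardened", hardened_context()),
                      ("ca-only", ca_only_context()),
                      ("lax", lax_context())]:
        print(name, audit_transport(LODGMENT_URL, ctx))
```
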
An ATO spokesperson said: “We don’t provide comment on security-related matters, however we can assure taxpayers that income tax details submitted by e-tax software is secure.”
Last week Dave logged his discovery on security mailing list Bugtraq in a series of logs – each revealed that the security breach was much worse than previously thought. The first bug logged can be viewed below; subsequent bugs logged can be located here and here.
Image credit: Dave B