
  • News - Written by on Monday, September 13, 2010 12:34 - 4 Comments

    Does e-tax 2010 have a security hole?

    update The denizens of the global security mailing list Bugtraq have started discussing whether the Australian Taxation Office's e-tax 2010 software, currently being used by millions of Australians to submit their tax returns, has a security hole in it, due to the way it deals with remote Secure Sockets Layer (SSL) certificates.

    The flaws were discovered by accident when a security expert, known only as Dave B, became fed up with the ATO's restrictions on using operating systems other than Windows and tried to find a workaround so he did not have to use Microsoft's platform.

    At first Dave B thought the software did not check that the SSL certificate matched the domains involved, and would accept any certificate issued by a valid certificate authority. Further tests showed that a "freshly generated" self-signed certificate was also accepted, so the SSL certificate does not even need to be signed by a certificate authority.

    e-tax will also communicate over the unencrypted http protocol rather than https if told to, for example when its URLs are rewritten with a tool such as the Apache mod_rewrite module. e-tax 2010 sends the details of the tax request in a Simple Object Access Protocol (SOAP) request.

    Securus Global Managing Director Drazen Drazic said he believed the risks were clear and that the whole process was open to attacks such as man-in-the-middle (MITM) attacks, in which an attacker could pull information from the stream between the ATO and the e-tax end user.

    “The risks seem to be purely on the client side of things in regards to this advisory,” he said. “People need to be careful when accessing. How it’s working based upon the advisory means people could be directed to anywhere with personal information being sent to unauthorised parties. Given the type of information, not a good thing.”

    For instance, if an individual has an SSL certificate for another website, that certificate could be used to masquerade as the ATO's tax server, because e-tax does not check that the certificate belongs to the server it is talking to.
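    The three client-side failures described above (accepting a self-signed certificate, dropping to plain http after a URL rewrite, and accepting a certificate issued for some other site) are exactly the checks a TLS client is expected to perform. The following Python example is added here for illustration; it is not code from the article or from the e-tax software. The endpoint host name is an assumed placeholder, the certificate dictionaries are constructed samples in the shape Python's ssl module returns from getpeercert(), and the two context builders show the ssl.SSLContext settings that enforce these checks automatically beside the permissive settings that match the behaviour reported.

```python
import ssl
from urllib.parse import urlparse

# Assumed placeholder: the article does not name the real e-tax endpoint.
EXPECTED_HOST = "etax.example.gov.au"


def check_endpoint_url(url, expected_host=EXPECTED_HOST):
    """Return policy violations for the URL the client is about to contact.

    Catches the downgrade described in the article: a rewritten URL that
    points the client at plain http, or at a host other than the expected one.
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"scheme {parsed.scheme!r} is not https")
    if parsed.hostname != expected_host:
        problems.append(f"host {parsed.hostname!r} is not {expected_host!r}")
    return problems


def rdn_value(name, key):
    """Pull one field (e.g. 'commonName') out of a getpeercert()-style name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def dns_name_matches(pattern, host):
    """Match a certificate DNS name against a host; wildcard allowed only in the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def check_peer_cert(cert, expected_host=EXPECTED_HOST):
    """Return policy violations for a certificate in getpeercert() dict form.

    Flags the two acceptance failures the article describes: a self-signed
    certificate (issuer equals subject) and a certificate issued for some
    other site being presented for the expected host.
    """
    problems = []
    if cert.get("subject") == cert.get("issuer"):
        problems.append("certificate is self-signed (issuer == subject)")
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # fall back to the CN only when no SAN entries are present
        cn = rdn_value(cert.get("subject", ()), "commonName")
        if cn:
            names = [cn]
    if not any(dns_name_matches(n, expected_host) for n in names):
        problems.append(f"certificate names {names} do not cover {expected_host!r}")
    return problems


def make_strict_context():
    """Context that enforces chain validation and hostname checking (the fix)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_permissive_context():
    """Context that accepts any certificate: the reported behaviour, for comparison only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before switching to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    """True when the context will reject unverifiable or mismatched certificates."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


# Constructed sample certificates in the shape returned by SSLSocket.getpeercert().
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "etax.example.gov.au"),),),
    "issuer": ((("commonName", "etax.example.gov.au"),),),
    "subjectAltName": (("DNS", "etax.example.gov.au"),),
}
OTHER_SITE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
GOOD_CERT = {
    "subject": ((("commonName", "etax.example.gov.au"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "etax.example.gov.au"),),
}

if __name__ == "__main__":
    for url in ("https://etax.example.gov.au/soap", "http://etax.example.gov.au/soap"):
        print(url, check_endpoint_url(url) or "ok")
    for label, cert in (("good", GOOD_CERT), ("self-signed", SELF_SIGNED_CERT), ("other site", OTHER_SITE_CERT)):
        print(label, check_peer_cert(cert) or "ok")
    print("strict context enforces verification:", context_is_strict(make_strict_context()))
```

    With the strict context, Python's ssl module performs the chain and hostname checks itself during the handshake and the connection fails before any SOAP body is sent; the manual checks above spell out what that context is deciding, and would be redundant in a real client. The permissive context reproduces the reported condition, where a self-signed certificate or a certificate for an unrelated site is accepted without complaint.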

    An ATO spokesperson said: “We don’t provide comment on security-related matters, however we can assure taxpayers that income tax details submitted by e-tax software is secure.”

    Last week Dave logged his discovery on the Bugtraq security mailing list in a series of posts, each revealing that the problem was worse than previously thought. The first post can be viewed below; the subsequent posts can be located here and here.

    Image credit: Dave B


    1. RoboticButtocks
      Posted 13/09/2010 at 1:51 pm | Permalink |

      I wonder if other business software has similar issues. Sitting between James Packer's accountant and the ATO would be good times.

    2. Posted 13/09/2010 at 2:30 pm | Permalink |

      Biggest problem I had with e-tax 2010 was that it didn’t give me a big enough tax return… ;)

      Seriously though – self-signed certificates are not necessarily “bad” in and of themselves – the connection IS secure, but obviously does not obfuscate the possibility of MITM attacks, as the article suggests.

      The ATO do need to take this one seriously.

    3. dave b
      Posted 13/09/2010 at 6:45 pm | Permalink |

      I haven't looked at that stuff – I haven't had reason. The ATO are using AUSKEY which looks okish from a quick glance. However, some of the documentation is lacking and you have to email to get a copy of their reference implementation.

      A fair amount of edi isn’t secured :)

    4. Posted 08/12/2010 at 5:55 pm | Permalink |

      There are some websites which aren’t really secured.
