lists.openwall.net
Open Source and information security mailing list archives
 
Message-ID: <F7D9C71C56007349BB92C92FF52874281EB90F@bermuda.esohq.kc>
Date: Fri, 14 Mar 2003 14:47:29 -0600
From: <Ken.Williams@...curityonline.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: response to tax software not encrypting tax info

Hi,

I have read both of the original advisories, and all of the replies 
on this subject, and nobody yet has properly assessed AND 
emphasized the actual risk associated with this tax software.

Lots of software programs do not encrypt sensitive data, but what 
makes this tax software different, and what increases the 
associated risk *substantially*, is that so much of your sensitive 
personal and financial information is contained, unencrypted, IN 
ONE PLACE.  Your full name, address, date of birth, phone number, 
social security number, bank account numbers, employment 
information, income information, credit card numbers (if making tax 
payment with CC), stocks, bonds, other investments, business 
information, etc - ALL IN ONE PLACE.  If you are married filing 
jointly, or have children or dependants on your tax return, then 
the personal and financial info for even more people is exposed. 
All of the information is guaranteed to be current and correct too. 
This is a gold mine for identity thieves.  Identity theft is one of
the fastest growing crimes in the US right now too.

Reference:  http://www.consumer.gov/idtheft/

Vendors of tax software should not allow users to leave all of this 
data in one place unencrypted; the risk is too great.

Note also that other tax software programs not mentioned in the 
original advisories are also vulnerable to this issue (thanks for 
noting those issues, kjk).  I'm not at liberty to discuss those
other tax software packages though.

Regards,
ken

Ken Williams ; CISSP
eSecurityOnline - an eSecurity Venture of Ernst & Young 
ken.williams@...com ; www.esecurityonline.com ; 1-877-eSecurity 
