bugtraq post relevant to Gnucash
Stephen Waters
swaters at luy.info
Sat Mar 15 20:18:01 CST 2003
While gnucash isn't tax preparation software, the general concerns about
centralized personal financial information should probably be
addressed...
Cheers,
-s
http://securityfocus.com/archive/1/315109/2003-03-13/2003-03-19/0
To: BugTraq
Subject: RE: response to tax software not encrypting tax info
Date: Mar 14 2003 8:47PM
Author: <Ken.Williams at esecurityonline.com>
Message-ID: <F7D9C71C56007349BB92C92FF52874281EB90F at bermuda.esohq.kc>

Hi,

I have read both of the original advisories, and all of the replies
on this subject, and nobody yet has properly assessed AND
emphasized the actual risk associated with this tax software.

Lots of software programs do not encrypt sensitive data, but what
makes this tax software different, and what increases the
associated risk *substantially*, is that so much of your sensitive
personal and financial information is contained, unencrypted, IN
ONE PLACE. Your full name, address, date of birth, phone number,
social security number, bank account numbers, employment
information, income information, credit card numbers (if making tax
payment with CC), stocks, bonds, other investments, business
information, etc - ALL IN ONE PLACE. If you are married filing
jointly, or have children or dependants on your tax return, then
the personal and financial info for even more people is exposed.
All of the information is guaranteed to be current and correct too.

This is a gold mine for identity thieves. Identity theft is one of
the fastest growing crimes in the US right now too.

Reference: http://www.consumer.gov/idtheft/

Vendors of tax software should not allow users to leave all of this
data in one place unencrypted; the risk is too great.

Note also that other tax software programs not mentioned in the
original advisories are also vulnerable to this issue (thanks for
noting those issues, kjk). I'm not at liberty to discuss those
other tax software packages though.

Regards,

ken

Ken Williams ; CISSP
eSecurityOnline - an eSecurity Venture of Ernst & Young
ken.williams at ey.com ; www.esecurityonline.com ; 1-877-eSecurity