bugtraq post relevant to Gnucash
swaters at luy.info
Sat Mar 15 20:18:01 CST 2003
While gnucash isn't tax preparation software, the general concerns about
centralized personal financial information should probably be
RE: response to tax software not
encrypting tax info
Mar 14 2003 8:47PM
<Ken.Williams at esecurityonline.com>
<F7D9C71C56007349BB92C92FF52874281EB90F at bermuda.esohq.kc>
I have read both of the original advisories, and all of the replies
on this subject, and nobody yet has properly assessed AND
emphasized the actual risk associated with this tax software.
Lots of software programs do not encrypt sensitive data, but what
makes this tax software different, and what increases the
associated risk *substantially*, is that so much of your sensitive
personal and financial information is contained, unencrypted, IN
ONE PLACE. Your full name, address, date of birth, phone number,
social security number, bank account numbers, employment
information, income information, credit card numbers (if making tax
payment with CC), stocks, bonds, other investments, business
information, etc - ALL IN ONE PLACE. If you are married filing
jointly, or have children or dependants on your tax return, then
the personal and financial info for even more people is exposed.
All of the information is guaranteed to be current and correct too.
This is a gold mine for identity thieves. Identity theft is one of
the fastest growing crimes in the US right now too.
Vendors of tax software should not allow users to leave all of this
data in one place unencrypted; the risk is too great.
Note also that other tax software programs not mentioned in the
original advisories are also vulnerable to this issue (thanks for
noting those issues, kjk). I'm not at liberty to discuss those
other tax software packages though.
Ken Williams ; CISSP
eSecurityOnline - an eSecurity Venture of Ernst & Young
ken.williams at ey.com ; www.esecurityonline.com ; 1-877-eSecurity
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : /pipermail/attachments/20030315/23c1cfb0/attachment.bin
More information about the gnucash-devel