[LINK] Identity theft virus infects 10,000 computers

rchirgwin at ozemail.com.au
Sat Aug 5 08:17:06 AEST 2006


Cutting back to the original story, I went and looked at Auscert again. 
It has placed an explanatory statement here:
http://www.auscert.org.au/render.html?it=6581

In this statement, Auscert says that the ATO released a statement on 
Wednesday about the problem. I can't see any such statement; have any 
Linkers seen the ATO release?

This is a very good example of a stuff-up. Crap disclosure, inept 
dissemination, and self-serving "clarifications" which serve only to 
raise questions like "whose backside are you covering?"

RC

Kim Holburn wrote:

> Identity theft virus infects 10,000 computers
> http://www.smh.com.au/news/technology/virus-infects-10000-computers/2006/08/02/1154198204613.html
>
>> MORE than 10,000 Australian computers have been infected by a trojan
>> virus - invisible to most anti-virus software - that is transmitting
>> their owners' private details to identity thieves.
>>
>> The Australian Tax Office confirmed yesterday that 178 taxpayers had
>> unwittingly revealed their tax file numbers while lodging tax
>> returns online.
>>
>> These people had been notified and were being offered new tax file
>> numbers, a spokesman said.
>
> Another reason not to use a Windows version of etax.
>
> Here is what I sent the tax office in feedback about a month ago:
>
>> etax is sadly lacking in security.
>>
>> etax only runs on Microsoft Windows.
>> It requires administrator access just to run.
>> It stores or tries to store personal data in the application directory.
>> It tries to install in the directory C:/etax
>> Your site wants to use Internet Explorer and with ActiveX turned on
>> to check security.
>>
>> All of these things make it a serious security risk.
>> As a security professional this is a series of badly thought out
>> decisions in regards to security.
>>
>> It is a fairly simple matter these days to use a development system
>> that creates applications that run on various systems like Linux LSB
>> or Macintosh.
>>
>> Security professionals these days are recommending people not run
>> Windows and if they do run Windows they should not use Internet
>> Explorer and if they do run Internet Explorer they should turn off
>> ActiveX.
>>
>> Applications should be able to run without Administrative privileges.
>> They should only store data in user directories.
>>
>> You really need to get a security professional to audit the whole  
>> etax system.
>
> -- 
> Kim Holburn
> Network Consultant
> Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
> mailto:kim at holburn.net  aim://kimholburn
> skype://kholburn - PGP Public Key on request
> Cacert Root Cert: http://www.cacert.org/cacert.crt
> Aust. Spam Act: To stop receiving mail from me: reply and let me know.
> Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
>
> In pre 9/11 US, you check out books at the library. In Bush's
> America, the library checks out you!
>                           -- with apologies to Yakov Smirnov