CastleCops, Internet Crime Fighters
Passwords: Intuit Turbotax and H&R Block TaxCut Information Disclosure
Privacy
According to the Jupiter report, 31 percent of online
households intend to file their taxes over the Web this
year, up from the 30 percent reported by the Internal
Revenue Service (IRS) last year. The IRS plans to receive
80 percent of all returns electronically by 2007.

Complaints about identity theft have risen 73 percent from
a year ago, according to a new report from the Federal Trade
Commission.

With the influx of e-tax filers and the rise in identity
theft, PivX believes this vulnerability should be taken
quite seriously. Someone with a minimal set of computer skills
could locally or remotely obtain confidential information
on a multitude of users.


Intuit:

########################################################################

Mike Kristovich, PivX Security Advisory MK#002A

Date: January 10, 2003

Application: Intuit TurboTax
Version: All versions up to current.
Bug: Information in saved tax returns discloses Social Security
Number, full personal details, and more.
</gg_replace>
<gr_replace lines="129-133" cat="clarify" orig="With the influx">
With the influx of e-tax filers and the rise in identity
theft, PivX believes this vulnerability should be taken
quite seriously. Someone with a minimal set of computer skills
could locally or remotely obtain confidential information
on a multitude of users.
Risk: Can allow for identity theft, information disclosure
Author: Mike Kristovich, Security Researcher, PivX Solutions, LLC
e-mail: mkristovich@pivx.com

########################################################################

Sections:

1) Introduction
2) Bug
3) Proof of concept code.
4) Fix
5) Philosophy
6) Closing comments..
7) Contact

______________________________________________________________________


1) Introduction

According to the Jupiter report, 31 percent of online
households intend to file their taxes over the Web this
year, up from the 30 percent reported by the Internal
Revenue Service (IRS) last year. The IRS plans to receive
80 percent of all returns electronically by 2007.

Complaints about identity theft have risen 73 percent from
a year ago, according to a new report from the Federal Trade
Commission.

With the influx of e-tax filers and the rise in identity
theft PivX believes this vulnerability should be taken
quite seriously. Someone with a minimal set of computer skills
could locally or remotely obtain confidential information
on multitude of users.


TurboTax (Advisory #MK002A) and TaxCut (#MK002B) both
save their contents to the hard drive. These files are
unencrypted, and even with a simple text editor, you can
see all the information you would in the tax return.

These files can be accessed in any number of ways, but the
most likely way would be through unprotected Windows shares.

Many ISPs have blocked port 139 among others, but in newer
versions of Windows, you may also be sharing on port 445.
Port 445 is Microsoft Directory Service. A large number
of tax files and the identities within can be harvested
in a matter of minutes to hours.

Another key method of extracting these files is by means of a P2P
file sharing application such as Limewire, KaZaa, Morpheus,
etc. Many users have their P2P applications misconfigured,
and this is confirmed by doing a quick search on the tax file
extension listed below. See the KaZaa screenshot below of a
local-range search for tax files. A full network search could
yield thousands upon thousands of results:
http://www.pivx.com/kristovich/images/kazaatax.jpg

The bottom line is:
- Be aware of what you are sharing to the public -

There are other ways files could be collected, such as
through a worm, an exploit, or a trojan horse.

Intuit TurboTax files (.tax) are usually named this way:

YYYY Tax Return.tax

and the files are usually located off the root of the drive,
in a directory such as Tax02 Tax01 Tax99, etc.

______________________________________________________________________


2) Bug

Just a small insecurity can lead to a lot of information.

For TurboTax, you can do a simple scan for the
last name of the person, and closely following it, you'll
see their social security number. Browse around that area
of the file and you'll see their street address and more.
If you use TurboTax, load up one of your files in a binary
editor and check it out for yourself.

______________________________________________________________________


3) Proof-of-concept code

No proof-of-concept code is needed; just open the file in the
editor suited to its format:

(.tax) Hex Editor

View Example Screenshot:
http://www.pivx.com/kristovich/images/taxfile.jpg


______________________________________________________________________


4) Fix

Intuit has been contacted and is currently working on a solution.

They have informed us that they will now be encrypting files starting
in the next version.

The best solution is to move saved tax files to a more private place,
such as a CD-R. Even if a drive is not shared to the public, you may
still be at risk through other exploits or trojan horses.

As mentioned by Becky Worley in a TechTV article on Tuesday,
[http://www.techtv.com/news/security/story/0,24195,3420432,00.html]
Easy Crypto Deluxe is recommended to password-protect your
sensitive data. You can download it here:
http://www.handybits.com/easycrypto.htm

We thank Intuit for the extremely fast response on this one,
keep up the good work!

______________________________________________________________________



5) Philosophy

Full disclosure can lead to a quick fix, and prevent a problem before
it gets into the wrong hands.


______________________________________________________________________



6) Closing comments..

In the electronic world, consider nothing secure. You should never
store this type of information on a live computer. Be careful.

______________________________________________________________________

7) Contact

Any questions, comments, complaints, technical questions:

Mike Kristovich, Researcher
PivX Solutions, LLC
mkristovich@pivx.com

Other Inquiries:

Geoff Shively, CHO
PivX Solutions, LLC
gshively@pivx.com



H&R:

########################################################################

Mike Kristovich, PivX Security Advisory MK#002B

Date: January 10, 2003

Application: H&R Block Tax Cut
Version: All versions up to current.
Bug: Information in saved tax returns discloses Social Security
Number, full personal details, and more.
Risk: Can allow for identity theft, information disclosure
Author: Mike Kristovich, Security Researcher, PivX Solutions, LLC
e-mail: mkristovich@pivx.com

########################################################################

Sections:

1) Introduction
2) Bug
3) Proof of concept code.
4) Fix
5) Philosophy
6) Closing comments..
7) Contact

______________________________________________________________________


1) Introduction

According to the Jupiter report, 31 percent of online
households intend to file their taxes over the Web this
year, up from the 30 percent reported by the Internal
Revenue Service (IRS) last year. The IRS plans to receive
80 percent of all returns electronically by 2007.

Complaints about identity theft have risen 73 percent from
a year ago, according to a new report from the Federal Trade
Commission.

With the influx of e-tax filers and the rise in identity
theft, PivX believes this vulnerability should be taken
quite seriously. Someone with a minimal set of computer skills
could locally or remotely obtain confidential information
on a multitude of users.


TurboTax (Advisory #MK002A) and TaxCut (#MK002B) both
save their contents to the hard drive. These files are
unencrypted, and even with a simple text editor, you can
see all the information you would in the tax return.

These files can be accessed in any number of ways, but the
most likely way would be through unprotected Windows shares.

Another key method of extracting these files is by means of a P2P
file sharing application such as Limewire, KaZaa, Morpheus,
etc. Many users have their P2P applications misconfigured,
and this is confirmed by doing a quick search on the tax file
extension listed below. See the KaZaa screenshot below of a
local-range search for tax files. A full network search could
yield thousands upon thousands of results:
http://www.pivx.com/kristovich/images/kazaatax.jpg

The bottom line is:
- Be aware of what you are sharing to the public -

There are other ways files could be collected, such as
through a worm, an exploit, or a trojan horse.


H&R Block Tax Cut files are named with this extension:

.sbr (decently small files, usually under 8k)

and are usually located in a directory off the root of the drive, such as "TaxCut02", under the subdirectory "ProgramTaxData".

A "hacked" H&R Block computer could give an identity thief hundreds of plaintext files full of information.

Example Screenshot: [http://www.pivx.com/kristovich/images/taxcut.gif]
______________________________________________________________________

2) Bug

Just a small insecurity can lead to a lot of information.

Tax Cut is pretty simple to view. Just load the file into a text editor and you've got it all: Social Security number, dependents' SSNs, address, wages, etc.

Example Screenshot: [http://www.pivx.com/kristovich/images/sbrfile.jpg]
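Both Bug sections (TurboTax's .tax and TaxCut's .sbr) come down to the same check: does a saved return still contain the taxpayer's details as readable bytes? The script below is an added example, not code from PivX or either vendor. It walks a directory for files with the extensions the advisories name, counts SSN-shaped sequences in the raw bytes, and reports which files are still plaintext, so that a user can find the returns that need to be moved off the machine or encrypted. The directory layouts, file names and contents it creates are constructed sample data mirroring the advisories' descriptions; they are not real returns, and the exact on-disk format of either product is not assumed.

```python
import os
import re
import tempfile

# File extensions named in the two advisories: TurboTax .tax and TaxCut .sbr
TAX_EXTENSIONS = {".tax", ".sbr"}

# An SSN in dashed (123-45-6789) or undashed nine-digit form, bounded by
# non-digits so that longer numbers (account numbers, amounts) do not match.
SSN_RE = re.compile(rb"(?<!\d)(\d{3}-\d{2}-\d{4}|\d{9})(?!\d)")


def find_tax_files(root):
    """Walk root and return every path whose extension is a known tax-return format."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TAX_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def plaintext_ssn_count(path):
    """Return how many SSN-shaped sequences appear in the file's raw bytes.

    A count above zero means the return is stored in the clear; an encrypted
    file should yield zero, since its bytes carry no recognisable structure.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    return len(SSN_RE.findall(data))


def audit(root):
    """Return (path, ssn_count) for each tax file under root."""
    return [(p, plaintext_ssn_count(p)) for p in find_tax_files(root)]


def build_sample_tree(base):
    """Write constructed sample files (not real returns) in the layouts the advisories describe."""
    turbo = os.path.join(base, "Tax02")
    taxcut = os.path.join(base, "TaxCut02", "ProgramTaxData")
    os.makedirs(turbo)
    os.makedirs(taxcut)
    # TurboTax-style: binary noise with the last name closely followed by the SSN
    with open(os.path.join(turbo, "2002 Tax Return.tax"), "wb") as fh:
        fh.write(b"\x00\x01TTAX\x00\x00Smith\x00\x00123-45-6789\x00\x00Main St\x00")
    # TaxCut-style: plain key/value text, including a dependent's SSN
    with open(os.path.join(taxcut, "return.sbr"), "wb") as fh:
        fh.write(b"NAME=Jane Smith\r\nSSN=987654321\r\nDEP1_SSN=111-22-3333\r\nWAGES=41250\r\n")
    # What a properly encrypted return looks like to this check: no readable digits
    with open(os.path.join(turbo, "already-encrypted.tax"), "wb") as fh:
        fh.write(bytes(b for b in range(256) if not 0x30 <= b <= 0x39) * 4)
    # Files outside the known extensions are ignored by the audit
    with open(os.path.join(base, "notes.txt"), "w") as fh:
        fh.write("call accountant 555-0100\n")


def demo():
    """Build the sample tree in a temp directory and audit it; returns {file name: ssn_count}."""
    base = tempfile.mkdtemp(prefix="taxaudit_")
    build_sample_tree(base)
    return {os.path.basename(p): n for p, n in audit(base)}


if __name__ == "__main__":
    for name, count in demo().items():
        status = "PLAINTEXT - move or encrypt" if count else "no plaintext SSN found"
        print(f"{name}: {count} SSN-shaped value(s) -> {status}")
```

The regex is deliberately loose: it reports any nine-digit or dashed-nine-digit value, so a flagged file is a prompt to look, not proof of a leak. The useful signal is the contrast between the two plaintext returns and the encrypted one, which yields nothing at all.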
______________________________________________________________________

3) Proof-of-concept code

No proof-of-concept code is needed; just open the file in the editor suited to its format:

(.sbr) Text Editor
______________________________________________________________________

4) Fix

* No response has yet been received from H&R Block. (1/10/2003)
* Second contact email sent on 1/29/2003.
* No response as of 3/04/2003.

The best solution is to move saved tax files to a more private place, such as a CD-R. Even if a drive is not shared to the public, you may still be at risk through other exploits or trojan horses.

As mentioned by Becky Worley in a TechTV article on Tuesday,

[http://www.techtv.com/news/security/story/0,24195,3420432,00.html]

Easy Crypto Deluxe is recommended to password-protect your sensitive data. You can download it here:

http://www.handybits.com/easycrypto.htm

Hopefully the company will create a fix for this problem.
______________________________________________________________________

5) Philosophy

Full disclosure can lead to a quick fix, and prevent a problem before it gets into the wrong hands.
______________________________________________________________________

6) Closing comments..

In the electronic world, consider nothing secure. You should never store this type of information on a live computer. Be careful.
______________________________________________________________________

7) Contact

Any questions, comments, complaints, technical questions:

Mike Kristovich, Researcher
PivX Solutions, LLC
mkristovich@pivx.com

Other Inquiries:

Geoff Shively, CHO
PivX Solutions, LLC
gshively@pivx.com
Posted on Friday, 14 March 2003 @ 05:00:00 UTC by Paul (4018 reads)