
Your Taxes Are Being Leaked

BSides Las Vegas · 2018 · 54:06 · Published 2018-09

About this talk
Michael Wylie examines systemic vulnerabilities in tax preparation software and CPA firm security practices that expose millions of taxpayers' sensitive data. Through research into the tax industry, breach case studies, and analysis of widely-used tax software, he identifies common security failures—unencrypted data, weak access controls, poor logging—and discusses what CPAs and taxpayers can do to better protect personal information.
Your Taxes Are Being Leaked - Michael Wylie Breaking Ground BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018
Transcript [en]

So without further ado, Your Taxes Are Being Leaked, and how, Michael Wylie will let you know. Thank you very much, appreciate it. Well, thank you very much for joining me early in the morning, for us hackers, here on the beginning of a hacker week in Vegas. This presentation has kind of changed a little bit since I submitted it. I first found a vulnerability that I wanted to share with the community, and how I found it and what we can do better, but as I started doing more and more research into it and talking to some of the security teams, I found more and more, and it started snowballing up until about last week. I was on the phone with some of these

vendors and they're still struggling to fix some of the vulnerabilities, so it's kind of taken a little bit of a turn, and I've tried to defang some of it and anonymize some of it, as they're still rolling out patches. Tomorrow they're rolling out more patches; some of them haven't even addressed some of the vulnerabilities yet, and it's a long road to fix this, so I hope this can do good. And I've got this talk booked for later in the year, and hopefully I can release more of the details; I've had to remove some of the specifics just to protect all of our tax data. So I think they did a great job introducing me, but

basically I'm a co-founder of Corporate Blue. I do cybersecurity consulting, Department of Defense contractor, I do training for the US Department of Defense, some universities, I've built some pentesting programs for colleges, and I teach cybersecurity as well. So this is kind of the outline of what we'll go through: we're gonna do a little bit of introduction to the tax prep industry and what I've kind of found on that, we'll look at the research and some of the case studies into breaches, specifically in California, where I reside, we'll look at some cybersecurity laws and how they apply to CPAs and tax preparers, then we'll look at some common breakdowns in the CPA security, or tax

preparers', and what they're doing wrong, then we'll analyze tax prep software, some of the ones I've looked at, what the tax prep and CPA people are using, and then we'll go into a systemic issue, or a lot of those issues, that I found when testing the software, and what I've been doing working with the vendors to fix some of these issues, and then what you can do and what your CPA can do to protect your taxpayer data. So, the tax industry: I learned a lot doing some of this research into the industry. It's a large global market; 11 billion dollars are going to these CPAs and tax prep people. I don't think this

includes a lot of the advisory services like Ernst & Young and Deloitte are doing; these are just for tax preparation. In North America it's 4.6 billion that they're generating. There's about five data breaches per week according to the IRS and their report in 2017; 177 tax pros reported breaches from January to May in 2017. Five point billion dollars was paid by the IRS in refunds to fraudulent attackers in 2013, and then the IRS claimed that they stopped twenty four point two billion dollars in fraudulent returns in 2013, so they did a good job in stopping a lot of those, but there's still a lot of fraudulent returns that are going on, and our refunds are going to the bad

actors. So how do Americans file their tax returns? We can see that some people are going to H&R Block or those brick-and-mortar places, others are self-filing (if you do that, kudos to you), 19.2% don't file taxes at all apparently, and ten percent, or just about eleven percent, they have a friend or family member that knows tax laws and they file for them, and then a lot of people are using TurboTax, so 34 percent-ish will use TurboTax, and then almost 30 percent are using a CPA or tax preparer to do that. So I kind of broke this down based off age as well, because I wanted to understand, and I think we're missing a piece, what about businesses, but I

think most businesses are going to use a CPA or tax preparer. But we can see the higher income earners, and as you get a little bit older, you're probably going to be using a CPA compared to filing yourself or using TurboTax or having a friend or family member do that. So the IRS: I saw a couple articles and people were saying yeah, we're doing great as tax preparers, we're protecting your data, we've stopped a lot of these fraudulent filings, but yet even the IRS in 2016, 2017, 2018 has sent these reports to tax preparers and CPA firms saying that there's a lot of warnings, that they're seeing an increase in these fraudulent filings and taxpayer

data being leaked, so thieves are able to access tax professionals' computers, use remote technologies, take control, access client data, and complete and file returns on behalf of all of us. So essentially there's different ways, and I'll go into some of these, that the attackers are doing this, but they are able to get into the CPA or the tax firms and they're looking for your and my extensions, and when they see that you filed for an extension, then they go ahead and file a return on your behalf and they send your refund check to their PO box or some other place, and they take your taxes, or your refund check, from you. A special agent for the IRS, he's saying that the

bad actors tend to go for the low-hanging fruit. I thought this was an important quote because a lot of the CPA firms, the smaller ones that I work with, they say we're not really a target, we're not EY, we're not Deloitte, we're not KPMG, we're not really a target. But even the IRS and special agents are saying no, we're seeing that they're going for the low-hanging fruit. Deloitte, EY, et cetera, these are big players, they should have better security in there, but your little 5, 10, 15, 20 user, or even up to a hundred user, CPA firms, they're the low-hanging fruit, they don't have the security controls in place. They're also seeing that Wi-Fi security is one of the

biggest and most common threats for these small firms. So let's look at some of these case studies. So what I did is I went through the California breach notifications, and it's a little hard to dig into what I wanted because a lot of these CPA and tax prep firms, they're using their names; it's kind of like a law firm, and they use like Wiley & Sons LLP or whatever it is. So I kind of had a hard time going through that and figuring out what are CPA firms versus law firms, so I had to use some keywords. Unfortunately I only used CPA and tax as my keywords; I probably could have used accountancy or accounting as well, but I

went with those keywords and I looked at every breach that I could find in the California database since 2015, and 2015 is when California set up their database and they started recording this information online, so that's all the data I had, was 2015 to present. And each state has their own data breach laws and reporting requirements, so you can check out your own state, but I wanted to focus on what I knew, and that was California. So I had the 2015 to current data. I had to make some assumptions: most states, they've got only electronic breach requirements. So I don't know about you, if you go to a CPA or you've been to any of these places,

I've been to plenty of CPA firms doing security assessments, and when I go there I see piles and piles of paperwork, right? They've got tax stuff, and I get a little bit concerned when I go in there because I can see other people's income tax returns all on the CPA's desk, and I wonder how many other people are coming in here and seeing my tax returns sitting on your desk. And so almost all states do not require you to report if your physical files get taken; it's only for electronic files. So these 2015 to present breaches that I've researched and went through, they are only electronic breaches as well. We also have to assume that even though they're

required to, it's kind of difficult to get caught, unless, you know, if someone broke into a CPA's firm and they got the digital records, they may notice, they may not. But even if it did get noticed by the CPA firm, it's not like the police are going to swoop in, or the FBI or the CIA or the IRS, and see that, so a lot of these places may just say well, we're not really going to get caught, so why report it? We also see that in California if it's less than five hundred records, so if I'm a CPA firm and I have 499 of your records that got stolen, Social Security numbers, home addresses, spouses'

information, child dependents, et cetera, I do not have to report this as a breach. Also if it's over 500 records and it's encrypted: so I lost 9000 records at my firm, for example, but they were encrypted, and they were using DES, or maybe they were just using MD5, or maybe they were really just base64-encoded, I may not have to report that either. Companies: so as I mentioned, I used CPA and tax as my queries, and I was a little bit surprised, from the records and the research to date that I found, that they were very vague. And so California provides a template of what you can kind of send out to your customers if you have a breach, and

one of the things I saw in common was that you have to obviously say well, we're going to pay for Experian or whatever to monitor your credit for a year, but it was very, very vague on what they actually had to say that happened, and a lot of times I felt like they didn't even know what really happened. So these statistics are kind of my assumptions based off of reading every single report. I see that there was about 12% of them I would categorize as email compromise, so that tells me that they're not using multi-factor authentication, they're using weak credentials, they're susceptible to phishing attacks. And in the most recent spear-phishing campaign that we did for a

local CPA firm, we had over 80 percent open rate, right, and we sent that out on April 17th because we knew they'd be busy with taxes and filing at the last minute, so we waited until the morning of that and we sent out our spear-phishing campaign, and we got a large open rate and large click-through rate. So we're seeing that that could then lead to some of these other attacks, like malware, unauthorized remote access, portal compromise, or any of these others up here, but 12% I think is too high for our CPAs and tax prep people. If they have public-facing sites or authentication such as webmail, Office 365, Google Apps, they need to have

multi-factor authentication; we shouldn't see that there at all. On the other ones I saw malware, so we don't really know what the malware did; it was very vague, they just said we got infected, a system got infected. I don't think they knew, or they really spent the time investigating, what the malware did. They might have just seen a pop-up come up and they said okay, I've got malware or ransomware, and they don't really know. I even read one report and the CPA firm said we got ransomware and so we're reporting this breach. For me, I have no idea why they're reporting a breach; ransomware, I think that's encrypting your data, so is there

something they're not sharing, that, well, the data was also exfiltrated and they're not really letting us know? Or did they not really know what the ransomware did and they thought they had to report it? So there's a lot of confusion in these reports. The other one that really surprised me doing this was physical security. So I was thinking, okay, a CPA firm, they know what they have, they've got these physical records, they probably have these fireproof safes and they're taking care of our data. 25% of the breaches stemmed from a physical security issue, so a laptop being stolen, someone breaking into the office. This isn't just someone throwing a brick through the window and they got in; this

was data actually taken out of the environment. We'll go into a couple examples of those as well. Okay, and then the other one was a lot of unauthorized remote access: almost 40 percent went on through some access. What does that mean? I have no idea; that's how they kind of classified it. So did they have remote desktop open and their domain controller public-facing on the Internet? Were they using some remote software, was their IT team doing something, did they have VNC running? We don't really know exactly what that was; they just classified it as unauthorized remote access. Okay, and then what were the attackers actually after? This was really difficult for me to decipher because they don't

say; they just kind of said this large amount of data might have been stolen, and this is what we think might have happened, and this is the date range we think there might have been someone in here. That's it, that's all we have. So a big part of that, 56%, I could not distinguish what the attacker was actually after. Was it to file extensions and get a refund? Was it to take your Social Security number and/or medical records or whatever it was? I really don't know what they were trying to do; I don't think we ever will. 25% was to file fraudulent returns, so that seems to be one of the targeted attacks; the

goals of the attackers are to get your Social Security number and find out your own extension and file the returns on your behalf to get that money. Okay, so I've got a couple local case studies in California, but I also have a couple larger companies. So even Deloitte, right, so we thought they were secure, E&Y secure, these big companies; we even see that Deloitte had some of these issues as well. It's very difficult for me to find out what exactly happened at these private companies because the reporting requirements are so vague and subjective that you don't really have to say a lot of information. So if you look at Deloitte's website about the breach,

they said that very few customers or clients were impacted, and they think it was only a couple, so they did not even put the breach in the California database. But then there's other sources that say all administrative accounts and all internal systems were compromised, so I'm not really sure which it is; we have conflicting information. The one that said that all administrator accounts and internal systems were compromised was supposed to be an internal employee, like a whistleblower, so we don't really know exactly what happened there either, but then it may or may not have been a couple clients or all the clients. They also got in a little bit of trouble because the breach happened in 2016

and then it wasn't until late 2017 that they actually reported the breach, so it could have been an entire year that your Social Security number or your data is leaked out. Cases, more local ones in California: so Wheeler and Egger, they had a breach in the end of 2016 or mid 2016, and they reported it about a month later. They basically said a bad actor e-filed 45 returns on extension. So this one actually was reported to me by one of our clients, and they said that they knew this company, and they had mentioned that it was a sophisticated attack, and what happened is the attackers were actually on the network quite a bit longer, and they didn't find

out until about that month, and then they looked for specific customers that were high income earners and that had filed an extension, and those forty-five unique individuals out of thousands they targeted, and they saw that they would be able to get a substantial refund check because of their income level. They filed those returns and they got the refund check and they walked away with it. And then when the CPA firm went to go finish the extension and file the paperwork with the IRS and the state, the IRS kept giving rejections saying you've already filed your return. Now that's a little bit strange, you know, we did an extension, no one in the

office knows about these people, and they did a couple more returns, they found another one and another one. I thought this is unusual, we have so many people and they're saying that they've already filed their returns, and they haven't gone, they haven't left our firm or gone somewhere else, we know that they're our client. So they called the IRS, and the IRS said we were about to come visit you, we know exactly what happened. So the IRS is looking for some of these things; they're aware of it, and we're seeing this more and more, these e-file returns by the bad actors. And as usual, most of them will say that we don't know everything that was taken,

but we assume it's your name, your gender, your date of birth, your telephone number, your address, Social Security numbers, EIN if applicable, your employment, W-2, 1099, K-1s, etc., investment information and more. So in this specific scenario they assume it's malware. What I assume happened there is that they had some kind of, it was a targeted attack, and there was some type of, let's say, a reverse shell or something that they had access through, because I don't think just malware is looking for tax data and then it's going to e-file a return. So I think that might have been the entry point, but there was a lot more; it was a sophisticated targeted attack. Geoffrey Bourne CPA: this is the end of

2017, so you can see these are even recent scenarios that are happening. Two unencrypted, password-protected laptops were stolen. So I kind of chuckled at this one, and I thought well, they're saying, and I added unencrypted, but they just say to all of their customers that were affected by this breach, that had their name, date of birth, telephone number, Social Security number, 1099s, tax data, insurance information, all the stuff that was leaked, they sent them a letter saying we'll give you a year of protecting your identity, and really what happened is we had two laptops that were password protected, so it's okay, and they were stolen. But if you remember back on the

reporting requirements, you only have to report if it's unencrypted and it's a certain number of tax records, or breaches. So this basically is saying yes, they were password protected, but this means the CPA is not doing basic security and encrypting those laptops, and essentially those laptops were taken. I can pull the hard drive out as a bad actor and I can throw those into another machine and I can see all that taxpayer data. Gabe Friedman Perry CPA: this one happened over a span, so it's about a six month span that we see where there's potential bad actors sitting on the target network, and it took them about two, three months to report

this breach. And so they can see, they were able to determine that there was bad actors that came in from a foreign IP address, so they weren't using any kind of geo-IP filtering or protection against those foreign countries, and it looks like, from what I can read, that it was Remote Desktop Protocol that they had access to. So this tells me that on their private network they had Remote Desktop, port 3389, that was open and someone was able to get in. I'm also gonna make some assumptions there: they probably didn't have lockout policies or any thresholds or anything like that, so someone's probably brute-forcing that, trying to get in to a system, and I can

only imagine that it was a file server or domain controller or something like that. Okay, and they filed a ton of fraudulent 2016 tax returns. So data that was accessed, again: full name, date of birth, telephone number, draft Social Security, tons of other data relating to your taxes. Okay, and then this one is a little bit different. I got two more case studies here, so this one was TaxSlayer. There was a huge breach, almost nine thousand tax records were released, and TaxSlayer, if you're not familiar with them, I believe it's a little more like TurboTax: you can go on there and you can file your tax return, get help with your taxes. And so they had, from what the

FTC said in their complaint, is that there was weak security measures that were involved that led to this breach of over 9,000 accounts, so usernames and passwords that were able to be compromised. They were able to get that, they were able to get in and see tax returns from 2014, Social Security numbers, names, addresses of 9,000 people. Okay, and then Intuit TurboTax attacks. So I want to put this one in there; a lot of people are probably using TurboTax. So according to the research, and Tim Tomes was actually the one that brought this to my attention as I was letting them know about this talk, and so from about 2010 to 2015, and in the

reports they have here it's a little bit vague because a lot of it has been kind of suppressed. So 2010 to 2015 there's allegations and court cases, as well as articles from whistleblowers, that TurboTax knowingly was seeing fraudulent returns coming in and they were basically ignoring that to keep the revenue high. So there's a couple court cases that people filed, class action lawsuits, individuals, after these two individuals, ex-employees, Shane and Robert, that were in the Intuit, I think, security departments, and they notified management that we have clear evidence, or we have clear indications, that these certain accounts are filing bad tax returns. For example, you see an account, a TurboTax account, and it's filing over a hundred different tax

returns; doesn't really make sense, you know, why do you have a hundred different Social Security numbers in there? So they brought that up, or that there was multiple or duplicate Social Security numbers being filed with different TurboTax accounts; that's another indication, why would a user try to file their taxes three, four, or five, ten different times? And so they reported that to management, and management claimed that they're not going to do anything about that. And TurboTax makes 50, about one hundred fifty dollars from what I've seen, filing these tax returns, so they thought well, for getting this money, why suppress these? And so I say these are allegations because they're there in court documents, and I've got

these in notes afterwards, I can share the link for this, but every court case that I saw that was filed against Intuit regarding this issue, after these whistleblowers reported this, were suppressed with arbitration agreements. So I'm assuming when you go and you sign up for TurboTax, they are saying, when you basically check that box and you go through that, you're agreeing to arbitration. So every time someone filed a lawsuit and said you're leaking our data, you're breaching this, you're negligent, TurboTax, Intuit, came back and said look, look at that arbitration agreement, you can't do this in court, and they basically pushed it under the rug, and we don't know exactly what happened in

arbitration. Intuit, I think, said this, in one of the articles I read, that it's the IRS's job to catch fraudulent returns. In response to this they're saying no, it's the IRS's business, we're just basically filing returns, it's not our responsibility, we're pushing it off on someone else. And Intuit was granted dismissal and closed the door; arbitration cited their case there. And the victims in this, all these people that had the fraudulent e-file returns because TurboTax let them do this, even though they could have stopped it, allegedly, they are no longer allowed to file returns. The IRS has said, you know, someone has your Social

Security number, you no longer do that. So now they're inconvenienced and they're damaged based off of this, and from what I saw in the court cases it was over 30 hours per person that they dealt with these issues and all the problems dealing with the IRS and the states and trying to clear up their name for this. So it's a lot of pain, suffering, and financial impact to these individuals because their data got leaked and Intuit allegedly had the ability to stop that. Okay, so let's look at some of these laws. I thought okay, there's got to be laws for this, right? We've got HIPAA, we've got PCI DSS, we've got all these laws, there's

got to be some cybersecurity laws for this. And I talked to some CPA firms and tax preparing firms about this; they said, what, what are you bound by? And then they said well, the IRS tells us all the stuff we have to do. Okay, so they've got some laws. They said there's the AICPA, they've got some laws, and they said state laws. So I started doing some research, and I like to think I'm pretty good at Google searching, that's how I'm in IT, I'm in security, that's where I got to where I am. But the AICPA says that there are actually no uniform federal laws on business cybersecurity, and this was relating to CPA firms, so there's nothing

federally saying that. Okay, maybe the IRS has something. I looked at the IRS and scavenged through their site, and I see that there's a quote: the IRS recommends preparers create a security plan. That's pretty much what they say; that's their law. GLBA, or GLB, was probably the closest thing that I saw to a law that applies to CPA or tax prep firms. So there's a Safeguards Rule that says you need to designate one employee to coordinate InfoSec, you need to identify risks to PII, you need to design, implement, monitor, test safeguards. This law was enacted in 1999; has cyber changed since then? I like to think so. Okay, so I think that it's a little

bit outdated and it's not really doing a whole lot of protection. And I've gone through so many security programs and policies and built them for customers and whatnot, and they all say okay, it's a requirement from a customer or a regulation that I have someone designated as our InfoSec person: office manager, that's you. They don't really know what they're doing; there's no training involved with this. So these are kind of like checkbox items. Identifying and assessing risks to PII: I guarantee if I went to a CPA and said this is a requirement, they're gonna go ahead and say well, tax returns, that's it, that's all I have, but they're not really doing anything to protect these. There is

the Financial Privacy Rule requirement. The IRS has, there's a couple sections of IRS code that require disclosure and penalties for unauthorized disclosure, but again it's not really anything preventing or keeping CPAs in check, right? And I use the CPA term, but it's really tax preparers; you don't have to be a CPA to do tax preparation, you have to take a quick test. The IRS has some requirements I did find for e-file security, so if you're e-filing, or your tax person's e-filing, or you use TurboTax and they're e-filing for you, there are some, there's six requirements that they give out. One of them's having an Extended Validation SSL certificate. Yeah, it doesn't even have to

be really installed properly; you just have to have one. Weekly external vulnerability scans: I have seen so many vulnerability scans, and I have rarely seen someone actually take their vulnerability scan and really do something about it. The Department of Defense is probably one of the closest ones that do it pretty well, but a lot will get those vulnerability scans and they look at it and they say I've got a lot to do, overwhelmed, we don't have the resources, so we're checking the box. We have a vuln scan, we know that there's vulnerabilities, but we don't have time to fix it, or I don't really know how to fix this. It says that my server is

accepting remote desktop, but I need access to remote desktop, or it's using weak ciphers, but I'm not really sure how to fix that, and we're not gonna pay for an InfoSec person to come in, so I have the vuln scan, I did my job, but that's it. And also it's an external vulnerability scan, if you see, as well. So external vuln scan: you probably have a firewall, maybe a Palo Alto, SonicWall, a Cisco, whatever it is, and it's doing a fairly good job, and I really think, when I do security assessments and pentests, I don't try and attack the external gateway; that's very difficult for me to do, I'm not that smart to break into one

of those, but I can phish a user and I can go on the inside, or I can drop a USB drive, or I can do other things internally where you're much easier, lower hanging fruit to get in. They need to have information policies and safeguard policies, but as much as I like policies, a lot of people just, they've got it in place, it's a checkbox, they don't look at it, they don't update it, it's not really doing its job. You need to have a website with CAPTCHA, right, and so you might have, you accept tax returns, something like that, so you have to have CAPTCHA. It doesn't have to be properly implemented or tested; you just have to

have it. Your domain has to be registered in the United States. Okay, and then you have to report security incidents, but that's also state and federal requirements. So there's not really a whole lot that they're mandating, even if you're doing e-file. They do have this, so if you've got a CPA, or maybe you work for a tax prep firm, this is a little snippet from the PDF that I found that I actually thought was pretty good, that the IRS posted. And so they've got this, I think it was in 2018, June 2018 was the last revision of this PDF. It's called Safeguarding Taxpayer Data; it's a PDF, it's pretty lengthy, and it's got some really good

checklist items, so you can go through there and you can say ongoing, or you've done it, or it's not applicable, but you can maintain this, and it's a pretty good checklist for security, and it's geared at tax preparers or CPA firms. Okay, and again, to kind of combat what some people are saying, oh no, we're getting better, we're getting better, we're not seeing as many fraudulent returns, we're not targets, blah blah blah: what I see from the IRS Commissioner himself, he has said the threat remains and we need to help tax professionals take basic steps. So they're not even taking basic steps to safeguard systems and taxpayer data. Hey, this is a site, it was

DWT.com, it was awesome, it prepared this graphical map for me that showed me what are the breach notification statutes in the different states. So we can see that most states, the ones in yellow here, you only have to report the breach, so if your taxpayer data gets out, in any other state except for a couple of those green ones, and it's physical copies, so your whole CPA office gets ransacked and they take all the file cabinets, they don't even have to let you know about that, right? So most of it's just electronic data. There's also another way for them to kind of get out of reporting the breaches as well: there's a harm threshold, so the ones in

yellow here have that harm threshold, where notification's not required if, in good faith and prompt investigation, the covered entity determines that the breach is not reasonably likely to cause substantial harm to you. Okay, so there's a lot of subjective things, you know, reasonable, substantial, etc., good faith, you know, what's a prompt investigation? There's a lot of things in there that they can weasel their way out of. There's also, as I mentioned, the encryption safe harbor, so if you've got encrypted, truncated, obfuscated, so you take a Social Security number, you convert it to base64, they may argue well, we don't have to report this because it's obfuscated. Okay, and so in some, in

California, California has a couple of laws. You've got the breach notification laws, and that's where I got a lot of my data, and there's finally one, this one has been put into law, but you don't really have to follow it until 2020: it's the California Consumer Protection Act. This is one I found out about recently; 2020 you have to start, it's enforceable, it allows consumers to sue companies for unauthorized access, exfiltration, theft, and disclosure of your information. So in the future we should have this; this is supposed to be kind of similar to GLB and whatnot. So California breaches, so here's the problem that I found. So there's, in

all the breaches I've read and the CPA firms I've done security assessments for, I see a common theme here, so a broken record: there's improper basic security controls, there's file servers with taxpayer data that have full control for anyone in the office, so everyone has full control on these shares, NTFS and the share permissions, the IT people just don't understand that or they're not locking it down for whatever reason. There's other things like passwords, shared passwords in the office, these basic controls that are not put into place. We see lack of logging, so in all these breaches it's a lot of "I don't know what happened, I'm not really exactly sure, we think this happened." So

we're seeing they're not logging properly, they're not notifying, there's no encryption on taxpayer data, laptops are being stolen, backups are being stolen, unauthorized access to these systems, and what I'll show you towards the end of my talk here, actual tax software that they're using to file your tax returns is not even encrypted at rest, in process or in transit. We're seeing that there's no clear understanding of what data was taken. It's kind of like, we weren't logging properly, we don't have an IR policy, we're not really sure, so we know someone got in because something happened, but sorry, we don't know. And then they'll give you one year of identity theft protection. So me, as

the attacker, thinking as the bad person: if I breach a CPA firm or tax prep firm, then I'm gonna wait 13 months and then I'm gonna go ahead and do identity theft after that point. So you're still impacted after one year, but they're only required to do the one year of identity protection. And they play down the severity of what happens. I'll show you in a second some real ones; some of them are paraphrased, some of them are exact quotes from these breaches, and I'll translate that into what it really means. So they're playing down what happened, and for the end user, not you who are at a security conference, but your parents, your grandparents, your

relatives who are in different industries, they might see that and say, oh, a password protected laptop was stolen, we're safe, it's okay, we're good. They don't understand what this actually means, and there's no requirement to educate the users. And then reading the breach reports, it's not clear who, how, when, or what they're even doing to protect this in the future. There's nothing that requires them to actually take better controls in the future or make sure that they've remediated all the security issues. Okay, so let me translate some of these reports for you. So statement: a password protected laptop was stolen. That means the laptop was not encrypted, your sensitive data has been accessed by

someone else, and they could just plug it into another laptop and they can see everything that was on it. Another statement: we found unauthorized access to our secure network. If there's unauthorized access, is it really secure? We immediately contacted our IT consultant and promptly hired an IT security expert. So our IT consultant doesn't really understand security, we didn't have the proper controls in place. Another one: the attacker managed to hack into our systems despite the use of firewalls and antivirus software. So really, they're just checking a box, or they didn't implement it properly, they don't understand the security controls. Another statement: backup hard drives were stolen, though they require proprietary software to be readable. I downloaded

every single software except for one, and within a matter of about 10 minutes in AWS I spun them up and I was able to read the database files. Also, most, and I won't disclose exactly which vendors, but with most of the tax prep software I found the file that they're actually storing all the PII data and your tax data in, pretty much everything, and they are in some proprietary format, but if you've ever used the strings tool in Linux, or you can download it for Windows, all your data is in strings, clear text, so you can just read it with that. So that proprietary software, for me, I don't even need to install it, I can just run

strings against the file. I'll grant that some of them did make it a little difficult to find, and I had to dig around in directories, but it didn't take too long. Also, none of that data has been encrypted, or they wouldn't have to do these reports. Another statement: we take aggressive steps to protect your information to ensure all records are securely locked. This is in a breach notice, so the data was not securely locked, it was unencrypted and someone already got your data. Okay, but I think these are important because non-tech or non-security people are seeing this and they're saying, oh, okay, they take aggressive steps, they securely lock this thing, it wasn't their fault, right? And

maybe they did do a good job, maybe I'm being too hard on them, but what I've seen in doing more and more research into this is that everyone's passing the ball as far as who's responsible for this. The CPAs aren't responsible because they're buying secure, protected software and they're buying firewalls and antivirus software. And the vendors I've spoken to: we're not at fault because there's clear text protocols that the CPAs are using, and also it's the IRS's responsibility, not ours. So everyone's kind of passing the ball. And the IRS says CPAs need to take basic steps to secure this stuff. So who's really responsible for our tax data? So let's look at some of the

software that the CPAs and tax people are using. So there's this great survey from the Journal of Accountancy that I grabbed; they provided this awesome information. So there's really only a handful of software that the tax pros are using. Again, this is not the TurboTax or, I think H&R Block has their own proprietary software; these are, if you go to a CPA firm, a tax prep firm, this is what they're using. And if we add up all the different categories except for "other", we're gonna see that it's about 84%, if I did the math right, that they're using the top five pieces of software. Even if we take the top two

here, and we see that UltraTax CS and ProSystem fx, that makes up, you know, pretty darn close to 50%, a little less than 50% of that. So these are major targets here on the 2017 survey. They did a little better job in the 2016 survey and they broke it down by number of preparers, and this was one of my favorite slides for when I started talking to these vendors that make the tax software, and they would say to me flat out, and this is even as of Monday of this week, they told me, well, we know, we're working on securing the software still, we're putting a patch out soon, but our software is not meant for

large CPA firms, or our software is not meant to be shared amongst multiple CPAs, it's for one user and a client only. And I look at this and I would show them this and say, wait a second. And I won't name the vendor, but I'd say, you know, pretty much if you look at some of these, and let's just, again, it's not them, but let's take CCH and say, okay, well, if you're saying that... over a hundred users at the CPA firms, thirty percent of the CPAs are using your software in a hundred-plus environment. So even though you say we don't recommend it and it's not designed for that, that's not how it's actually being

used. And you have KB articles, you help people install it in server-client models and topologies. So even though you're saying one thing, that it's not your responsibility, we can see the data that it's being used a certain way, and you as a manufacturer of this tax software that's holding sensitive data, you are responsible for protecting all of our tax data inside of it. Okay. And this one, I'm going to kind of skip through this, but I've got these slides again later on. I tried to find, looking through surveys, why CPAs are using one software over another based off the size of their firm. I didn't find a lot of information that kind of

correlated it. I could see ease of use was a big one. It's funny, but price was a big reason that a lot of people either switched software or bought one software, so price and ease of use seemed to be the reason that one piece of software was more popular than another, and support. I didn't find too much different on this, but one thing I noticed looking at all these different tables was there was nothing on security. They didn't do any surveys of how important security is to you, what measures, you know, the steps that the provider of the software is using for security, is that important, is it not important, anything. It's not even part of the survey here at all. Okay,

so let's look at some of the testing of the tax software, and I want to go into a couple of definitions before showing some screenshots, because I've had a lot of debate with different tax software vendors and people, and they're trying to argue whose fault it is. So I thought Troy Hunt's quote on Pwned Passwords was pretty good. He says the entire point is to ensure that any personal info in the source data is obfuscated such that it requires a concerted effort to remove the protection, but that the data is still usable for its intended purpose. So we need to protect the data but also make sure it's usable.

When I looked at MITRE, I thought, well, how do I start registering these CVEs? Because I'm not really a software person, I don't do exploit development or security research, this is my first project in this. I'm really focused on securing businesses and doing some security assessments and pen testing. And so as I looked through this I thought, okay, well, how exactly do I classify this? And I kept getting pushback from the vendors saying, no, no, it's not a vulnerability, really it's an exposure, it's not this, it's not that, it's not our fault, it's really the protocol. So I kind of want to go through these, and while I do think

that these are some exposures, I also think there's some vulnerability to it. So with an exposure: a system configuration issue or a mistake in the software that allows access to information or capabilities that can be used by an attacker as a stepping stone into a system or a network. So I thought, well, it kind of makes sense, but it's not a stepping stone. If you're an attacker and you're after Social Security numbers, names, date of birth, tax data, is it a stepping stone, or did you get the jackpot there? Then when we look at vulnerability: a weakness in the logic found in software and hardware components that when exploited results in a negative impact to confidentiality,

integrity or availability. Well, these exposures do have a negative impact on confidentiality. I would assume you want your Social Security number and your home address and your phone number and spouse information to remain private. And then so if we look at the definition of access control, or improper access control, which I registered most of these CVEs under, they're defined as: the software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. And so I went back to this; that's the definition of a vulnerability, it's one of the sub-categories you can register the CVE under. And the manufacturer of one of the software kept saying it's not really, you know, a weakness,

it's not our responsibility, it's a clear text protocol, or there's other servers or things that are leaking the data, it's not us. But again, this here, and I underlined it: the software does not restrict or incorrectly restricts access from unauthorized actors. So I do think that they're responsible for protecting that. So in my findings I found, looking at these different CPA firms, that if you have more than one CPA or tax preparer, even if it's one CPA and an office administrator, the office administrator still needs access to the tax software because it's the CRM as well. They need the phone number, the name, they need to print documents. So even if it's a one

CPA with an assistant or an office manager, you're still probably doing a client-server topology, even though most of these vendors, when I spoke to them, were saying that it's not meant to be that way, it's only supposed to be a client and client setup. So we're not seeing that, even though they're saying that's how it's supposed to be, okay. And they also said, well, if you're gonna do client-server, if you need more people to access the software, you set up Terminal Services or Remote Desktop Services. Great, now we've got Remote Desktop running around on our network that we have to control as well. Also, the default setup when you start installing the software in a client-server

relationship is to use SMB version two. Many of the software vendors don't recommend SMBv3 due to the performance. So when I first started this, in my first disclosure, and I contacted the vendor, almost slipped with their name, they said, no, no, no, we don't recommend SMB version three, there's a performance hit, we don't even support that. And I kept pulling up the chain, up the chain, eventually to security managers and their InfoSec team and developers, and they finally said, at the end of four months now working with them, they said our recommendation is use SMB version three with encryption. Okay, I thought there's a performance impact? No, no, there's not a performance impact. Okay,

so are you recommending that now, or are you requiring that? Because going back to this slide here, the software needs to restrict access, or unauthorized access, and they said, well, we can't force people to use that, so we're just going to recommend that, and that's our solution to the data exposure. All right, well, if you're not restricting, you're not really doing your job and not being responsible for this. So vendors claim they don't recommend the client-server relationship. The sensitive data is unencrypted in transit and at rest, at least from what I found; I didn't even look at it in memory in a process because I'm making an assumption it's already in clear text anyways. Still working with vendors on the patches, so

no one yet, out of all the tax software I've tested, no one has fixed the problem yet. All right, and this report of four months ago was the start of this. I'm still working with them. I had a call as of Monday with one of the teams, also with their compliance, which I think is a fancy word for their legal counsel, and one of them is releasing a patch tomorrow, which I'm very grateful for. And they were actually the last vendor that I found the issue with, and I reported it to them and they're releasing a patch tomorrow, so kudos to them. But still, there's a lot of issues, and they're only fixing one of the two

issues. Um, so I did some screenshots there for illustration. Originally I had exactly which vendor, the CVEs, how I found this, and I had to tweak this because I am shocked that they still haven't fixed these issues. But my CPA, every CPA I've ever used, their software is still vulnerable, so I don't really want to give you all the details and you go find my CPA and now you've got my tax data. A lot of security pros that I know, I've asked them, hey, what CPA do you use, and then I've gone and tested that software and it's vulnerable too. So I feel like all of our data, if we use a CPA, we're probably still vulnerable

to this. So I'm trying to keep it a little bit under the rug until maybe another couple of months or two, and then I'll post a blog, and then I'm also gonna be talking at ISACA in Nova Scotia, Canada, and I'll release all the details, pending that they please, please fix these issues. So these screenshots that I have coming up here, they are defanged, and some of them don't exactly map one-to-one, but I'm trying to kind of hide who is vulnerable, but you'll still get an illustration of what was leaked out. So I first did a little bit of research. I thought, okay, well, maybe someone else found these CVEs and it just hasn't been fixed. So I looked at UltraTax,

which was the most popular one. MITRE and Exploit-DB: no vulnerabilities disclosed. How is this possible? That's the most popular tax software, a billions of dollars industry, and there's no vulnerabilities in the software, software that was made a long time ago? This is incredible. So I looked for ProSystem fx: one vulnerability, but it's like a DLL buffer overflow, it's, you know, not really related to this at all. Intuit Lacerte, and by the way, Intuit owns quite a few of these as well, so we see just Intuit Lacerte, that's the one I'm the most familiar with because I've had a lot of customers with it and I've worked with it when I did IT in the past,

but they own a couple of these. Nothing, not a single vulnerability that I could find out there. Drake Tax, nothing. Okay, ProSeries vulnerability research, there was one. This one's definitely, it was a DLL, so we have a buffer overflow, and like QuickBooks, it applied to a couple of them, and that was 2007; that's quite a bit of time ago as well. Okay, so let's look into this. So I grabbed the software, and again, this isn't specifically the software, but in every piece of software I used I put in fake data here. Obviously my name is still there, but I put in a fake Social Security number of all ones, occupation security guru, date of birth

that made me apparently 106 years old, all this other stuff in there, put my fake wife's information in there, her Social Security number, so I could see what's coming out. So I added in, as a new customer, some more information. I added in, again, I just kind of incremented all the numbers so I could see what was what, and I documented this. Hey, some more tax information, I could put what state I'm filing in, etc., driver's license information, spouse, dependents, etc. Some of the software even asked me to upload pictures of a driver's license, the picture, and also bank account numbers so that you can have your taxes and the money funneled out to the IRS, and I'll show you how

that's interesting in a second. So once I added the record and a bunch of other fake records in here, we can see on the default, this is like a customer list of everything that was in the database: name, customer number, primary Social Security number, and then the status of the return, and then what state they're filing in there. So once I... basically most of the software, when you launch it, you've got the server that's running it, it's got the database file, and you've got the client, and you open it up; sometimes there's a password, sometimes it doesn't require a password at all, which is a whole other issue, but you log in, and so then what

the client is doing, oops, down one, the client then sends an SMB request for a file, and I've redacted that, and it does a read request and then gets a read response. And so on my first one, I did a pen test, I saw tons of SMB and I thought, wait a second, why is this tax software doing this? And so then I saw, okay, this is not good. Ones were my Social Security number, twos were my wife's Social Security number, so in clear text I'm seeing that come across in transit over the wire. Then, to my surprise, this was one of the worst ones that I found: the client, so in the

red is the client's request, we don't see the full conversation, blue is the server's response. When the CPA logs in, or they launch the client on their workstation, the server then sends an entire copy of the database of all customers, including Social Security number, home address, name, occupation, you know, pretty much everything you can see here, spouse's number, account number, mobile phone numbers, email addresses, where they work, PO box, home address. And they've logged in, they didn't even request the file, it just basically sent a thousand... in this first case study that I did, over a thousand records and Social Security numbers in clear text on the network. A little closer review of that, and I thought, okay, so

what about when I make a change inside a customer? So when you've logged in, all that data is just exposed in clear text, and we see all that, that's fine. What about actual W-2s when you file that? So I opened up the software here and I put in fake, I wish this was a real amount that I made every year, but nine million nine hundred ninety-nine thousand dollars, and I watched with tcpdump and Wireshark what was going to happen over the network, and in clear text I can see not only that record, but again the client sent all that taxpayer data, Social Security number, name, home address, etc., everything to the

server. The server responded with the same thing, I guess they wanted both to share the information over the network, and then it was an entire record here of every number that I had in my tax records, so W-2, 1099, etc. So you could map this out and you could basically get, this is the tax return, essentially, of the customer. Okay, I thought, okay, that's bad. Now I tested a different piece of software. I thought they can't all be like this, this has got to be a one in a million, I stumbled upon this. Nope, the second one I tested, same kind of issue. It didn't do the entire customer database, so thank you for that, for you who made the software,

but you did still send the client ID, the client name, Social Security numbers, who filed the tax return there, the taxes they filed, what state, if it's federal, and then they also send a nice piece of information for the attacker: the bank name and then the bank account number as well. So now you can, you know, pretend to be them and you can go into their bank and try and steal money from them as well. I thought, okay, so let me look at these database files. So now that that was in transit, now I took a look at at rest. So these proprietary software have to be encrypted, they have to have

the data sitting on disk and it has to be protected; it just had to be an issue with reading that was the vulnerability. So I ran strings, and yes, you can get strings for Windows, and so I ran strings against these database files, redacted the file name, and this one was interesting because the ones were my Social Security number, they really wanted to share that with someone, right? I don't know if that was like a placeholder, if it was blank, or what was going on, but they essentially just dumped my Social Security number, and then the twos were my wife's Social Security number, and some other information such as phone number, job

title, names, etc., and it just kept going on and on and on. So basically, yes, you can't open these database files just with Notepad or something like that, but if you run strings against them, you're going to see everything inside without authenticating. Okay, here's another one. This one, you could see everything else, a lot of weird characters and stuff in there, but essentially job titles, names, this is basically the whole database file as well. This one was one of the best ones that I saw. Okay, so some discussion with the vendors. It was somewhat difficult to reach them. I had a hard time getting hold of the security teams; eventually I had to even try and threaten them on Twitter and

other places and say, I have a vulnerability in your software, please respond. The worst one I got was one vendor, I only found the support team because sales and other people wouldn't respond to me, and their support team said you need a customer ID and PIN number. Like, no, no, I'm a security researcher doing this stuff, I have information for free, I'm helping you. Sorry, you need a customer ID or we will not respond to you anymore. Do you not understand? I posted a link to this talk and an article I wrote, and so I said I will be exposing this to hackers this week if you do not respond to me. So that's why I

had the call with their legal counsel and a bunch of their people on Monday. Apparently my tweets, when I said, hey, you've got this vulnerability, blah blah blah, they kept being deleted. I still have to look into that. I don't know if Twitter was deleting them, whether there's keywords or what's going on, but they kept just disappearing. The vendors claimed they didn't delete it or don't have responsibility for that. Some of the vendors have private bug bounty programs with Bugcrowd and HackerOne, but I'm not part of them, so I couldn't get in there and tell them the issue. They need to make these public; they need to make this accessible for people who want to

responsibly disclose this. They denied initially that it was their responsibility, and they said the issue was SMB version 2. I told them, if I'm a bank and I have your login over HTTP, it's not my responsibility, it's yours, right, you should be using VPNs? They didn't quite agree with that either. So I said, no, you can't force someone else to use SMB version 3 with encryption in my setup; it's your responsibility as a vendor to make this secure, at rest, in transit and in process. They said the software wasn't meant to be client-server. They say that there's legacy software going back to 2015, we can't patch those issues, we don't support it that old, so some of the stuff is never

going to get patched. They say encryption would break integration with third parties. They say that's why they can't do anything, because there's other third parties that you can, like, link your bank and this and that, and they would break too many pieces of software, so they don't want to make it harder to use. So that's why they're not fixing it, or they're having a difficult time doing that. One vendor patched their vulnerability, or is doing that tomorrow, and I really appreciate that they're doing that, taking it so seriously. I reported it two weeks ago and they're actually doing something about it. So I'm not going to name them because they haven't fixed all of it, but I really appreciate that. And

anyone who is a software vendor here or works for a company, we're trying to... the best thing is pen testers and security researchers, so go ahead and take our free help and please patch your software when we disclose it. Um, so now what? So wrapping up here. Interview your CPA, right, and say, hey, what are you doing? Are you encrypting your backups? I'm seeing a lot of data that's not being, you know, it's backed up, but it's not encrypted at all. How are you encrypting it? Interview them a little more: when was your last pen test or vulnerability scan, what are you doing about that? So interview them a little bit, don't just say, hey, you're the cheapest

price, I'm gonna use you. What exactly are you doing? And eventually I'm going to turn this into a checklist similar to the IRS's one, so people can use this and interview their CPA. What's your incident response policy, right? Your IT person probably doesn't know security or incident response, so who do you have? Do you have someone on retainer? Do you have insurance? What are you going to do about this? And then what policies do you have in place? Make people aware, share the link for this. I have a blog post, I have the slides on our website that you can send out or give to people, make them aware, and let's

try and get this fixed as well. I really want this problem fixed for the general public. Help test tax software. If you're a security researcher and an AppSec person, please help test it. I am NOT an AppSec person, so I'm sure there's a lot more problems. We saw there's no vulnerabilities posted except for a couple of those buffer overflows and myself, so please try and test those software. Your CPA, they can do defense-in-depth. You can help them out, build security programs, do not use wireless on the production network, have them use multi-factor authentication for everything that's public facing, have them encrypt everything at rest. I see FTP servers open, Remote Desktop servers; have them encrypt and lock

things down, make sure that their tax prep workstations that are accessing the software are dedicated and isolated and use endpoint protection, maybe EDR, buzzword. Who's doing it right? This is my last slide. Drake Software, I'm going to name one vendor, I think they're doing a pretty good job. They might not have things perfect, but these are some pop-ups I got. They notify you when there's sensitive data that you're looking at. They pop these things up when there's an update and say you cannot use your software unless you patch it with these security issues. Thank you. They also, if you don't touch the keyboard... they mandatorily require a password, and then if you don't touch the keyboard it

locks out. All these are default settings, I didn't touch these. Every other tax software did not have a password when I started, didn't require it, it didn't require updates. So they're doing a fairly good job. They also are encrypting at rest and in transit from what I've seen as well. So that's my findings. I thank you for coming out here again on an early morning. If you want to contact me, I've got my contact information up there, Twitter, LinkedIn and an email address, and if you go to corporate blue dot com slash blog, I do have the slides of this and you can download a PDF with all my notes and research, case studies, surveys, all that

kind of stuff, so you can look at that a little bit more. Happy to take... we're doing questions outside, apologize about that, so if there's any questions I'll be standing outside, happy to answer them. If it's related to this or other topics, I'm happy to chat and I'll be out there. Thank you for your time, I appreciate it. [Applause]
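As an added example (my own code, not from the talk or any tax vendor), here is a small Python audit that does what the speaker did with `strings` against a data file at rest, and additionally decodes base64-looking tokens, since the talk notes that base64 is encoding rather than obfuscation. The file layout, field names and values are constructed stand-ins for the example; nothing here reflects a real product's format.

```python
"""Audit a data file for cleartext PII at rest, the way the talk describes.

Mimics strings(1) over a tax vendor's "proprietary" database file and flags
Social Security numbers found in the clear.  It also decodes base64-looking
runs, because base64 is encoding, not protection.  The file format and every
value below are constructed for this example.
"""
import base64
import re
import string
from typing import Dict, List

# Printable ASCII as strings(1) treats it (control characters excluded).
PRINTABLE = frozenset(string.printable) - frozenset("\t\n\r\x0b\x0c")

# Formatted SSN: area not 000/666/9xx, group not 00, serial not 0000.
# Bare nine-digit values are deliberately not matched: they collide with
# account numbers and ZIP+4 codes and would flood the report.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate base64 runs: at least 8 alphabet characters plus optional padding.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII at least min_len long, like strings(1)."""
    found: List[str] = []
    run: List[str] = []
    for byte in data:
        ch = chr(byte)
        if ch in PRINTABLE:
            run.append(ch)
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


def decode_base64_runs(text: str) -> List[str]:
    """Decode base64-looking runs that yield printable ASCII; ignore the rest."""
    decoded: List[str] = []
    for run in B64_RUN_RE.findall(text):
        if len(run) % 4:
            continue  # valid base64 is always a multiple of 4 characters
        try:
            plain = base64.b64decode(run, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # ordinary text that merely looks like base64
        if plain and all(c in PRINTABLE for c in plain):
            decoded.append(plain)
    return decoded


def find_cleartext_pii(data: bytes) -> Dict[str, object]:
    """Scan a file image for SSNs stored in the clear or merely base64-encoded."""
    plain_ssns = set()
    encoded_ssns = set()
    strings_seen = extract_strings(data)
    for s in strings_seen:
        plain_ssns.update(SSN_RE.findall(s))
        for decoded in decode_base64_runs(s):
            encoded_ssns.update(SSN_RE.findall(decoded))
    return {
        "strings_scanned": len(strings_seen),
        "plain_ssns": sorted(plain_ssns),
        "encoded_ssns": sorted(encoded_ssns),
        # A file that is genuinely encrypted at rest produces no hits at all.
        "exposed": bool(plain_ssns or encoded_ssns),
    }


def build_sample_record_file() -> bytes:
    """Constructed stand-in for a vendor data file (not any real product's format)."""
    obfuscated_spouse_ssn = base64.b64encode(b"222-22-2222")  # the talk's "twos"
    return (
        b"\x89TAXDB\x00\x01\x00\x00\x10\x00"      # fake magic bytes and version
        + b"Test Taxpayer\x00"                     # NUL-separated text fields
        + b"111-11-1111\x00"                       # the talk's all-ones SSN, in the clear
        + b"Security Guru\x00"
        + b"\xff\xfe\x00\x07\x00"                  # some binary record bookkeeping
        + b"spouse_ssn " + obfuscated_spouse_ssn + b"\x00"
        + b"$9999000.00\x00"                       # wage figure, not PII
        + b"\x00" * 8
    )


if __name__ == "__main__":
    report = find_cleartext_pii(build_sample_record_file())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point `find_cleartext_pii` at a file image from your own environment; a file that is genuinely encrypted at rest yields no hits, which is the check the talk says none of the tested products passed.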