HAMBURG, GERMANY, 1997 FEB 12 (NB) -- By Sylvia Dennis. Members of the
Chaos Computer Club, the infamous hacking elite of Germany, caused
German TV audiences to gasp last week when they demonstrated an
ActiveX hacking program that allowed them to access copies of Quicken,
the accounting software package from Intuit, and transfer money
between bank accounts, without needing to enter the normal password
security systems of Quicken.
The sinister aspect of Chaos' ActiveX package is that Quicken now
allows interactive access to online banking services, to carry out
automated transfers. In front of German TV audiences, the Chaos
Computer Club apparently carried a number of transactions without
any authorization whatsoever.
According to the Chaos Computer Club, the ActiveX program is now
available for download by members of the club on the club's Web site.
Once the package is downloaded from the site and executed, it scan's
the users PCs for the presence of Quicken and extracts details of the
user's bank accounts held within the package.
The ActiveX software then tricks Quicken into transferring funds from
one bank account to another the next time a user logs on to an online
banking service. The transactions are apparently masked from the user,
who then thinks that only authorized transactions are being carried
out.
Needless to say, the TV program caused a storm of protest in Germany
over the weekend, with the media denouncing the Chaos Club as anti-
establishment. The German computer media has seen the TV demonstration
as showing how powerful ActiveX, a Microsoft developed extension
to its Internet Explorer Web browser, really is.
According to Newsbytes' sources, the ActiveX program that the Chaos
members have created, allows users to take advantage of the
"accountability" system known as Authenticode that ActiveX uses.
Normally, Newsbytes notes, Authenticode allows a programming module of
Internet Explorer to include a digital signature authenticating the
transaction and the data channel itself. What the Chaos ActiveX
program appears to do is to hack the Authenticode data stream and
bypass the native controls in the Authenticode programming code itself.
Using this approach appears to allow the ActiveX program to bypass
many of the security controls of Internet Explorer itself, which makes
Chaos' program, if it does what the club members, all the more
horrifying.
Microsoft Internet Explorer users should not worry too much about
the security implications, as the German media quotes Microsoft
Deutschland as confirming that it is working with its software
developers to ensure that the security loopholes identified by the
Chaos Computer Club are clearly understood by IE and ActiveX
programmers.
(19970212/Reported By Newsbytes News Network: http://www.newsbytes.com)