MSNBC Article
By Barton Crockett. MSNBC

Hackers have snooped on e-mails, crashed systems and stolen software.

Now comes the newest feat, a hack designed for Microsoft Corp.'s Internet Explorer browser that can steal your money if you bank electronically in Germany.

(Microsoft is a partner in the joint venture that operates MSNBC.)

The code is an "ActiveX control," made by the Chaos Computer Club of Hamburg, Germany, and now on the Web, that can zip into your computer and instruct the German versions of personal finance software from Microsoft or Intuit Inc. to zap electronic payments to whomever the hackers want.

The Lesson: Surf Safely

And even though the hack is ostensibly limited to Germany and was just a demonstration - no one has lost any money - it highlights an important issue: If you don't practice safe surfing, you can download some nasty code.

"This incident puts all of us on notice that 'executable' content is potentially very dangerous," said Cornelius Willis, group product manager for Internet platforms at Microsoft. (ActiveX is intended to bring animation and features like moving stock quotes to Web browsers. Sun Microsystems Inc. sells a competing program called Java.)

The Chaos Computer Club is a self-described group of "legal" hackers that is also notorious for members who have reportedly hacked NASA and Barclays Bank and sold secrets to the Soviet Union.

The ActiveX hack came to light in late January when Chaos members demonstrated it on German television.

In the demo, a Chaos member stopped at a Web site that said "How to Become a Millionaire in Five Minutes." In seconds, code was secretly loaded into the PC that inserted a payment instruction, said Chaos spokesman Hendrik Fulda.

One more step is needed for the money to go out. The user must approve the unbidden payment before sending it to his or her bank.

The Hack As Protest

Nonetheless, the hack was an eye-opening feat, something Chaos members say is a protest against weak security in Microsoft's ActiveX. "The Control was made for the only purpose of demonstrating the massive risks of the usage of ActiveX," wrote another Chaos spokesman, Frank Rieger, in an e-mail. Rieger said Chaos members don't actually plan to use the control to steal money.

But does the control work?

"As far as we can tell, it does," Willis said.

He said the control uses a known feature of ActiveX in which a control sent from a Web site to your computer can execute commands that affect other applications or your operating system.

Indeed, Chaos isn't the first to take advantage of this capability. Last year a Bothell, Wash.-based computer consultant, Fred McClain, posted an ActiveX control to the Internet that automatically shuts computers down.

And even though the Chaos code appears to be specific to German versions of Intuit's Quicken and Microsoft's Money, it could theoretically be modified to work in other countries, experts said.

Roadblocks To A Hack

But there's an important caveat. Willis said a malicious ActiveX control can enter a computer only if the user sets the Internet Explorer browser to the lowest possible security setting or consciously chooses to download the control.

"High" is Explorer's default security setting. On High, Explorer will not download any ActiveX controls unless the control has a digital certificate - a registration statement that says who wrote it.

"Medium" allows you to choose to download controls without certificates. And "None," which Explorer describes as "not recommended," means the browser automatically downloads every control it encounters.

Willis said the only way to get a malicious ActiveX control is to set your security on None or to say yes when given the option to download in Medium or High security.

That would be the equivalent of leaving your front door wide open or taking candy from strangers, Willis said.

The lesson?

"Don't take candy from strangers; don't let strangers into your house."

Fulda disagreed with Willis' assessment. He said the Chaos control is so small it can zip into your machine before Explorer asks whether you want to download it.

But security experts seem to side with Willis.

"This sounds to me like this Chaos guy is trumpeting his horn a little too loudly," said Tim Mather, information systems security manager at Apple Computer Inc. in Cupertino, Calif.

© 1997 MSNBC


Real audio clips that were with the story:
  • Cornelius Willis on what users can do to guard against this and other viruses
  • Cornelius Willis on the lesson to be learned from this virus
  • Fulda says disable ActiveX
  • The ActiveX hack, as described by Chaos spokesman Hendrik Fulda