PC Week Article

February 6, 1997 6:15 PM ET

Hackers claim ActiveX code can be used to pilfer funds online

By Maria Seminerio

When Microsoft Corp. officials brag about the interactive capabilities of ActiveX, they're not talking about interacting with other people's bank accounts.

But that's exactly what a hacker organization in Hamburg, Germany, called the Chaos Computer Club claims it can do with a bastardized ActiveX control, much to the software giant's chagrin.

The fuss began last week when a Berlin newspaper, Tagespiegel, reported that Chaos Computer Club hackers had demonstrated an online theft on German TV using their homemade ActiveX code. Microsoft became aware of the situation when users who had seen the show called the company, according to Cornelius Willis, group product manager for ActiveX in Redmond, Wash.

According to the newspaper, the hackers configured an ActiveX control to execute a bogus money transfer order on a PC running a financial software application, enabling funds to be pilfered from the PC owner's account.

Willis stressed, however, that Microsoft so far has not been able to confirm that any funds were actually stolen using ActiveX controls. Company officials contacted the hackers who appeared on the TV program and asked them to turn over the offending code, but they refused, Willis said.

Club members told Microsoft the code would be published in the Feb. 20 issue of a German periodical called IX Multi-User Magazine, Willis said.

The Chaos Computer Club (http://berlin.ccc.de/WarmWelcome.html) describes itself as "a galactic community of human beings including all ages, genders, races and social positions" and calls for "unlimited freedom and flow of information without censorship."

Willis added that he has been reading "a lot of poorly translated material" on the alleged ActiveX mischief, which partly explains why a confirmation of any theft has been hard to come by. But Microsoft officials have determined that users setting their Internet browsers to "medium" or "high" security should be immune from the threat of this particular control.

"It just goes to show that all executable code is dangerous, and you need to know where it's coming from," Willis said. "You don't take candy from strangers."

Microsoft's Authenticode technology for verifying the origins of software components would block the applet from accessing a user's PC, since it would not contain an identifying digital signature, he said.

Copyright(c) 1997 Ziff-Davis Publishing Company. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff-Davis Publishing Company is prohibited. PC Week and the PC Week logo are trademarks of Ziff-Davis Publishing Company. PC Week Online and the PC Week Online logo are trademarks of Ziff-Davis Publishing Company.

Send mail to PC Week

zur ckzurück © 1996-2024 Lutz Donnerhacke @ IKS GmbH Jena Wednesday | 25.Dec.2024