The Cutting Edge/Dan Stets
Is it safe to do your banking and investing online?
The answer is an emphatic "no" if you use Microsoft's latest Web browser, Internet Explorer 3.0, which is embedded with a technology known as ActiveX.
That's the opinion of the Chaos Computer Club (http://berlin.ccc.de/), whose members, all experienced computer hackers, went on German television to demonstrate the risks ActiveX poses to your personal-finance software.
The club members showed how an ActiveX "control" makes it possible for hackers to switch money from your bank account to theirs without your having the slightest idea that you're being robbed.
Neither businesses nor individuals should use the latest Internet Explorer because of the security risk to all kinds of data and transactions, said Frank Rieger, a spokesman for the Chaos Club, in a telephone interview.
The ActiveX in the browser makes it possible for hackers to slip a control or mini-program onto your computer that then can do pretty much anything the hacker wants it to do, he explained.
ActiveX is an interactive programming language becoming increasingly prevalent on the Internet and within the personal computers that use Microsoft's Windows operating system.
The language is Microsoft's response to Java from Sun Microsystems, another interactive programming language used for mini-programs or applets.
However, there is a key difference between the Microsoft and Sun products. ActiveX, if you are a Windows user, is a language "native" to your computer, so it can go in and take over control of your machine.
Java, on the other hand, is not native to your computer and generally doesn't get onto your hard drive.
So how do the Chaos Computer Club members know about the risks, and why should we listen?
They make it their business to explore and then expose the security risks in computing, particularly Internet and network computing.
The group has its headquarters in Hamburg and branches around Germany, including one in Berlin that puts up a page on the World Wide Web through which the club disseminates news on its latest hot-button issue.
On television Jan. 28, members showed how a computer user could unknowingly download what is known as a "malicious control" from a site on the Web, then how that control could scan the user's computer for Intuit's Quicken personal-finance software. Later, when the user uses Quicken to conduct online banking, the hacker's program could trick Quicken into transferring money to a hacker's bank account.
The control could attack not only Quicken, but online investment software or any other sensitive data a hacker decided to target.
Microsoft's reaction to the problem is to blame the potential victims, saying if something happens to a user, well, then it's his fault.
"Users need to understand they should only download code or executables from publishers they trust," said Christine Chang, a Microsoft security product manager.
According to Microsoft's version of reality, users should not download any "executable" file, a file that can make your computer do something, that isn't verified with its Authenticode Security Technology. In theory, before you download an ActiveX control, an authentication certificate should appear on your screen, telling you it is from a reputable programmer.
The Chaos Club says a clever hacker can easily get around Microsoft's security precautions. Rieger said it would not be hard for someone with malicious intent to get an authorization certificate from VeriSign Commercial Software Publishers. All that is needed is $20 and a credit card number, Rieger said.
Rieger was apologetic that the Chaos Club had used Intuit's Quicken in the demonstration. But the club needed something that would get people's attention. ActiveX could be used to undermine any sort of data, he noted.
Intuit is not happy that it has been brought into the controversy. Sensitive data are now being encrypted on the latest versions of Quicken issued in the United States and Canada, said Intuit senior vice president Eric Dunn.
"In the event a customer suffered financial loss through the use of our product, as a matter of policy, we would, of course, make that customer whole," he said.
It might be easy to discount information from a bunch of German computer hackers, as Microsoft would clearly like us to do, if it weren't for the actions of another American software company, Symantec Corp., maker of the Norton anti-virus programs.
On Thursday, Symantec offered new software to "provide protection against malicious ActiveX controls."
While it may seem that Symantec was trying cynically to get some marketing advantage out of Microsoft's plight, company spokesman Dwaynne Vanderhorst said Symantec has had a team studying the potential security risks of ActiveX.
"We wanted to be one of the first ones to let people know that our software can prevent this from happening to you," said Vanderhorst. "You go into your bank and you find out you have no money. You would be a little bit upset about that."
The two Symantec programs are Norton Your Eyes Only, a data encryption product, and new trial software, Norton Secret Stuff. The latter can be downloaded free until April from Symantec's Web site (http://www.symantec.com).
Dan Stets e-mail address: dan.stets@phillynews.com