by John Gilles
5:21pm 7.Feb.97 PST
Hackers belonging to Hamburg, Germany's Chaos Computer Club have
demonstrated an ActiveX control that will transfer funds from users' bank
accounts without needing the victim's personal identification number (PIN)
or transaction number (TAN).
The Chaos crackers demonstrated their hostile ActiveX control on a
German TV show to make a point about what they saw as the security
risks posed by ActiveX. If hosted on a web site, the control could be
downloaded and installed when a user visited the page, then covertly
check whether the popular personal-finance package Quicken was installed.
Continuing the scenario, if the control found Quicken, it would
issue a transfer order and append it to the application's batch of
pending transfer orders. The next time the Quicken user paid their
bills, authorizing the whole batch with their own PIN and TAN, the
illicit transfer would go out with it, unnoticed by the victim. Intuit,
Quicken's publisher, claims more than 9 million active users worldwide.
Computer security experts, who have been highly critical of
Microsoft's ActiveX, said this was just another example of why the
technology should be abandoned.
"ActiveX may be very useful for intranets, but it has no place on the
Internet because of the security problem," said Kevin McCurley, a
cryptography expert at Sandia National Laboratories and the author of
the Digicrime Web site.
Microsoft called the demonstration a wake-up call to users about the
dangers of downloading untrusted executable code. An ActiveX control
is native code that runs with the full privileges of the logged-in
user, so such code, signed or not, can do just about anything it wants,
from reading and writing files to installing software, such as games,
or viruses.
"In this particular case, the [ActiveX] control is anonymously
offered," said Cornelius Willis, Microsoft's group product manager in
charge of Internet platforms. "Users should not be downloading and
running executables that are not signed."
The Authenticode mechanism lets ActiveX control authors digitally
"sign" their controls with a certificate issued by a certificate
authority; a valid signature identifies who published the control and
shows it has not been altered since, but says nothing about what the
code does. Beyond this, Microsoft's solution to the security risk is
largely "buyer beware." Willis said the company is trying to educate
users about the risks of downloading any kind of executable file from
the Web, including Java applets and Microsoft Word macros.
"We're not saying Authenticode makes anything safe," Willis said.
"Authenticode simply lets you make a decision as to a particular
[control's] author."
But McCurley said authenticating the source of ActiveX controls isn't
enough, because a legitimate but poorly written control, once installed,
can later be invoked by an attacker's web page with arguments its author
never anticipated, and so be made to serve a different purpose.
"The problem isn't just downloading evil code, it's also downloading
bozo code," McCurley said. "If I could get ahold of an ActiveX
component installed on your box, I could give it arguments and it
would toast your machine.
"If ActiveX components become common," McCurley warns, "hackers will
start looking at them as a way to get in."
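McCurley's point is that a control's exposure does not end when the download dialog is dismissed: anything registered as safe for scripting can be instantiated and called by a later, unrelated web page. The following PowerShell script is an added example, not code from the article, from the Chaos Computer Club, or from Microsoft. It inventories the controls on a Windows machine that declare themselves safe for scripting or safe for initializing (the documented CATID_SafeForScripting and CATID_SafeForInitializing category GUIDs) and reports whether each control's DLL carries an Authenticode signature, putting the two halves of the article side by side: who signed it, and whether a page can script it. It assumes Windows PowerShell with the standard Registry provider and Get-AuthenticodeSignature; the output column names are this example's own.

```powershell
# Added example: list ActiveX controls any web page may script, with their signature status.
# Not from the Wired article or any vendor; assumes Windows PowerShell on the machine being checked.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing

$results = foreach ($clsidKey in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    $base = $clsidKey.PSPath

    # A control is reachable from a page's script only if it declares one of these categories
    # (or answers IObjectSafety at run time, which a registry scan cannot see).
    $scriptable    = Test-Path -Path "$base\Implemented Categories\$CatSafeForScripting"
    $initializable = Test-Path -Path "$base\Implemented Categories\$CatSafeForInitializing"
    if (-not ($scriptable -or $initializable)) { continue }

    # The in-process server is the DLL that actually runs with the user's privileges.
    $server = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if (-not $server) { continue }

    # Registry values may carry quotes and environment variables; normalise before touching the file.
    $path = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))

    # Authenticode answers "who published this?", not "is it safe to hand hostile arguments?".
    $sig = if (Test-Path -Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        CLSID            = $clsidKey.PSChildName
        Name             = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).'(default)'
        SafeForScripting = $scriptable
        SafeForInit      = $initializable
        Server           = $path
        SignatureStatus  = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer           = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Rows that are both Valid and SafeForScripting are the "bozo code" case the article warns about:
# a trusted publisher, and a control that any page may drive with arguments of its choosing.
$results | Sort-Object SignatureStatus, Name | Format-Table -AutoSize
```

Run it in an ordinary user session; it reads only HKEY_CLASSES_ROOT and the DLLs it finds. Treat the list as a lower bound: a control can also report itself safe through the IObjectSafety interface at run time, which no registry scan will show, and a Valid signature status is the starting point for a code review of how the control handles its parameters, not the end of one.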
Copyright © 1993-97 Wired Ventures, Inc. and affiliated companies.
All rights reserved.