Ray Van Eng (02/14/97)
The Chaos Computer Club (CCC) showed that once the ActiveX control has been downloaded by a web surfer who uses Intuit's Quicken for electronic banking, the control adds an extra electronic funds transfer (EFT) command, payable to the hacker, to Quicken's pending-transfer list. The next time the user banks online, the bogus transaction is executed along with the rest. The user would have no idea such an illegal action had taken place unless he or she looked closely at the monthly statement.
Apparently, Microsoft is aware that these loopholes exist in its ActiveX architecture. Unlike Java applets (a Sun Microsystems technology), which run in a sandbox that keeps them from tampering with the contents of the user's hard disk, ActiveX controls run as native code with the full privileges of the logged-in user and can execute any function, including reading and writing the user's files. That is the design weakness of ActiveX that the German hacker was able to exploit.
From a security standpoint, Java is safer than ActiveX. However, ActiveX may be more flexible for delivering functionality in an intranet environment where all users are company employees and the controls come from the company itself.
Microsoft's remedy is to "Authenticode" the control, that is, to apply a digital signature to the program so that it is code-signed by an identified publisher. That does not make the program safe by any means: a signed control still runs with the user's full privileges, and the signature only says who published it, not what it does. It just makes it easier to identify the culprit if problems arise.
In the heat of an intense web surfing session, it is our belief that a user would likely accept any ActiveX control (signed or unsigned) just to move things along. These downloadable "just-in-time" software components bring tremendous benefits to users, but the potential for damage is also huge. (See our related story about an Internet sex scam out of Moldova.)
In response to the CCC incident, Microsoft said it will roll out a campaign aimed at educating the public about Internet security issues. An estimated 9 million copies of Intuit's Quicken are in use today.
Interestingly, Symantec claimed that two of its products, Norton Your Eyes Only for Windows 95 and Norton Secret Stuff, can protect users from the Chaos ActiveX attack by encrypting the Quicken files. That holds only as long as the control cannot obtain the encryption key and does not run while Quicken has the files open in the clear; a program with full local file access is not easy to keep away from either.
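To make concrete what the CCC control actually does, and what protecting the Quicken files buys, here is a small model added for this page; it is not Quicken's file format, not the CCC code, and not Symantec's product. The pending-transfer list is kept as one JSON record per line with a keyed integrity tag (HMAC-SHA256) as a trailer line, standing in for the protection an encrypted or authenticated store gives. The record fields, the account names and the client secret are all constructed for the example. The detection only works under the stated assumption that the downloaded control cannot read `CLIENT_SECRET`; a control with the user's full privileges may well be able to, which is the caveat that applies to the Symantec claim above.

```python
"""Model of the Chaos Computer Club ActiveX/Quicken tampering and an integrity check
that would catch it. Constructed example: the file layout, field names and key
handling are assumptions for illustration, not Quicken's or Symantec's design."""
from __future__ import annotations

import hashlib
import hmac
import json

# Assumption: the banking client holds a secret the downloaded control cannot read,
# e.g. derived from the user's passphrase at session start. Constructed value.
# Quicken in 1997 kept the list in plain files that any local program could edit.
CLIENT_SECRET = b"passphrase-derived key, constructed for this example"


def canonical(record: dict) -> bytes:
    """Stable encoding so the tag does not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_queue(key: bytes, queue: list[dict]) -> str:
    """HMAC-SHA256 over the ordered list: adding, removing or editing an entry changes it."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for rec in queue:
        mac.update(canonical(rec) + b"\n")
    return mac.hexdigest()


def write_queue(key: bytes, queue: list[dict]) -> str:
    """Persist the list as the client would: one record per line, then a TAG trailer."""
    lines = [canonical(r).decode() for r in queue]
    lines.append("TAG " + tag_queue(key, queue))
    return "\n".join(lines) + "\n"


def parse_records(text: str) -> list[dict]:
    """The unprotected reader: every non-trailer line is taken at face value and
    would be sent to the bank on the next online session."""
    return [json.loads(line) for line in text.splitlines() if not line.startswith("TAG ")]


def is_intact(key: bytes, text: str) -> bool:
    """The protected reader's check: trailer present and matching the records."""
    lines = text.splitlines()
    if not lines or not lines[-1].startswith("TAG "):
        return False
    records = [json.loads(line) for line in lines[:-1]]
    return hmac.compare_digest(lines[-1][4:], tag_queue(key, records))


def malicious_control(text: str) -> str:
    """What the downloaded control does with full file access: append an extra EFT
    to the attacker's account. Without CLIENT_SECRET it cannot recompute the tag,
    so the trailer is left as it was (constructed attacker record)."""
    bogus = {"type": "EFT", "from": "checking", "to": "attacker-account", "amount": "500.00"}
    lines = text.splitlines()
    lines.insert(len(lines) - 1, canonical(bogus).decode())  # slip in before the TAG line
    return "\n".join(lines) + "\n"


def demo() -> tuple[int, bool]:
    """Returns (transfers the unprotected reader would execute,
    whether the protected reader accepts the tampered file)."""
    legit = [{"type": "EFT", "from": "checking", "to": "electric-utility", "amount": "82.40"}]
    on_disk = write_queue(CLIENT_SECRET, legit)   # what the user actually queued
    tampered = malicious_control(on_disk)         # after the control has run
    return len(parse_records(tampered)), is_intact(CLIENT_SECRET, tampered)


if __name__ == "__main__":
    executed, accepted = demo()
    print(f"unprotected reader would execute {executed} transfer(s); "
          f"protected reader accepts the file: {accepted}")
```

The unprotected reader happily executes both transfers, which is exactly the silent extra EFT the CCC demonstrated; the tagged file is rejected because the appended record no longer matches the trailer. Swap the HMAC for real encryption and the same reasoning applies: the defence stands or falls on whether the local control can reach the key or a decrypted copy of the file.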
Meanwhile, Microsoft is also looking into a number of ways to make ActiveX controls more secure. One is HTML signing, in which an ActiveX control or Java applet would only run while the HTML page that embeds it is open in the browser, so the user can see exactly what is going on.
Other approaches under investigation include a database of hostile applets for screening at proxy servers or firewalls, and an industry-wide clearinghouse for ActiveX controls and Java applets.
Intuit advised users who are concerned about the safety of ActiveX controls to disable them in the Internet Explorer browser or to switch to Netscape Navigator.
The company also stated that the current U.S. version of Quicken can only transfer money from "pre-authorized" accounts approved by the user. A future German version of the software will add encryption features to keep hackers out.
© Copyright Ray Van Eng 1997 - 1999. All Rights Reserved.