ActiveX used as hacking tool
By Nick Wingfield
February 7, 1997, 5:15 p.m. PT
The Chaos Computer Club, a band of hackers from Hamburg,
showed the real power of ActiveX last week.
On German national television, they showed off an ActiveX
control that is able to snatch money from one bank account and
deposit it into another, all without the customary personal
identification number (PIN) that is meant to protect against theft.
Once it is downloaded from a Web site, the control scans a
user's computer for Intuit's (INTU) popular Quicken finance
software. The ActiveX control then tricks Quicken into
transferring funds from one bank account to another the next
time a user logs on to a banking service.
The incident underscores something that Microsoft (MSFT), the
creator of ActiveX, and most computer security experts have
known for some time: ActiveX controls are not secure. While Java
applets are prevented from performing certain tasks such as
erasing files from a user's hard disk, ActiveX controls--small
Internet programs that work mainly through the Internet
Explorer browser--are able to do virtually anything on a user's
computer that a programmer can dream up, including installing a
destructive virus.
Instead of the "sandbox" model that cordons off Java applets,
Microsoft has created an "accountability" system, called
Authenticode, which allows software publishers to stamp their
controls with a digital signature. If a control does something bad
to a user's computer, the publisher can be tracked down and
prosecuted. In other words, the Authenticode system does not
protect against malicious code; it simply makes it easier to find
out who wrote it.
But it's easy for users to unwittingly accept an unsigned
ActiveX control if they get lazy or frustrated by the Authenticode
warning window. The Chaos club's ActiveX control, for
example, is not signed. Once it is accepted by an Internet
Explorer user, the program is free to do its work.
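The distinction the article draws, as an added example that is not from the article or from Authenticode itself: a publisher signs a constructed control manifest with an Ed25519 key, and the client answers "who" with the signature and "what" with a separate capability allow list. The key pair, manifest format and capability names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Manifest is a constructed stand-in for a downloadable control: the
// publisher's name and the capabilities the control asks for on the host.
type Manifest struct {
	Publisher    string   `json:"publisher"`
	Capabilities []string `json:"capabilities"`
}

// Sign is the publisher side: it binds the manifest to a publisher key and
// says nothing about whether the control is safe to run.
func Sign(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	if raw, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// Evaluate keeps "who" (the signature) apart from "what" (an explicit
// capability allow list); a valid signature alone never grants execution.
func Evaluate(pub ed25519.PublicKey, raw, sig []byte, allow map[string]bool) (attributed, allowed bool, reason string) {
	if !ed25519.Verify(pub, raw, sig) {
		return false, false, "unsigned or tampered: nobody to hold accountable"
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return true, false, "malformed manifest"
	}
	for _, c := range m.Capabilities {
		if !allow[c] { // sandbox-style check that the signature does not provide
			return true, false, "signed by " + m.Publisher + " but requests " + c
		}
	}
	return true, true, "signed by " + m.Publisher + " and within policy"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	allow := map[string]bool{"ui.render": true, "net.http": true}
	raw, sig, _ := Sign(priv, Manifest{"Example Publisher (constructed)", []string{"ui.render", "local.app.automate"}})
	fmt.Println(Evaluate(pub, raw, sig, allow)) // attributable, still blocked by policy
	fmt.Println(Evaluate(pub, raw, nil, allow)) // same bytes, signature stripped
}
```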
Microsoft officials said today that they are working to inform
users more about the capabilities, good and bad, of ActiveX.
Within the next two weeks, the company will kick off an
educational campaign that focuses on security issues.
"What this incident tells us is you cannot take candy from
strangers," said Cornelius Willis, group product manager at
Microsoft. "The thing I'm hoping users get out of this is that
they should not be running any executable code that is
anonymous."
To be sure, security risks are involved in using any program,
even if it comes off a retail store shelf. But security experts said
today that the combination of the Internet and sensitive
applications such as online banking can lead to a greater risk of
security breaches.
"We're deploying stuff which has, on the one hand, tremendous
positive potential and, on the other, huge potential for malicious
exploitation," said Stephen Cobb, director of special projects at
National Computer Security Association consultancy. "All
computer technology has been like that to some extent. But what
is different in this context is there is this huge push to deploy
online banking and commerce."