February 17, 1997
From: Felix von Leitner <leitner@math.fu-berlin.de>

Dear Glen and 0xdeadbeef readers,

I'm a member of the CCC and I think I should give a statement here about this ActiveX stuff.

Yes, a CCC member wrote an ActiveX control which adds a transaction to Quicken. We have opened a test account with the Deutsche Bank (and we told them the purpose of the account) for the transactions so every transaction could be identified and cancelled.

The code is no big deal. In fact, it's almost trivial. It's a Visual Basic program AFAIK. The sources will be published in the German iX magazine of this month, which is due in a few days. It will surely be posted to Usenet soon.

For your information: we wrote another ActiveX control which will set your Explorer's internet security setting to "none" so afterwards *all* ActiveX controls will be executed without user intervention. You can find it at http://www.artcom.de/~andreas/iesl

iesl means "Internet Explorer Security Low". ;)

> Somebody in Germany has developed an ActiveX control which can be
> invisibly downloaded while viewing a webpage using Internet Explorer 3.1.

The man is called Lutz Donnerhacke. Whether the control is downloaded invisibly or not depends on your IE security settings.

> The ActiveX program runs automatically, and if you have Quicken on your
> hard drive (a popular financial package), and if you're using Quicken to
> pay your bills electronically, the ActiveX program will insert a
> transaction into your next electronic bill paying session that will
> transfer money to the hackers' account.

To the test account.

> Microsoft's response?

Well, the original German page about the topic, http://www.iks-jena.de/mitarb/lutz/security/activex.html tells a fun story. The Deutsche Bank folks had a slight misunderstanding at first. They understood that the Microsoft Money software would be cracked, and they told this to Microsoft Germany, who phoned Lutz, frightened. When he told them that it was Quicken, not MS Money, which he remote controlled to send the money via ActiveX, they said "well then we can calm down".

> AFTER this was pointed out to Microsoft execs, Microsoft hacked in
> "Authenticode"(tm) which is a digital signature that THEY will give out
> to people who register their ActiveX programs.

This is not 100% true. Authenticode was part of ActiveX since the beginning, and it's technology from RSA Data Security. It was not hacked in, since besides Authenticode there is nothing to ActiveX, really. It's OLE with Authenticode.

Now about the CNN article...:

> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Microsoft's Security Advice To Users: Don't Take Candy From Strangers
> (1997-02-06; 5:44 p.m. EST)
> By Clare Haney, TechWire
>
> REDMOND, Washington -- The activities of a group of German hackers in
> Germany a week ago has forced Microsoft to further accelerate its attempts
> to publicize the inherent dangers lurking on the Internet.

This is a euphemism if I ever heard one. If there is one company that is doing *nothing* to publicize security information, then it's Microsoft.

> Cornelius Willis, group product manager for Internet platforms at
> Microsoft, stressed the theoretical nature of the TV demonstration,
> saying "We have yet to determine if there has been a security breach.
> This is the usual thing people do - carry out a demo and get a lot of
> publicity. But we do take this kind of thing very seriously."

Well, the source code will be published soon. Very soon. And, if you are a programmer, you can see that they would not need the source code of the applet. All they can see from the source code is how to add an order to Quicken. The security problem is no hack from the ActiveX control, it's a design flaw!

> He revealed that Microsoft has already made contact with CCC and is
> "encouraging them to co-operate," although the hackers have yet to release
> the ActiveX control to the company so that they can check it out.

Well, they sent their lawyers after Lutz. "encouraging them to co-operate" is a nice euphemism ;)

> The Club is promising to publicly release the ActiveX control on the
> Web on February 20.

Well, nothing new there, really.

> He added that Microsoft expects to highlight this issue with a program to
> be launched within the next few weeks, that among other things will
> involve bringing a chat site on Internet security already hosted on the
> company's Web site more to the fore.

Haven't I read on this list that the MS security team was closed down because of lack of interest?

> He pointed to the fact that the current version of Internet Explorer 3.0
> is the only Web browser to include code signing, a feature Microsoft calls
> Authenticode, allowing users to identify "with a high degree of certainty"
> the author of a Java applet, an ActiveX control or a plug-in and to
> determine that the component in question hasn't been tampered with in
> transit to the user's desktop.

Please review the policy that is used to sign applets. Microsoft does not sign your applet. Microsoft is not involved at all. You go to the Verisign web page and download your key, and then you can sign all applets. By the way -- Verisign wants a credit card number and a social security number. Then you get your key. Please note that *nobody outside the US* can sign anything legally, because he can't have an SSN.

If you would like to help us get a key (which is legal if you are a US citizen), please contact me at felix@artcom.de

This means that your name signs an applet that demonstrates a security problem. Of course, hacker ethics prohibit that we do any real damage, so we won't use your key to do anything unlawful.

> Willis also recommends that, in order to ramp up their Internet security
> protection, corporations should establish internal testing organizations
> to give such components a digital certificate certifying that they've been
> shown to be non-malicious to potential end users.

Did you read this? Microsoft expects the system administration to review *all applets* on the web and make a database of secure ones? How is the admin to know that the applet does not do anything malicious behind his back after working without problems for half a year? Hasn't the system administration enough stuff to do already?

> For Intuit, Mark Goines, the company's international vice president,
> asserts that its Quicken software already contains a stringent review
> process for any transaction comprising authorization, review,
> verification, review and reverification stages.

... like what?

Felix