Chaos Computer Club Clarifications
February 17, 1997

A member of the Chaos Computer Club, Felix von Leitner <leitner@math.fu-berlin.de>, sent these clarifications to Glen McCready for his 0xdeadbeef mailing list, which had carried a story about the CCC's ActiveX/Quicken hack. von Leitner's note appears on the TBTF archive by permission.

From: Felix von Leitner <leitner@math.fu-berlin.de>

Dear Glen and 0xdeadbeef readers,

I'm a member of the CCC and I think I should give a statement here about
this ActiveX stuff.

Yes, a CCC member wrote an ActiveX control which adds a transaction to
Quicken.  We have opened a test account with the Deutsche Bank (and we
told them the purpose of the account) for the transactions so every
transaction could be identified and cancelled.

The code is no big deal.  In fact, it's almost trivial.  It's a Visual
Basic program AFAIK.  The sources will be published in the German iX
magazine of this month, which is due in a few days.  It will surely be
posted to Usenet soon.

For your information: we wrote another ActiveX control which will set
your Explorer's Internet security setting to "none" so afterwards *all*
ActiveX controls will be executed without user intervention.  You can
find it at

  http://www.artcom.de/~andreas/iesl

iesl means "Internet Explorer Security Low". ;)

> Somebody in Germany has developed an ActiveX control which can be
> invisibly downloaded while viewing a webpage using Internet Explorer 3.1.

The man is called Lutz Donnerhacke.
Whether the control is downloaded invisibly or not depends on your IE
security settings.

> The ActiveX program runs automatically, and if you have Quicken on your
> hard drive (a popular financial package), and if you're using Quicken to
> pay your bills electronically, the ActiveX program will insert a
> transaction into your next electronic bill paying session that will
> transfer money to the hackers' account.

To the test account.

> Microsoft's response?

Well, the original German page about the topic,

  http://www.iks-jena.de/mitarb/lutz/security/activex.html

tells a fun story.  The Deutsche Bank folks had a slight
misunderstanding at first.  They understood that the Microsoft Money
software would be cracked, and they told this to Microsoft Germany, who
phoned Lutz, frightened.  When he told them that it was Quicken, not MS
Money, which he remote-controlled to send the money via ActiveX they
said "well then we can calm down".

>  AFTER this was pointed out to Microsoft execs, Microsoft hacked in
> "Authenticode"(tm) which is a digital signature that THEY will give out
> to people who register their ActiveX programs.

This is not 100% true.
Authenticode was part of ActiveX since the beginning, and it's
technology from RSA Data Security.  It was not hacked in, since besides
Authenticode there is nothing to ActiveX, really.  It's OLE with
Authenticode.

Now about the CNN article...:
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Microsoft's Security Advice To Users: Don't Take Candy From Strangers
> (1997-02-06; 5:44 p.m. EST)
> By Clare Haney, TechWire
> 
>  REDMOND, Washington -- The activities of a group of German hackers in
> Germany a week ago have forced Microsoft to further accelerate its attempts
> to publicize the inherent dangers lurking on the Internet.

This is a euphemism if I ever heard one.

If there is one company that is doing *nothing* to publicize security
information, then it's Microsoft.

> Cornelius Willis, group product manager for Internet platforms at
> Microsoft, stressed the theoretical nature of the TV demonstration,
> saying "We have yet to determine if there has been a security breach.
> This is the usual thing people do - carry out a demo and get a lot of
> publicity.  But we do take this kind of thing very seriously."

Well, the source code will be published soon.  Very soon.
And, if you are a programmer, you can see that they would not need the
source code of the applet.  All they can see from the source code is how
to add an order to Quicken.  The security problem is no hack from the
ActiveX control, it's a design flaw!

>  He revealed that Microsoft has already made contact with CCC and is
> "encouraging them to co-operate," although the hackers have yet to release
> the ActiveX control to the company so that they can check it out.

Well, they sent their lawyers after Lutz.  "encouraging them to
co-operate" is a nice euphemism ;)

> The Club is promising to publicly release the ActiveX control on the
> Web on February 20.

Well, nothing new there, really.

> He added that Microsoft expects to highlight this issue with a program to
> be launched within the next few weeks, that among other things will
> involve bringing a chat site on Internet security already hosted on the
> company's Web site more to the fore.

Haven't I read on this list that the MS security team was closed down
because of lack of interest?

> He pointed to the fact that the current version of Internet Explorer 3.0
> is the only Web browser to include code signing, a feature Microsoft calls
> Authenticode, allowing users to identify "with a high degree of certainty"
> the author of a Java applet, an ActiveX control or a plug-in and to
> determine that the component in question hasn't been tampered with in
> transit to the user's desktop.

Please review the policy that is used to sign applets.  Microsoft does
not sign your applet.  Microsoft is not involved at all.  You go to the
Verisign web page and download your key, and then you can sign all
applets.  By the way -- Verisign wants a credit card number and a social
security number.  Then you get your key.  Please note that *nobody
outside the US* can sign anything legally, because he can't have a SSN.

If you would like to help us get a key (which is legal if you are a US
citizen), please contact me at

  felix@artcom.de

This means that your name signs an applet that demonstrates a security
problem.  Of course, hacker ethics prohibit that we do any real damage,
so we won't use your key to do anything unlawful.

> Willis also recommends that, in order to ramp up their Internet security
> protection, corporations should establish internal testing organizations
> to give such components a digital certificate certifying that they've been
> shown to be non-malicious to potential end users.

Did you read this?  Microsoft expects the system administration to
review *all applets* on the web and make a database of secure ones?  How
is the admin to know that the applet does not do anything malicious
behind his back after working without problems for half a year?

Hasn't the system administration enough stuff to do already?

> For Intuit, Mark Goines, the company's international vice president,
> asserts that its Quicken software already contains a stringent review
> process for any transaction comprising authorization, review,
> verification, review and reverification stages.

... like what?

Felix

[ TBTF for 2/11/97 ]