Crackers Shuffle Cash With Quicken, ActiveX

John Gillest0 02.07.97

Hackers belonging to Hamburg, Germany's Chaos Computer Club have demonstrated an ActiveX control that will transfer funds from users' bank accounts without using a personal identification or transaction number.

The Chaos crackers demonstrated their hostile ActiveX control on a German TV show to make a point about what they saw as the security risks posed by ActiveX. If made available on a web site, the control could install itself on a user's computer and covertly check to see if the popular personal-finance software package Quicken is installed.

Continuing the scenario, if the control had found Quicken, it would issue a transfer order and add it to that application's batch of existing transfer orders. The next time the Quicken user paid their bills, the illicit transfer would be included, unnoticed by the victim. Quicken claims to have more than 9 million active users worldwide.

Computer security experts, who have been highly critical of Microsoft's ActiveX, said this was just another example why the technology should be abandoned.

"ActiveX may be very useful for intranets, but it has no place on the Internet because of the security problem," said Kevin McCurley, a cryptography expert at Sandia National Laboratories and the author of the Digicrime Web site.

Microsoft called the demonstration a wake-up call to users about the dangers of downloading untrusted executable code. Such executable code, including unauthorized ActiveX code, can do just about anything it wants, from reading and writing files to installing software, such as games, or viruses.

"In this particular case, the [ActiveX] control is anonymously offered," said Cornelius Willis, Microsoft's group product manager in charge of Internet platforms. "Users should not be downloading and running executables that are not signed."

The Authenticode signing mechanism requires all authorized ActiveX control authors to digitally "sign" their controls. Beyond this, Microsoft's solution to the security risk is largely "buyer beware." Willis said the company is trying to educate users about the risks of downloading any kind of executable file from the Web, including Java applets and MSWord macros.

"We're not saying Authenticode makes anything safe," Willis said. "Authenticode simply lets you make a decision as to a particular [control's] author."

But McCurley said authenticating the source of ActiveX controls isn't enough, because a legitimate, if poorly protected, control could later be invoked by a hacker and modified to serve a different purpose.

"The problem isn't just downloading evil code, it's also downloading bozo code," McCurley said. "If I could get ahold of an ActiveX component installed on your box, I could give it arguments and it would toast your machine.

"If ActiveX components become common," McCurley warns, "hackers will start looking at them as a way to get in."

Related Wired Links:

Will ActiveX Threaten National Security? by Simson Garfinkel

http://archive.wired.com/science/discoveries/news/1997/02/1943

PALO ALTO NETWORKS Exhibit 1058 Page 1
