Microsoft's Security Advice To Users: Don't Take Candy From Strangers (2/6/97; 5:44 p.m. EST) By Clare Haney, TechWire

REDMOND, Washington -- The activities of a group of German hackers a week ago have forced Microsoft to further accelerate its attempts to publicize the inherent dangers lurking on the Internet.

Last Wednesday, the Chaos Computer Club, a well-established hacker organization headquartered in Hamburg, demonstrated on German television how its members could, in theory, electronically transfer funds out of an individual's bank account without using a personal identification number or a transaction number.

The demo centered on the hackers gaining access to the transaction list kept by Intuit's personal accounting software, Quicken, via an ActiveX control loaded in Microsoft's Internet Explorer Web browser. Once a user has visited the Web site hosting the ActiveX control and the control has detected that Quicken is installed on the victim's machine, the control hands the accounting software a transfer order, which is then saved alongside the user's other pending Quicken transfer orders. The damage is done the next time the user sends the pending transfer orders to the bank: all of them would then be executed, including the one planted by the ActiveX control, meaning that money could be spirited out of the user's account, without their knowledge, and into that of the hackers. The control needs no PIN or transaction number of its own because it never talks to the bank directly; the forged order rides along when the user submits the batch.

Cornelius Willis, group product manager for Internet platforms at Microsoft, stressed the theoretical nature of the TV demonstration, saying "We have yet to determine if there has been a security breach. This is the usual thing people do - carry out a demo and get a lot of publicity. But we do take this kind of thing very seriously." He revealed that Microsoft has already made contact with CCC and is "encouraging them to co-operate," although the hackers have yet to release the ActiveX control to the company so that it can check it out.
The Club is promising to publicly release the ActiveX control on the Web on February 20.

Willis went on to emphasize the general nature of the problem. "Clearly, ActiveX will get a bad rap here, but that's a mistake; this involves all executables," Willis said. "We are concerned that users understand that all executable content on the Internet is potentially dangerous. No user should download applets from unknown sources. The basic message here is: don't take candy from strangers. The problems are becoming a bit better understood, but we've really got to educate users."

He added that Microsoft expects to highlight this issue with a program to be launched within the next few weeks that, among other things, will give greater prominence to a chat site on Internet security already hosted on the company's Web site.

He pointed out that the current version of Internet Explorer, 3.0, is the only Web browser to include code signing, a feature Microsoft calls Authenticode, allowing users to identify "with a high degree of certainty" the author of a Java applet, an ActiveX control or a plug-in and to determine that the component in question hasn't been tampered with in transit to the user's desktop. Authenticode answers who signed a component and whether it changed in transit; it says nothing about whether the signed code is safe to run. Willis therefore also recommends that, to ramp up their Internet security protection, corporations establish internal testing organizations to give such components a digital certificate certifying to potential end users that they have been shown to be non-malicious.

For Intuit, Mark Goines, the company's international vice president, asserts that its Quicken software already contains a stringent review process for any transaction, comprising authorization, review, verification, review and reverification stages. Given how the demo works, that review catches the forged order only if the user spots an unfamiliar transfer among the pending orders before sending the batch. Goines said that the TV program provoked very little reaction, but that a few worried Intuit customers did contact the company's German office.
Like Microsoft's Willis, he stresses the theoretical nature of the hackers' demonstration and adds that Intuit's German staff want to investigate some of the claims made by CCC in the program.
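The two-step check Willis describes, a code signature that identifies the author plus an internal testing group that vouches for the component, can be automated on a modern Windows host. The following PowerShell script is an added example; it is not from the article, from Microsoft, or from Intuit. The download directory and the thumbprint allowlist are placeholder assumptions to replace with your own. It uses the standard Get-AuthenticodeSignature cmdlet and separates three outcomes the article runs together: a component with no signature, one whose signature is valid but whose publisher nobody in the organization has approved, and one signed by a publisher on the internal approved list.

```powershell
# Added example (not from the article): vet downloaded ActiveX controls,
# plug-ins and installers with Authenticode before registering them, and
# accept only publishers an internal testing organization has approved.
# Assumptions: the directory and the thumbprint list below are placeholders.

$DownloadDir = 'C:\Downloads\Controls'

# Hypothetical allowlist of SHA-1 certificate thumbprints for publishers whose
# components your internal testing group has reviewed and approved.
$ApprovedThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder entry
)

function Test-ComponentTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status distinguishes "never signed" (NotSigned) from "signed but altered
    # in transit" (HashMismatch) and from a signature whose certificate chain
    # does not lead to a trusted root (NotTrusted / UnknownError).
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            File    = $Path
            Trusted = $false
            Reason  = "Signature status: $($sig.Status)"
            Signer  = $null
        }
    }

    # A valid signature only proves who signed the code and that it is intact.
    # Trust is a separate decision, taken here against the internal allowlist.
    $signer   = $sig.SignerCertificate
    $approved = $ApprovedThumbprints -contains $signer.Thumbprint
    if ($approved) {
        $reason = 'Signed by an approved publisher'
    } else {
        $reason = 'Valid signature, but publisher is not on the approved list'
    }

    [pscustomobject]@{
        File    = $Path
        Trusted = $approved
        Reason  = $reason
        Signer  = $signer.Subject
    }
}

# Report every downloaded component; anything with Trusted = False should not
# be registered or run, however plausible its signer looks.
Get-ChildItem -Path $DownloadDir -Include *.ocx, *.dll, *.cab, *.exe -Recurse -File |
    ForEach-Object { Test-ComponentTrust -Path $_.FullName } |
    Format-Table -AutoSize
```

The allowlist is keyed on certificate thumbprints rather than subject names because a subject string is whatever the certificate authority agreed to print, while the thumbprint pins one specific certificate the testing group has actually examined.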