
LYNX-DEV warning: applets flying about


From: Philip Webb
Subject: LYNX-DEV warning: applets flying about
Date: Thu, 20 Feb 1997 20:36:44 -0500 (EST)

members may be interested in the following article from New Scientist 970222,
which points up dangers ahead with the spread of Java, applets etc.
presumably Lynx will have to be able to cope with this brave new world,
if it's to handle secure commercial transactions.

blind members should be warned that my version contains many abbreviations:
i hope their synthesisers can cope with them.  if not, the original is at
 www.newscientist.com : you have to register, but it's free.

Web bank robbers poised to pounce -- Mark Ward
                                      
By exploiting security loopholes in Microsoft's I/net software & Quicken,
a pgm used by  c 9 Mpax  to manage their financial affairs, Chaos C'r Club
(Germany) claims it can make someone transfer $$ w/o knowing they are doing so:
the 1st a victim wd know is seeing it on their bank stmt.  The hackers have
created an applet wh cb hidden in a WWW page to surreptitiously copy itself
into the PC of anyone browsing there (the page need have ~th to do w $$).
Once the applet is downloaded, it looks around for Quicken & if it finds it,
creates a transaction order requesting $$ be transferred fr the owner's account
to one owned by the thief.  Quicken does~ check the origins of its transaction
orders, so when the victim connects to his bank to pay a bill, check a balance
or order a chequebook, the malicious instruction is also transferred; the bank
assumes instructions have come fr the customer & moves $$ to another account.
                                         
Applets are usually used to liven up WWW pages, by animating icons or creating
sounds; the most popular languages for writing applets are Java & ActiveX:
Chaos wrote its bank-robber pgm in ActiveX.
                                      
Tony Macklin, Intuit UK product mgr for Quicken, says: "It is certainly
a valid concern", adding Intuit is researching ways to close the loophole.
9701 Royal Bank of Scotland became the 1st UK bank to offer a PC service:
a spokeswoman said it is aware of the problem, but its robust security
procedures are likely to defeat any such scam.
                                      
The problem of malicious applets is likely to get worse, however, as software
used to navigate the WWW evolves.  Current popular browsers like I/net Explorer
& Netscape Navigator are multi-Mb pgms, but soon they wb replaced by loosely
connected applets written in Java or ActiveX, st every browse of the I/net
will involve swapping many applets back & forth.
                                      
The C'r Emergency Response Team (Carnegie Mellon U) monitors security loopholes
& has issued a warning re Java & ActiveX, tho' it has yet to receive reports
of anyone falling victim to a malicious applet. It recommends surfers turn off
Java & ActiveX controls unless their browser is an up-to-date version
in wh the holes have been plugged.

See also:
                                      
  Unofficial Quicken Web page --  quicken.sj-coop.net
  Safe I/net Pgming, Princeton U C'r Science Dept --  www.cs.princeton.edu/sip
  How the hackers broke the story
    --  www.iks-jena.de/mitarb/lutz/security/activex.en.html

-- 
========================,,============================================
SUPPORT     ___________//___,  Philip Webb : address@hidden
ELECTRIC   /] [] [] [] [] []|  Centre for Urban & Community Studies
TRANSIT    `-O----------O---'  University of Toronto