Fred McLain’s Internet Exploder showed that an ActiveX control can turn off your computer. But, as we’ve said, it could have done far worse damage. Indeed, it is hard to overstate the attacks that could be written and the subsequent risks of executing code downloaded from the Internet.
Increasingly, programs running computers can spend the money of their owners. What happens when money is spent by a program without the owner’s permission? Who is liable for the funds spent? How can owners prevent these attacks?
To answer these questions, it’s necessary to first understand how the money is being spent.
One of the first recorded cases of a computer program that could spend money on behalf of somebody else was the pornography viewer distributed by the Sexy Girls web site (described at the beginning of this chapter).
In this case, what made it possible for the money to be spent was the international long distance system, which already has provisions for billing individuals for long distance telephone calls placed on telephone lines. Because a program running on the computer could place a telephone call of its choosing, and because there is a system for charging people for these calls, the program could spend money.
Although the Sexy Girls pornography viewer spent money by placing international telephone calls, it could just as easily have dialed telephone numbers in the 976 exchange or 900 area code, both of which are used for teletext services. The international nature of the telephone calls simply makes it harder for authorities to refund the money spent, because the terms of these calls are subject to international agreements.
One way to protect against these calls would be to have some sort of trusted operating system that does not allow a modem to be dialed without informing the person sitting at the computer. Another approach would be to limit the telephone’s ability to place international telephone calls, the same as telephones can be blocked from calling 976 and 900 numbers. But ultimately, it might be more successful to use the threat of legal action as a deterrent against this form of attack.
In February 1997, Lutz Donnerhacke, a member of Germany’s Chaos Computer Club, demonstrated an ActiveX control that could initiate wire transfers using the European version of Quicken, a popular home banking program.
With the European version of Quicken it is possible to initiate a wire transfer directly from one bank account to another bank account. Donnerhacke’s program started up a copy of Quicken on the user’s computer and recorded such a transfer in the user’s checking account ledger.
Written in Visual Basic as a demonstration for a television station, the ActiveX control did not attempt to hide its actions. But Donnerhacke said that if he had actually been interested in stealing money, he could have made the program more stealthy.
One of the easiest attacks for downloaded code to carry out against a networked environment is the systematic and targeted theft of private and confidential information. The reason for this ease is the network itself: besides being used to download the programs to the host machine, the network can be used to upload confidential information. Unfortunately, this can also be one of the most difficult threats to detect and guard against.
A program that is downloaded to an end user’s machine can scan that computer’s hard disk or the network for important information. This scan can easily be masked to avoid detection. The program can then smuggle the data to the outside world using the computer’s network connection.
Programs running on a modern computer can do far more than simply scan their own hard drives for confidential information: they can become eyes and ears for attackers:
Any computer that has an Ethernet interface can run a packet sniffer, eavesdropping on network traffic, capturing passwords, and generally compromising a corporation’s internal security.
Once a program has gained a foothold on one computer, it can use the network to spread worm-like to other computers. Robert T. Morris’ Internet Worm used this sort of technique to spread to thousands of computers on the Internet in 1988. Computers running Windows 95 are considerably less secure than the UNIX computers that were penetrated by the Worm, and usually much less well administered.
Programs that have access to audio or visual devices can bug physical space. Few computers have small red lights to indicate when the microphone is on and listening or when the video camera is recording. Bugging capability can even be hidden in programs that legitimately have access to your computer’s facilities: imagine a video conferencing ActiveX control that sends selected frames and an audio track to an anonymous computer somewhere in South America.
Companies developing new hardware should have even deeper worries. Imagine a chip manufacturer that decides to test a new graphic accelerator using a multiuser video game downloaded from the Internet. What the chip manufacturer doesn’t realize is that as part of the game’s startup procedure it benchmarks the hardware on which it is running and reports the results back to a central facility. Is this market research on the part of the game publisher or industrial espionage on the part of its parent company? It’s difficult to tell.
 There is a perhaps apocryphal story of a New York City janitor who got his own 976 number in the 1980s and called it from the telephone of any office that he cleaned. Blocking calls to the 976 exchange and the 900 area code prevents such attacks.