Internet Banking Hits Another Security Snag

Another potential threat to Internet banking security has cropped up, this time in Germany.

In a live television demonstration, the Chaos Computer Club of Hamburg showed how a program written in Microsoft Corp.'s Active-X language could be downloaded from a Web site without the user's knowledge.

The hostile program surreptitiously inserted an illicit transaction on Intuit Inc.'s Quicken personal financial software.

Microsoft responded by unveiling a "Microsoft Security Advisor" on its Web site and warning users to be cautious about what they download.

The incident illustrates a hazard that some observers said requires more than mere verbal cautions to users.

"It is clearly a responsibility of the financial systems community to make sure that they understand these technologies and that they are providing the appropriate level of risk protection for themselves and their customers," said David Spinhoff, director of product marketing in Sun Microsystems Inc.'s JavaSoft unit.

Microsoft officials acknowledged their Internet Explorer Web browser permits downloads of Active-X programs. But they said a default setting in the browser guards against anonymously written programs, such as the one written by the Chaos Computer Club.

In a press release posted on its Web site, the Chaos Computer Club said, "It is very easy to go around Microsoft's supposed security measures" and to "siphon from an account using home-banking software.

"You can be harmlessly looking at a Web site, and someone can get your information."

Microsoft sharply criticized the prank.

"Do you realize that what they have done is criminal?" said Cornelius Willis, group manager of Internet platforms for Microsoft. "In most jurisdictions, it is illegal to write malicious computer code."

Nonetheless, the incident has touched off a debate among technologists about the relative merits of security measures in Active-X and in Java, the programming language owned by Microsoft rival Sun Microsystems.

Both languages help users enhance Web pages. A financial institution, for example, might use them to let customers do on-screen calculations.

Experts said Sun Microsystems has used security as a big selling point of Java, but, like Microsoft, it has run into problems.

"Java tries to stop programs from doing bad things at all," said Gary McGraw, co-author of "Java Security: Hostile Applets, Holes and Antidotes." "Whether it works or not is an interesting question."

Mr. McGraw has documented eight Java security flaws found by laboratory researchers. Recent versions of Netscape Navigator and Microsoft Internet Explorer were modified to avoid these security pitfalls.

Active-X differs radically from Java. Rather than establishing elaborate runtime precautions, Active-X relies upon a system in which software publishers authenticate their programs with an encrypted digital signature.

A Web user encountering a site using Active-X controls will be notified of the program's author. Microsoft officials said this assures tamper-free software much like the "shrink-wrapped" versions sold in stores.

But once a "signed" application is admitted to a machine, there are no constraints on what it can do, said Mr. McGraw. One notorious Active-X control would erase the user's hard disk, he said.

"With Java, you have a door with a lock," said Lior Arussy, vice president of Finjan Software Ltd. of Santa Clara, Calif., which has worked with several firewall vendors to bolster Java security.

"With Active-X, there is no lock whatsoever. What Finjan is providing is a doorman, a guard, and alarm system," said Mr. Arussy.

"Java runs in an 'interpreter' on the local machine, which is carefully limited so that it doesn't have access" to the computer's hard drive, added Eric C.W. Dunn, senior vice president at Intuit.

This so-called "sandbox" keeps a Java application from reading and writing data to other parts of the computer.
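To make the two models concrete, here is an added Python sketch (not code from the article, Microsoft, Sun or Intuit) of the three admission policies the story describes: the signature-only check, the sandbox, and the certificate-gated model that signed code leaving the sandbox would need. It assumes an HMAC as a stand-in for the publisher's real signature, and models a control as the list of operations it requests; the operation names and publisher are constructed.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the publisher's private signing key.
# Assumption: real Authenticode uses an RSA signature over the control's bytes;
# an HMAC gives the same accept/reject outcome for this model.
PUBLISHER_KEY = b"constructed-publisher-signing-key"

# Operations an untrusted applet may perform inside the Java "sandbox".
SANDBOX_ALLOWED = {"compute", "draw"}

def _signed_body(publisher: str, ops: list) -> bytes:
    return json.dumps({"publisher": publisher, "ops": ops}, sort_keys=True).encode()

def sign_control(publisher: str, ops: list) -> dict:
    """Package a control (modelled as the operations it will request) with a
    publisher signature, as a software publisher would before shipping it."""
    sig = hmac.new(PUBLISHER_KEY, _signed_body(publisher, ops), hashlib.sha256).hexdigest()
    return {"publisher": publisher, "ops": ops, "signature": sig}

def signature_valid(control: dict) -> bool:
    """The browser's check: proves who published the control and that its bytes
    are unchanged (the 'shrink-wrap'). It says nothing about what the code does."""
    body = _signed_body(control["publisher"], control["ops"])
    expected = hmac.new(PUBLISHER_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, control["signature"])

def run_signed_only(control: dict) -> list:
    """Active-X model: a validly signed control is admitted and then runs with no
    constraints; an unsigned or tampered one is refused. Returns the ops run."""
    if not signature_valid(control):
        return []
    return list(control["ops"])

def run_sandboxed(control: dict) -> list:
    """Java applet model: origin is irrelevant; every operation is checked
    against the sandbox policy and denied unless it is on the list."""
    return [op for op in control["ops"] if op in SANDBOX_ALLOWED]

def run_signed_with_grants(control: dict, grants: dict) -> list:
    """Certificate-gated model for code that leaves the sandbox: a valid signature
    identifies the publisher, and only that publisher's granted operations (plus
    sandbox-safe ones) are run. Unsigned or tampered code stays refused."""
    if not signature_valid(control):
        return []
    allowed = SANDBOX_ALLOWED | set(grants.get(control["publisher"], ()))
    return [op for op in control["ops"] if op in allowed]
```

A validly signed control that requests a local-file write is run in full under the signature-only model and trimmed to its sandbox-safe operations under the other two; altering its operations after signing makes the signature fail, which is all the signature was ever checking.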

Java, which only recently has begun to be used in the financial world, may begin to suffer from problems like those faced by Active-X, as developers write programs that are permitted to leave the "sandbox."

Programmers at Sun Microsystems and Netscape Communications Corp. are working on new versions of Netscape's browser that would let it read and write on a hard drive. Observers said such versions will require a system of digital certificates for Java programs.

"The need for authenticated content is becoming more and more clear," said Stratton D. Sclavos, chief executive officer of Verisign Inc., which has issued about 1,000 such certificates to programmers working in Active-X and Java.

"People shouldn't think of these as providing security," he said. They provide a "stamp" that shows a product or Web site is genuine.

Even that may not yet satisfy risk managers.

David Luther, president of the Security First Technologies network security division in Atlanta, said he is not fully confident in either of the competing interactive software architectures.

"At this point in the technology, you should probably have both Active-X and Java turned off" when doing financial transactions, Mr. Luther said last week at a conference in New York sponsored by the National Computer Security Association.

Mr. Luther is not a detached observer. His parent organization, Security First Network Bank, serves Internet customers via their Web browsers, relying on Secure Sockets Layer encryption. Security First does not deliver software that competes on a home computer with Quicken or Microsoft's Money.

*

Microsoft Corp. is among several industry leaders to join an alliance organized by Cisco Systems Inc. to promote security technologies that cut across all internal and external needs of companies.

The concept, known as enterprise security, has become a common thrust in the data security and open-networks communities. Cisco, the top Internet networking supplier, announced the cooperative effort Monday, calling it the Enterprise Security Alliance.

Other members include Cylink Corp., Hewlett-Packard Co., Oracle Corp., RSA Data Security Inc., and Verisign Inc.

Cisco concurrently announced an 18-month initiative to address identification and authentication, data integrity and confidentiality, and network auditing across enterprises.

The participating companies see the alliance as complementary to their own efforts, such as the enterprise security programs of RSA and its parent, Security Dynamics Technologies Inc.

Similarly, Verisign sees enterprise security as an outlet for its digital authentication systems: "By working with Cisco, the clear leader in internetworking products and services, we can extend the use of our Digital ID technology to an exciting array of new network applications and services," said Verisign president Stratton Sclavos.
