[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

MSN hackers heaven (fwd)

   This is a variation on Brad's forward of the MSN security

   Information Week, August 28, 1995, p. 24.

   Risk Looms On Microsoft Network. E-mail icons can hide

   A feature designed to make electronic mail easy to use on
   the Microsoft Network online service may also make it
   easier for hackers to trick users into running destructive
   software programs on their PCs.

   When a Microsoft Network user sends a binary file embedded
   in an E-mail message, the file appears as an icon on the
   recipient's screen. The recipient can double-click on the
   icon to automatically download the embedded file and
   execute it. To download the file without executing it, the
   recipient must use the mouse's right button, which has been
   rarely needed until now.

   Though other online services offer automatic downloading of
   files, Microsoft's goes one step further in allowing the
   file's automatic execution. That file could be a virus or
   other malicious program that could erase files or reformat
   a hard disk, according to Mike Wyman, VP and chief
   technical offficer of Interactive Data Corp., an investment
   information firm in Lexington, Mass., and a Microsoft
   Network beta user. "On the Microsoft Network, I can
   disguise an icon so that it looks innocuous," says Wyman.
   "The analogy I like to use is the Unabomber. If you get a
   package in the mail that's wrapped in duct tape and brown
   paper, you'd regard it as suspicious. But if it's a plain
   white envelope with Ed McMahon's picture on it, you
   wouldn't think twice about opening it."

   Microsoft says the feature is a convenience, not a security
   hole. "There are risks of getting [data] off the network in
   any form," says George Meng, group product manager for the
   Microsoft Network in Redmond, Wash. "People have to be
   aware of what the source of information is."

   Winn Schwartau, president of Interpact Inc., a computer
   security consulting firm in Seminole, Fla., disagrees. "If
   the ability to execute programs bypasses conventional
   filtering and virus controls, then you certainly have a
   security hole," he says "Potential 'Trojan horse' programs
   could be sent by anyone."

   By Mitch Wagner and Clinton Wilder