[4349] in WWW Security List Archive
Re: Sceptic about (Funds Transfer w/o PIN)
daemon@ATHENA.MIT.EDU (Kevin J Mcmahon)
Tue Feb 11 12:21:50 1997
Date: Tue, 11 Feb 1997 09:12:15 -0500
To: www-security@ns2.rutgers.edu
From: "Kevin J Mcmahon" <Kevin.J.Mcmahon@MCI.Com>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <9702100025.AA26138@omsk.quadrix.com>
Errors-To: owner-www-security@ns2.rutgers.edu
At 07:25 PM 2/9/97 EST, BVE wrote:
[snip]
>The Java Virtual Machine represents a radical operating system redesign. It
>allows a virtual computer to exist on any platform. This virtual machine can
>be taught to implement any security policy desired. The first step in this
>process has already been taken. Now, finer granularity must be implemented.
>This is already happening. As mentioned above, the new version (which will be
>in Netscape 4.0) will allow finer control over allowed activities. I believe
>that the model under development has some significant problems, but it's
>another step in a logical progression which has the potential to solve our
>net-based computing security problems.
>
I agree with the above. However, there is still the larger issue of the
fact that a piece of malicious code can be written to modify the system in
any way that it chooses (at least on DOS/Win3.1, Win95, Mac etc.). Imagine
a virus that re-enables Java/JavaScript (and ActiveX for IE) on your
browser, then inserts an envelope around your 'home' URL. The next time
you start up your browser the home page is loaded via a hacked site that
contains even more malicious software. The payload for this virus/Trojan
horse would be fairly small and once the hacked web site is accessed more
malicious things can be done (like the Quicken hack) based on what
applications you have running on your system.
Kevin J. McMahon
MCI Technical Security
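As an added illustration, not part of the original post or written by its author, of how a defender could catch the tampering Kevin describes: an integrity check over a Netscape/Mozilla-style prefs.js that flags Java/JavaScript switched back on against a saved baseline and a home URL that now wraps the user's original one inside a redirect. The pref names, hosts and the sample file are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed prefs.js after the hypothetical tampering: Java/JavaScript
# re-enabled and the original home URL wrapped inside a redirecting URL
# on another host (all names and hosts are assumptions, not real values).
TAMPERED_PREFS = '''
user_pref("browser.startup.homepage", "http://hijack.example.invalid/go?u=http://home.example.net/");
user_pref("security.enable_java", true);
user_pref("javascript.enabled", true);
'''

# The settings the user actually chose (constructed baseline).
BASELINE = {
    "browser.startup.homepage": "http://home.example.net/",
    "security.enable_java": False,
    "javascript.enabled": False,
}

_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(true|false))\);')


def parse_prefs(text):
    """Return {name: value} from user_pref(...) lines; true/false become bool."""
    prefs = {}
    for m in _PREF_RE.finditer(text):
        name, string_val, bool_val = m.groups()
        prefs[name] = string_val if string_val is not None else (bool_val == "true")
    return prefs


def home_url_wrapped(current, expected):
    """True if the expected home URL now sits inside a URL on a different host."""
    if current == expected:
        return False
    cur, exp = urlparse(current), urlparse(expected)
    if cur.netloc == exp.netloc:
        return False
    # parse_qs decodes percent-encoding, so an encoded wrapped URL is caught too.
    in_query = any(v.startswith(expected)
                   for vals in parse_qs(cur.query).values() for v in vals)
    return in_query or expected in current


def audit_prefs(text, baseline=BASELINE):
    """Compare prefs text to the baseline and return human-readable findings."""
    prefs, findings = parse_prefs(text), []
    for name, expected in baseline.items():
        current = prefs.get(name, expected)
        if isinstance(expected, bool) and current and not expected:
            findings.append(f"{name} re-enabled")
        elif name == "browser.startup.homepage" and home_url_wrapped(current, expected):
            findings.append(f"home page redirected through {urlparse(current).netloc}")
    return findings
```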