[4426] in WWW Security List Archive


RE: ActiveX Bank-Quicken Exploit

daemon@ATHENA.MIT.EDU (Mirick, James R.)
Fri Feb 14 11:58:12 1997

Date: Fri, 14 Feb 97 09:09 EST
From: "Mirick, James R." <FBS/DEV01/JRMIRICK%First_Bank_System@mcimail.com>
To: Geoffrey Leeming <geoffrey@indiciis.com>,
        WWW Security List <WWW-SECURITY@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

Please reply to the following MCI Mail address: 692-1709


Surveys indicate that a surprisingly large number of our customers don't
even open their statements, much less balance them.  We found this out
because the Marketing department wanted to study the effectiveness of
statement stuffers.

Jim Mirick
General Manager, FBS Interactive
First Bank System, Minneapolis                www.fbs.com

 ----------
From:  Geoffrey Leeming
Sent:  Thursday, February 13, 1997 9:01 PM
To:  WWW Security List
Cc:  James R. Mirick
Subject:  Re: ActiveX Bank-Quicken Exploit

MCI Mail date/time: Thu Feb 13, 1997  8:58 pm  CST
  Source date/time: Thu, 13 Feb 1997 15:10:41 +0100
 -------------------

Just to take the discussion back a few steps, last week someone mentioned
that the Quicken exploit is not that worrying, because attacks would have
to go unnoticed for a long period.

Extract from the 1996 UK Security Breaches Survey, by DTI/NCC/ICL/ITSEC:

"In some cases security incidents continued undetected over a period of
time. One incident involved the fraudulent payment of company funds into
an employee's bank account for over two years and resulted in an "immediate"
cost to the company of £650,000."

If companies who PAY people to manage their finances don't notice
unauthorised payments, what chance of the SoHo user noticing?

Geoffrey Leeming     0171 592 3007 - Office Direct Dial
Consultant           0171 836 0567 - Fax
Indicii Salus Ltd.   0956 844 168  - Mobile
