New tool blocks wily e-comm hacker tricks

September 7, 1999
Web posted at: 11:46 p.m. EDT (1546 GMT)

by Ellen Messmer

From Network World Fusion

(IDG) -- Think your electronic commerce site is safe from hackers? A little demonstration from start-up Perfecto Technologies might convince you otherwise.

Company co-founder Eran Reshef sat down at this reporter's PC, logged on to an e-commerce site and, using only the browser, changed the price of an item by modifying the site's HTML.

A similar demo for Quote.com exposed security holes and led Quote.com to buy AppShield, a tool Perfecto designed to bullet-proof e-commerce sites.

Reshef came up with the idea for AppShield with his partner, Gil Raanan. Both honed their computer skills as officers with Israeli secret intelligence.

AppShield is an HTTP proxy filter that sits in front of a Web-based e-commerce application. It keeps crooks out by refusing to process bogus character inputs, such as over-long inputs to Common Gateway Interface programs that trigger buffer overflows, which can be used to hijack the server.

Clean cookies

AppShield also blocks a trick called "cookie poisoning," in which an attacker alters his Web cookie after he's logged on with a password and ID. This is important because many Web sites rely on a cookie to maintain session state with the e-commerce user after authentication. Once the cookie is altered, the trickster can take on another identity and use someone else's account, for example.

AppShield can also prevent hackers from changing prices on items added to e-commerce shopping carts, something that can be surprisingly easy to do with the HTML tools that are part of the Netscape and Microsoft browsers.

Shipped last week, AppShield is already winning plaudits from beta testers who have had the chance to kick its tires for a few months.

"We have evidence of the fact that it can work," says Kaj Pedersen, vice president of engineering at Quote.com, a Web site that provides stock quotes, news, research and portfolio management for investors. Pedersen found out about Quote.com's security holes after Perfecto employees hacked the company's Web site in two or three different ways right in front of him.

Page watching

To prevent break-ins, AppShield analyzes every page generated by the Web server every time it is requested, but before the page gets to the browser. The process adds about 20 milliseconds to the browser-server communication, Reshef says.

AppShield's policy recognition engine expects the data a browser sends back to correspond to the page as the server originally generated it, and AppShield filters out illegal character inputs. If the software senses trouble, AppShield notifies the e-commerce manager through an e-mail or pager alert. The software can also give the would-be Web hacker an error code response or other message.
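The three checks the article attributes to AppShield (rejecting over-long CGI inputs, detecting a poisoned session cookie, and refusing a form submission whose hidden fields such as a price no longer match the page the server generated) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Perfecto's code; the class and function names, the 256-byte parameter limit, the HMAC-based cookie format and the sample shopping-cart page are all assumptions made for the example.

```python
"""Toy model of an application-level HTTP proxy filter.

Added example, not AppShield's implementation.  On the server->browser leg the
proxy records the form the server generated; on the browser->server leg it
accepts a request only if it is consistent with that form, the session cookie
is intact, and no parameter is suspiciously long.  All names are invented.
"""
import hashlib
import hmac
from html.parser import HTMLParser

MAX_PARAM_LEN = 256                     # assumed limit for any single CGI parameter
SECRET = b"constructed-server-side-key"  # constructed key; never sent to the browser

# Constructed sample page: the price is a hidden field the browser must return as-is.
PAGE = """<html><body>
<form action="/cart/add" method="post">
  <input type="hidden" name="sku" value="X1">
  <input type="hidden" name="price" value="199.00">
  Quantity: <input type="text" name="qty" value="1">
  <input type="submit" value="Add to cart">
</form></body></html>"""


class _FormScanner(HTMLParser):
    """Collect the form action and the expected value of every hidden input."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.hidden[a.get("name")] = a.get("value")


def issue_session_cookie(user_id: str) -> str:
    """Cookie = user id + HMAC; editing the id invalidates the MAC."""
    mac = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def cookie_is_intact(cookie: str) -> bool:
    """True only if the MAC in the cookie matches the user id it carries."""
    try:
        user_id, mac = cookie.rsplit(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


class PageWatchingProxy:
    """Remembers, per session, the form the server last generated."""

    def __init__(self):
        self.expected = {}  # user id -> (form action, hidden field values)

    def observe_response(self, cookie: str, html: str) -> None:
        """Server->browser leg: record what the page allows the user to submit."""
        if not cookie_is_intact(cookie):
            return
        scanner = _FormScanner()
        scanner.feed(html)
        self.expected[cookie.rsplit(".", 1)[0]] = (scanner.action, dict(scanner.hidden))

    def check_request(self, cookie: str, path: str, params: dict):
        """Browser->server leg: return (allowed, reason) for the submitted request."""
        if not cookie_is_intact(cookie):
            return False, "cookie poisoned"
        for name, value in params.items():
            if len(value) > MAX_PARAM_LEN:          # crude guard against overflow-style input
                return False, f"parameter {name} too long"
        known = self.expected.get(cookie.rsplit(".", 1)[0])
        if known is None:
            return False, "no page issued for this session"
        action, hidden = known
        if path != action:
            return False, "form submitted to unexpected action"
        for name, value in hidden.items():          # hidden fields must come back unchanged
            if params.get(name) != value:
                return False, f"hidden field {name} altered"
        return True, "ok"


if __name__ == "__main__":
    proxy = PageWatchingProxy()
    cookie = issue_session_cookie("alice")
    proxy.observe_response(cookie, PAGE)
    good = {"sku": "X1", "price": "199.00", "qty": "2"}
    print(proxy.check_request(cookie, "/cart/add", good))
    print(proxy.check_request(cookie, "/cart/add", dict(good, price="1.00")))
```

The quantity field is a visible text input, so changing it passes; the price is a hidden field, so a browser that returns a different value is refused, which is the price-tampering case the article describes. A real deployment would also have to handle multiple forms per page, pages without forms, and expiry of the recorded state.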

In general, preventing hacker exploits requires the e-commerce application to be rigorously designed and reviewed by security experts. But this is a luxury not all e-commerce operations can afford.

Instead, e-commerce sites are often rushed into production for competitive reasons. But Perfecto's founders think their application security proxy can protect sites that have not been designed with such rigor.

"This is for brokerages, airline companies, phone companies, retailers, financial institutions and online pharmacies," Reshef says. "It's for newspapers, analysts and TV stations."

AppShield, which costs $20,000, will be just the first product from Perfecto. Reshef says the start-up plans to announce other security tools in the next few months.
