New tool blocks wily e-comm hacker tricks

September 7, 1999
Web posted at: 11:46 p.m. EDT (1546 GMT)

by Ellen Messmer

Network World Fusion

(IDG) -- Think your electronic commerce site is safe from hackers? A little demonstration from start-up Perfecto Technologies might convince you otherwise.

Company co-founder Eran Reshef sat down at this reporter's PC, logged on to an e-commerce site and, using only the browser, changed the price of an item by modifying the site's HTML.

A similar demo for exposed security holes and led to buy AppShield, a tool Perfecto designed to bullet-proof e-commerce sites.

Reshef came up with the idea for AppShield with his partner, Gil Raanan. Both honed their computer skills as officers with Israeli secret intelligence.

AppShield is an HTTP proxy filter that sits in front of a Web-based e-commerce application. It keeps crooks out by refusing to process any bogus character inputs, such as long Common Gateway Interface buffer overflows, that can hijack the server.

Clean cookies

AppShield also blocks a trick called "cookie poisoning," in which an attacker alters his Web cookie after he's logged on with a password and ID. This is important because many Web sites rely on a cookie to keep a state of connection with the e-commerce user after authentication. Once the cookie is altered, the trickster can take on another identity and use someone else's account, for example.

AppShield can also prevent hackers from changing prices on items added to e-commerce shopping carts, something that can be surprisingly easy to do with the HTML tools that are part of the Netscape and Microsoft browsers.

Shipped last week, AppShield is already winning plaudits from beta testers who have had the chance to kick its tires for a few months.

"We have evidence of the fact that it can work," says Kaj Pedersen, vice president of engineering at, a Web site that provides stock quotes, news, research and portfolio management for investors. Pedersen found out about's security holes after Perfecto employees hacked the company's Web site in two or three different ways right in front of him.

Page watching

To prevent break-ins, AppShield analyzes every page generated by the Web server every time it is requested, but before the page gets to the browser. The process adds about 20 milliseconds to the browser-server communication, Reshef says.

AppShield's policy recognition engine expects an application page to be returned as it originated, and AppShield filters out illegal character inputs. If the software senses trouble, AppShield notifies the e-commerce manager through an e-mail or pager alert. The software can also give the would-be Web hacker an error code response or other message.
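
The following is an added illustration, not Perfecto's code and not part of the original article: a minimal Python sketch of a filter that remembers the hidden form fields and cookies a server sent and flags a request that returns them altered, covering the price-change and cookie-poisoning cases described above. The session key, field names and sample page are constructed assumptions; the article does not describe how AppShield implements its policy engine.

```python
from html.parser import HTMLParser

class HiddenFields(HTMLParser):
    """Collect name/value of each <input type="hidden"> in a served page."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

class PageIntegrityFilter:
    """Toy policy: values the server sent must come back unchanged."""
    def __init__(self):
        self.sent = {}  # session key (assumed tracked by the filter) -> state

    def on_response(self, session, html, set_cookies):
        parser = HiddenFields()
        parser.feed(html)
        state = self.sent.setdefault(session, {"fields": {}, "cookies": {}})
        state["fields"] = parser.fields
        state["cookies"].update(set_cookies)

    def on_request(self, session, form, cookies):
        """Return violations; an empty list means the request may be forwarded."""
        state = self.sent.get(session)
        if state is None:
            return ["no page was served to this session"]
        violations = []
        for name, expected in state["fields"].items():
            if form.get(name) != expected:
                violations.append(f"hidden field {name!r} changed")
        for name, expected in state["cookies"].items():
            if name in cookies and cookies[name] != expected:
                violations.append(f"cookie {name!r} changed")
        return violations

# Constructed sample page and requests (not taken from the article).
PAGE = ('<form action="/cart"><input type="hidden" name="price" value="49.95">'
        '<input type="hidden" name="sku" value="A100"><input name="qty"></form>')

def demo():
    f = PageIntegrityFilter()
    f.on_response("s1", PAGE, {"account": "1001"})
    ok = f.on_request("s1", {"price": "49.95", "sku": "A100", "qty": "2"}, {"account": "1001"})
    bad = f.on_request("s1", {"price": "0.01", "sku": "A100", "qty": "2"}, {"account": "1002"})
    return ok, bad
```

User-editable fields such as the quantity are not pinned, so only values the server itself fixed in the page or cookie are checked.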

In general, preventing hacker exploits requires the e-commerce application to be rigorously designed and reviewed by security experts. But this is a luxury not all e-commerce operations can afford.

Instead, e-commerce sites are often rushed into production for competitive reasons. But Perfecto's founders think their application security proxy can protect sites that have not been designed with such rigor.

"This is for brokerages, airline companies, phone companies, retailers, financial institutions and online pharmacies," Reshef says. "It's for newspapers, analysts and TV stations."

AppShield, which costs $20,000, will be just the first product from Perfecto. Reshef says the start-up plans to announce other security tools in the next few months.
