Perfecto Technologies Launches Black Watch Labs: The First Online Web Application Security Management Resource

Black Watch Labs Issues First Security Advisory Concerning the Safety of Millions of Web Sites


Santa Clara, Calif. - February 17, 2000 - Perfecto Technologies, the leading developer of Web application security management software, today unveiled Black Watch Labs (www.perfectotech.com/blackwatchlabs/), an online research center dedicated to increasing awareness of Web application security issues within the Internet community. In addition to publishing general information on Web application security topics, Black Watch Labs will issue alerts when Web application vulnerabilities are discovered. Black Watch Labs today issued its first advisory, which demonstrates how ordinary search engines can be used to identify millions of Web sites that are potentially vulnerable to application-level hacking attacks.

"Up until today, there has been a noticeable lack of comprehensive information about Web application security," said Eran Reshef, senior vice president and co-founder of Perfecto Technologies. "As the leader in Web Application Security Management software, we recognized the significance of this gap and the potential risks faced by any business with a Web site and their customers. We established Black Watch Labs to identify and share Web application vulnerabilities."

"The subject of our first alert is a case in point," Reshef continued. "We discovered that search engines can be used to find Web sites with potential vulnerabilities that allow hackers access to extremely sensitive data. eBusinesses and consumers need to be aware of these problems."

The Black Watch Labs Web site will feature up-to-date information on Web application security, newly discovered vulnerabilities, white papers and links to other security organizations. Subscribers to the free service will also receive e-mail notification every time a new vulnerability is discovered.

In its first advisory, Black Watch Labs reveals how ordinary search engines can be used to discover potential Web application vulnerabilities in indexed sites. Because many Web application vulnerabilities have tell-tale characteristics, searching for the signature of a particular vulnerability can yield thousands of at-risk Web sites. Among the potential weaknesses such searches can uncover are: open debug options (which can be used to grant unlimited access to a site), the ability to track all visitors to a site and the ability to execute remote SQL queries (database commands). For technical details of this problem, please visit https://www.perfectotech.com/blackwatchlabs/.

For example, using Infoseek to search for links containing the word "price" yields 132,561 matches. A link that contains the word "price" might pass the price as a parameter, exposing the site to eShoplifting (e.g., changing the price of the item purchased).

Searching AltaVista for the phrase "User Profile by Regions" results in 3,605 pages that contain the usage statistics of Web sites exposed to this loophole. These statistics include information on users accessing the site, the path they choose during their visit, the search engines and keywords used to reach the site, etc.

"This is a particularly strong example of the state of application-level security throughout the Internet," commented Dennis Szerszen, of Hurwitz Group. "The idea that search engines can be used to detect Web application vulnerabilities within indexed Web sites, combined with the large number of vulnerable sites found, illustrates a frightening reality that should serve as a wake-up call to anyone doing business on the Internet."

About Perfecto Technologies
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies is the leader in Web Application Security Management software. AppShield, Perfecto's initial product offering, is the first to provide extreme security for customer-facing applications in dynamic eBusiness environments. Privately held, Perfecto is funded by blue-chip venture capital firms and industry leaders, including Goldman Sachs, Intel Corporation, Sequoia Capital, The Sprout Group and Walden Israel. More information about Perfecto Technologies may be obtained by visiting the Company's Web site at www.perfectotech.com or by calling the Company directly at (408) 855-9500.

 #   #   #

AppShield is a trademark of Perfecto Technologies, Inc. All other product names referenced are the property of their respective owners and are hereby acknowledged.

 

For Immediate Release
Contact:

Chris Benham
Perfecto Technologies, Inc.
(408) 855-9500
[email protected]

Kevin Pedraja
Sterling Communications
(408) 441-4100
[email protected]
