-- Cheryl Ross, industry reporter

NEWS/400 GOES AFTER GERSTNER'S CREDIT CARD NUMBER IN ETHICAL HACK
With more and more businesses moving at least part of their
operations onto the Web, Internet security is a hot topic. In
surveys conducted in the past three years by various
organizations, a consistent 40 percent of companies polled
reported breaches of information security in the preceding 12
months. The total estimated losses from these attacks have been
reported as anywhere from $800 million to $300 billion. At least
half of these attacks were internal, but a significant number
originated on vulnerable Web sites.

So can using one type of Web server over another improve the
security of your Web site? IBM likes to tout the innate security
of the AS/400 and how that extends to the Web, and news reports
overflow with accounts of security breaches of NT-hosted sites.
But which of these platforms really provides the safest home for
your Web site? NEWS/400 set out to answer this question in the
first IBM-endorsed public hack of the AS/400, with a separate hack
of an equivalent NT server.

Armed with standard hacker kits, two teams of security consultants
staged a 48-hour assault on the servers, each of which temporarily
housed an e-commerce site on the Duke Communications LAN. (Duke is
the parent company of both NEWS/400 and its sister publication,
Windows NT Magazine.) Their goal: to get Lou Gerstner's credit
card number off the AS/400 and the system administrator's
identification and password off the NT Server.

Wait. To give a fair test, you should have the same
target goal. Looking for sensitive info on an AS/400 and a password
on NT is extremely disproportionate. Using two teams does not provide
a standard mindset, as one team could overlook something obvious.

While the two teams of ethical hackers had different realms of
security expertise -- an AS/400 team led by NEWS/400 senior tech
editor and security consultant Mel Beckman, and an NT team from
the Columbus, Ohio, security consultancy Midwestern Commerce --
they used standard, known hacker tricks that anyone could try.

Both machines were set up as standalone, self-contained Web
servers, with the AS/400 running Internet Connection Secure Server
at security level 40 and the NT Server fully locked down. The Web
applications were standard online stores tempting visitors to buy
fictitious goods. Other services, such as Telnet, FTP, and e-mail,
were disabled during the Web server security test.

The AS/400 e-commerce application was written in C by an IBM team
headed by John Nielsen and was loaded on an AS/400e model S50
running V4R1, which was secured by IBM AS/400 Security Architect
Carol Woodbury following the steps recommended in the IBM manual
"Tips and Tools for Securing Your AS/400." The NT application was
adapted from Microsoft's sample "Volcano" Web site by John Enck, a
NEWS/400 senior tech editor and Windows NT Magazine lab manager.
Mark Joseph Edwards, a leading NT security expert, secured the NT
system. In both cases, the applications were written and the Web
sites secured according to widely published standards for each
platform, with no special tricks or security patches.

"We wanted to make the test as customer-like as possible,"
Woodbury says. "We wanted to make sure that it could be replicated
by any one of our customers, and we wanted to test our own
procedures to make sure that we were complete in telling everybody
everything that they needed to know."

So which server was more secure?

Of the Web server attacks the teams tried -- modifying password
strings, changing SQL requests, trying to directly execute CGI,
attempting all known default passwords, and generating common
passwords with a hacker's password-cracking tool, among others --
all failed on both servers. This means, of course, that you can
configure either an AS/400 or an NT server so that confidential
information remains secure.

"That the AS/400 was able to keep out an extended, determined
attack from so many well-trained technicians," Beckman says,
"shows that IBM is paying attention to Internet security."

Why praise the AS/400 when NEITHER was broken into?

While the test NEWS/400 conducted in cooperation with IBM
addressed only information security, there are other ways to
assault a system. In a separate test, NEWS/400 will look at
denial-of-service attacks, which can cripple a network by
overloading or breaking one or more network services. For detailed
reports about both of these security tests, see Mel Beckman's
articles in NEWS/400, starting in June.