-- Cheryl Ross, industry reporter NEWS/400 GOES AFTER GERSTNER'S CREDIT CARD NUMBER IN ETHICAL HACK With more and more businesses moving at least part of their operations onto the Web, Internet security is a hot topic. In surveys conducted in the past three years by varying organizations, a consistent 40 percent of companies polled reported breaches of information security in the preceding 12 months. The total estimated losses from these attacks have been reported as anywhere from $800 million to $300 billion. At least half of these attacks were internal, but a significant number originated on vulnerable Web sites. So can using one type of Web server over another improve the security of your Web site? IBM likes to tout the innate security of the AS/400 and how that extends to the Web, and news reports overflow with accounts of security breaches of NT-hosted sites. But which of these platforms really provides the safest home for your Web site? NEWS/400 set out to answer this question in the first IBM-endorsed public hack of the AS/400, with a separate hack of an equivalent NT server. Armed with standard hacker kits, two teams of security consultants staged a 48-hour assault on the servers, each of which temporarily housed an e-commerce site on the Duke Communications LAN. (Duke is the parent company of both NEWS/400 and its sister publication, Windows NT Magazine.) Their goal: to get Lou Gerstner's credit card number off the AS/400 and the system administrator's identification and password off the NT Server. Wait. To give a fair test, you should have the same target goal. Looking for sensitive info on an AS/400 and a password on NT is extremely unproportional. Using two teams does not provide a standard mindset as one team could overlook something obvious. While the two teams of ethical hackers had different realms of security expertise -- an AS/400 team led by NEWS/400 senior tech editor and security consultant Mel Beckman, and an NT team from the Columbus, Ohio, security consultancy Midwestern Commerce -- they used standard, known hacker tricks that anyone could try. Both machines were set up as standalone, self-contained Web servers, with the AS/400 running Internet Connection Secure Server at security level 40 and the NT Server fully locked down. The Web applications were standard online stores tempting visitors to buy fictitious goods. Other services, such as Telnet, FTP, and e-mail, were disabled during the Web server security test. The AS/400 e-commerce application was written in C by an IBM team headed by John Nielsen and was loaded on an AS/400e model S50 running V4R1, which was secured by IBM AS/400 Security Architect Carol Woodbury following the steps recommended in the IBM manual "Tips and Tools for Securing Your AS/400." The NT application was adapted from Microsoft's sample "Volcano" Web site by John Enck, a NEWS/400 senior tech editor and Windows NT Magazine lab manager. Mark Joseph Edwards, a leading NT security expert, secured the NT system. In both cases, the applications were written and the Web sites secured according to widely published standards for each platform, with no special tricks or security patches. "We wanted to make the test as customer-like as possible," Woodbury says. "We wanted to make sure that it could be replicated by any one of our customers, and we wanted to test our own procedures to make sure that we were complete in telling everybody everything that they needed to know." So which server was more secure? Of the Web server attacks the teams tried -- modifying password strings, changing SQL requests, trying to directly execute CGI, attempting all known default passwords, and generating common passwords with a hacker's password-cracking tool, among others -- all failed on both servers. This means, of course, that you can configure either an AS/400 or an NT server so that confidential information remains secure. "That the AS/400 was able to keep out an extended, determined attack from so many well-trained technicians," Beckman says, "shows that IBM is paying attention to Internet security." Why priase the AS/400 when NEITHER were broken into? While the test NEWS/400 conducted in cooperation with IBM addressed only information security, there are other ways to assault a system. In a separate test, NEWS/400 will look at denial-of-service attacks, which can cripple a network by overloading or breaking one or more network services. For detailed reports about both of these security tests, see Mel Beckman's articles in NEWS/400, starting in June. -- Cheryl Ross, industry reporter