[ISN] News/400 Goes after Credit Info in Ethical Hack

From: jerichot_private
Date: Sat Apr 18 1998 - 19:31:42 PDT


    Forwarded From: Nicholas Charles Brawn <ncb05t_private>
    Forwarded From: RBFCU <msorbe1t_private>

    With more and more businesses moving at least part of their
    operations onto the Web, Internet security is a hot topic. In
    surveys conducted in the past three years by varying
    organizations, a consistent 40 percent of companies polled
    reported breaches of information security in the preceding 12
    months. The total estimated losses from these attacks have been
    reported as anywhere from $800 million to $300 billion. At least
    half of these attacks were internal, but a significant number
    originated on vulnerable Web sites.

    So can using one type of Web server over another improve the
    security of your Web site? IBM likes to tout the innate security
    of the AS/400 and how that extends to the Web, and news reports
    overflow with accounts of security breaches of NT-hosted sites.
    But which of these platforms really provides the safest home for
    your Web site? NEWS/400 set out to answer this question in the
    first IBM-endorsed public hack of the AS/400, with a separate hack
    of an equivalent NT server.

    Armed with standard hacker kits, two teams of security consultants
    staged a 48-hour assault on the servers, each of which temporarily
    housed an e-commerce site on the Duke Communications LAN. (Duke is
    the parent company of both NEWS/400 and its sister publication,
    Windows NT Magazine.) Their goal: to get Lou Gerstner's credit
    card number off the AS/400 and the system administrator's
    identification and password off the NT Server.

    While the two teams of ethical hackers had different realms of
    security expertise -- an AS/400 team led by NEWS/400 senior tech
    editor and security consultant Mel Beckman, and an NT team from
    the Columbus, Ohio, security consultancy Midwestern Commerce --
    they used standard, known hacker tricks that anyone could try.

    Both machines were set up as standalone, self-contained Web
    servers, with the AS/400 running Internet Connection Secure Server
    at security level 40 and the NT Server fully locked down. The Web
    applications were standard online stores tempting visitors to buy
    fictitious goods. Other services, such as Telnet, FTP, and e-mail,
    were disabled during the Web server security test.

    The AS/400 e-commerce application was written in C by an IBM team
    headed by John Nielsen and was loaded on an AS/400e model S50
    running V4R1, which was secured by IBM AS/400 Security Architect
    Carol Woodbury following the steps recommended in the IBM manual
    "Tips and Tools for Securing Your AS/400." The NT application was
    adapted from Microsoft's sample "Volcano" Web site by John Enck, a
    NEWS/400 senior tech editor and Windows NT Magazine lab manager.
    Mark Joseph Edwards, a leading NT security expert, secured the NT
    system. In both cases, the applications were written and the Web
    sites secured according to widely published standards for each
    platform, with no special tricks or security patches.

    "We wanted to make the test as customer-like as possible,"
    Woodbury says. "We wanted to make sure that it could be replicated
    by any one of our customers, and we wanted to test our own
    procedures to make sure that we were complete in telling everybody
    everything that they needed to know."

    So which server was more secure?

    Of the Web server attacks the teams tried -- modifying password
    strings, changing SQL requests, trying to directly execute CGI,
    attempting all known default passwords, and generating common
    passwords with a hacker's password-cracking tool, among others --
    all failed on both servers. This means, of course, that you can
    configure either an AS/400 or an NT server so that confidential
    information remains secure.

    "That the AS/400 was able to keep out an extended, determined
    attack from so many well-trained technicians," Beckman says,
    "shows that IBM is paying attention to Internet security."

    While the test NEWS/400 conducted in cooperation with IBM
    addressed only information security, there are other ways to
    assault a system. In a separate test, NEWS/400 will look at
    denial-of-service attacks, which can cripple a network by
    overloading or breaking one or more network services. For detailed
    reports about both of these security tests, see Mel Beckman's
    articles in NEWS/400, starting in June.

    -- Cheryl Ross, industry reporter