Ethical hacking of your own Web site can reveal problems and vulnerabilities before the bad guys find them.
A good intrusion-detection system is one way to fight off hackers. Studying news of security threats and installing the latest patches is another excellent idea. Hacking your own Web site to verify that it's secure is yet another.
If you hack your own network, make sure to give yourself a safe environment. Making back-up copies of server files and configuration data can be a lifesaver when your hacking attempts succeed beyond your wildest expectations. And make sure the appropriate people know what you're doing beforehand. In your status reports and memos, however, don't refer to what you're doing as hacking. Use the term "auditing"; it sounds better. Nonetheless, ethical hacking is what you'll be doing.
During a recent project to improve security at a Microsoft Internet Information Server (IIS) 5.0-based Web site, we used five hacking tools:
* @stake's NetCat 1.1; a script-driven utility that connects to Web sites, sends HTML requests and shows the sites' responses.
* Rain Forest Puppy's Whisker 2.1 for Unix and Whisker 1.4 for Windows; Web site checking tools that obtain Web site contents, run programs on the Web server and crack Web site passwords.
* HooBie's Brutus AET2 and EliteSys' Entry 2.7; superlative, fast password crackers.
* Tennyson Maxwell Information Systems' Teleport Pro 1.29; a Web spider that discovers and copies Web server files.
Our self-hacking game plan was to gain access to the Web site by bombarding it with badly formed URLs, cut through authentication barricades by guessing passwords and copy Web site files once we'd cracked the site's security. The five tools helped by revealing operating system and other files on the Web server, defeating password protections and even obtaining (simulated) credit card files.
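Both halves of that plan, the badly formed URLs and the password guessing, leave traces in the Web server's logs, and the point of auditing yourself is to confirm that you would actually notice them. The script below is an added example, not code from the article or from any of the tools it lists. It reads IIS W3C extended log lines (the sample lines, field list, paths and IP addresses are constructed for the example), canonicalizes each request path by percent-decoding it and passing it through a strict UTF-8 decoder, flags traversal and malformed encodings, and counts 401 responses per source address; the five-failure threshold is an assumption of the example, not a figure from the article.

```python
"""Audit IIS W3C extended log lines for malformed request paths and
password-guessing bursts (added example; sample data is constructed)."""
import re
from collections import Counter

# Constructed sample log, not from any real server. Field order follows the
# "#Fields:" header, as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-03-01 10:00:01 192.0.2.10 GET /default.asp - 200
2001-03-01 10:00:02 192.0.2.10 GET /images/logo.gif - 200
2001-03-01 10:00:05 198.51.100.7 GET /scripts/..%c0%80../private/notes.txt - 404
2001-03-01 10:00:06 198.51.100.7 GET /..%255c..%255cconfig.ini - 404
2001-03-01 10:00:07 198.51.100.7 GET /orders/../../customers.txt - 403
2001-03-01 10:01:00 203.0.113.5 GET /admin/ - 401
2001-03-01 10:01:01 203.0.113.5 GET /admin/ - 401
2001-03-01 10:01:02 203.0.113.5 GET /admin/ - 401
2001-03-01 10:01:03 203.0.113.5 GET /admin/ - 401
2001-03-01 10:01:04 203.0.113.5 GET /admin/ - 401
2001-03-01 10:01:05 203.0.113.5 GET /admin/ - 200
2001-03-01 10:02:00 192.0.2.10 GET /admin/ - 401
"""

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode(raw: bytes) -> bytes:
    """One pass of %XX decoding on bytes, so nothing is treated as text
    before its encoding has been checked."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def inspect_uri(uri: str) -> set:
    """Canonicalize one request path and return the set of findings."""
    findings = set()
    decoded = percent_decode(uri.encode("utf-8"))
    if PCT.search(decoded):              # %25xx hid a second layer of escapes
        findings.add("double-encoding")
        decoded = percent_decode(decoded)
    try:
        # A strict decoder rejects overlong and otherwise invalid UTF-8, which
        # is exactly the "bad characters" a lenient server would let through.
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        findings.add("invalid-utf8")
        text = decoded.decode("utf-8", "replace")
    # Only check for traversal after decoding; IIS treats '\' like '/'.
    if ".." in text.replace("\\", "/").split("/"):
        findings.add("traversal")
    return findings


def parse_log(text: str):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def audit(text: str, auth_threshold: int = 5):
    """Return (suspicious, guessing, succeeded).

    suspicious: list of (c-ip, cs-uri-stem, sorted findings) for odd paths
    guessing:   {c-ip: 401 count} for sources at or above auth_threshold
    succeeded:  set of c-ips that got a 200 after at least auth_threshold 401s,
                i.e. a guessing run that appears to have worked
    """
    suspicious, failures, succeeded = [], Counter(), set()
    for rec in parse_log(text):
        found = inspect_uri(rec["cs-uri-stem"])
        if found:
            suspicious.append((rec["c-ip"], rec["cs-uri-stem"], sorted(found)))
        ip, status = rec["c-ip"], rec["sc-status"]
        if status == "401":
            failures[ip] += 1
        elif status == "200" and failures[ip] >= auth_threshold:
            succeeded.add(ip)
    guessing = {ip: n for ip, n in failures.items() if n >= auth_threshold}
    return suspicious, guessing, succeeded


if __name__ == "__main__":
    for item in audit(SAMPLE_LOG):
        print(item)
```

The first flagged line shows why the strict decoder matters: once the invalid bytes are replaced, no path segment is exactly `..`, so a naive traversal check passes it, but the decoder failure still reports the request. Tools that send such requests, like those named above, are the quickest way to check that your own logging and review catch them.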
Some really bad characters
Our research, in combination with NetCat's documentation, suggested that we could break in by using the UniCode...