× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2005

RE: Recent bugtraq postings

Yes, I noticed the same thing with the recent posting here about the
LDAP "security problem."  (See:
http://archive.midrange.com/midrange-l/200504/msg00919.html )  

One of our security people had actually forwarded that one to me earlier
in the week saying that he had noticed it because he "had never seen an
iSeries vulnerability reported before."  After looking into it I told
him that not only would a hacker require the knowledge, they would also
require a valid signon to our system to perform this so-called hack.  

Looks like a FUD campaign to me, similar to recent reliability claims
(about certain lesser servers) I've seen circulating.

Regards,
 
Scott Ingvaldson
iSeries System Administrator
GuideOne Insurance Group

-----Original Message-----
date: Thu, 21 Apr 2005 19:14:57 -0500
from: Patrick Botz <pcbotz@xxxxxxxxx>
subject: Recent bugtraq postings

The following are my personal opinions and in no way reflect the
official 
position of my employer or anyone else...

There is a recent posting on bugtraq that is very misleading. It is the 
latest in a series of recent postings that are also very miss leading
and 
often inaccurate.

The most recent bugtraq post includes:
> The IBM iSeries (AS/400) server provides a unified access scheme,
called
> IFS, to all of the files and to all of the database tables in all of
the
> database libraries.

It fails to mention that, like any file system, it only provides access
to 
those authenticated users that are also authorized to those databases
and 
libraries.

> iSeries servers without FTP security protection are vulnerable by
> default.
I'm not aware of anything called "FTP security." The way to protect any
data 
on this system -- or any other system -- is through use of the native
access 
control mechanism.

There is, in this bugtraq posting -- like some previous postings -- a
kernel 
of accuracy. However, the sky is not falling. If you manage the
authority on 
your iSeries objects so that only those who are supposed to access them
are 
authorized, then this "canonicalization" attack is a moot point. 

In my opinion, the person making the recent appends to the bugtraq list 
appears to some motive other than providing useful information about 
security. I base this opinion on the following:

   - To my knowledge, s/he has never submitted an APAR regarding any of 
   the posting made to bugtraq either before or after making the
posting. 
   - To my knowledge, s/he has never contacted anyone working for the 
   vendor that could help verify the claim, fix any problem if one
existed, or 
   that could help verify his claims, or educate him on the difference
between 
   say, a buffer overflow type of attack utilizing "root takeover" and
the 
   system providing information to an authenticated AND authorized user
that 
   happens to access the system via something other than a green screen.

   - To my knowledge, s/he has never attempted to verify any alleged 
   exposure with any independent expert with knowledge of the particular
system 
   for which s/he is claiming an exposure. 
   - Provided example scripts highlighting an exposure with a posting 
   which didn't work at all without modification 
   - Attributed an architected and documented behavior of the system 
   (users in a group are allowed to see other members of the same group)
which 
   behaves the same way through all interfaces as an "exposure" of the
LDAP 
   server. 
   - Claims that a "feature" of a client OS that allows any rogue remote

   system -- of any type -- running a telnet server to use the telnet 
   connection to the client to perform operations on the client is
somehow an 
   exposure inherent to the the OS on which the telnet server is
running. 
   - Includes a link in all postings to bugtraq to a website where a
book 
   that can help protect against these "exposures" can be conveniently 
   purchased. 
   - Periodically has annoying pop up ads for other products that must
be 
   blocked or clicked to be avoided.
    
So while some of the postings have bits and pieces that may be accurate,

they all contain glaring inaccuracies which tend to sensationalize and 
magnify the ramifications of any of the parts that are accurate.

I suspect most security experts would also agree that publicly
announcing 
exposures without ever informing the vendor (before or after making the 
public announcement) is generally assumed to be grandstanding...


------------------------------

-- 
This is the Midrange Systems Technical Discussion (MIDRANGE-L) digest
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



End of MIDRANGE-L Digest, Vol 4, Issue 748
******************************************

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.