That hole can be crawled through by existing employees who watch for
new people.  Once the new ID is created, call the help desk and say
you're the new guy.  Get the temp pwd and use it to access the system.
Sign on and change the password.  No biggie.  Have fun with whatever
privs the new ID was granted.  When the new guy actually calls for their
password, which will likely be hours or days after the ID was created,
the profile will get changed, but there is a window of opportunity that
can be exploited fairly easily.  Unless the help desk actually checked
for recent signon activity before changing the pwd, the fact that the
profile was used may never come to light.

That risk can be mitigated, BTW.  When called for a password reset, our
help desk will not give the new password to a human over the phone.
Instead, the user is asked to not answer the phone and the help desk
calls them back at the number listed in the corporate address book.  The
help desk leaves the temp password in the user's voicemail, which is
password/PIN protected.  (Of course this assumes the voicemail PIN is a
non-default value.)

John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787 F: +1-312-601-1782
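The controls discussed in this thread (the *NONE default and the morning check for default passwords that Dave describes below, and the pre-reset signon check suggested above) expressed as IBM i SQL. This is an added example, not code from any poster; it assumes IBM i 7.2 or later for the QSYS2.USER_INFO and QSYS2.QCMDEXC services (which did not exist on the 2006 releases discussed), and NEWGUY is a constructed profile name.

```sql
-- Added example (not from the thread). Assumes IBM i 7.2+ so that
-- QSYS2.QCMDEXC and QSYS2.USER_INFO are available.

-- 1. Make CRTUSRPRF default to PASSWORD(*NONE) instead of PASSWORD(*USRPRF),
--    so a new profile cannot be signed on to until the help desk sets a
--    one-time password. Note: a changed command default is lost when the
--    command object is replaced (PTF or release upgrade), so re-apply it
--    or keep it in a scheduled job.
CALL QSYS2.QCMDEXC('CHGCMDDFT CMD(CRTUSRPRF) NEWDFT(''PASSWORD(*NONE)'')');

-- 2. Morning check: ANZDFTPWD is the IBM command whose completion message
--    (CPC2232) is quoted further down the thread. ACTION(*NONE) only
--    reports; ACTION(*DISABLE) or ACTION(*PWDEXP) would act on the profiles.
CALL QSYS2.QCMDEXC('ANZDFTPWD ACTION(*NONE)');

-- 3. The "window of opportunity": enabled profiles that have a password,
--    were given it more than a day ago, and have never been signed on to.
--    special_authorities shows what an impostor claiming the ID would get.
SELECT authorization_name, status, password_change_date,
       special_authorities, text_description
  FROM qsys2.user_info
 WHERE status = '*ENABLED'
   AND no_password_indicator = 'NO'        -- profile has a usable password
   AND previous_signon IS NULL             -- never used
   AND password_change_date < CURRENT TIMESTAMP - 1 DAY
 ORDER BY password_change_date;

-- 4. Help-desk check before resetting a caller's password. If the caller
--    says they have never signed on but previous_signon is already set,
--    someone else used the ID: escalate instead of handing out a new
--    password. NEWGUY is a constructed sample profile name.
SELECT authorization_name, status, previous_signon,
       sign_on_attempts_not_valid, password_change_date
  FROM qsys2.user_info
 WHERE authorization_name = 'NEWGUY';
```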

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Turnidge, Dave
Sent: Thursday, November 09, 2006 10:33 AM
To: Midrange Systems Technical Discussion
Subject: RE: iSeries Security in Computerworld

Use CHGCMDDFT and change the password default to *NONE. 

It took a while, but I finally got management to make the standard that
a profile is always created with *NONE as the password. When the user is
ready to sign on for the first time, they are to call the helpdesk, at
which time, a one-time password is given, with the requirement that it
be changed when they sign on. 

Before that, since everyone knew that a new profile had the profile name
as password, it was a HUGE security hole. Don't know if anyone crawled
through it or not, but they can't now.

OTOH, there have been a few times when there ended up being a default
password, but I have a set of programs from SkyView Partners that run
every morning, and that's one of the things I am informed of.  It's
changed as soon as I see it in the morning.


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Thursday, November 09, 2006 10:24 AM
To: Midrange Systems Technical Discussion
Subject: RE: iSeries Security in Computerworld

Same as everyone else out there, look at the default for password on
CRTUSRPRF.  We get some who say "we gotta have a signon for ...".  Then
they never actually sign on and change their password.

Rob Berendt
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755

-----Original Message-----
From: "Joe Pluta" <joepluta@xxxxxxxxxxxxxxxxx>
Sent: 11/09/2006 10:05 AM
Reply-To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Subject: RE: iSeries Security in Computerworld

Rob, I don't count your shop as "typical" :).  For example, how in the 
did you manage to create 111 enabled default password accounts?  Seems 
you have a SERIOUS issue. 


From: rob@xxxxxxxxx


Do we count as a client?  I seem to recall writing a check...
CPC2232 - 119 user profiles have default passwords of which 111 have
status of *ENABLED.
Total number of user profiles =796.  Seems to be greater than 1 out of
