MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » April 2014

Re: Encryption methods on the i




On 4/10/2014 12:25 PM, Amy Hoerle wrote:
It appears the latest version available is 0.9.8m per the PTF listing
located at http://www-01.ibm.com/support/docview.wss?uid=nas8N1012172 so
we should all be fine.

Not sure what you have or need to show a manager?

1. call qp2term
2. cd /QOpenSys/QIBM/UserData/SC1/OpenSSL
3. ls

On my system I see:
openssl-0.9.7d openssl-0.9.8j

Are we having fun yet???

This presumes that there isn't any open source project on your IBM i
that uses a vulnerable version. A version which lives in a different
directory.

The best part is where we're asked to certify that we haven't leaked PII
via a vulnerable trading partner. We use SSL to 'securely' transmit
say, name, address and phone number. These go into the trading
partner's server memory where someone has been freely snooping for the
past 2 years. The snooper gets our customer information despite the
fact that our servers are OK.

It gets worse. We may have encrypted that PII (on top of using SSL)
with PGP before sending it, and the trading partner then decrypted it
for their use. The plaintext PII? Once the trading partner decrypts
it, that PII is in a server memory buffer. In plaintext form.

In short, I can't certify that my PII wasn't leaked by a trading
partner. The good news, such as it is, is that the trading partners are
on the hook for (inadvertently) breaking their confidentiality
agreements with us. The bad news is that there is no way of knowing
which customers might be affected. By that I mean that there is no log
the trading partner can use to tell what bits of memory were sniffed and
there is certainly no log that would reveal what bits of what were in
that memory at the moment it was sniffed. Depending on which US state
you have customers in, the reporting laws can be anything from
nonexistent to back-breakingly onerous.

The legal people haven't approached me yet and I will have no good news
for them, despite being 'lucky' enough to not have my IBM i as a server
on the internet. My best guess is that they will opt not to report a
leak because as far as any of us can determine, our systems didn't leak.

I can tell you this: I will be keeping a much more comprehensive paper
trail of my IBM i upgrades, including one-off PTF installs. Heartbleed
is a bug affecting only recent versions of OpenSSL, but it could have
affected only versions from January 23, 2012 through March 26, 2013. I
would have no idea if we had that version installed during that specific
time frame.

It's a bad week to be a sysadmin.
--buck
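The check quoted above is a directory listing under /QOpenSys/QIBM/UserData/SC1/OpenSSL, and buck's caveat is that another open source package may carry its own OpenSSL copy elsewhere. The script below is an added example, not from the original post or from IBM: it scans any number of roots for openssl-<version> directories and classifies each name against the Heartbleed-affected range (1.0.1 through 1.0.1f, per the OpenSSL advisory; 0.9.8 and 1.0.0 builds never had the bug). The extra search root and the sample directory tree in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify OpenSSL build directories found on an IBM i (PASE)
# as Heartbleed-affected or not, based on the openssl-<version> naming seen
# in the post. Only directory names are inspected, so a vendor build that
# backported the fix without renaming would still be reported by its name.

heartbleed_status() {
    # $1 is a version string such as 0.9.8j, 1.0.1e or 1.0.1g.
    # Prints AFFECTED, NOT_AFFECTED or UNKNOWN (anything outside the known ranges).
    case "$1" in
        1.0.1)          echo AFFECTED ;;       # first 1.0.1 release had the bug
        1.0.1[a-f])     echo AFFECTED ;;       # 1.0.1a .. 1.0.1f
        1.0.1[g-z]*)    echo NOT_AFFECTED ;;   # 1.0.1g is the fixed release
        0.9.*|1.0.0*)   echo NOT_AFFECTED ;;   # heartbeat code did not exist yet
        *)              echo UNKNOWN ;;
    esac
}

scan_openssl_dirs() {
    # Each argument is a root to scan: the SC1 path from the post plus any
    # directory where another open source package might keep its own copy.
    # Output: one line per hit, "<status> <version> <path>".
    for root in "$@"; do
        [ -d "$root" ] || continue
        for d in "$root"/openssl-*; do
            [ -e "$d" ] || continue
            v=${d##*/openssl-}
            printf '%s %s %s\n' "$(heartbleed_status "$v")" "$v" "$d"
        done
    done
}

demo() {
    # Constructed sample tree: the two versions from the post under the SC1
    # path, plus a hypothetical affected copy shipped by some other package.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/SC1/OpenSSL/openssl-0.9.7d" \
             "$tmp/SC1/OpenSSL/openssl-0.9.8j" \
             "$tmp/other-pkg/lib/openssl-1.0.1e"
    scan_openssl_dirs "$tmp/SC1/OpenSSL" "$tmp/other-pkg/lib"
    rm -rf "$tmp"
}
```

On a real system, call scan_openssl_dirs from qp2term with /QOpenSys/QIBM/UserData/SC1/OpenSSL and every other root where third-party software is installed, and treat UNKNOWN lines as items to verify by hand.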






This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact