I read a post that said this was off-topic, but IMHO this is of particular interest to AS/400 Java programmers. Until Java and the internet, most AS/400s existed in their own secured private networks. Although Java and the internet are not tied to each other, I would guess that many AS/400 shops that are exploring Java are also thinking about how to leverage their current AS/400 business processes for e-business. In any case, even if I'm wrong about other shops, as a Java programmer on the AS/400 this topic is very relevant to me. Please correct me if you still think this should be posted in a different area.

So, Victor. Here are my suggestions for trying to find loopholes in AS/400 security:

1) If you are not already familiar with the typical ways of breaking into Unix/NT boxes, you should do some research, as this will give you ideas on what you could try on the AS/400.

2) The AS/400 is known for being very secure, but that doesn't mean that you can't break into one. I.e. there may be no loopholes in the AS/400 security model as created by IBM _IF_ you follow IBM's security suggestions. My question would be, how many shops stray from IBM's suggestions and are therefore vulnerable?

3) Familiarize yourself with the AS/400 security model. IBM has manuals on security that describe the model and various levels of security in detail. IBM's suggestions on what SHOULD be done should give you an idea of what many shops may have overlooked. One area in particular to explore would be users that have authority to objects that they shouldn't have authority to. Can a typical business user get access to a command line and delete a critical business file?

4) Try some of the typical attacks such as guessing user passwords. There are some default user profiles that ship with the AS/400 such as QSYSOPR, QPGMR, and QSECOFR. You could try obvious passwords for these profiles, as many shops do not choose wisely for these passwords.

5) Try some standard TCP/IP or Java attacks.

6) You may want to hire an AS/400 security expert to do an audit, as some AS/400 attacks require quite a sophisticated knowledge of the AS/400. For example, I know that if a system has a certain very popular ERP package installed, I can use security bugs in that package to create a program with QSECOFR access.

Please let us know what your findings are.

- Todd Chaffee
Lead Consultant
Arkay Computer Consultants, Inc.
voice . . (201) 847-9798
fax . . . (201) 847-9701
email . . tchaffee@mars.superlink.net

At 02:45 PM 01/10/2000 -0500, you wrote:
>Victor Rodrigues wrote:
>
>> Hello All,
>> I've been asked to find loopholes in the OS/400 security. Well, basically
>> hacking the system.
>> Be it accessing resources I don't have authority to, or finding some other
>> profile's password, or anything else for that matter. I was told by Microsoft
>> guys in our org. that they could do this on NT and Unix. Want me to
>> explore the AS/400. IS THIS POSSIBLE? I've always heard that this isn't.
>> Has this ever been done before? Anyone worked on this before?
>> Request some info. on this.
>> Regards,
>> victor
>> +---
>> | This is the JAVA/400 Mailing List!
>> | To submit a new message, send your mail to JAVA400-L@midrange.com.
>> | To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
>> | To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
>> | Questions should be directed to the list owner: joe@zappie.net
>> +---
>
>I don't think this is possible. Security is a little better on the AS/400 than
>a simple NT machine.
>
>Mike Everidge
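Points 3 and 4 above (users holding authority they shouldn't, and IBM-supplied profiles left on obvious passwords) are the kind of thing a shop can check on its own side before anyone else does. The following Python script is an added example written for this archive page; it is not code from Todd's message, from IBM, or from the list. It audits a one-line-per-profile export for three conditions: a shipped profile (the three the message names: QSECOFR, QSYSOPR, QPGMR) still on its default password, a profile with *ALLOBJ that is not a security officer, and an ordinary *USER-class profile whose LMTCPB value still allows a command line. The export format and the sample records are constructed for the example; the user classes, special authorities and LMTCPB values are real CRTUSRPRF parameter values, and the "default password" flag is the condition the real ANZDFTPWD command reports, but how you produce the export (for instance from DSPUSRPRF with OUTPUT(*OUTFILE)) is left to the reader.

```python
"""Audit AS/400 user-profile records for weaknesses a shop should catch itself.

Added example for this archive page, not code from the post or from IBM.
The semicolon-separated export below is a CONSTRUCTED format; the field
values (USRCLS, SPCAUT, LMTCPB, STATUS) are real CRTUSRPRF parameter values,
and DFTPWD=Y marks the condition ANZDFTPWD reports (password == profile name).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Profiles the post names as shipping with the AS/400. Extend as needed.
DEFAULT_PROFILES = frozenset({"QSECOFR", "QSYSOPR", "QPGMR"})


@dataclass(frozen=True)
class UserProfile:
    name: str
    user_class: str               # USRCLS: *SECOFR, *SECADM, *PGMR, *SYSOPR, *USER
    special_auth: FrozenSet[str]  # SPCAUT values, e.g. *ALLOBJ, *SECADM, *JOBCTL
    limit_capabilities: str       # LMTCPB: *YES, *PARTIAL, *NO
    default_password: bool        # True when the password equals the profile name
    status: str                   # STATUS: *ENABLED or *DISABLED


def parse_export(text: str) -> List[UserProfile]:
    """Parse the constructed export: NAME;USRCLS;SPCAUT...;LMTCPB;DFTPWD;STATUS."""
    profiles = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment header
        name, usrcls, spcaut, lmtcpb, dftpwd, status = [f.strip() for f in line.split(";")]
        spc = frozenset(spcaut.split()) if spcaut != "*NONE" else frozenset()
        profiles.append(UserProfile(name.upper(), usrcls, spc, lmtcpb, dftpwd == "Y", status))
    return profiles


def audit(profiles: List[UserProfile]) -> List[Tuple[str, str]]:
    """Return (profile, finding) pairs. Disabled profiles cannot sign on and are skipped."""
    findings = []
    for p in profiles:
        if p.status != "*ENABLED":
            continue
        # Point 4: a shipped profile still on its default password.
        if p.name in DEFAULT_PROFILES and p.default_password:
            findings.append((p.name, "DEFAULT_PASSWORD"))
        # Point 3: all-object authority held outside the security-officer class.
        if "*ALLOBJ" in p.special_auth and p.user_class != "*SECOFR":
            findings.append((p.name, "ALLOBJ_OUTSIDE_SECOFR"))
        # Point 3: a typical business user who can still reach a command line.
        if p.user_class == "*USER" and p.limit_capabilities == "*NO":
            findings.append((p.name, "USER_HAS_COMMAND_LINE"))
    return findings


# Constructed sample export (hypothetical shop; names other than the Q* ones are made up).
SAMPLE_EXPORT = """\
# NAME;USRCLS;SPCAUT;LMTCPB;DFTPWD;STATUS
QSECOFR;*SECOFR;*ALLOBJ *SECADM *JOBCTL *SAVSYS *SERVICE *SPLCTL *AUDIT *IOSYSCFG;*NO;N;*ENABLED
QSYSOPR;*SYSOPR;*JOBCTL *SAVSYS;*NO;Y;*ENABLED
QPGMR;*PGMR;*JOBCTL *SAVSYS;*NO;Y;*DISABLED
PAYROLL1;*USER;*NONE;*YES;N;*ENABLED
ARCLERK;*USER;*NONE;*NO;N;*ENABLED
BATCHSVC;*PGMR;*ALLOBJ *JOBCTL;*PARTIAL;N;*ENABLED
"""

if __name__ == "__main__":
    for name, finding in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{name:10} {finding}")
```

On the sample data the script reports QSYSOPR for its default password, ARCLERK for having a command line as an ordinary user, and BATCHSVC for holding *ALLOBJ as a *PGMR; QPGMR is on its default password too but is disabled, so it is skipped, which is itself worth a second look since re-enabling it would silently reintroduce the finding.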
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].