I read a post that said this was off-topic, but IMHO this is of particular
interest to AS/400 java programmers.  Until java and the internet, most
AS/400s existed in their own secured private networks.  Although java and
the internet are not tied to each other, I would guess that many AS/400
shops that are exploring java are also thinking about how to leverage their
current AS/400 business processes for e-business.

In any case, even if I'm wrong about other shops, as a java programmer on
the AS/400 this topic is very relevant to me.  Please correct me if you
still think this should be posted in a different area.

So, Victor.  Here are my suggestions for trying to find loopholes in AS/400 security:

1) If you are not already familiar with the typical ways of breaking into
unix/NT boxes you should do some research as this will give you ideas on
what you could try on the AS/400.

2) The AS/400 is known for being very secure but that doesn't mean that you
can't break into one.  I.e. there may be no loopholes in the AS/400
security model as created by IBM.   _IF_ you follow IBM's security
suggestions.  My question would be, how many shops stray from IBM's
suggestions and are therefore vulnerable?

3) Familiarize yourself with the AS/400 security model.  IBM has manuals on
security that describe the model and various levels of security in detail.
IBM's suggestions on what SHOULD be done should give you an idea of what
many shops may have overlooked.  One area in particular to explore would be
users that have authority to objects that they shouldn't have authority to.
 Can a typical business user get access to a command line and delete a
critical business file?

4) Try some of the typical attacks such as guessing user passwords.  There
are some default user profiles that ship with the AS/400 such as QSYSOPR,
QPGMR, and QSECOFR.  You could try obvious passwords for these profiles as
many shops do not choose wisely for these passwords.

5) Try some standard TCP/IP or java attacks.

6) You may want to hire an AS/400 security expert to do an audit as some
AS/400 attacks require quite a sophisticated knowledge of the AS/400.  For
example, I know that if a system has a certain very popular ERP package
installed I can use security bugs in that package to create a program with
QSECOFR access.

Please let us know what your findings are.

- Todd Chaffee

Lead Consultant
Arkay Computer Consultants, Inc.
voice . . (201) 847-9798
fax . . . (201) 847-9701
email . . tchaffee@mars.superlink.net
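
Items 3 and 4 above, turned into a defensive audit (an added example, not part of the original post): it flags enabled profiles still on a default password and business users with a command line who can change or delete a critical file. The field names, sample rows and the simplified authority lookup are assumptions.

```python
# Added example. Field names and sample rows are constructed, not a real OS/400 report layout.
SHIPPED = {"QSYSOPR", "QPGMR", "QSECOFR"}   # IBM-supplied profiles named in the post
DESTRUCTIVE = {"*ALL", "*CHANGE"}           # authorities that permit changing or deleting data

PROFILES = [  # constructed inventory
    {"name": "QSECOFR", "enabled": True, "default_password": False, "command_line": True},
    {"name": "QSYSOPR", "enabled": True, "default_password": True, "command_line": True},
    {"name": "QPGMR", "enabled": False, "default_password": True, "command_line": True},
    {"name": "APCLERK", "enabled": True, "default_password": False, "command_line": True},
    {"name": "SHIPCLERK", "enabled": True, "default_password": False, "command_line": True},
    {"name": "ARCLERK", "enabled": True, "default_password": True, "command_line": False},
]
AUTHORITIES = [  # constructed authority entries for three files
    {"object": "PRODLIB/ORDERS", "critical": True, "user": "*PUBLIC", "authority": "*CHANGE"},
    {"object": "PRODLIB/ORDERS", "critical": True, "user": "SHIPCLERK", "authority": "*USE"},
    {"object": "PRODLIB/GLMAST", "critical": True, "user": "*PUBLIC", "authority": "*EXCLUDE"},
    {"object": "PRODLIB/GLMAST", "critical": True, "user": "APCLERK", "authority": "*ALL"},
    {"object": "TESTLIB/SCRATCH", "critical": False, "user": "*PUBLIC", "authority": "*ALL"},
]


def default_password_findings(profiles):
    """Enabled profiles still on a default password, IBM-supplied ones listed first."""
    hits = [p["name"] for p in profiles if p["enabled"] and p["default_password"]]
    return sorted(hits, key=lambda name: (name not in SHIPPED, name))


def destructive_access_findings(profiles, authorities):
    """(user, object) pairs where a business user with a command line can alter a critical file."""
    users = sorted(p["name"] for p in profiles
                   if p["enabled"] and p["command_line"] and p["name"] not in SHIPPED)
    findings = []
    for obj in sorted({a["object"] for a in authorities if a["critical"]}):
        grants = {a["user"]: a["authority"] for a in authorities if a["object"] == obj}
        for user in users:
            # A private authority takes precedence over *PUBLIC for that user.
            # Simplification: special authorities, groups and authorization lists are ignored.
            effective = grants.get(user, grants.get("*PUBLIC", "*EXCLUDE"))
            if effective in DESTRUCTIVE:
                findings.append((user, obj))
    return findings


if __name__ == "__main__":
    print("default passwords:", default_password_findings(PROFILES))
    for user, obj in destructive_access_findings(PROFILES, AUTHORITIES):
        print(f"{user} can change or delete {obj}")
```

SHIPCLERK is not reported for PRODLIB/ORDERS because its private *USE entry overrides the *PUBLIC *CHANGE grant, which is the kind of per-object fix the audit is meant to drive.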


At 02:45 PM 01/10/2000 -0500, you wrote:
>Victor Rodrigues wrote:
>
>> Hello All,
>> I've been asked to find loopholes in the OS/400 security. Well basically
>> hacking the system.
>> Be it accessing resources I don't have authority to or finding some other
>> profile's password or anything else for that matter. I was told by Microsoft
>> guys in our org. that they could do this in an NT and unix. Want me to
>> explore the AS/400. IS THIS POSSIBLE. I've always heard that this isn't.
>> Has this ever been done before. Anyone worked on this before.
>> Request some info. on this.
>> Regards,
>> victor
>> +---
>> | This is the JAVA/400 Mailing List!
>> | To submit a new message, send your mail to JAVA400-L@midrange.com.
>> | To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
>> | To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
>> | Questions should be directed to the list owner: joe@zappie.net
>> +---
>
>I don't think this is possible.  Security is a little better on the AS/400
>than a simple NT machine.
>
>Mike Everidge
>

This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.
