Re: URGENT !! PTFs to fix another integrity problem -- JAVA400-L

Hi all and Chuck

I am getting the feeling we are exagerating in this cover up in the past 
when security holes and other OS holes we were alwaise ready to inform 
others of the how to and the fix to it as well
My question is why are you so protestive toword IBM they shold be critisized 
the same way as others after all this just proves AS400 is vulnerable to 
smart minds.

I personally found out how to do it and I have shared it with my collegus 
and other AS400 profesionals for the purpose of awareness not hacking who 
has the time for that.

Regards Joel


>From: Chuck Lewis <clewis@iquest.net>
>Reply-To: JAVA400-L@midrange.com
>To: JAVA400-L@midrange.com
>Subject: Re: URGENT !! PTFs to fix another integrity problem
>Date: Fri, 28 Jul 2000 07:28:50 +0100
>
>Right you are Eric !
>
>The first problem was discovered last month and dealt with fairly quickly 
>(even
>though it had been around since the S/38 days from what I hear - someone
>correct me if I am wrong !!! So warn any S/38 shops you know of  <BG>)
>
>Chuck
>
>Eric Merritt wrote:
>
> > Here is the deal guys. Be aware there are two sets of
> > ptfs. This is strait from the AS400 Network ->
> >
> > New PTFs Plug Password Security Hole
> > By Gary Guthrie
> > Tech Editor
> > JUNE 14, 2000 � A serious AS/400 security exposure was
> > recently brought to IBM�s attention. Though IBM
> > encrypts passwords before storing them permanently,
> > your users� passwords may have been compromised by the
> > fact that unencrypted passwords are also stored in
> > another location temporarily. If a hacker discovers
> > where and when the unencrypted passwords are stored,
> > he can use a simple technique to capture the
> > passwords, giving him access to your network
> > resources.
> >
> > IBM responded to this revelation in an expedient
> > manner and has issued the following PTFs:
> >
> > V3R2 � SF62947
> > V4R1 � SF62944
> > V4R1M4 � SF62945
> > V4R2 � SF62946
> > V4R3 � SF62894
> > V4R4 � SF62895
> > V4R5 � SF62896
> > Because of the other PTFs in the supercede chain, the
> > PTFs for V3R2 and V4R2 are delayed PTFs. You must IPL
> > to apply the PTFs for these releases.
> >
> > You should load and apply the appropriate PTF
> > immediately. You can download these PTFs on the
> > Internet using IBM�s iPTF facility at
> > http://as400service.ibm.com. Click the "Fixes,
> > Downloads and Updates" link and follow the links for
> > the AS/400 Internet PTF facility (iPTF).
> >
> > After loading and applying the PTF, you must end and
> > restart all subsystems to fully activate the fix.
> > Because passwords may have been compromised prior to
> > the PTF being applied to your system, it is strongly
> > recommended that after you activate the fix, you
> > require all users to change their passwords.
> >
> > -------------------------------------------------------
> > Tech Talk: More PTFs for More Password Security Holes
> > By Gary Guthrie
> > Tech Editor
> > JULY 26, 2000 � You may recall that last month we
> > reported a serious security exposure in which your
> > passwords may have been compromised, along with a list
> > of PTFs to address the issue. Well, the AS/400
> > security fires continue to heat up with another round
> > of PTFs to address yet another serious security
> > exposure. As with last month�s problem, your passwords
> > may have been compromised by the fact that another
> > location has been found that contains easily obtained
> > unencrypted passwords. Again, IBM responded quickly to
> > this issue and released the following PTFs:
> >
> > V3R2 � SF63352
> > V4R1 � SF63350
> > V4R1M4 � SF63351
> > V4R2 � SF63357
> > V4R3 � SF63347
> > V4R4 � SF63349
> > But be aware; this security hole isn�t the same as the
> > one discussed last month. Even if you�ve applied the
> > PTFs from last month�s fix, the exposure still exists.
> >
> > My advice this month is that same as last month. You
> > should load and apply the appropriate PTF immediately.
> > You can download these PTFs on the Internet using
> > IBM�s iPTF facility at http://as400service.ibm.com.
> > Click the "Fixes, Downloads and Updates" link and
> > follow the links for the AS/400 Internet PTF facility
> > (iPTF).
> >
> > Because passwords may have been compromised prior to
> > the PTF being applied to your system, it is strongly
> > recommended that after you activate the fix, you
> > require all users to change their passwords.
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Kick off your party with Yahoo! Invites.
> > http://invites.yahoo.com/
> > +---
> > | This is the JAVA/400 Mailing List!
> > | To submit a new message, send your mail to JAVA400-L@midrange.com.
> > | To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
> > | To unsubscribe from this list send email to 
>JAVA400-L-UNSUB@midrange.com.
> > | Questions should be directed to the list owner: joe@zappie.net
> > +---
>
>+---
>| This is the JAVA/400 Mailing List!
>| To submit a new message, send your mail to JAVA400-L@midrange.com.
>| To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
>| To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
>| Questions should be directed to the list owner: joe@zappie.net
>+---

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

+---
| This is the JAVA/400 Mailing List!
| To submit a new message, send your mail to JAVA400-L@midrange.com.
| To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
| To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: joe@zappie.net
+---