Re: URGENT !! PTFs to fix another integrity problem -- JAVA400-L

Yep,

Was JUST reading that at lunch Dan !

Chuck

"Eyers, Daniel" wrote:

> Interesting article from Compuworld that has some merit, given the recent
> discussion...
>
> Debate erupts over disclosure of software security holes
>
> A keynote speaker at the Black Hat Briefings conference argued that the full
> disclosure of software holes is only encouraging more security attacks - a
> claim
> that other attendees, including well-known security expert Mudge, disputed.
>
> http://www.computerworld.com/cwi/story/0%2C1199%2CNAV47_STO47589%2C00.html?p
> m
>
> dan
>
> -----Original Message-----
> From: Eric Merritt [mailto:cyberlync@yahoo.com]
> Sent: Thursday, July 27, 2000 4:23 PM
> To: JAVA400-L@midrange.com
> Subject: Re: URGENT !! PTFs to fix another integrity problem
>
> Here is the deal guys. Be aware there are two sets of
> ptfs. This is strait from the AS400 Network ->
>
> New PTFs Plug Password Security Hole
> By Gary Guthrie
> Tech Editor
> JUNE 14, 2000 - A serious AS/400 security exposure was
> recently brought to IBM's attention. Though IBM
> encrypts passwords before storing them permanently,
> your users' passwords may have been compromised by the
> fact that unencrypted passwords are also stored in
> another location temporarily. If a hacker discovers
> where and when the unencrypted passwords are stored,
> he can use a simple technique to capture the
> passwords, giving him access to your network
> resources.
>
> IBM responded to this revelation in an expedient
> manner and has issued the following PTFs:
>
> V3R2 - SF62947
> V4R1 - SF62944
> V4R1M4 - SF62945
> V4R2 - SF62946
> V4R3 - SF62894
> V4R4 - SF62895
> V4R5 - SF62896
> Because of the other PTFs in the supercede chain, the
> PTFs for V3R2 and V4R2 are delayed PTFs. You must IPL
> to apply the PTFs for these releases.
>
> You should load and apply the appropriate PTF
> immediately. You can download these PTFs on the
> Internet using IBM's iPTF facility at
> http://as400service.ibm.com. Click the "Fixes,
> Downloads and Updates" link and follow the links for
> the AS/400 Internet PTF facility (iPTF).
>
> After loading and applying the PTF, you must end and
> restart all subsystems to fully activate the fix.
> Because passwords may have been compromised prior to
> the PTF being applied to your system, it is strongly
> recommended that after you activate the fix, you
> require all users to change their passwords.
>
> -------------------------------------------------------
> Tech Talk: More PTFs for More Password Security Holes
> By Gary Guthrie
> Tech Editor
> JULY 26, 2000 - You may recall that last month we
> reported a serious security exposure in which your
> passwords may have been compromised, along with a list
> of PTFs to address the issue. Well, the AS/400
> security fires continue to heat up with another round
> of PTFs to address yet another serious security
> exposure. As with last month's problem, your passwords
> may have been compromised by the fact that another
> location has been found that contains easily obtained
> unencrypted passwords. Again, IBM responded quickly to
> this issue and released the following PTFs:
>
> V3R2 - SF63352
> V4R1 - SF63350
> V4R1M4 - SF63351
> V4R2 - SF63357
> V4R3 - SF63347
> V4R4 - SF63349
> But be aware; this security hole isn't the same as the
> one discussed last month. Even if you've applied the
> PTFs from last month's fix, the exposure still exists.
>
> My advice this month is that same as last month. You
> should load and apply the appropriate PTF immediately.
> You can download these PTFs on the Internet using
> IBM's iPTF facility at http://as400service.ibm.com.
> Click the "Fixes, Downloads and Updates" link and
> follow the links for the AS/400 Internet PTF facility
> (iPTF).
>
> Because passwords may have been compromised prior to
> the PTF being applied to your system, it is strongly
> recommended that after you activate the fix, you
> require all users to change their passwords.
>
> __________________________________________________
> Do You Yahoo!?
> Kick off your party with Yahoo! Invites.
> http://invites.yahoo.com/
> +---
> | This is the JAVA/400 Mailing List!
> | To submit a new message, send your mail to JAVA400-L@midrange.com.
> | To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
> | To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner: joe@zappie.net
> +---
> +---
> | This is the JAVA/400 Mailing List!
> | To submit a new message, send your mail to JAVA400-L@midrange.com.
> | To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
> | To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner: joe@zappie.net
> +---

+---
| This is the JAVA/400 Mailing List!
| To submit a new message, send your mail to JAVA400-L@midrange.com.
| To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
| To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: joe@zappie.net
+---