Actually, Joe, it does prove something of AS/400 security. If you were running an NT box and IIS a hacker could get in using one of the many buffer overrun exploits out there now. And only on port 80. Some of the various http servers have directory traversal exploits using ../ and such. And there are a lot of other exploits out there for getting to a machine that is "only" serving web pages.

I do not believe, although am not positive, that the AS/400 is not plagued by buffer overrun exploits. It may be possible to overrun a buffer (as we've all done when we pass the wrong length parameter) but the AS/400 is usually smart enough not to execute this code. But... that is not to say that an application on the AS/400 could not have some exploit if the program was known well. Okay, maybe your server doesn't execute a buffer overrun, but it might still be possible to "trick" your AS/400 into crashing the HTTP CGI program if I knew your program well, what parameters it is being passed, and if I made the first parameter too long, perhaps it would take the overrun as the second parameter which might give me a different file, yadda, yadda, yadda.

The AS/400 is fairly secure, yet no machine is 100% secure. Unless it is not on the network. And doesn't have any type of input (such as a keyboard). I'm sure that with time, and knowledge of your AS/400, an exploit could be found. Security by obscurity is the main advantage on the AS/400.

Regards,

Jim Langston

Me transmitte sursum, Caledoni!

Joe Pluta wrote:
>
> Leif, while I agree my machine doesn't prove much about AS/400 security, it
> does prove a lot about Internet security. <grin>
>
> My machine is not "locked down too tight". It is a fully functional web
> server, and can also be used to run web-enabled applications. What more do
> you think "should" be open? Certainly not Telnet or FTP. It just so
> happens that I know full well that the only thing an anonymous user should
> be able to do over the web is access the HTTP server. Anything more and
> you're an accident waiting to happen.
>
> On the other hand, if I were to give you the appropriate passwords, etc.,
> you could also access my machine through 5250 - I just don't make that sort
> of information public. Which is the way it's supposed to be.
>
> On the third hand, if this were a Microsoft IIS server, you could break
> through one of the many known security holes and get into my server and thus
> my system, even with just port 80 access. In this regard, the IBM HTTP
> server is a much more secure web server than IIS.
>
> Joe
>
> > -----Original Message-----
> > From: owner-mi400@midrange.com [mailto:owner-mi400@midrange.com]On
> > Behalf Of Leif Svalgaard
> > Sent: Thursday, June 07, 2001 9:18 AM
> > To: MI400@midrange.com
> > Subject: Re: No single case of hacking...
> >
> >
> > Joe's machine is locked down too strongly for this.
> > No ping, no ftp, no telnet, only serving webpages.
> > It's like saying: "I'm secure, I allow no one on my machine,
> > no programmers, no signons, no restore, no nothing.
> > sure in this way you can be secure. Also as an additional
> > measure: turn off the machine.
> > So this is an extreme case and therefore does not
> > prove that the AS/400 is vastly ahead re security.

Regards,

Jim Langston

+---
| This is the MI Programmers Mailing List!
| To submit a new message, send your mail to MI400@midrange.com.
| To subscribe to this list send email to MI400-SUB@midrange.com.
| To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: dr2@cssas400.com
+---
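The two failure modes Jim describes for a CGI program, an over-long first parameter spilling into the field that follows it, and a "../" path that reaches outside the served directory, both come down to the program trusting the lengths and shapes of what the web server hands it. Below is an added illustration, not code from this thread or from any IBM HTTP server component, of a query-string parser that refuses over-long values instead of truncating or overflowing them and rejects traversal segments before a file name is used; the field widths, parameter names and return codes are invented for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical fixed-width parameter record (sizes invented for the example):
   the kind of layout where an over-long first value could spill into the next. */
#define USER_LEN 10
#define FILE_LEN 32
struct cgi_params { char user[USER_LEN + 1]; char file[FILE_LEN + 1]; };

/* True if the path is absolute or any '/'-separated segment is "..". */
bool has_traversal(const char *path) {
    if (path[0] == '/') return true;
    for (const char *p = path; ; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return true;
        if (!end) return false;
        p = end + 1;
    }
}

/* Copy a value into a fixed field; refuse rather than truncate or overflow. */
static bool copy_field(char *dst, size_t cap, const char *src, size_t n) {
    if (n > cap) return false;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

/* Parse "user=<name>&file=<relative path>" into *out.
   Returns 0 on success, -1 over-long value, -2 traversal, -3 malformed. */
int parse_query(const char *query, struct cgi_params *out) {
    memset(out, 0, sizeof *out);
    for (const char *p = query; *p; ) {
        const char *eq = strchr(p, '=');
        if (!eq) return -3;
        const char *amp = strchr(eq + 1, '&');
        size_t vlen = amp ? (size_t)(amp - eq - 1) : strlen(eq + 1);
        bool ok;
        if (eq - p == 4 && strncmp(p, "user", 4) == 0)
            ok = copy_field(out->user, USER_LEN, eq + 1, vlen);
        else if (eq - p == 4 && strncmp(p, "file", 4) == 0)
            ok = copy_field(out->file, FILE_LEN, eq + 1, vlen);
        else
            return -3;           /* unknown parameter name */
        if (!ok) return -1;      /* value longer than its field: reject */
        if (!amp) break;
        p = amp + 1;
    }
    return has_traversal(out->file) ? -2 : 0;
}

/* Convenience wrapper returning only the status code. */
int query_status(const char *query) { struct cgi_params q; return parse_query(query, &q); }
```

A rejected request should be logged with the offending parameter length or path so that repeated probes of the same CGI program show up in the server's logs.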
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].