I work at a bank which recently upgraded to a 620 running software from Jack Henry and Associates from an ES/9000 running VSE and bizarre custom software. Needless to say, I was ecstatic.

Despite repeated warnings, however, the ES/9000 guy has left several joe (userid=password) user profiles on the box. Many of them are USRCLS(*SECOFR) or possess special authorities that would make gaining all other authorities trivial. One user profile, for example, is used exclusively for ftp transfers. For some reason, it's *SECOFR. Worse, it is found in several ftp scripts.

The fact that the box does *bank* processing is especially worrisome to me. Mere deletion of the entire box would be bad enough, but in this case, an attacker might instead do some very difficult-to-detect embezzlement.

I am quitting my job there soon, for obvious reasons. If you'd like to, offer predictions about the future of a bank that will not pay attention to important security matters. I would find it amusing to prepare a stack of "fire him" emails from AS/400 professionals around the globe for my superiors.

Thanks.

-brian
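An audit for the three conditions the post describes (password equal to user ID, security-officer class or powerful special authorities, credentials embedded in ftp scripts), as an added example that is not part of the original post. It assumes a profile export whose column names follow the QSYS2.USER_INFO view and two assumed script layouts; every sample value below is constructed.

```python
import csv, io

# Constructed sample export; column names assumed to match QSYS2.USER_INFO.
PROFILES_CSV = """AUTHORIZATION_NAME,USER_CLASS_NAME,SPECIAL_AUTHORITIES,USER_DEFAULT_PASSWORD
FTPXFER,*SECOFR,*ALLOBJ *SECADM *JOBCTL *SPLCTL,YES
OPER1,*SYSOPR,*JOBCTL *SAVSYS,YES
TELLER7,*USER,,NO
"""
# Constructed sample ftp input scripts (script name -> contents).
SCRIPTS = {
    "NIGHTLY.FTP": "FTPXFER FTPXFER\nbinary\nput LEDGER.SAVF\nquit\n",
    "REPORTS.FTP": "open host.example\nuser teller7 s3cr3t\nget RPT01\nquit\n",
}
# Policy chosen for this example: what counts as "privileged".
PRIV_CLASSES = {"*SECOFR", "*SECADM"}
PRIV_AUTHS = {"*ALLOBJ", "*SECADM"}

def load_profiles(text):
    rows = csv.DictReader(io.StringIO(text))
    return {r["AUTHORIZATION_NAME"].upper(): r for r in rows}

def is_privileged(row):
    auths = set(row["SPECIAL_AUTHORITIES"].split())
    return row["USER_CLASS_NAME"] in PRIV_CLASSES or bool(auths & PRIV_AUTHS)

def script_users(text):
    """User IDs whose login is embedded in a script (two assumed layouts)."""
    users = set()
    for n, line in enumerate(text.splitlines()):
        tok = line.split()
        if len(tok) == 3 and tok[0].lower() == "user":    # "user <id> <password>"
            users.add(tok[1].upper())
        elif n == 0 and len(tok) == 2 and tok[0].lower() != "open":
            users.add(tok[0].upper())                     # first line "<id> <password>"
    return users

def audit(profiles_csv, scripts):
    """Return [(profile, [reasons])], most reasons first; passwords are never echoed."""
    findings = []
    for name, row in load_profiles(profiles_csv).items():
        used_in = sorted(s for s, body in scripts.items() if name in script_users(body))
        reasons = []
        if row["USER_DEFAULT_PASSWORD"] == "YES":
            reasons.append("password equals user ID")
        if is_privileged(row):
            reasons.append("privileged: " + row["USER_CLASS_NAME"])
        if used_in:
            reasons.append("credentials stored in " + ", ".join(used_in))
        if reasons:
            findings.append((name, reasons))
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))
```

A profile that collects all three reasons, like the constructed FTPXFER entry, is the first candidate for a password change and a reduction in user class.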