• Subject: AS/400 security ignored
  • From: brian <sysp@xxxxxxxxxxxxxxx>
  • Date: Mon, 8 Mar 1999 04:35:50 -0700 (MST)

I work at a bank which recently upgraded to a 620 running software from
Jack Henry and Associates from an ES/9000 running VSE and bizarre custom
software.  Needless to say, I was ecstatic.

Despite repeated warnings, however, the ES/9000 guy has left several joe
(userid=password) user profiles on the box.  Many of them are
USRCLS(*SECOFR) or possess special authorities that would make gaining all
other authorities trivial.  

One user profile, for example, is used exclusively for ftp transfers.  For
some reason, it's *SECOFR.  Worse, it is found in several ftp scripts.  

The fact that the box does *bank* processing is especially worrisome to
me.  Mere deletion of the entire box would be bad enough, but in this
case, an attacker might instead do some very difficult-to-detect
embezzlement.

I am quitting my job there soon, for obvious reasons.  If you'd like to,
offer predictions about the future of a bank that will not pay attention
to important security matters.  I would find it amusing to prepare a stack
of "fire him" emails from AS/400 professionals around the globe for my
superiors.

Thanks.

-brian
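One way to audit for exactly the two problems the post describes, added here as an example and not taken from the original post or from any Jack Henry product: the CL commands below report profiles whose password equals the profile name, list every profile that is USRCLS(*SECOFR) or carries *ALLOBJ special authority, and then demote the ftp profile. FTPUSER is a placeholder name for the ftp profile in the post, QTEMP/USRPRFS is an arbitrary work file, and the field names UPUPRF, UPUSCL and UPSPAU are those of the DSPUSRPRF model outfile QADSPUPB; everything else is standard OS/400 command syntax.

```cl
/* Added example, not from the original post. Run from an OS/400 / IBM i
   command line under a *SECOFR-class profile.                            */

/* 1. "Joe" accounts: profiles whose password is the profile name.
      ACTION(*NONE) only produces the report (spooled file QPSECPWD);
      ACTION(*DISABLE) or ACTION(*PWDEXP) would disable or expire them.  */
ANZDFTPWD ACTION(*NONE)

/* 2. Over-privileged profiles. Dump the basic attributes of every
      profile to a work file (layout of model file QADSPUPB), then select
      those that are *SECOFR class or hold *ALLOBJ. *ALLOBJ alone is
      enough to take over any other profile, which is the point the post
      makes about "special authorities".                                   */
DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
           OUTFILE(QTEMP/USRPRFS)
RUNQRY     QRY(*NONE) QRYFILE((QTEMP/USRPRFS)) +
           QRYSLT('UPUSCL *EQ "*SECOFR" *OR UPSPAU *CT "*ALLOBJ"')

/* 3. Fix the ftp profile (FTPUSER is a placeholder for the real name):
      ordinary user class, no special authorities, no interactive
      sign-on, limited capabilities, and a new password. The scripts
      that embed the old password must be updated at the same time.      */
CHGUSRPRF  USRPRF(FTPUSER) USRCLS(*USER) SPCAUT(*NONE) +
           INLMNU(*SIGNOFF) LMTCPB(*YES) PASSWORD(newpassword)

/* 4. Stop new joe accounts from being created: require at least eight
      characters and one digit, so a password equal to a ten-character
      profile name is no longer accepted.                                  */
CHGSYSVAL  SYSVAL(QPWDMINLEN) VALUE('8')
CHGSYSVAL  SYSVAL(QPWDRQDDGT) VALUE('1')
```

Step 3 only removes the authority; the password that sits in the ftp scripts has already been exposed to everyone who can read those scripts, so it must be changed, and the profile should be granted authority only to the library the transfers actually use. Disabling a profile with ANZDFTPWD ACTION(*DISABLE) is safe only after checking that no batch job or script depends on it, which is precisely the check the ftp profile in the post fails.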


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].