|
Hi Brian, Everyone can plead ignorance when moving to new platforms and technologies. That is why one should ASK QUESTIONS, LISTEN to what they are told, TALK to knowledgeable people, READ, READ, READ and LOOSE THE BIG HEAD... It is SCARY that someone would have MULTIPLE profiles set this way. The AS/400 is without a DOUBT one of the most secure computer systems available - IF it has been set up properly. This system is a JOKE if the right/wrong person managed to get access. Sure that "might" be difficult, but then again, don't sell ANYONE short (including internal folks - the VAST majority of tampering, etc. is NOT from external hackers but rather employees - WHY make it easy on them ?). If he is the Security Officer he needs to read up on what that involves. There is a TON of information out there to help with this. There SHOULD be a way to do the FTP stuff without that authority. Ditto for just about EVERYTHING else. This guy obviously has some knowledge but doesn't seem to have been properly prepared for this roll. Who's this persons SUPERVISOR ? ! Good luck - what do you have planned ? Chuck brian wrote: > I work at a bank which recently upgraded to a 620 running software from > Jack Henry and Associates from an ES/9000 running VSE and bizarre custom > software. Needless to say, I was ecstatic. > > Despite repeated warnings, however, the ES/9000 guy has left several joe > (userid=password) user profiles on the box. Many of them are > USRCLS(*SECOFR) or possess special authorities that would make gaining all > other authorities trivial. > > One user profile, for example, is used exclusively for ftp transfers. For > some reason, it's *SECOFR. Worse, it is found in several ftp scripts. > > The fact that the box does *bank* processing is especially worrisome to > me. Mere deletion of the entire box would be bad enough, but in this > case, an attacker might instead do some very difficult-to-detect > embezzlement. > > I am quitting my job there soon, for obvious reasons. If you'd like to, > offer predictions about the future of a bank that will not pay attention > to important security matters. I would find it amusing to prepare a stack > of "fire him" emails from AS/400 professionals around the globe for my > superiors. > > Thanks. > > -brian > > +--- > | This is the Midrange System Mailing List! > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: david@midrange.com > +--- +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
