IBM is aware of, and is not ignoring, the encrypted password issue
being discussed here.

IBM is also aware of the claim that Leif is able to bypass AS/400
security to get to OS/400 objects.  We take this claim very seriously.

IBM accepts APARs on all security related issues.  Despite repeated
requests, the company Leif works for has refused to submit an APAR with,
or to provide, the details of this second claim.  We are attempting to
reproduce the claimed attack; however, with no more information than has
been made available on this forum, we are not at this time able to
confirm the exposure.  We are continuing our investigation.

IBM welcomes an APAR submission by Leif, his company, or anyone else
that includes the details of this second claim.

Let us look at the method used.  To launch a brute-force attack on a
password, you must have the encrypted password.  How do you get that
value?  You get it through either an API or service tool.  To use the
API, you must have *ALLOBJ and *SECADM special authorities.  To use
service tools, you must have either *SERVICE special authority or access
to DST and then know how to find the value.  Who should have these
special authorities or access?  Only trusted individuals - in other
words, your security officer.  The average user should not be given this
access or special authorities and, therefore, will not be able to launch
a brute-force attack against an encrypted password.

In addition, the use of these interfaces can be audited so even when a
trusted individual uses these interfaces, you can know it.  To restrict
access to DST, we recommend that access to the system itself be
restricted; and, for units where a keystick is available, the key
position be set to secure and the keystick removed and placed in a
secure location.

That said, we are investigating alternative password encryption schemes
for use on AS/400.

Bruce Vining

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---