• Subject: Re: Rewarding Challenge AS/400
  • From: Larry Bolhuis <lbolhui@xxxxxxx>
  • Date: Thu, 30 Sep 1999 21:45:03 -0400
  • Organization: Arbor Solutions, Inc

Bruce,

  Thank you for this post, it is the most succinct statement yet as to what IBM
knows about this problem and is doing about it.

  Leif, that said: Why, if this is such an important issue (and I agree that it
is) has an APAR not been opened?   Having been very vocal on the issue, and
knowing what you know, it seems, IMHO, that you have a responsibility to report
this as fully and completely to IBM as you can.  Those of us who are concerned
with this problem can (and I have) notified those that we can that the problem
exists, but only you have the intimate details.

  Bruce, you bring up one point that has irritated me for some time, and my
complaints have fallen on deaf ears:  Why are keysticks only available when you
spend $100,000 or more on your AS/400?  Consider that most systems of that value
and up are in secured areas. They don't need the stick as much as those 170's and
600's that are under people's desks!!  Keystick or other panel security should be
extended from the 170 and up!

  And one other note:  While 'hacking' a secured password ON the System Being
Hacked requires considerable authority, if a copy of a SAVSYS or SAVSECDTA is
available the hacking can be done in private.

  - Larry

bvining@vnet.ibm.com wrote:
> 
> IBM is aware of, and is not ignoring, the encrypted password issue
> being discussed here.
> 
> IBM is also aware of the claim that Leif is able to bypass AS/400
> security to get to OS/400 objects.  We take this claim very seriously.
> 
> IBM accepts APARs on all security related issues.  Despite repeated
> requests, the company Leif works for has refused to submit an APAR with,
> or to provide, the details of this second claim.  We are attempting to
> reproduce the claimed attack; however, with no more information than has
> been made available on this forum, we are not at this time able to
> confirm the exposure.  We are continuing our investigation.
> 
> IBM welcomes an APAR submission by Leif, his company, or anyone else
> that includes the details of this second claim.
> 
> Let us look at the method used.  To launch a brute-force attack on a
> password, you must have the encrypted password.  How do you get that
> value?  You get it through either an API or service tool.  To use the
> API, you must have *ALLOBJ and *SECADM special authorities.  To use
> service tools, you must have either *SERVICE special authority or access
> to DST and then know how to find the value.  Who should have these
> special authorities or access?  Only trusted individuals - in other
> words, your security officer.  The average user should not be given this
> access or special authorities and, therefore, will not be able to launch
> a brute-force attack against an encrypted password.
> 
> In addition, the use of these interfaces can be audited so even when a
> trusted individual uses these interfaces, you can know it.  To restrict
> access to DST, we recommend that access to the system itself be
> restricted; and, for units where a keystick is available, the key
> position be set to secure and the keystick removed and placed in a
> secure location.
> 
> That said, we are investigating alternative password encryption schemes
> for use on AS/400.
> 
> Bruce Vining


-- 
Larry Bolhuis         | What do You want to Reload today?
Arbor Solutions, Inc  | Don't throw your PC out the window,
(616) 451-2500        |  throw WINDOWS out of your PC.
(616) 451-2571 -fax   | Two rules to success in life:
lbolhui@ibm.net       | 1. Never tell people everything you know.
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
