Bruce,

Thank you for this post; it is the most succinct statement yet as to what IBM knows about this problem and is doing about it.

Leif, that said: Why, if this is such an important issue (and I agree that it is), has an APAR not been opened? Having been very vocal on the issue, and knowing what you know, it seems, IMHO, that you have a responsibility to report this as fully and completely to IBM as you can. Those of us who are concerned with this problem can (and I have) notify those that we can that the problem exists, but only you have the intimate details.

Bruce,

You bring up one point that has irritated me for some time, and my complaints have fallen on deaf ears: Why are keysticks only available when you spend $100,000 or more on your AS/400? Consider that most systems of that value and up are in secured areas. They don't need the stick as much as those 170's and 600's that are under people's desks!! Keystick or other panel security should be extended from the 170 and up!

And one other note: While 'hacking' a secured password ON the System Being Hacked requires considerable authority, if a copy of a SAVSYS or SAVSECDTA is available, the hacking can be done in private.

- Larry

bvining@vnet.ibm.com wrote:
>
> IBM is aware of, and is not ignoring, the encrypted password issue
> being discussed here.
>
> IBM is also aware of the claim that Leif is able to bypass AS/400
> security to get to OS/400 objects. We take this claim very seriously.
>
> IBM accepts APARs on all security related issues. Despite repeated
> requests, the company Leif works for has refused to submit an APAR with,
> or to provide, the details of this second claim. We are attempting to
> reproduce the claimed attack; however, with no more information than has
> been made available on this forum, we are not at this time able to
> confirm the exposure. We are continuing our investigation.
>
> IBM welcomes an APAR submission by Leif, his company, or anyone else
> that includes the details of this second claim.
>
> Let us look at the method used. To launch a brute-force attack on a
> password, you must have the encrypted password. How do you get that
> value? You get it through either an API or service tool. To use the
> API, you must have *ALLOBJ and *SECADM special authorities. To use
> service tools, you must have either *SERVICE special authority or access
> to DST and then know how to find the value. Who should have these
> special authorities or access? Only trusted individuals - in other
> words, your security officer. The average user should not be given this
> access or special authorities and, therefore, will not be able to launch
> a brute-force attack against an encrypted password.
>
> In addition, the use of these interfaces can be audited, so even when a
> trusted individual uses these interfaces, you can know it. To restrict
> access to DST, we recommend that access to the system itself be
> restricted; and, for units where a keystick is available, the key
> position be set to secure and the keystick removed and placed in a
> secure location.
>
> That said, we are investigating alternative password encryption schemes
> for use on AS/400.
>
> Bruce Vining

--
Larry Bolhuis          | What do You want to Reload today?
Arbor Solutions, Inc   | Don't throw your PC out the window,
(616) 451-2500         | throw WINDOWS out of your PC.
(616) 451-2571 -fax    | Two rules to success in life:
lbolhui@ibm.net        | 1. Never tell people everything you know.

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---