• Subject: Re: Rewarding Challenge AS/400
  • From: Chuck Lewis <clewis@xxxxxxxxxx>
  • Date: Fri, 01 Oct 1999 07:50:27 +0100

Bruce,

Thanks for the GREAT information and hopefully we will know something SOON (?).
Nice to know someone that can get attention focused on things like this from the
list :-)

And Leif ! Thanks for letting us know about this, but come on buddy; let's get an
APAR in for ALL our sakes :-)

Chuck

bvining@VNET.IBM.COM wrote:

> IBM is aware of, and is not ignoring, the encrypted password issue
> being discussed here.
>
> IBM is also aware of the claim that Leif is able to bypass AS/400
> security to get to OS/400 objects.  We take this claim very seriously.
>
> IBM accepts APARs on all security related issues.  Despite repeated
> requests, the company Leif works for has refused to submit an APAR with,
> or to provide, the details of this second claim.  We are attempting to
> reproduce the claimed attack; however, with no more information than has
> been made available on this forum, we are not at this time able to
> confirm the exposure.  We are continuing our investigation.
>
> IBM welcomes an APAR submission by Leif, his company, or anyone else
> that includes the details of this second claim.
>
> Let us look at the method used.  To launch a brute-force attack on a
> password, you must have the encrypted password.  How do you get that
> value?  You get it through either an API or service tool.  To use the
> API, you must have *ALLOBJ and *SECADM special authorities.  To use
> service tools, you must have either *SERVICE special authority or access
> to DST and then know how to find the value.  Who should have these
> special authorities or access?  Only trusted individuals - in other
> words, your security officer.  The average user should not be given this
> access or special authorities and, therefore, will not be able to launch
> a brute-force attack against an encrypted password.
>
> In addition, the use of these interfaces can be audited so even when a
> trusted individual uses these interfaces, you can know it.  To restrict
> access to DST, we recommend that access to the system itself be
> restricted; and, for units where a keystick is available, the key
> position be set to secure and the keystick removed and placed in a
> secure location.
>
> That said, we are investigating alternative password encryption schemes
> for use on AS/400.
>
> Bruce Vining
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---

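The quoted note argues that the exposure is bounded by who holds *ALLOBJ plus *SECADM (the API route) or *SERVICE / DST access (the service-tools route), and that those should be only the security officer. The following is an added example, not code from the post, from IBM, or from the list; it turns that rule into a least-privilege review that flags every profile holding one of those combinations outside an approved list. The profile names, the approved list and the authority sets are constructed sample data; a real review would feed it the system's actual user-profile information.

```python
"""
Least-privilege review of the special authorities named in the note.

Rule modelled (from the post): an encrypted password can be read through
an API only with *ALLOBJ and *SECADM together, or through service tools
with *SERVICE. Any profile holding either combination can, in principle,
obtain the value that a brute-force attempt would need, so each such
profile should be a known, trusted holder.
"""

# Constructed sample profile records (hypothetical names and authorities).
SAMPLE_PROFILES = [
    {"name": "SECOFFICER", "special_authorities": ["*ALLOBJ", "*SECADM", "*SERVICE", "*AUDIT"]},
    {"name": "OPERATOR1", "special_authorities": ["*JOBCTL", "*SAVSYS"]},
    {"name": "DEVLEAD", "special_authorities": ["*ALLOBJ", "*SECADM"]},
    {"name": "HWSUPPORT", "special_authorities": ["*SERVICE"]},
    {"name": "CLERK42", "special_authorities": []},
]

# Profiles the organisation has explicitly approved as holders (constructed).
APPROVED_HOLDERS = {"SECOFFICER"}


def retrieval_routes(special_authorities):
    """Return the routes (per the post) this authority set opens to the
    encrypted password: 'api' needs *ALLOBJ and *SECADM, 'service-tools'
    needs *SERVICE. Empty list means neither route is open."""
    auths = set(special_authorities)
    routes = []
    if {"*ALLOBJ", "*SECADM"} <= auths:
        routes.append("api")
    if "*SERVICE" in auths:
        routes.append("service-tools")
    return routes


def can_retrieve_encrypted_password(special_authorities):
    """True if at least one retrieval route is open for this authority set."""
    return bool(retrieval_routes(special_authorities))


def review(profiles, approved):
    """Return (holders, unexpected): every profile that can reach the
    encrypted password, and the subset not on the approved list. Each
    entry is (profile name, routes) so the reviewer sees why it was flagged."""
    holders = []
    for profile in profiles:
        routes = retrieval_routes(profile["special_authorities"])
        if routes:
            holders.append((profile["name"], routes))
    unexpected = [(name, routes) for name, routes in holders if name not in approved]
    return holders, unexpected


def report(profiles, approved):
    """Human-readable summary for the review; returns the text rather than
    only printing it so callers can log or diff it."""
    holders, unexpected = review(profiles, approved)
    lines = [f"{len(holders)} profile(s) can reach the encrypted password value:"]
    for name, routes in holders:
        tag = "approved" if name in approved else "UNEXPECTED"
        lines.append(f"  {name:<12} via {', '.join(routes):<18} [{tag}]")
    if unexpected:
        lines.append("Action: confirm or remove the authorities on the UNEXPECTED "
                     "profiles, and make sure use of these interfaces is audited.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PROFILES, APPROVED_HOLDERS))
```

The review deliberately reports the route as well as the name: a profile flagged only for *SERVICE points at the service-tools / DST side of the note (physical access, keystick position), while one flagged for *ALLOBJ plus *SECADM points at the API side, so the follow-up differs.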


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].