Bruce, Thanks for the GREAT information and hopefully we will know something SOON (?). Nice to know someone that can get attention focused on things like this from the list :-)

And Leif! Thanks for letting us know about this, but come on buddy; let's get an APAR in for ALL our sakes :-)

Chuck

bvining@VNET.IBM.COM wrote:

> IBM is aware of, and is not ignoring, the encrypted password issue
> being discussed here.
>
> IBM is also aware of the claim that Leif is able to bypass AS/400
> security to get to OS/400 objects. We take this claim very seriously.
>
> IBM accepts APARs on all security related issues. Despite repeated
> requests, the company Leif works for has refused to submit an APAR with,
> or to provide, the details of this second claim. We are attempting to
> reproduce the claimed attack; however, with no more information than has
> been made available on this forum, we are not at this time able to
> confirm the exposure. We are continuing our investigation.
>
> IBM welcomes an APAR submission by Leif, his company, or anyone else
> that includes the details of this second claim.
>
> Let us look at the method used. To launch a brute-force attack on a
> password, you must have the encrypted password. How do you get that
> value? You get it through either an API or service tool. To use the
> API, you must have *ALLOBJ and *SECADM special authorities. To use
> service tools, you must have either *SERVICE special authority or access
> to DST and then know how to find the value. Who should have these
> special authorities or access? Only trusted individuals - in other
> words, your security officer. The average user should not be given this
> access or special authorities and, therefore, will not be able to launch
> a brute-force attack against an encrypted password.
>
> In addition, the use of these interfaces can be audited so even when a
> trusted individual uses these interfaces, you can know it. To restrict
> access to DST, we recommend that access to the system itself be
> restricted; and, for units where a keystick is available, the key
> position be set to secure and the keystick removed and placed in a
> secure location.
>
> That said, we are investigating alternative password encryption schemes
> for use on AS/400.
>
> Bruce Vining
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
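The quoted IBM message reduces the exposure to a least-privilege question: only profiles holding *ALLOBJ together with *SECADM (API route) or *SERVICE (service tools route) can obtain an encrypted password, and only the security officer should hold them. The script below is an added example, not code from this list or from IBM; it reviews a user-profile export against that rule. The comma-separated export format, the profile names and the trusted allowlist are constructed for illustration, not any real OS/400 output.

```python
"""Least-privilege review for the special authorities the quoted message names
as prerequisites for reading an OS/400 encrypted password.

Added example, not code from the mailing list or from IBM. The input format
(a comma-separated export of user profile name and special authorities), the
profile names and the allowlist are constructed for illustration.
"""
import csv
import io

# Constructed sample export: profile name, space-separated special authorities.
SAMPLE_EXPORT = """\
USRPRF,SPCAUT
QSECOFR,*ALLOBJ *SECADM *SERVICE *AUDIT *JOBCTL *SAVSYS *SPLCTL *IOSYSCFG
SECADMIN,*ALLOBJ *SECADM
OPERATOR,*JOBCTL *SAVSYS
HWTECH,*SERVICE
CLERK1,*NONE
DEVLEAD,*ALLOBJ
"""

# Constructed allowlist: profiles that are expected to hold these authorities
# (the "trusted individuals" of the message).
TRUSTED = {"QSECOFR", "SECADMIN"}


def parse_export(text):
    """Return {profile: set of special authorities} from the CSV export."""
    profiles = {}
    for row in csv.DictReader(io.StringIO(text)):
        auths = set(row["SPCAUT"].split())
        auths.discard("*NONE")  # *NONE is a placeholder, not an authority
        profiles[row["USRPRF"].strip()] = auths
    return profiles


def password_read_paths(auths):
    """Name the routes by which a profile could obtain an encrypted password,
    following the message: the API needs *ALLOBJ and *SECADM together; the
    service tools route needs *SERVICE. DST access is a separate control that
    a profile export cannot show, so it is not evaluated here."""
    paths = []
    if {"*ALLOBJ", "*SECADM"} <= auths:
        paths.append("API")
    if "*SERVICE" in auths:
        paths.append("service tools")
    return paths


def review(text, trusted):
    """Return sorted (profile, paths) for every profile that can reach the
    encrypted password but is not on the trusted allowlist."""
    findings = []
    for name, auths in parse_export(text).items():
        paths = password_read_paths(auths)
        if paths and name not in trusted:
            findings.append((name, paths))
    return sorted(findings)


if __name__ == "__main__":
    for name, paths in review(SAMPLE_EXPORT, TRUSTED):
        print(f"{name}: can obtain encrypted passwords via {', '.join(paths)}")
```

On the constructed data the only finding is HWTECH, which holds *SERVICE without being on the allowlist; DEVLEAD holds *ALLOBJ alone, which the message says is not enough for the API route. The DST route depends on physical access and the keystick position rather than on profile authorities, so it has to be covered by the physical controls the message recommends, not by a profile review.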
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work.