Ray Peterson wrote:
> Could a "Trojan Horse" be created to attach itself to an OpsNavigator PC
> program and harvest user IDs and passwords? After all, OpsNav can create
> and change user IDs and object permissions.

The people who say that AS/400 has never had a virus are, I assume, speaking of the self-replicating sort of virus that uses internal address pointers (or the SEPT table on the AS/400) to attach itself to another, already existing program. While this is difficult at QSECURITY levels 40 and above (and can be further hindered by keeping the SYSVAL ALWOBJRST=*NO until you need it to be different), it is not impossible. If you're the kind of person who likes to curl up with a good non-fiction horror story, try Joe Park's "AS/400 Security in a Client Server Environment" (Wiley Press, 1995).

But a Trojan Horse can infect _any_ computer that can run a program (isn't that every computer??), and preys upon weak security implementations such as those commonly found in AS/400 purchased package software where *PUBLIC = *CHANGE (or worse) or the Object Owning Profile = the end user's Group Profile. Unfortunately there are way too many software applications that are vulnerable because of this kind of security setup. And as you pointed out, Ray, a Trojan Horse will skirt AS/400's really good object security by attaching itself to a process that already has authority to something.

The trick to stopping Trojan Horses is preventing them from getting added to your system in the first place. The three most likely places that a Trojan Horse (or any other virus, for that matter) would be introduced are:

1) Programs written by someone in your own shop
2) Programs restored from tape or CD
3) Programs restored via network connections (FTP, CA, DDM, etc.)

The best ways to keep these little buggies away are to:

1) Use an object security scheme that results in users (and programmers?) not having *OBJEXT (delete) rights to programs.
2) Use a good change management system.
3) Control and track who restores programs to your AS/400. The QAUDLVL *SAVRST will track restore operations, and (shameless commercial plug here) you can track data and object transfers to the AS/400 with our free PowerLock/SE intrusion detection software (download it from www.400security.com. It really is free, and it really doesn't expire after X days).

> Could OpsNav be modified to start IP servers you don't normally start - e.g.
> FTP?

Sure. Trojan Horses on the PC are really easy because there is nothing that prevents a PC program from being modified and/or replaced. I'm sure that the folks in Rochester would argue that this is not an AS/400 virus because it is actually implemented on the desktop (but for you and me the results are the same). This just makes it that much more important to have control of what gets introduced to the /400.

Admittedly AS/400 library security is not as tight as we'd like (because a user only needs *USE authority to place new objects into a library), but for a Trojan Horse to be useful, it has to either replace an existing program or get put higher in the library list than the program that it attempts to replace. You can prevent program replacement by ensuring that the user community doesn't have *OBJEXT rights to existing programs; for new objects you'll have to have some sort of monitoring arrangement.

jte
--
John Earl                    johnearl@powertechgroup.com
The PowerTech Group          206-575-0711
PowerLock Network Security   www.400security.com
The 400 School               www.400school.com
--
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
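The three weak setups John's message names (*PUBLIC at *CHANGE or worse on a program, a program owned by the end users' group profile, and users holding object-existence rights that let them delete or replace a program) can be checked mechanically once object authorities are exported. The script below is an added example written for this archive page; it is not code from the list message or from PowerTech. The record layout it parses is a constructed, simplified CSV (one row per object/user authority pair), not the real DSPOBJAUT *OUTFILE format, and the sample rows, profile names and the GROUP_PROFILES set are all made up. The CL commands it emits (GRTOBJAUT, RVKOBJAUT, CHGOBJOWN) are real OS/400 commands; the new owner for the group-profile case is left as a labelled placeholder.

```python
"""Audit an exported object-authority listing for the weak program setups
described in the message: *PUBLIC at *CHANGE or higher, program owned by a
group profile, and non-owners holding *OBJEXIST (the message spells it
*OBJEXT), which is what lets a program be deleted and replaced.

Constructed example: the CSV layout below is hypothetical and simplified,
not the real DSPOBJAUT *OUTFILE record format.
"""
from dataclasses import dataclass

# OS/400 data-authority shortcuts, ranked weakest to strongest.
AUT_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass
class AutRecord:
    library: str
    obj: str
    obj_type: str
    owner: str
    user: str        # a user profile or *PUBLIC
    authority: str   # *EXCLUDE / *USE / *CHANGE / *ALL (anything else treated as *ALL)
    objexist: bool   # True if this user holds *OBJEXIST on the object


# Constructed sample export: library,object,type,owner,user,authority,objexist(Y/N)
SAMPLE = """\
PAYLIB,PAYRUN,*PGM,PAYOWN,*PUBLIC,*USE,N
PAYLIB,PAYRUN,*PGM,PAYOWN,CLERK1,*CHANGE,N
PAYLIB,PAYPOST,*PGM,PAYOWN,*PUBLIC,*CHANGE,N
APPLIB,INVUPD,*PGM,APPUSERS,*PUBLIC,*USE,N
APPLIB,ORDENT,*PGM,APPOWN,*PUBLIC,*USE,N
APPLIB,ORDENT,*PGM,APPOWN,DEV1,*ALL,Y
"""

# Constructed: profiles the auditor knows to be group profiles.
GROUP_PROFILES = {"APPUSERS"}


def parse(text):
    """Turn the CSV export into AutRecord objects, skipping blank lines."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        lib, obj, typ, owner, user, aut, ex = [f.strip() for f in line.split(",")]
        recs.append(AutRecord(lib, obj, typ, owner, user, aut, ex.upper() == "Y"))
    return recs


def find_weak_programs(recs, group_profiles, max_public="*USE"):
    """Return sorted (library, object, kind, who) findings for *PGM objects.

    kind is one of PUBLIC (public authority above max_public),
    GROUPOWNER (owner is a group profile) or OBJEXIST (non-owner can
    delete/replace the program).
    """
    findings = set()
    for r in recs:
        if r.obj_type != "*PGM":
            continue
        # Unknown/user-defined authority strings are treated as *ALL (worst case).
        if r.user == "*PUBLIC" and AUT_RANK.get(r.authority, 3) > AUT_RANK[max_public]:
            findings.add((r.library, r.obj, "PUBLIC", r.authority))
        if r.owner in group_profiles:
            findings.add((r.library, r.obj, "GROUPOWNER", r.owner))
        if r.objexist and r.user != r.owner:
            findings.add((r.library, r.obj, "OBJEXIST", r.user))
    return sorted(findings)


def remediation_cl(finding):
    """Suggest one CL command per finding (review before running on a real box)."""
    lib, obj, kind, who = finding
    if kind == "PUBLIC":
        return (f"GRTOBJAUT OBJ({lib}/{obj}) OBJTYPE(*PGM) USER(*PUBLIC) "
                f"AUT(*USE) REPLACE(*YES)")
    if kind == "OBJEXIST":
        return f"RVKOBJAUT OBJ({lib}/{obj}) OBJTYPE(*PGM) USER({who}) AUT(*OBJEXIST)"
    if kind == "GROUPOWNER":
        # <OWNERPRF> is a placeholder for a dedicated, non-group owning profile.
        return (f"CHGOBJOWN OBJ({lib}/{obj}) OBJTYPE(*PGM) NEWOWN(<OWNERPRF>) "
                f"CUROWNAUT(*REVOKE)")
    raise ValueError(f"unknown finding kind {kind}")


if __name__ == "__main__":
    for f in find_weak_programs(parse(SAMPLE), GROUP_PROFILES):
        print(f"{f[0]}/{f[1]}: {f[2]} ({f[3]})  ->  {remediation_cl(f)}")
```

On the constructed sample this flags PAYLIB/PAYPOST (public *CHANGE), APPLIB/INVUPD (owned by the APPUSERS group) and APPLIB/ORDENT (DEV1 holds *OBJEXIST); CLERK1's private *CHANGE on PAYRUN is not reported because the message's concern is public authority and existence rights, not a single named user's change authority. The emitted commands are starting points for review, not something to pipe straight into a job.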
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.