× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2000

RE: AS400 user password (fwd)

  • Subject: RE: AS400 user password (fwd)
  • From: Chris Bipes <rpg@xxxxxxxxxxxxxxx>
  • Date: Fri, 9 Jun 2000 07:09:23 -0700 
Actually running traces in TCP/IP or sniffing the line will give you what is
types from signon screens.  Unfortunately 5250 data streams are not secure.
Your Client Access, Express, Mocha or what ever do not create a VPN
connection to your AS400.  You can also trace SNA communications, (Pass
Thru), as well as twinax lines.  But you do have to have service authority
to do this on the AS400.  But any hacker in your company can snip the
Ethernet/token ring and find your signon.  But if you use only switches in
your network and NO HUBs, sniffing becomes rather difficult.  Again this
becomes an INSIDE job.  Now if you connect to your AS400 over the internet
without VPN, you just gave the world your user  ids and passwords.

Think about it,



Christopher K. Bipes     mailto:ChrisB@Cross-Check.com
Sr. Programmer/Analyst   mailto:Chris_Bipes@Yahoo.com
CrossCheck, Inc.         http://www.cross-check.com
6119 State Farm Drive    Phone: 707 586-0551 x 1102
Rohnert Park CA  94928 Fax: 707 586-1884

If consistency is the hobgoblin of little minds, only geniuses work here.
Karen Herbelin - Readers Digest 3/2000


-----Original Message-----
From: William Washington III [mailto:w.washington@iols.net]
Sent: Friday, June 09, 2000 5:52 AM
To: MIDRANGE-L@midrange.com
Subject: Re: AS400 user password (fwd)


Obviously, a security officer with knowledge of MI and encryption as well as
alot of time on his hand can eventually get into a system.  Also obvisouly,
there has to be a file with the user ids and passwords to perform
validation.  I think the real question is:  How easy is it for someone
outside of the system to break in?  The answer to that is "not very."

Security is more than passwords.  It is also varying off the terminal after
a certain number of failed attempts to log in.  This prevents brute-force
attacks.  Also, someone mentioned that if someone knows the user id, they
can get the password.  Once again, this would rely on **very** specialized
knowledge as well as a special user profile authoization adoption to do
this.  In other words, it has to be an "inside job."

Someone who can demonstrate that they can run a program and get user ids and
passwords without being logged on as security officer, or someone who can
crack into an AS/400 consistently (without brute-force methods) will get my
"anything is possible, but what are going to do with it?" award.  Oh, the
standard precautions (level 30 or 40 security, vary off devices after three
invalid attempts, secured SECOFR authorities) should be taken on the
machine.

Bottom line... a simple explanation is required as to why the claim is made.
Don't tell the group "oh, you have to look at the MI API's to figure it
out."  Duh, who has access to MI?  (Answer:  SECOFR and some service
functions.)  And how will that help someone on the outside break in a
properly-secured system?  Anything less is simply an attempt to spread fear,
uncertainty, and doubt in the community.

For what it's worth.... I'm truly interested in a public reply.

William
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.