|
Actually running traces in TCP/IP or sniffing the line will give you what is types from signon screens. Unfortunately 5250 data streams are not secure. Your Client Access, Express, Mocha or what ever do not create a VPN connection to your AS400. You can also trace SNA communications, (Pass Thru), as well as twinax lines. But you do have to have service authority to do this on the AS400. But any hacker in your company can snip the Ethernet/token ring and find your signon. But if you use only switches in your network and NO HUBs, sniffing becomes rather difficult. Again this becomes an INSIDE job. Now if you connect to your AS400 over the internet without VPN, you just gave the world your user ids and passwords. Think about it, Christopher K. Bipes mailto:ChrisB@Cross-Check.com Sr. Programmer/Analyst mailto:Chris_Bipes@Yahoo.com CrossCheck, Inc. http://www.cross-check.com 6119 State Farm Drive Phone: 707 586-0551 x 1102 Rohnert Park CA 94928 Fax: 707 586-1884 If consistency is the hobgoblin of little minds, only geniuses work here. Karen Herbelin - Readers Digest 3/2000 -----Original Message----- From: William Washington III [mailto:w.washington@iols.net] Sent: Friday, June 09, 2000 5:52 AM To: MIDRANGE-L@midrange.com Subject: Re: AS400 user password (fwd) Obviously, a security officer with knowledge of MI and encryption as well as alot of time on his hand can eventually get into a system. Also obvisouly, there has to be a file with the user ids and passwords to perform validation. I think the real question is: How easy is it for someone outside of the system to break in? The answer to that is "not very." Security is more than passwords. It is also varying off the terminal after a certain number of failed attempts to log in. This prevents brute-force attacks. Also, someone mentioned that if someone knows the user id, they can get the password. Once again, this would rely on **very** specialized knowledge as well as a special user profile authoization adoption to do this. In other words, it has to be an "inside job." Someone who can demonstrate that they can run a program and get user ids and passwords without being logged on as security officer, or someone who can crack into an AS/400 consistently (without brute-force methods) will get my "anything is possible, but what are going to do with it?" award. Oh, the standard precautions (level 30 or 40 security, vary off devices after three invalid attempts, secured SECOFR authorities) should be taken on the machine. Bottom line... a simple explanation is required as to why the claim is made. Don't tell the group "oh, you have to look at the MI API's to figure it out." Duh, who has access to MI? (Answer: SECOFR and some service functions.) And how will that help someone on the outside break in a properly-secured system? Anything less is simply an attempt to spread fear, uncertainty, and doubt in the community. For what it's worth.... I'm truly interested in a public reply. William +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.