Re: AS400 user password

[Dan <dantanabanana@xxxxxxxxxxxx>]

Just a few days ago, a 17-line RPG-IV program was posted to MI400-L that
sniffs user IDs and passwords as they sign on to the system.  I tried it, it
works.  I understand that it works at security level 30 and below and for user
classes that 95% of the AS/400 shops out there use.  From what I can tell, the
author has managed to get this to work at level 40 with the same features as
the code published the other day and at level 50 with the program changed to a
system state program.

This is real, folks.  Any programmer in your shop can do this.  With a 17-line
RPG-IV program!  I remember the flap awhile ago with the brute force password
cracker; too much trouble and too prone to being discovered.  But this monster
appears to give me all the anonymity I need.  A little patience to sniff out
all the ID's & passwords and, with any luck, get the QSECOFR or any other
UserID with security officer priveledges.

Even though the code was published on MI-400, I will leave it to the original
author to republish it here.  I agree that security-by-obscurity is not
security at all, but don't feel it is my place to throw this hot potato any
further.

But, believe it, it's real, any Joe Programmer can do it, and there's really
no good way to stop him/her.  Until IBM closes this gaping hole, y'all better
be real nice to your programming staff.  <g>

"Hey, boss, about that promotion you denied me.........."


"William Washington III" <w.washington@iols.net> wrote:
> Obviously, a security officer with knowledge of MI and encryption as well
as
> alot of time on his hand can eventually get into a system.  Also obvisouly,
> there has to be a file with the user ids and passwords to perform
> validation.  I think the real question is:  How easy is it for someone
> outside of the system to break in?  The answer to that is "not very."
> 
> Security is more than passwords.  It is also varying off the terminal after
> a certain number of failed attempts to log in.  This prevents brute-force
> attacks.  Also, someone mentioned that if someone knows the user id, they
> can get the password.  Once again, this would rely on **very** specialized
> knowledge as well as a special user profile authoization adoption to do
> this.  In other words, it has to be an "inside job."
> 
> Someone who can demonstrate that they can run a program and get user ids
and
> passwords without being logged on as security officer, or someone who can
> crack into an AS/400 consistently (without brute-force methods) will get my
> "anything is possible, but what are going to do with it?" award.  Oh, the
> standard precautions (level 30 or 40 security, vary off devices after three
> invalid attempts, secured SECOFR authorities) should be taken on the
> machine.
> 
> Bottom line... a simple explanation is required as to why the claim is
made.
> Don't tell the group "oh, you have to look at the MI API's to figure it
> out."  Duh, who has access to MI?  (Answer:  SECOFR and some service
> functions.)  And how will that help someone on the outside break in a
> properly-secured system?  Anything less is simply an attempt to spread
fear,
> uncertainty, and doubt in the community.
> 
> For what it's worth.... I'm truly interested in a public reply.
> 
> William


____________________________________________________________________
Get your own FREE, personal Netscape WebMail account today at 
http://webmail.netscape.com.
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---