× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. February 2002

RE: BugTraq Exploit for OS/400








"Hall, Philip" <phall@spss.com> on 02/25/2002 01:35:44 PM

Please respond to midrange-l@midrange.com

To:   "'midrange-l@midrange.com'" <midrange-l@midrange.com>
cc:    (bcc: Kevin a Layne/crcmn)

Subject:  RE: BugTraq Exploit for OS/400





>But Mr. Hacker doesn't know who works there, and given that he wants as much
>help as he can get - and it will help him being told whether or not the user
>profile exists or not.

Sure.  but if you are concerned with sys request as at bugtrac the hacker is
already on your system and you have problems with physical security.

Usernames are easy, I can shoulder surf them. Maybe the next big Bugtrac
'vulnerability' will be the username displayed in plain text on the logon
screen.  I can get all I want at the furniture store checking stock with
different salespersons..or walking through my office in the morning... I can
probably get passwords this way too if I'm observant.:)

many email addresses are in the form of  username@whatever.com.  hey now i got
the domain info too!

Changing the messages is a good idea and will provide no help to a hacker who
gets a log on screen and won't effect legitimate users.

Good password rules will prevent brute force (3 trys and your out) minimum
length,  no trivial passwords(require a number) etc and can be set and enforced
through system values.

I assign short usernames and passwords need to be longer so I have never had a
user with a default password. The system supplied profiles have all been changed
long ago. New users are set up with a non default password that is set as
expired so they must change it the first time they log on.

A system value that does not allow default passwords would be a good idea and is
not there as of 4r4.

I think if all the other security bases are covered, usernames are the least of
the problems.

Kevin Layne

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.