"Hall, Philip" <phall@spss.com> on 02/25/2002 01:35:44 PM

Please respond to midrange-l@midrange.com

To:   "'midrange-l@midrange.com'" <midrange-l@midrange.com>
cc:    (bcc: Kevin a Layne/crcmn)

Subject:  RE: BugTraq Exploit for OS/400
>But Mr. Hacker doesn't know who works there, and given that he wants as much
>help as he can get, it will help him to be told whether or not the user
>profile exists.

Sure, but if you are concerned with sys request as at BugTraq, the hacker is
already on your system and you have problems with physical security.

Usernames are easy; I can shoulder surf them. Maybe the next big BugTraq
'vulnerability' will be the username displayed in plain text on the logon
screen. I can get all I want at the furniture store checking stock with
different salespersons, or walking through my office in the morning. I can
probably get passwords this way too if I'm observant. :)

Many email addresses are in the form of username@whatever.com. Hey, now I've got
the domain info too!

Changing the messages is a good idea; it will provide no help to a hacker who
gets a logon screen and won't affect legitimate users.

Good password rules will prevent brute force (3 tries and you're out), minimum
length, no trivial passwords (require a number), etc., and can be set and enforced
through system values.

I assign short usernames, and passwords need to be longer, so I have never had a
user with a default password. The system-supplied profiles were all changed
long ago. New users are set up with a non-default password that is set as
expired, so they must change it the first time they log on.

A system value that does not allow default passwords would be a good idea and is
not there as of V4R4.

I think if all the other security bases are covered, usernames are the least of
the problems.

Kevin Layne
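The sign-on and password rules Kevin describes, written out as OS/400 CL commands. This is an added example, not code from the post; the system value names (QMAXSIGN, QMAXSGNACN, QPWDMINLEN, QPWDRQDDGT) are real OS/400 system values that the post does not name, and the profile name NEWUSER and its initial password are placeholders.

```cl
/* Added example, not from the post. System value names are real OS/400   */
/* values the post does not mention; NEWUSER and CHANGEME1 are placeholders. */

/* Three failed sign-on attempts, then lock out: QMAXSGNACN '3' disables   */
/* both the device and the user profile ('1' = device only, '2' = profile).*/
CHGSYSVAL  SYSVAL(QMAXSIGN)   VALUE('3')
CHGSYSVAL  SYSVAL(QMAXSGNACN) VALUE('3')

/* Minimum password length, and at least one digit required, so short     */
/* usernames can never double as valid passwords.                          */
CHGSYSVAL  SYSVAL(QPWDMINLEN) VALUE('8')
CHGSYSVAL  SYSVAL(QPWDRQDDGT) VALUE('1')

/* New user: a non-default initial password that is already expired, so    */
/* the first sign-on forces a change. Replace CHANGEME1 with a per-user    */
/* initial password that meets the rules above.                            */
CRTUSRPRF  USRPRF(NEWUSER) PASSWORD(CHANGEME1) PWDEXP(*YES) +
           TEXT('Initial password set expired at creation')
```

The two CHGSYSVAL pairs take effect for subsequent sign-ons; existing profiles keep whatever password they already have, which is why the post's practice of never allowing a default password in the first place matters.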
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].