You are absolutely right. What I was trying to say was - the greatest threat to the system comes from inside the organisation, from people who already have a valid sign on. It is they who have access to this information, which they could then use to hack other integral servers (e.g. FTP, ODBC). If a hacker from outside the organisation has successfully hacked a 5250 session, the system is compromised, and could be under greater threat.

Syd Nicholson
Castlehill Computer Services Ltd.

James Rich wrote:

>On Mon, 25 Feb 2002, Dr Syd Nicholson wrote:
>
>>Are we not all missing the point here??
>>
>>In order to use the System Request menu the user has signed on.
>>They have a user ID and password. If this is an unauthorised person the
>>system is already compromised. The system has already been hacked!!!
>>
>
>Not all vulnerabilities are remote or can be exploited without a valid
>login. A vulnerability is a situation where some user can do something
>that that user is not allowed to do. The fact that a certain
>vulnerability cannot be exploited remotely or requires a valid login
>to be exploited does not mean that it is not a security breach.
>
>>If the signed-on user is authorised to use the system, they probably
>>know the other User IDs anyway.
>>
>>If your system has been hacked - 5250 sessions are the least of the
>>problem - check out FTP and ODBC, these are MUCH more dangerous. If the
>>installed applications do not allow sufficient flexibility regarding
>>configuring the security of OS/400, consider using exit point security
>>programs to close back door access to the system.
>>
>
>That there are many methods to break into systems is not the point. That
>this particular exploit requires a valid login is not the point. That
>some program or service can be tricked into doing something it was not
>designed to do is the point.
>
>Whose clever sig is it that says, "there are two types of programs...
>those that do what they are supposed to and those that don't. I use the
>latter." ?
>
>James Rich
>james@eaerich.com
>
>_______________________________________________
>This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
>To post a message email: MIDRANGE-L@midrange.com
>To subscribe, unsubscribe, or change list options,
>visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
>or email: MIDRANGE-L-request@midrange.com
>Before posting, please take a moment to review the archives
>at http://archive.midrange.com/midrange-l.
>
--