|
The following are my personal opinions and in no way reflect the official position of my employer or anyone else... There is a recent posting on bugtraq that is very misleading. It is the latest in a series of recent postings that are also very miss leading and often inaccurate. The most recent bugtraq post includes: > The IBM iSeries (AS/400) server provides a unified access scheme, called > IFS, to all of the files and to all of the database tables in all of the > database libraries. It fails to mention that, like any file system, it only provides access to those authenticated users that are also authorized to those databases and libraries. > iSeries servers without FTP security protection are vulnerable by > default. I'm not aware of anything called "FTP security." The way to protect any data on this system -- or any other system -- is through use of the native access control mechanism. There is, in this bugtraq posting -- like some previous postings -- a kernel of accuracy. However, the sky is not falling. If you manage the authority on your iSeries objects so that only those who are supposed to access them are authorized, then this "canonicalization" attack is a moot point. In my opinion, the person making the recent appends to the bugtraq list appears to some motive other than providing useful information about security. I base this opinion on the following: - To my knowledge, s/he has never submitted an APAR regarding any of the posting made to bugtraq either before or after making the posting. - To my knowledge, s/he has never contacted anyone working for the vendor that could help verify the claim, fix any problem if one existed, or that could help verify his claims, or educate him on the difference between say, a buffer overflow type of attack utilizing "root takeover" and the system providing information to an authenticated AND authorized user that happens to access the system via something other than a green screen. - To my knowledge, s/he has never attempted to verify any alleged exposure with any independent expert with knowledge of the particular system for which s/he is claiming an exposure. - Provided example scripts highlighting an exposure with a posting which didn't work at all without modification - Attributed an architected and documented behavior of the system (users in a group are allowed to see other members of the same group) which behaves the same way through all interfaces as an "exposure" of the LDAP server. - Claims that a "feature" of a client OS that allows any rogue remote system -- of any type -- running a telnet server to use the telnet connection to the client to perform operations on the client is somehow an exposure inherent to the the OS on which the telnet server is running. - Includes a link in all postings to bugtraq to a website where a book that can help protect against these "exposures" can be conveniently purchased. - Periodically has annoying pop up ads for other products that must be blocked or clicked to be avoided. So while some of the postings have bits and pieces that may be accurate, they all contain glaring inaccuracies which tend to sensationalize and magnify the ramifications of any of the parts that are accurate. I suspect most security experts would also agree that publicly announcing exposures without ever informing the vendor (before or after making the public announcement) is generally assumed to be grandstanding...
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.