Lets be specific here. On Aug 17, 2013, at 12:30 PM, Skip Robinson <jo.skip.robin...@sce.com> wrote:
> This exposure has been known--and discussed publicly--for several years. > It is NOT true that 'passwords are not stored'. If they weren't 'stored' > at all, then how could RACF validate the password you supply? They are in > fact stored in encrypted form. The encryption method itself is not a state > secret. It can be simulated. The passwords are NOT stored. The encrypted user id is stored > > > The brute force method alluded to here starts with a copy of a RACF data > base. Then generated character strings are fed into an encryption program > until the encrypted form of some random string matches what's found in the > data base for a given userid. Voila. The password has been hacked. > It is not possible to hack RACF passwords unless the user ids that access the system protected by RACF are known. It is typically a difficult task to get a list of user ids without read access to the RACF database. Even if you manage to come up with a list of user ids, it does you no good unless you have read access to the RACF database. Even if two users have identical passwords they would be different in the database so cracking a password once does not allow simple checks to see if other users are using the same password. > Once upon a time, it would have taken so long to perform this string match > that passwords would likely have changed in the meantime. Nowadays > computers all the way down to smart phones have gotten faster while the > encryption algorithms have remained the same. There is to my knowledge no > canonical defense for this hacking method. Best you can do is to prevent > the data base from being copied in the first place. > > As for what to do with the 'culprit', did he abscond with data or commit > some other mischief? Or did he reveal his activity to management as a > wake-up call? The news today is replete with tales of 'ethical hackers'. > Should we lock them up or bestow medals? Motivation is everything. > > . > . > JO.Skip Robinson > Southern California Edison Company > Electric Dragon Team Paddler > SHARE MVS Program Co-Manager > 626-302-7535 Office > 323-715-0595 Mobile > jo.skip.robin...@sce.com > > > > From: mmjuma <mmj...@yahoo.com> > To: IBM-MAIN@LISTSERV.UA.EDU, > Date: 08/17/2013 01:04 AM > Subject: RACF Database protection > Sent by: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> > > > > Hi list > > Some one in our section, he was able to download RACF data base file > SYS1.RACF.PRIM via ftp to PC, then he used some tool. He was able to get > uid and password of some users. He had now access to the file in > mainframe. I want to understand what happend, and how to protect against > such issue. > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
