Skip, There was an method posted many years ago that used a lexicon of common words, and passwords, to encrypt a UID and match it to the value stored in RACF. Is this what you are referring to?
The OP of that post mentioned this as an auditing tool, but I recall a lengthy and robust discussion as to whether it was actually an audit tool, or a crack. I'm no expert, but I would not count this as a brute force crack as the scope of the attack would be the size of the lexicon, and how well it matches the user and/or the community. I think it would be true to say that lax password standards or enforcement would make this an easier crack. I'm not enamored of brute force crackers. After five years trying to crack a word 97 document that I forgot the password to I simply gave up. Not running continuously, but for weeks at a time. Ron > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] > On Behalf Of Skip Robinson > Sent: Saturday, August 17, 2013 10:31 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: [IBM-MAIN] RACF Database protection > > This exposure has been known--and discussed publicly--for several years. > It is NOT true that 'passwords are not stored'. If they weren't 'stored' > at all, then how could RACF validate the password you supply? They are in > fact stored in encrypted form. The encryption method itself is not a state > secret. It can be simulated. > > The brute force method alluded to here starts with a copy of a RACF data > base. Then generated character strings are fed into an encryption program > until the encrypted form of some random string matches what's found in the > data base for a given userid. Voila. The password has been hacked. > > Once upon a time, it would have taken so long to perform this string match > that passwords would likely have changed in the meantime. Nowadays > computers all the way down to smart phones have gotten faster while the > encryption algorithms have remained the same. There is to my knowledge > no canonical defense for this hacking method. Best you can do is to prevent > the data base from being copied in the first place. > > As for what to do with the 'culprit', did he abscond with data or commit some > other mischief? Or did he reveal his activity to management as a wake-up > call? The news today is replete with tales of 'ethical hackers'. > Should we lock them up or bestow medals? Motivation is everything. > > . > . > JO.Skip Robinson > Southern California Edison Company > Electric Dragon Team Paddler > SHARE MVS Program Co-Manager > 626-302-7535 Office > 323-715-0595 Mobile > jo.skip.robin...@sce.com > > > > From: mmjuma <mmj...@yahoo.com> > To: IBM-MAIN@LISTSERV.UA.EDU, > Date: 08/17/2013 01:04 AM > Subject: RACF Database protection > Sent by: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> > > > > Hi list > > Some one in our section, he was able to download RACF data base file > SYS1.RACF.PRIM via ftp to PC, then he used some tool. He was able to get > uid and password of some users. He had now access to the file in > mainframe. I want to understand what happend, and how to protect against > such issue. > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
