On Mon, Jan 5, 2015 at 8:57 AM, Tony's Basement Computer <[email protected]> wrote:

> Back years ago I worked at a Top Secret shop. That product wrote a
> console message when a logon attempt had occurred that specified an
> unknown user. Sadly, what was usually seen was a password. It's been
> years since I was in that business so I don't know if that display is a
> configurable option.
>
> Sidebar: I watched the video and I found it dismaying. The presenter spoke
> in a demeaning tone of the traditional terminology with which we are all
> familiar, which I found insulting. I felt he acted proud that *his*
> technology was superior because *his* terms are more "current", thus
> better. I felt he made some assumptions in his presentation that would lead
> the uninitiated to believe that these exposures exist in all cases and in
> all environments. Stipulating that a deficiently configured z/OS-RACF (or
> TS or ACF2) shop could present these opportunities, I feel he should have
> made this disclaimer at the outset. Had he done so I might have taken him
> more seriously.
>

Agreed. What I found interesting was that the vulnerabilities presented all
related to the Unix side and add-ons related to the web world. I think the
only exception to this was the comments related to job submission via FTP.
What I did not see in the presentation (perhaps I missed it) was how to
obtain root (special) access to a z/OS system. All of the things presented
seemed to assume you were dealing with a logon id which already had
considerable capabilities.

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of Charles Mills
> Sent: Monday, January 05, 2015 10:35 AM
> To: [email protected]
> Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?)
>
> > SMF and console messages to record logon/authentication failures.
> > These could be intercepted in real time to alert someone of unusual
> > probing while it is occurring
>
> Yup!
> Come to either of my sessions at SHARE to learn about how to do that
> (albeit with one of several commercial products).
>
> Unfortunately I know of no way to intercept in real time the invalid
> userid at its initial usage and possible "validation" as opposed to when it
> is actually used for a logon with password.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of Joel Ewing
> Sent: Monday, January 05, 2015 8:18 AM
> To: [email protected]
> Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?)
>
> On 01/05/2015 09:35 AM, Paul Gilmartin wrote:
> > On Mon, 5 Jan 2015 07:21:28 -0800, Charles Mills wrote:
> >
> >>> For TSO, you can probe for known user ids, but you will see a lot of
> >>> LOGON and IEA989I messages in the SYSLOG.
> >>
> >> Only if you set a specific SLIP trap for this condition.
> >>
> > In the video cited:
> >
> >> On Jan 2, 2015, at 3:31 PM, Mark Regan wrote:
> >>>
> >>> Black Hat 2013 - Mainframes: The Past Will Come to Haunt You, by a
> >>> Philip Young and it's about an hour long.
> >>>
> >>> http://youtu.be/uL65zWrofvk
> >
> > ... the speaker opined that such probing is less likely to be detected
> > by Security than by Operations as a spike in CPU usage.
> >
> > -- gil
> >
> RACF uses SMF and console messages to record logon/authentication
> failures. These could be intercepted in real time to alert someone of
> unusual probing while it is occurring. We used independent review of daily
> summary reports generated from RACF SMF records to verify that such probing
> had not occurred, just the typical typos and forgotten passwords from
> terminals within the corporation. With our normal system workload, someone
> would have been more likely to notice a flood of unusual console messages
> than see any noticeable impact on CPU.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to [email protected] with the message: INFO IBM-MAIN
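The real-time interception Joel Ewing describes, as an added example that is not part of the thread and not code from IBM or any RACF product: a small Python filter that reads logon-failure console messages, keeps a sliding window per terminal, and raises an alert only when one terminal tries several distinct userids that RACF does not know, which is what enumeration looks like and what a user mistyping a password a few times does not. The SYSLOG lines are constructed for the example; the timestamp prefix and the exact ICH408I wording are an approximation of a real console, so the regex would need adjusting to a site's own SYSLOG layout. Following Tony's observation that the "unknown user" field frequently contains a password, the alert reports counts only and never echoes the unknown userid strings.

```python
"""Flag userid-enumeration probes in RACF logon-failure console messages.

Added example for the IBM-MAIN discussion above; not code from the thread
or from any IBM product. SAMPLE_SYSLOG is constructed: the timestamp prefix
and the ICH408I wording approximate a z/OS console and are not a verbatim
SYSLOG extract, so adapt LINE_RE to the real layout before use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample. Lines 1-2: one defined user mistypes a password twice.
# Line 3: unrelated JES2 traffic the parser must skip. Lines 5-10: one
# terminal walks through guessed userids (the fifth looks like a password
# typed into the userid field) and then hits a defined id. Last line: a
# lone typo of an undefined id, which must not alert on its own.
SAMPLE_SYSLOG = """\
2015-01-05 09:31:02 ICH408I USER(JSMITH  ) GROUP(DEPT42  ) NAME(J SMITH ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00017
2015-01-05 09:31:20 ICH408I USER(JSMITH  ) GROUP(DEPT42  ) NAME(J SMITH ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00017
2015-01-05 09:35:00 $HASP373 PAYROLL  STARTED - INIT 1    - CLASS A - SYS SYS1
2015-01-05 09:32:45 ICH408I USER(MJONES  ) GROUP(DEPT17  ) NAME(M JONES ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00022
2015-01-05 09:40:11 ICH408I USER(ADMIN   ) GROUP(        ) NAME(???     ) LOGON/JOB INITIATION - USER AT TERMINAL TCP00091 NOT RACF-DEFINED
2015-01-05 09:40:13 ICH408I USER(ROOT    ) GROUP(        ) NAME(???     ) LOGON/JOB INITIATION - USER AT TERMINAL TCP00091 NOT RACF-DEFINED
2015-01-05 09:40:14 ICH408I USER(SYSPROG ) GROUP(        ) NAME(???     ) LOGON/JOB INITIATION - USER AT TERMINAL TCP00091 NOT RACF-DEFINED
2015-01-05 09:40:16 ICH408I USER(OPERATOR) GROUP(        ) NAME(???     ) LOGON/JOB INITIATION - USER AT TERMINAL TCP00091 NOT RACF-DEFINED
2015-01-05 09:40:17 ICH408I USER(SECRET99) GROUP(        ) NAME(???     ) LOGON/JOB INITIATION - USER AT TERMINAL TCP00091 NOT RACF-DEFINED
2015-01-05 09:40:19 ICH408I USER(IBMUSER ) GROUP(SYS1    ) NAME(IBM USER) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00091
2015-01-05 10:15:30 ICH408I USER(GUEST   ) GROUP(        ) NAME(???     ) LOGON/JOB INITIATION - USER AT TERMINAL TCP00044 NOT RACF-DEFINED
"""

# Assumed layout: "<timestamp> ICH408I USER(<id>) ... LOGON/JOB INITIATION - <reason>"
# where <reason> names the terminal in either failure wording.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +ICH408I USER\((?P<user>[^)]*)\)"
    r".*?LOGON/JOB INITIATION - (?P<reason>.*TERMINAL (?P<term>\S+).*)$"
)


def parse_syslog(text):
    """Return one event per ICH408I logon-failure line, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other console traffic
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"].strip(),
            "term": m["term"],
            "undefined": "NOT RACF-DEFINED" in m["reason"],
        })
    return events


def detect_probing(events, window_seconds=300, distinct_undefined=4):
    """Alert per terminal that tries >= distinct_undefined unknown userids
    within window_seconds. A defined user who mistypes a password a few
    times never trips this (the "typos and forgotten passwords" case).
    The unknown userid strings are deliberately not returned, because they
    are often passwords typed into the userid field; counts only."""
    recent = defaultdict(deque)  # terminal -> events still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        win = recent[ev["term"]]
        win.append(ev)
        while (ev["ts"] - win[0]["ts"]).total_seconds() > window_seconds:
            win.popleft()
        unknown = {e["user"] for e in win if e["undefined"]}
        if len(unknown) < distinct_undefined:
            continue
        alert = alerts.setdefault(ev["term"], {
            "triggered_at": ev["ts"].isoformat(sep=" "),
            "undefined_ids": 0,
            "failures": 0,
        })
        # keep the peak counts seen while the burst continues
        alert["undefined_ids"] = max(alert["undefined_ids"], len(unknown))
        alert["failures"] = max(alert["failures"], len(win))
    return alerts


if __name__ == "__main__":
    for term, info in detect_probing(parse_syslog(SAMPLE_SYSLOG)).items():
        print(f"possible userid probing from terminal {term}: {info}")
```

Run as-is it reports only TCP00091; the two JSMITH failures and the single GUEST typo stay below the threshold. The same logic runs over the RACF SMF type 80 records Joel mentions for the daily review, with the terminal field taken from the record instead of the message text, and that is where the known-good baseline for thresholds should come from.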
