Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

[Ken Porowski]

And I'll raise you a Bryce Lynch 

-Original Message-
Robert A. Rosenberg

At 18:39 -0500 on 12/01/2010, Don Leahy wrote about Re: OT: In regard to
password cracking Who is Abbie Sciuto :

So could Chloe O'Brien.

I took me a IMDB lookup to find that she was a 24 hacker. I'll take your
Chloe O'Brien and respond with Warehouse 13's Claudia Donovan (who
hacked W13's servers and bypassed all their security plus locating W13's
location and existence in the first place).


On Wed, Dec 1, 2010 at 17:37, Robert A. Rosenberg hal9...@panix.com
wrote:

  At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In 
 regard  to password cracking Who is Abbie Sciuto :


   Of course, it could be cracked by somebody like Abbie Sciuto (and 
 maybe
  the NSA or FBI) in just a few minutes grin.


  Tim McGee also could do it. He is the major hacker on the NCIS team 
 and  often he and Annie collaborate on computer forensic matters. 
 Abbie is
   usually the one to do Brute Force work like the password cracking
however.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

[Robert A. Rosenberg]

At 18:39 -0500 on 12/01/2010, Don Leahy wrote about Re: OT: In regard 
to password cracking Who is Abbie Sciuto :



So could Chloe O'Brien.


I took me a IMDB lookup to find that she was a 24 hacker. I'll take 
your Chloe O'Brien and respond with Warehouse 13's Claudia Donovan 
(who hacked W13's servers and bypassed all their security plus 
locating W13's location and existence in the first place).




On Wed, Dec 1, 2010 at 17:37, Robert A. Rosenberg hal9...@panix.com wrote:


 At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In regard
 to password cracking Who is Abbie Sciuto :


  Of course, it could be cracked by somebody like Abbie Sciuto (and maybe

 the NSA or FBI) in just a few minutes grin.



 Tim McGee also could do it. He is the major hacker on the NCIS team and
 often he and Annie collaborate on computer forensic matters. Abbie is

  usually the one to do Brute Force work like the password cracking however.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Shmuel Metz (Seymour J.)]

In mm5af61vbrcsh8q2936g0d195sbvh16...@4ax.com, on 11/30/2010
   at 11:26 AM, Clark Morris cfmpub...@ns.sympatico.ca said:

Security is not that high a priority in many organizations where the
mantra is get the job done whatever it takes. 

ITYM get part of the job done even if it sabotages another part of the
job.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

[Clark Morris]

On 30 Nov 2010 07:42:00 -0800, in bit.listserv.ibm-main you wrote:

 -Original Message-
 From: IBM Mainframe Discussion List 
 [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
 Sent: Tuesday, November 30, 2010 9:27 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: A New Threat for password hacking
 
 On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:
 
 snip
 
 If you have a product that insists on special characters in passwords,
 this can be a major pain given the variability of code points for many
 of the characters.  Also how many passwords do you have to remember?  
 
 Clark Morris

Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work benefits web 
site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those are the 
ones I use most of the time. I have a USB flash drive which is ext4 formatted 
and uses a GPT partition table which contains an encrypted file which contains 
my other passwords (i.e. just confuses Windows users). And I have a backup of 
that encrypted file at home in a couple of places. Hope I never forget 
__that__ password! Not that I am likely to do so. And it is, for all intents 
and purposes, unguessable by anyone. No, I won't say more on that or why I 
would say it. Of course, it could be cracked by somebody like Abbie Sciuto 
(and maybe the NSA or FBI) in just a few minutes grin.
Who is Abbie Sciuto?

Clark Morris

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: EXTERNAL: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

[Roach, Dennis (N-GHG)]

Clark is obviously not an NCIS fan. Google Abby Sciuto (spelling corrected)

Dennis Roach
GHG Corporation
Lockheed Martin Mission Services
Facilities Design and Operations Contract
Strategic Technical Engineering
NASA/JSC
Address:
   2100 Space Park Drive 
   LM-15-4BH
   Houston, Texas 77058
Mail:
   P.O. Box 58487
   Mail Code H4C
   Houston, Texas 77258-8487
Phone:
   Voice:  (281)336-5027
   Cell:   (713)591-1059
   Fax:(281)336-5410
E-Mail:  dennis.ro...@lmco.com

All opinions expressed by me are mine and may not agree with my employer or any 
person, company, or thing, living or dead, on or near this or any other planet, 
moon, asteroid, or other spatial object, natural or manufactured, since the 
beginning of time.


From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Clark Morris
Sent: Wednesday, December 01, 2010 10:22 AM

 From: IBM Mainframe Discussion List 
 [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
 Sent: Tuesday, November 30, 2010 9:27 AM
Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work benefits web 
site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those are the 
ones I use most of the time. I have a USB flash drive which is ext4 formatted 
and uses a GPT partition table which contains an encrypted file which contains 
my other passwords (i.e. just confuses Windows users). And I have a backup of 
that encrypted file at home in a couple of places. Hope I never forget 
__that__ password! Not that I am likely to do so. And it is, for all intents 
and purposes, unguessable by anyone. No, I won't say more on that or why I 
would say it. Of course, it could be cracked by somebody like Abbie Sciuto 
(and maybe the NSA or FBI) in just a few minutes grin.
Who is Abbie Sciuto?

Clark Morris

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

[August Carideo]

Abigail Abby Sciuto is a fictional character from the NCIS television
series by CBS Television, and is portrayed by Pauley Perrette.



   
 Clark Morris  
 cfmpub...@ns.sym 
 PATICO.CA To 
 Sent by: IBM  IBM-MAIN@bama.ua.edu
 Mainframe  cc 
 Discussion List   
 ibm-m...@bama.ua Subject 
 .edu OT: In regard to password cracking  
   Who is Abbie Sciuto was Re: A New   
   Threat for password hacking 
 12/01/2010 11:22  
 AM
   
   
 Please respond to 
   IBM Mainframe   
  Discussion List  
 ibm-m...@bama.ua 
   .edu   
   
   




On 30 Nov 2010 07:42:00 -0800, in bit.listserv.ibm-main you wrote:

 -Original Message-
 From: IBM Mainframe Discussion List
 [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
 Sent: Tuesday, November 30, 2010 9:27 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: A New Threat for password hacking

 On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:

 snip

 If you have a product that insists on special characters in passwords,
 this can be a major pain given the variability of code points for many
 of the characters.  Also how many passwords do you have to remember?

 Clark Morris

Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work benefits
web site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those
are the ones I use most of the time. I have a USB flash drive which is ext4
formatted and uses a GPT partition table which contains an encrypted file
which contains my other passwords (i.e. just confuses Windows users). And I
have a backup of that encrypted file at home in a couple of places. Hope I
never forget __that__ password! Not that I am likely to do so. And it is,
for all intents and purposes, unguessable by anyone. No, I won't say more
on that or why I would say it. Of course, it could be cracked by somebody
like Abbie Sciuto (and maybe the NSA or FBI) in just a few minutes grin.
Who is Abbie Sciuto?

Clark Morris

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

[McKown, John]

 -Original Message-
 From: IBM Mainframe Discussion List 
 [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
 Sent: Wednesday, December 01, 2010 10:22 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: OT: In regard to password cracking Who is Abbie 
 Sciuto was Re: A New Threat for password hacking
 
 On 30 Nov 2010 07:42:00 -0800, in bit.listserv.ibm-main you wrote:
snip
 Who is Abbie Sciuto?
 
 Clark Morris

Who is Abbie Sciuto???!!!? A character on my favorite U.S. TV series - 
NCIS. She is a forensic scientist. And a bit of a goth, but in a fun way. 
Google will give you more.

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * 
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

[Robert A. Rosenberg]

At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In 
regard to password cracking Who is Abbie Sciuto :


Of course, it could be cracked by somebody like Abbie Sciuto (and 
maybe the NSA or FBI) in just a few minutes grin.


Tim McGee also could do it. He is the major hacker on the NCIS team 
and often he and Annie collaborate on computer forensic matters. 
Abbie is usually the one to do Brute Force work like the password 
cracking however.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

[Don Leahy]

So could Chloe O'Brien.

On Wed, Dec 1, 2010 at 17:37, Robert A. Rosenberg hal9...@panix.com wrote:

 At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In regard
 to password cracking Who is Abbie Sciuto :


  Of course, it could be cracked by somebody like Abbie Sciuto (and maybe
 the NSA or FBI) in just a few minutes grin.


 Tim McGee also could do it. He is the major hacker on the NCIS team and
 often he and Annie collaborate on computer forensic matters. Abbie is
 usually the one to do Brute Force work like the password cracking however.


 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
 Search the archives at http://bama.ua.edu/archives/ibm-main.html


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Shmuel Metz (Seymour J.)]

In a6b9336cdb62bb46b9f8708e686a7ea005d5e05...@nrhmms8p02.uicnrh.dom,
on 11/29/2010
   at 09:57 AM, McKown, John john.mck...@healthmarkets.com said:

Each to his own. I prefer the human touch on password resets. But
I'm an old paranoid grin. In my arrogance, somebody who cannot
remember their RACF password likely can't remember their own name,
either. A passphrase may be more difficult. But 8 stupid characters,
max?

One of the curses of the computer industry is people who believe that
their foo[1] is the only one, and aren't concerned about what happens
when bar has to use both your foo and baz's foo. Eith characters
isn't very much to remember if you only have one password. By the time
you have half a dozen, it becomes an issue.

[1] E.g., dongle, password
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Clark Morris]

On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:

I would tend to agree with ' they violate our standards and are sharing ids'. 
Security is not priority one in some other countries. (At least not OUR 
security).

Security is not that high a priority in many organizations where the
mantra is get the job done whatever it takes.  If the security
department is too restrictive and viewed as being a major roadblock,
the other departments will get creative.

If you have a product that insists on special characters in passwords,
this can be a major pain given the variability of code points for many
of the characters.  Also how many passwords do you have to remember?  

Clark Morris

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
McKown, John
Sent: Monday, November 29, 2010 10:58 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: A New Threat for password hacking

Each to his own. I prefer the human touch on password resets. But I'm an old 
paranoid grin. In my arrogance, somebody who cannot remember their RACF 
password likely can't remember their own name, either. A passphrase may be 
more difficult. But 8 stupid characters, max? Sure, it could be forgotten 
early on. And after a vacation. But we've had literally 8 or 10 password reset 
requests in a row from some of our off-shore users. Personally, I think they 
violate our standards and are sharing ids. But I can't prove it.

John McKown 

Systems Engineer IV

IT

 

Administrative Services Group

 

HealthMarkets(r)

 

9151 Boulevard 26 * N. Richland Hills * TX 76010

(817) 255-3225 phone * 

john.mck...@healthmarkets.com * www.HealthMarkets.com

 

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

 -Original Message-
 From: IBM Mainframe Discussion List
 [mailto:ibm-m...@bama.ua.edu] On Behalf Of Paul Gilmartin
 Sent: Monday, November 29, 2010 9:44 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: A New Threat for password hacking
 
 On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:
 
 What gets me on this is that, in the recent past, some people at work 
 were wanting an automatic resume of any RACF id which got too many 
 password violations after some interval - like 10 minutes. So try n
 times, wait m minutes, rinse and repeat. Luckily this was killed.
 
 The proposal isn't totally unreasonable in that it multiplies the time 
 required for a brute force attack by a few orders of magnitude.
 I knew a product which imposed an escalating lockout time before retry 
 for each unsuccessful attempt.
 
 -- gil
 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[McKown, John]

 -Original Message-
 From: IBM Mainframe Discussion List 
 [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
 Sent: Tuesday, November 30, 2010 9:27 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: A New Threat for password hacking
 
 On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:
 
 I would tend to agree with ' they violate our standards and 
 are sharing ids'. Security is not priority one in some other 
 countries. (At least not OUR security).
 
 Security is not that high a priority in many organizations where the
 mantra is get the job done whatever it takes.  If the security
 department is too restrictive and viewed as being a major roadblock,
 the other departments will get creative.
 
 If you have a product that insists on special characters in passwords,
 this can be a major pain given the variability of code points for many
 of the characters.  Also how many passwords do you have to remember?  
 
 Clark Morris

Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work benefits web 
site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those are the 
ones I use most of the time. I have a USB flash drive which is ext4 formatted 
and uses a GPT partition table which contains an encrypted file which contains 
my other passwords (i.e. just confuses Windows users). And I have a backup of 
that encrypted file at home in a couple of places. Hope I never forget __that__ 
password! Not that I am likely to do so. And it is, for all intents and 
purposes, unguessable by anyone. No, I won't say more on that or why I would 
say it. Of course, it could be cracked by somebody like Abbie Sciuto (and maybe 
the NSA or FBI) in just a few minutes grin.

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * 
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Ed Gould]

--- On Mon, 11/29/10, McKown, John john.mck...@healthmarkets.com wrote:

From: McKown, John john.mck...@healthmarkets.com
Subject: Re: A New Threat for password hacking
To: IBM-MAIN@bama.ua.edu
Date: Monday, November 29, 2010, 9:57 AM

Each to his own. I prefer the human touch on password resets. But I'm an old 
paranoid grin. In my arrogance, somebody who cannot remember their RACF 
password likely can't remember their own name, either. A passphrase may be more 
difficult. But 8 stupid characters, max? Sure, it could be forgotten early on. 
And after a vacation. But we've had literally 8 or 10 password reset requests 
in a row from some of our off-shore users. Personally, I think they violate our 
standards and are sharing ids. But I can't prove it.

John McKown 

Systems Engineer IV

IT

 

Administrative Services Group

 

HealthMarkets(r)

 

9151 Boulevard 26 * N. Richland Hills * TX 76010

(817) 255-3225 phone * 

john.mck...@healthmarkets.com * www.HealthMarkets.com


John:A couple of sites I use on the internet now use phrase checking. What I 
have found is that they are inconsistant in checking the response which makes 
it really confusing. Example: Birth City:Some sites insist on capital letters 
eg New Yorkwhile some sites do not care if one types: new york I do not know if 
it is on purpose that it matters or what.I certianly hope IBM does not care.
Ed





--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Brian Westerman]

It's kind of difficult to use a brute force attack when RACF revokes the ID
after a site specified number of attempts.  Assuming the site doesn't allow
1 or 2 character passwords (you don't do you), even if the site were to
allow 100 attempts, it's statistically a REALLY long shot to guess the
password.  I would imagine that most sites have 3 or 4 as the number of
attempts, making the probability for success of a brute force attack too
remote to consider as they wouldn't even get out of the single character
attempts.  

Brian

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Binyamin Dissen]

On Mon, 29 Nov 2010 04:39:54 -0600 Brian Westerman
brian_wester...@syzygyinc.com wrote:

:It's kind of difficult to use a brute force attack when RACF revokes the ID
:after a site specified number of attempts.  Assuming the site doesn't allow
:1 or 2 character passwords (you don't do you), even if the site were to
:allow 100 attempts, it's statistically a REALLY long shot to guess the
:password.  I would imagine that most sites have 3 or 4 as the number of
:attempts, making the probability for success of a brute force attack too
:remote to consider as they wouldn't even get out of the single character
:attempts.  

If you have the offload, you can make as many attempts as you wish.

--
Binyamin Dissen bdis...@dissensoftware.com
http://www.dissensoftware.com

Director, Dissen Software, Bar  Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Robert S. Hansel (RSH)]

John,

I believe RACF only uses single DES, not Triple DES.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-
2011 RACF Training
 Intro  Basic Admin - WebEx  - JAN 24-28
 Securing z/OS Unix  - WebEx  - FEB 8-10
 Audit for Results   - Boston - APR 12-14
 Intro  Basic Admin - Boston - MAY 10-12
Visit our website for registration  details
-

-Original Message-
Date:Sun, 28 Nov 2010 19:37:37 -0600
From:John McKown joa...@swbell.net
Subject: Re: A New Threat for password hacking

RACF password encryption is explained here:

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza290/3.3.1

It uses Triple DES where the password is a key to encrypt the userid,
which encrypted value is then stored in the DB. So two different users
with the same password would have two different encrypted values. It
also states it is a one way encryption. There is no way to back out.
To crack a password would require having the unencrypted RACF id, the
encrypted stored value, and the exact algorithm. Now, I'm not a
cryptographer, but I don't think you can use that information to
recreate a valid password easily. So you're more likely to try a brute
force dictionary attack. Again, using an NSA quality supercomputer, I
have no idea how long this would take. I think I'd just play the lotto
and win sooner. But that is my ignorance speaking.

On Sun, 2010-11-28 at 19:15 -0600, Paul Gilmartin wrote:
 On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote:

 Easy to say do not share your RACF db; harder in reality. Most sites
 believe they are safe because their RACF db is security protected and the
 dasd is not shared. And then completely forget that backups (to physical
or
 virtual tape) contain the exact same information. And quite often the DSN
 used for the backup tapes is some type of dasd-manager HLQ, since it was
 most likely a full-volume backup that happen'ed to contain the RACF db.
And
 even if the HLQ for the full-volume backups is read-protected; it is
still
 far easier to hack a tape dataset. Often, tape libraries (physical and
 virtual) are shared with less-secure test machines and quite often even
with
 non z/OS systems. Granted, you will need the physical layout of the RACF
db;
 but not the entire layout. Just enough to identify where the passphrases
are
 maintained.
 
 Aren't the passwords encrypted?  But how strong is the encryption?

 It would be peculiarly pointless to store fewer bits of the encrypted
 password than are used in the encrypting key.

 -- gil

 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
 Search the archives at http://bama.ua.edu/archives/ibm-main.html
--
John McKown
Maranatha! 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[John McKown]

On Mon, 2010-11-29 at 04:39 -0600, Brian Westerman wrote:
 It's kind of difficult to use a brute force attack when RACF revokes the ID
 after a site specified number of attempts.  Assuming the site doesn't allow
 1 or 2 character passwords (you don't do you), even if the site were to
 allow 100 attempts, it's statistically a REALLY long shot to guess the
 password.  I would imagine that most sites have 3 or 4 as the number of
 attempts, making the probability for success of a brute force attack too
 remote to consider as they wouldn't even get out of the single character
 attempts.  
 
 Brian
 

I was thinking more of an off-line attack by having captured some sort
of dump of the database. 

What gets me on this is that, in the recent past, some people at work
were wanting an automatic resume of any RACF id which got too many
password violations after some interval - like 10 minutes. So try n
times, wait m minutes, rinse and repeat. Luckily this was killed. They
also want a Web like interface so that a person could reset their own
password via their browser. Luckily, we were able to kill most of this
stuff with HIPAA requirements. And the dangling of multi-million dollar
penalities should this be used to crack our system.

-- 
John McKown
Maranatha! 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Chase, John]

 -Original Message-
 From: IBM Mainframe Discussion List On Behalf Of Binyamin Dissen
 
 On Mon, 29 Nov 2010 04:39:54 -0600 Brian Westerman
 brian_wester...@syzygyinc.com wrote:
 
 :It's kind of difficult to use a brute force attack when RACF revokes
the ID
 :after a site specified number of attempts.  Assuming the site
doesn't allow
 :1 or 2 character passwords (you don't do you), even if the site were
to
 :allow 100 attempts, it's statistically a REALLY long shot to guess
the
 :password.  I would imagine that most sites have 3 or 4 as the number
of
 :attempts, making the probability for success of a brute force attack
too
 :remote to consider as they wouldn't even get out of the single
character
 :attempts.
 
 If you have the offload, you can make as many attempts as you wish.

But the offload (did you mean unload, as produced by IRRDBU00?)
doesn't contain the password

If you meant backup, then your point is valid.

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[McKown, John]

Could well be. I vaguely remember something about Triple DES somewhere. But my 
mind is a bit loose right now on meds.

John McKown 

Systems Engineer IV

IT

 

Administrative Services Group

 

HealthMarkets(r)

 

9151 Boulevard 26 * N. Richland Hills * TX 76010

(817) 255-3225 phone * 

john.mck...@healthmarkets.com * www.HealthMarkets.com

 

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

 -Original Message-
 From: IBM Mainframe Discussion List 
 [mailto:ibm-m...@bama.ua.edu] On Behalf Of Robert S. Hansel (RSH)
 Sent: Monday, November 29, 2010 5:25 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: A New Threat for password hacking
 
 John,
 
 I believe RACF only uses single DES, not Triple DES.
 
 Regards, Bob
 
 Robert S. Hansel
 Lead RACF Specialist
 RSH Consulting, Inc.
 617-969-8211
 www.linkedin.com/in/roberthansel
 www.rshconsulting.com
 
 -
 2011 RACF Training
  Intro  Basic Admin - WebEx  - JAN 24-28
  Securing z/OS Unix  - WebEx  - FEB 8-10
  Audit for Results   - Boston - APR 12-14
  Intro  Basic Admin - Boston - MAY 10-12
 Visit our website for registration  details
 -
 
 -Original Message-
 Date:Sun, 28 Nov 2010 19:37:37 -0600
 From:John McKown joa...@swbell.net
 Subject: Re: A New Threat for password hacking
 
 RACF password encryption is explained here:
 
 http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ich
 za290/3.3.1
 
 It uses Triple DES where the password is a key to encrypt the userid,
 which encrypted value is then stored in the DB. So two different users
 with the same password would have two different encrypted values. It
 also states it is a one way encryption. There is no way to 
 back out.
 To crack a password would require having the unencrypted RACF id, the
 encrypted stored value, and the exact algorithm. Now, I'm not a
 cryptographer, but I don't think you can use that information to
 recreate a valid password easily. So you're more likely to try a brute
 force dictionary attack. Again, using an NSA quality supercomputer, I
 have no idea how long this would take. I think I'd just play the lotto
 and win sooner. But that is my ignorance speaking.
 
 On Sun, 2010-11-28 at 19:15 -0600, Paul Gilmartin wrote:
  On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote:
 
  Easy to say do not share your RACF db; harder in 
 reality. Most sites
  believe they are safe because their RACF db is security 
 protected and the
  dasd is not shared. And then completely forget that 
 backups (to physical
 or
  virtual tape) contain the exact same information. And 
 quite often the DSN
  used for the backup tapes is some type of dasd-manager 
 HLQ, since it was
  most likely a full-volume backup that happen'ed to contain 
 the RACF db.
 And
  even if the HLQ for the full-volume backups is 
 read-protected; it is
 still
  far easier to hack a tape dataset. Often, tape libraries 
 (physical and
  virtual) are shared with less-secure test machines and 
 quite often even
 with
  non z/OS systems. Granted, you will need the physical 
 layout of the RACF
 db;
  but not the entire layout. Just enough to identify where 
 the passphrases
 are
  maintained.
  
  Aren't the passwords encrypted?  But how strong is the encryption?
 
  It would be peculiarly pointless to store fewer bits of the 
 encrypted
  password than are used in the encrypting key.
 
  -- gil
 
  
 --
  For IBM-MAIN subscribe / signoff / archive access instructions,
  send email to lists...@bama.ua.edu with the message: GET 
 IBM-MAIN INFO
  Search the archives at http://bama.ua.edu/archives/ibm-main.html
 --
 John McKown
 Maranatha! 
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
 Search the archives at http://bama.ua.edu/archives/ibm-main.html
 
 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[McKown, John]

Correct. I meant FDR or DFDSS or even IRRUTnnn unload. Not IRRDBU00.

John McKown 

Systems Engineer IV

IT

 

Administrative Services Group

 

HealthMarkets(r)

 

9151 Boulevard 26 * N. Richland Hills * TX 76010

(817) 255-3225 phone * 

john.mck...@healthmarkets.com * www.HealthMarkets.com

 

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

 -Original Message-
 From: IBM Mainframe Discussion List 
 [mailto:ibm-m...@bama.ua.edu] On Behalf Of Chase, John
 Sent: Monday, November 29, 2010 6:54 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: A New Threat for password hacking
 
  -Original Message-
  From: IBM Mainframe Discussion List On Behalf Of Binyamin Dissen
  
  On Mon, 29 Nov 2010 04:39:54 -0600 Brian Westerman
  brian_wester...@syzygyinc.com wrote:
  
  :It's kind of difficult to use a brute force attack when 
 RACF revokes
 the ID
  :after a site specified number of attempts.  Assuming the site
 doesn't allow
  :1 or 2 character passwords (you don't do you), even if 
 the site were
 to
  :allow 100 attempts, it's statistically a REALLY long shot to guess
 the
  :password.  I would imagine that most sites have 3 or 4 as 
 the number
 of
  :attempts, making the probability for success of a brute 
 force attack
 too
  :remote to consider as they wouldn't even get out of the single
 character
  :attempts.
  
  If you have the offload, you can make as many attempts as you wish.
 
 But the offload (did you mean unload, as produced by IRRDBU00?)
 doesn't contain the password
 
 If you meant backup, then your point is valid.
 
 -jc-
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
 Search the archives at http://bama.ua.edu/archives/ibm-main.html
 
 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Paul Gilmartin]

On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:

What gets me on this is that, in the recent past, some people at work
were wanting an automatic resume of any RACF id which got too many
password violations after some interval - like 10 minutes. So try n
times, wait m minutes, rinse and repeat. Luckily this was killed.

The proposal isn't totally unreasonable in that it multiplies the
time required for a brute force attack by a few orders of magnitude.
I knew a product which imposed an escalating lockout time before
retry for each unsuccessful attempt.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[McKown, John]

Each to his own. I prefer the human touch on password resets. But I'm an old 
paranoid grin. In my arrogance, somebody who cannot remember their RACF 
password likely can't remember their own name, either. A passphrase may be more 
difficult. But 8 stupid characters, max? Sure, it could be forgotten early on. 
And after a vacation. But we've had literally 8 or 10 password reset requests 
in a row from some of our off-shore users. Personally, I think they violate our 
standards and are sharing ids. But I can't prove it.

John McKown 

Systems Engineer IV

IT

 

Administrative Services Group

 

HealthMarkets(r)

 

9151 Boulevard 26 * N. Richland Hills * TX 76010

(817) 255-3225 phone * 

john.mck...@healthmarkets.com * www.HealthMarkets.com

 

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

 -Original Message-
 From: IBM Mainframe Discussion List 
 [mailto:ibm-m...@bama.ua.edu] On Behalf Of Paul Gilmartin
 Sent: Monday, November 29, 2010 9:44 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: A New Threat for password hacking
 
 On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:
 
 What gets me on this is that, in the recent past, some people at work
 were wanting an automatic resume of any RACF id which got too many
 password violations after some interval - like 10 minutes. So try n
 times, wait m minutes, rinse and repeat. Luckily this was killed.
 
 The proposal isn't totally unreasonable in that it multiplies the
 time required for a brute force attack by a few orders of magnitude.
 I knew a product which imposed an escalating lockout time before
 retry for each unsuccessful attempt.
 
 -- gil
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
 Search the archives at http://bama.ua.edu/archives/ibm-main.html
 
 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Veilleux, Jon L]

I would tend to agree with ' they violate our standards and are sharing ids'. 
Security is not priority one in some other countries. (At least not OUR 
security).

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
McKown, John
Sent: Monday, November 29, 2010 10:58 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: A New Threat for password hacking

Each to his own. I prefer the human touch on password resets. But I'm an old 
paranoid grin. In my arrogance, somebody who cannot remember their RACF 
password likely can't remember their own name, either. A passphrase may be more 
difficult. But 8 stupid characters, max? Sure, it could be forgotten early on. 
And after a vacation. But we've had literally 8 or 10 password reset requests 
in a row from some of our off-shore users. Personally, I think they violate our 
standards and are sharing ids. But I can't prove it.

John McKown 

Systems Engineer IV

IT

 

Administrative Services Group

 

HealthMarkets(r)

 

9151 Boulevard 26 * N. Richland Hills * TX 76010

(817) 255-3225 phone * 

john.mck...@healthmarkets.com * www.HealthMarkets.com

 

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

 -Original Message-
 From: IBM Mainframe Discussion List
 [mailto:ibm-m...@bama.ua.edu] On Behalf Of Paul Gilmartin
 Sent: Monday, November 29, 2010 9:44 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: A New Threat for password hacking
 
 On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:
 
 What gets me on this is that, in the recent past, some people at work 
 were wanting an automatic resume of any RACF id which got too many 
 password violations after some interval - like 10 minutes. So try n
 times, wait m minutes, rinse and repeat. Luckily this was killed.
 
 The proposal isn't totally unreasonable in that it multiplies the time 
 required for a brute force attack by a few orders of magnitude.
 I knew a product which imposed an escalating lockout time before retry 
 for each unsuccessful attempt.
 
 -- gil
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions, send 
 email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO 
 Search the archives at http://bama.ua.edu/archives/ibm-main.html
 
 

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at 
http://bama.ua.edu/archives/ibm-main.html
This e-mail may contain confidential or privileged information. If
you think you have received this e-mail in error, please advise the
sender by reply e-mail and then delete this e-mail immediately.
Thank you. Aetna   

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[R.S.]

W dniu 2010-11-29 16:43, Paul Gilmartin pisze:

On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:


What gets me on this is that, in the recent past, some people at work
were wanting an automatic resume of any RACF id which got too many
password violations after some interval - like 10 minutes. So try n
times, wait m minutes, rinse and repeat. Luckily this was killed.


The proposal isn't totally unreasonable in that it multiplies the
time required for a brute force attack by a few orders of magnitude.
I knew a product which imposed an escalating lockout time before
retry for each unsuccessful attempt.


The proposal is *very* reasonable. Such functionality could be very 
convenient and it's NOT security breach. Note: YOU CAN SWITCH IT OFF!
A choice is good. For those who do not accept such solution the 
functionality would be disabled. For others that means saved FTE's. IMHO 
it's better (safer) that self service password reset.


Would I switch it on? I wouldn't decide, IT'S NOT MY DOG. ;-)
My dog is to abide by (observe) the rules.

--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sąd Rejonowy dla m. st. Warszawy 
XII Wydział Gospodarczy Krajowego Rejestru Sądowego, 
nr rejestru przedsiębiorców KRS 025237

NIP: 526-021-50-88
Według stanu na dzień 16.07.2010 r. kapitał zakładowy BRE Banku SA (w całości wpłacony) wynosi 168.248.328 złotych. 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Ted MacNEIL]

IMHO it's better (safer) that self service password reset.

A full service reset could be costly.
I was once a customer of a service provider that charged us for each reset.
Each year we paid them twice as much as the cost of a self-service solution.

And, we're not talking about one of the cheap ones.
We're talking about a redundant server with connections to windows, z, *nix, 
including LINUX, active directory, and things we didn't have.

They can be very secure.
We had 3-question challenge response, full profiling of users -- the works.

-
Ted MacNEIL
eamacn...@yahoo.ca

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Russell Witt]

Easy to say do not share your RACF db; harder in reality. Most sites
believe they are safe because their RACF db is security protected and the
dasd is not shared. And then completely forget that backups (to physical or
virtual tape) contain the exact same information. And quite often the DSN
used for the backup tapes is some type of dasd-manager HLQ, since it was
most likely a full-volume backup that happen'ed to contain the RACF db. And
even if the HLQ for the full-volume backups is read-protected; it is still
far easier to hack a tape dataset. Often, tape libraries (physical and
virtual) are shared with less-secure test machines and quite often even with
non z/OS systems. Granted, you will need the physical layout of the RACF db;
but not the entire layout. Just enough to identify where the passphrases are
maintained.

The number of sites that forget about tape security is scary. And
unprotected tape (both physical and virtual) allows anyone in the
organization to read a backup of almost any file in the data center.

Russell Witt
my own 2-cents worth

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu]on
Behalf Of R.S.
Sent: Sunday, November 28, 2010 1:52 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: A New Threat for password hacking


Ed Gould pisze:
 http://preview.tinyurl.com/2djttta
 Hacker Cracks Secure Hashing Algorithm Using Amazon CloudUsing EC2's
cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1
passwords in under an hour; other experts aren't concerned.

Fortunately mainframe has no GPU vbg
more seriously:
1. Passwords in RACF db are stored using DES, not SHA (actually the
password is the key used to encrypt the userid).
2. It's wide known that SHA1 is not enough strong.
3. The best idea is not to share RACF db with potential hackers. No db
means nothing to crack, doesn't matter neither algorithm, nor CPU power
available for cracking.

--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego,
nr rejestru przedsibiorców KRS 025237
NIP: 526-021-50-88
Wedug stanu na dzie 16.07.2010 r. kapita zakadowy BRE Banku SA (w
caoci wpacony) wynosi 168.248.328 zotych.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[Paul Gilmartin]

On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote:

Easy to say do not share your RACF db; harder in reality. Most sites
believe they are safe because their RACF db is security protected and the
dasd is not shared. And then completely forget that backups (to physical or
virtual tape) contain the exact same information. And quite often the DSN
used for the backup tapes is some type of dasd-manager HLQ, since it was
most likely a full-volume backup that happen'ed to contain the RACF db. And
even if the HLQ for the full-volume backups is read-protected; it is still
far easier to hack a tape dataset. Often, tape libraries (physical and
virtual) are shared with less-secure test machines and quite often even with
non z/OS systems. Granted, you will need the physical layout of the RACF db;
but not the entire layout. Just enough to identify where the passphrases are
maintained.

Aren't the passwords encrypted?  But how strong is the encryption?

It would be peculiarly pointless to store fewer bits of the encrypted
password than are used in the encrypting key.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[John McKown]

RACF password encryption is explained here:

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza290/3.3.1

It uses Triple DES where the password is a key to encrypt the userid,
which encrypted value is then stored in the DB. So two different users
with the same password would have two different encrypted values. It
also states it is a one way encryption. There is no way to back out.
To crack a password would require having the unencrypted RACF id, the
encrypted stored value, and the exact algorithm. Now, I'm not a
cryptographer, but I don't think you can use that information to
recreate a valid password easily. So you're more likely to try a brute
force dictionary attack. Again, using an NSA quality supercomputer, I
have no idea how long this would take. I think I'd just play the lotto
and win sooner. But that is my ignorance speaking. 

On Sun, 2010-11-28 at 19:15 -0600, Paul Gilmartin wrote:
 On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote:
 
 Easy to say do not share your RACF db; harder in reality. Most sites
 believe they are safe because their RACF db is security protected and the
 dasd is not shared. And then completely forget that backups (to physical or
 virtual tape) contain the exact same information. And quite often the DSN
 used for the backup tapes is some type of dasd-manager HLQ, since it was
 most likely a full-volume backup that happen'ed to contain the RACF db. And
 even if the HLQ for the full-volume backups is read-protected; it is still
 far easier to hack a tape dataset. Often, tape libraries (physical and
 virtual) are shared with less-secure test machines and quite often even with
 non z/OS systems. Granted, you will need the physical layout of the RACF db;
 but not the entire layout. Just enough to identify where the passphrases are
 maintained.
 
 Aren't the passwords encrypted?  But how strong is the encryption?
 
 It would be peculiarly pointless to store fewer bits of the encrypted
 password than are used in the encrypting key.
 
 -- gil
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
 Search the archives at http://bama.ua.edu/archives/ibm-main.html
-- 
John McKown
Maranatha! 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

A New Threat for password hacking

[Ed Gould]

http://preview.tinyurl.com/2djttta
Hacker Cracks Secure Hashing Algorithm Using Amazon CloudUsing EC2's cluster 
GPU power, security researcher spent only $2.10 to decrypt 14 SHA1 passwords in 
under an hour; other experts aren't concerned. 




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: A New Threat for password hacking

[R.S.]

Ed Gould pisze:

http://preview.tinyurl.com/2djttta
Hacker Cracks Secure Hashing Algorithm Using Amazon CloudUsing EC2's cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1 passwords in under an hour; other experts aren't concerned. 


Fortunately mainframe has no GPU vbg
more seriously:
1. Passwords in RACF db are stored using DES, not SHA (actually the 
password is the key used to encrypt the userid).

2. It's wide known that SHA1 is not enough strong.
3. The best idea is not to share RACF db with potential hackers. No db 
means nothing to crack, doesn't matter neither algorithm, nor CPU power 
available for cracking.


--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 16.07.2010 r. kapita zakadowy BRE Banku SA (w caoci wpacony) wynosi 168.248.328 zotych. 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html