Re: Bad Auditor Requests (Was Re: Hardware Alerts)

2008-05-27 Thread Gabe Goldberg
Long ago I was brought in to help the consulting company where I worked audit a government agency's VM system. The agency was running multiple levels of classified work under VM, claiming it was secure. The folks doing the security audit wanted to talk about all sorts of technical penetrations

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-24 Thread Chris Hoelscher
this is no joke - we had a govt-approved audit program that attempted to check for 'user-id as password' by attempting to login as that user with his/her userid as password (and noting where the login was successful) - reasonable - right? - WELL - someone decided to run this program twice in the

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-23 Thread Rick Fochtman
snip- I still don't see how anyone can hack a userid and password and log on to a RACF protected system. If you have security set up correctly, you only get 3 tries or so, and then the ID is revoked. ---unsnip- You would be

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-23 Thread Rick Fochtman
--snip There is no easy way to counter such a one and done approach - unless you either improve your database's physical security (don't let it get into the wrong hands) or also require the cracker to physically possess something presumably uniquely

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-23 Thread Ivan Warren
Rick Fochtman wrote: snip- I still don't see how anyone can hack a userid and password and log on to a RACF protected system. If you have security set up correctly, you only get 3 tries or so, and then the ID is revoked.

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-23 Thread Rick Fochtman
-snip-- Let me ask this question - although this is not directly related to RACF - but to any access control system that locks out people upon failed access attempts.. Isn't locking out or revoking someone because of unsuccessful access attempts a

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-23 Thread Ivan Warren
Rick Fochtman wrote: ---unsnip The scenario you describe is quite possible. In shops where I've worked, getting caught doing something like that would result in a speedy promotion: to the street. And DON'T ASK FOR REFERENCES! I know... But we are talking

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-23 Thread Rick Fochtman
---snip- The scenario you describe is quite possible. In shops where I've worked, getting caught doing something like that would result in a speedy promotion: to the street. And DON'T ASK FOR REFERENCES! I know... But we are talking security issues here.

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-23 Thread Rick Fochtman
--snip-- Well.. I know (or at least it, so it appears - since I don't *KNOW* you) you are indeed a thoughtful security officer.. (And.. err.. started tasks bypassing authentication is definitely a solution - yet - doesn't it give people with access to the

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-23 Thread Paul Gilmartin
On Thu, 22 May 2008 10:06:33 -0500, Bass, Walter W [EMAIL PROTECTED] wrote: I recall the password encryption algorithm for IDMS back in the late 80's worked by repeatedly multiplying and then discarding the upper byte of the result. We actually duplicated this logic in COBOL so that we could

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Dave Cartwright
On Wed, 21 May 2008 12:19:16 -0500, Chase, John [EMAIL PROTECTED] wrote: You could also have said (truthfully) that RACF doesn't store passwords. As documented in the SecAdmin Guide, RACF uses the tendered password as a key to one-way encrypt the userID, and stores the encrypted userID. Thus,

Re: Hardware Alerts

2008-05-22 Thread Gary Eheman
On Wed, 21 May 2008 09:01:04 -0500, Hal Merritt [EMAIL PROTECTED] wrote: If possible, I would be using the phone system PBX for this. Find out the numbers that the IBM equipment is dialing, and then have the PBX handle the rest. Send emails or call someone telling them that the evil piece of IBM

Re: Hardware Alerts

2008-05-22 Thread Hal Merritt
:[EMAIL PROTECTED] On Behalf Of Gary Eheman Sent: Thursday, May 22, 2008 9:24 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: Hardware Alerts On Wed, 21 May 2008 09:01:04 -0500, Hal Merritt [EMAIL PROTECTED] wrote: If possible, I would be using the phone system PBX for this. Find out the numbers that the IBM

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Bass, Walter W
Subject: Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts) On Wed, 21 May 2008 12:19:16 -0500, Chase, John [EMAIL PROTECTED] wrote: You could also have said (truthfully) that RACF doesn't store passwords. As documented in the SecAdmin Guide, RACF uses the tendered password

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Rick Fochtman
--snip--- I'm now wondering if this is an urban myth. At the GSE LSWG meeting last Tuesday Ray Evans the IBM UK Penetration Testing Manager claimed several times to be able to recover passwords from a copy of the RACF database. I have a recording of the

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Walt Farrell
On Thu, 22 May 2008 09:17:34 -0500, Dave Cartwright [EMAIL PROTECTED] wrote: On Wed, 21 May 2008 12:19:16 -0500, Chase, John [EMAIL PROTECTED] wrote: You could also have said (truthfully) that RACF doesn't store passwords. As documented in the SecAdmin Guide, RACF uses the tendered password as

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Doc Farmer
Heck, Nigel Pentland has two utilities that look for weak passwords (DOS- based) that I've used for quite some time to ensure a client is using strong passwords - CRACF and WEAKWORD. One just checks the USERID or DFLTGRP name, and the other uses a dictionary list. WEAKWORD (the dictionary

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Walt Farrell
On Thu, 22 May 2008 11:46:18 -0500, Walt Farrell [EMAIL PROTECTED] wrote: On Thu, 22 May 2008 09:17:34 -0500, Dave Cartwright [EMAIL PROTECTED] wrote: ...snipped... I'm now wondering if this is an urban myth. At the GSE LSWG meeting last Tuesday Ray Evans the IBM UK Penetration Testing Manager

Re: Hardware Alerts

2008-05-22 Thread Tony Harminc
2008/5/22 Gary Eheman [EMAIL PROTECTED]: If possible, I would be using the phone system PBX for this. Find out the numbers that the IBM equipment is dialing, and then have the PBX handle the rest. Send emails or call someone telling them that the evil piece of IBM equipment is phoning that

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Eric Bielefeld
I still don't see how anyone can hack a userid and password and log on to a RACF protected system. If you have security set up correctly, you only get 3 tries or so, and then the ID is revoked. Eric Doc Farmer [EMAIL PROTECTED] wrote: Heck, Nigel Pentland has two utilities that look

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Tom Schmidt
On Thu, 22 May 2008 14:23:53 -0500, Eric Bielefeld wrote: I still don't see how anyone can hack a userid and password and log on to a RACF protected system. If you have security set up correctly, you only get 3 tries or so, and then the ID is revoked. If you have been successful in

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Ted MacNEIL
Ray Evans the IBM UK Penetration Testing Manager claimed several times to be able to recover passwords from a copy of the RACF database. I have a recording of the presentation. I hope this doesn't get him into trouble as it was a very good presentation. Look after your RACF D/B - security

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Ted MacNEIL
I still don't see how anyone can hack a userid and password and log on to a RACF protected system. If you have security set up correctly, you only get 3 tries or so, and then the ID is revoked. Brute force against a copy of the RACF D/B. Solution: protect the D/B and all copies. As for the 3

Hardware Alerts

2008-05-21 Thread Hal Merritt
Our auditors are asking us if there is any way we can receive automatic email alerts when the gear phones home. I am aware of some email features on devices such as the DS8100, but we don't currently allow any external exposure to those devices. Does anyone know if there is some way IBM could

Re: Hardware Alerts

2008-05-21 Thread Daniel McLaughlin
Subject Hardware Alerts -- Information from the mail header --- Sender: IBM Mainframe Discussion List IBM-MAIN@BAMA.UA.EDU Poster: Hal Merritt [EMAIL PROTECTED] Subject: Hardware Alerts

Re: Hardware Alerts

2008-05-21 Thread McKown, John
-Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt Sent: Wednesday, May 21, 2008 9:01 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Hardware Alerts Our auditors are asking us if there is any way we can receive automatic email

Re: Hardware Alerts

2008-05-21 Thread McKown, John
-Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Daniel McLaughlin Sent: Wednesday, May 21, 2008 9:12 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: Hardware Alerts Of what value is that to an auditor? Daniel McLaughlin Who knows

Re: Hardware Alerts

2008-05-21 Thread Daniel McLaughlin
Mainframe Discussion List IBM-MAIN@BAMA.UA.EDU 05/21/2008 10:19 AM Please respond to IBM Mainframe Discussion List IBM-MAIN@BAMA.UA.EDU To IBM-MAIN@BAMA.UA.EDU cc Subject Re: Hardware Alerts -- Information from the mail header

Re: Hardware Alerts

2008-05-21 Thread Hal Merritt
coming. -Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Daniel McLaughlin Sent: Wednesday, May 21, 2008 9:12 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: Hardware Alerts Of what value is that to an auditor? Daniel McLaughlin Z-Series Systems

Bad Auditor Requests (Was Re: Hardware Alerts)

2008-05-21 Thread Thomas Kern
My favorite was an auditor that wanted a printout of our /etc/passwd. This was a VM/SP system. When we stopped laughing at him and told him we didn't have such security holes, he went away. /Tom Kern On Wed, 21 May 2008 10:32:27 -0400, Daniel McLaughlin [EMAIL PROTECTED] wrote: One of my

Re: Bad Auditor Requests (Was Re: Hardware Alerts)

2008-05-21 Thread McKown, John
-Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Kern Sent: Wednesday, May 21, 2008 10:52 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Bad Auditor Requests (Was Re: Hardware Alerts) My favorite was an auditor that wanted a printout

Re: Bad Auditor Requests (Was Re: Hardware Alerts)

2008-05-21 Thread Thomas Kern
Our instructions were to give them EXACTLY what they ask for or nothing. If he had asked in a more general way for a listing of user definitions, I would have prepared a sanitized USER DIRECT, but he was explicit and insistent on getting /etc/passwd. That was what was on his unix checklist. /Tom

Re: Hardware Alerts

2008-05-21 Thread Rick Fochtman
---snip--- One of my favorite requests was for a vendor doing a conversion. He wanted all the passwords for user accounts in RACF. After being told three times that it was encrypted and not obtainable he went away muttering.

Stupid requests (was:RE: Hardware Alerts)

2008-05-21 Thread McKown, John
-Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Rick Fochtman Sent: Wednesday, May 21, 2008 11:11 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: Hardware Alerts ---snip--- One of my favorite

Re: Hardware Alerts

2008-05-21 Thread Daniel McLaughlin
I do like the idea of the alert when there is a failure. Our carbon based life form interactive units tend to miss these things and call when it's too late. Case in point - POR and IPL this past weekend. Operator IPL'd three times, and who knows why, before calling for help at 4:30 AM. I also

Re: Hardware Alerts

2008-05-21 Thread Patrick O'Keefe
On Wed, 21 May 2008 10:11:54 -0400, Daniel McLaughlin [EMAIL PROTECTED] wrote: Of what value is that to an auditor? ... Our auditors are asking us if there is any way we can receive automatic email alerts when the gear phones home. ... I suspect hearing about the phone home capability raises

Re: Hardware Alerts

2008-05-21 Thread Ted MacNEIL
Of what value is that to an auditor? Who knows? It is likely on some check list somewhere. Many auditors, the poor kind, love those don't-have-to-think-about-it check lists! I disagree. Auditors do not set standards, nor do they enforce them. Subject Matter Experts (SMEs) set standards