Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Paul Gilmartin
passwords (in our situation)? And here we have a cultural divide. Open systems folks are quite sensitive to the possibility of enumerating user IDs; less sensitive to exhaustive password search, and feel that revoking a user's ID upon detecting password probing invites that form of DoS. If I hadn't

Re: Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Joel Ewing
On 01/05/2015 09:35 AM, Paul Gilmartin wrote: On Mon, 5 Jan 2015 07:21:28 -0800, Charles Mills wrote: For TSO, you can probe for known user ids, but you will see a lot of LOGON and IEA989I message in the SYSLOG. Only if you set a specific SLIP trap for this condition. In the video cited:

Re: Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Charles Mills
] On Behalf Of Joel Ewing Sent: Monday, January 05, 2015 8:18 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?) On 01/05/2015 09:35 AM, Paul Gilmartin wrote: On Mon, 5 Jan 2015 07:21:28 -0800, Charles Mills wrote: For TSO, you can probe for known user ids

Re: Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Charles Mills
@LISTSERV.UA.EDU Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?) Back years ago I worked at a Top Secret shop. That product wrote a console message when a log on attempt has occurred that specified an unknown user. Sadly, what was usually seen was a password. It's been years since I

Re: Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Sam Siegel
id which already had considerable capabilities. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills Sent: Monday, January 05, 2015 10:35 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Enumerating User IDs (was: CANCEL TSO

Re: Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Lou Losee
I do not believe you will get RACF SMF and console messages for this type of probing. It is my understanding that TSO performs a RACROUTE REQUEST=EXTRACT to obtain the data to fill in the various fields in the logon panel. When retrieving or replacing fields, the RACF manual explicitly states:

Re: Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Tony's Basement Computer
@LISTSERV.UA.EDU] On Behalf Of Frank Swarbrick Sent: Monday, January 05, 2015 6:06 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?) Something like this?ICH408I USER(MYPSWD99) GROUP() NAME(??? ) LOGON/JOB INITIATION - USER AT TERMINAL

Re: Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Tony Harminc
On 5 January 2015 at 19:19, Tony's Basement Computer tbabo...@comcast.net wrote: Yep. BTW, how did Mr. Mainframehacker get to the TSO log on screen? Did someone provide the magic VTAM command? I ask from ignorance because I didn't watch 100% of the video and I'm not connect literate. His

Re: Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Frank Swarbrick
@LISTSERV.UA.EDU Sent: Monday, January 5, 2015 9:57 AM Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?) Back years ago I worked at a Top Secret shop.  That product wrote a console message when a log on attempt has occurred that specified an unknown user.  Sadly, what was usually seen

Re: Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Charles Mills
-MAIN@LISTSERV.UA.EDU Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?) Something like this?ICH408I USER(MYPSWD99) GROUP() NAME(??? ) LOGON/JOB INITIATION - USER AT TERMINAL DVDU NOT RACF-DEFINED The above was generated using the CICS CESN signon

Re: Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Charles Mills
I have no idea how he got the addresses I suspect by scanning. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tony Harminc Sent: Monday, January 05, 2015 4:44 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Enumerating User

Re: Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Lou Losee
5, 2015 9:57 AM Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?) Back years ago I worked at a Top Secret shop. That product wrote a console message when a log on attempt has occurred that specified an unknown user. Sadly, what was usually seen was a password. It's been years

Re: Enumerating User IDs

2015-01-05 Thread Joel Ewing
was generated using the CICS CESN signon transaction. From: Tony's Basement Computer tbabo...@comcast.net To: IBM-MAIN@LISTSERV.UA.EDU Sent: Monday, January 5, 2015 9:57 AM Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?) Back years ago I worked at a Top Secret shop

Re: Enumerating User IDs

2015-01-05 Thread Tom Brennan
I watched the flick and agree with a lot of what he said. He obviously has no scruples about disclosing any and all information, but isn't that how Open Source software protects itself? And if someone opens their TN3270 port to the public internet, whose fault is that really? One thing he

Enumerating User IDs (was: CANCEL TSO Logon?)

2015-01-05 Thread Paul Gilmartin
On Mon, 5 Jan 2015 07:21:28 -0800, Charles Mills wrote: For TSO, you can probe for known user ids, but you will see a lot of LOGON and IEA989I message in the SYSLOG. Only if you set a specific SLIP trap for this condition. In the video cited: On Jan 2, 2015, at 3:31 PM, Mark Regan wrote: