On 19 Jun 2005 14:53:01 -0700, in bit.listserv.ibm-main
(Message-ID:<[EMAIL PROTECTED]>)
[EMAIL PROTECTED] (Ed Gould) wrote:
On Jun 19, 2005, at 4:28 PM, Edward E. Jaffe wrote:
Gil Peleg wrote:
... anyone who worked at the same shop for a long time
knows how to become APF-authorized ...
This just can't be true. No amount of work experience
should provide the knowledge and tools to become APF
authorized. Otherwise, MVS system integrity is nothing
more than a myth! And maybe that's your point. I simply
don't believe it's true in the general case.
----SNIP-----------
Ed,
Could he mean adding the library to apf list?
Ed
Ed Jaffe snipped too much. Take a look at more of
Gil's post:
On the other hand, anyone who worked at the same shop for
a long time knows how to "trick" its systems. How to run
jobs with any jobclass (and maybe form some kind of a
denial of service attack?), how passwords are managed, who
are the powerful users, what resources are not properly
protected, how to falsify identities under CICS/IMS, how
to run batch jobs under other users, how to become
APF-authorized, how to utilize error in 3rd party
products, and the list goes on
Once you know which power users (sysprog or RACF
SPECIAL) don't log off when they leave their desks, it
doesn't take long to get the access you need to APF
datasets. If you know of flaws that let you submit jobs to
run under a power user's userid, again you can do just
about anything.
I was going to mention some more of my favorite
methods I know of for getting passwords or getting jobs run
under others' userids. I decided it was not a good idea to
publicize them. The above are quite general. (Not that I
made use of those methods; it was enough for me to know
they worked, and to try to plug the holes.)
Basically, as others have said:
1. Security is a process; and
2. usually, the biggest security hole is people.