The reason I brought up this 'vulnerability' is that we hired a consultant a while back to look for weaknesses. Of course they were able to logon with a vanilla userid that had no special authority. And this is what they did.
We all spend a lot of time and mental energy focused on how to protect ourselves from sophisticated attack. We look at APF. We look at SVC screening. We look at access to sensitive libraries. But this particular 'denial of service' can be accomplished by anyone with a valid userid and password. And *only* because we lock up users for invalid password attempts. I'm just sayin'... . . JO.Skip Robinson SCE Infrastructure Technology Services Electric Dragon Team Paddler SHARE MVS Program Co-Manager 626-302-7535 Office 323-715-0595 Mobile jo.skip.robin...@sce.com From: Scott Ford <scott_j_f...@yahoo.com> To: IBM-MAIN@bama.ua.edu Date: 03/27/2012 10:51 AM Subject: Re: Malicious Software Protection Sent by: IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu> Lets step through this logically: TN3270 .... 1. Must have RACF/ACF2/TSS userid/lid/acid 2. Must have a valid password 3. Must have valid IP address 4. Must have valid port 5. Must have Firewall rule for #3 and #4 ... Other issues: How many firewalls ? How is the network architected ? This is just a favor ..FTP the same Scott J Ford Software Engineer http://www.identityforge.com ________________________________ From: Skip Robinson <jo.skip.robin...@sce.com> To: IBM-MAIN@bama.ua.edu Sent: Tuesday, March 27, 2012 1:37 PM Subject: Re: Malicious Software Protection We're all pretty sanguine about our mainframe invulnerability. But we should not overlook how one of our most valuable protections can be turned against us. We all have some limit set for logon attempts. If an invalid password is entered too many times, the userid gets suspended--or referred to the OS console for verification. A malicious rascal (any other kind?) can disable a really important userid in this way. Of course the person has to get into the network first and must know the userid to target, but beyond that no special authority is required. Even console referral would be disruptive to normal production. . . JO.Skip Robinson SCE Infrastructure Technology Services Electric Dragon Team Paddler SHARE MVS Program Co-Manager 626-302-7535 Office 323-715-0595 Mobile jo.skip.robin...@sce.com From: Steve Comstock <st...@trainersfriend.com> To: IBM-MAIN@bama.ua.edu Date: 03/27/2012 10:22 AM Subject: Re: Malicious Software Protection Sent by: IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu> On 3/27/2012 10:46 AM, Greg Dorner wrote: > Thank you, Elardus for your verbosity. > > > - you can replace/fire those auditors as mentioned earlier in this thread > > - As Ted MacNeil insists, the auditors only RECOMMENDS, it is your > management who can APPLY those recommendations. > > Unfortunately, we have no say with these auditors. They are working on > behalf of the Feds, and if we don't comply we can lose billions of $$ in federal contracts. > > The beauty of this is, someone from my company contacted the person at PWC that made this claim that MCAFEE is coming out with a product, and he backtracked, saying he may have been thinking of Mac OS. MAC OS??? > > They just took a big chuck of our company offline for several hours to research this phantom. Wow. And did they reprimand this doofus in any way? Slap on the wrist? Letter in his personnel file? More likely he got commended for being concerned about company security, even though he had no idea what he was talking about. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
