Rick Fochtman wrote:
--------------------<snip>-----------------
I still don't see how anyone can hack a userid and password and log on
to a RACF protected system. If you have security set up correctly, you
only get 3 tries or so, and then the ID is revoked.
-------------------<unsnip>-----------------
You would be STUNNED at the number of shops that don't think of
something that simple. I could have named three large banking-related
institutions here in Greater Chicago that never thought of it until I
pointed it out to them. (Business-related discussions, when I was
still working.)
Let me ask this question, although it is not directly related to RACF
but to any access control system that locks out people upon failed
access attempts.
Isn't locking out or revoking someone because of unsuccessful access
attempts a wonderful denial of service attack opportunity?
You wait for your good friend in the next cubicle to go on a coffee
break, log him off (if he hasn't already done so), and attempt to log
in with bogus passwords 3 times. And while you are at it, do the same
for some other userids of some highly ranked officers from HIS
terminal. There is going to be some embarrassment for a LOT of people
and a lot of time lost (your co-worker, the locked-out people, the
person responsible for security).
I am of course not saying anyone should do that. But isn't it a
potential problem with user name lockouts?
--Ivan
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
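As an added illustration of the trade-off Ivan raises (example code written for this page, not from the thread and not RACF's own behaviour), here is a toy authenticator with two lockout designs: a hard revoke after the thread's "3 tries", which anyone at a terminal can trip against somebody else's userid, and a time-bounded lockout with a sliding failure window that also records the originating terminal for the audit trail. Userids, terminal names and thresholds are made up.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3  # "3 tries or so", as in the thread (assumed threshold)

class HardRevokePolicy:
    """Revoke a userid permanently after MAX_FAILURES bad passwords.
    Anyone who can type the userid at a terminal can trip it for its owner."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.revoked = set()

    def attempt(self, userid, password_ok):
        if userid in self.revoked:
            return "revoked"          # stays revoked until an admin resets it
        if password_ok:
            self.failures[userid] = 0
            return "ok"
        self.failures[userid] += 1
        if self.failures[userid] >= MAX_FAILURES:
            self.revoked.add(userid)
            return "revoked"
        return "failed"

class TimedLockoutPolicy:
    """Same threshold, but failures are counted in a sliding window and the
    lock expires by itself, so a burst of bogus attempts costs the real user
    minutes, not an admin ticket. Each lock is logged with the terminal that
    caused it, so a lockout storm from one terminal stands out in the audit."""
    def __init__(self, window=300, lock_for=300):
        self.window, self.lock_for = window, lock_for
        self.failures = defaultdict(deque)   # userid -> timestamps of failures
        self.locked_until = {}               # userid -> time the lock expires
        self.audit = []                      # (time, userid, terminal) per lock

    def attempt(self, userid, password_ok, terminal, now):
        if self.locked_until.get(userid, 0) > now:
            return "locked"
        if password_ok:
            self.failures[userid].clear()
            return "ok"
        q = self.failures[userid]
        q.append(now)
        while q and q[0] <= now - self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[userid] = now + self.lock_for
            self.audit.append((now, userid, terminal))
            q.clear()
            return "locked"
        return "failed"
```

With the hard policy the owner of JSMITH is shut out until an administrator intervenes; with the timed policy the same three bogus attempts lock the userid for one window and leave a record of which terminal did it.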