Walt, I might have used wrong wording, but when I said LOGON to CICS (or any
other VTAM application on partner site), I meant it. The only limit I
have when pentesting is the partner company having to agree to the signon.
I have seen a few sites using no GMTRAN at all, so you sign on to CICS with no
password and get the default user auth! There are also a few other VTAM
applications that use an internal userid and password that is stored in a
file. NDM is a sample for a super user that is described in a parameter
library.

ITschak

On Wed, Jan 14, 2009 at 4:42 PM, Walt Farrell <wfarr...@us.ibm.com> wrote:

> In response to a Wed, 14 Jan 2009 08:00:36 +0200 message from Itschak
> Mugzach <imugz...@gmail.com>:
>
> You seem to be mixing terminology, and possibly causing confusion, Itschak.
>  (Though I think Chris understands what you've said and has provided some
> good pointers.)
>
> You start out by saying
> > Now, there is no way to stop some one in org "A" to simply logon to org "B"
> > CICS.
>
> Logging on to CICS is controlled by the user ID and password provided during
> the CICS signon processing.
>
> You go on to say:
> > Believe me, I tried it and accessed many vtam applications. few of
> > them where no protected well. Some of them uses default ACB names. the
> > ability to finally logon into is depend on the level of security implemented
> > at org "B".
>
> What you're talking about there is NOT "logging on to CICS" but connecting
> to org B's system, via VTAM, and logging on to other VTAM applications they
> have, not CICS.
>
> I'm not disputing that you were able to do that, but I feel it's important
> to properly express what has happened and thus, perhaps, avoid confusion.
>
> And yes, the ability to logon to B's applications, if you can reach B via an
> LU2 connection, is dependent on the security implemented at B and in its
> applications.
>
> --
>  Walt Farrell, CISSP
>  IBM STSM, z/OS Security Design
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>
