This exposure has been known--and discussed publicly--for several years. 
It is NOT true that 'passwords are not stored'. If they weren't 'stored' 
at all, then how could RACF validate the password you supply? They are in 
fact stored in encrypted form. The encryption method itself is not a state 
secret. It can be simulated. 

The brute force method alluded to here starts with a copy of a RACF data 
base. Then generated character strings are fed into an encryption program 
until the encrypted form of some random string matches what's found in the 
data base for a given userid. Voila. The password has been hacked. 

Once upon a time, it would have taken so long to perform this string match 
that passwords would likely have changed in the meantime. Nowadays 
computers all the way down to smart phones have gotten faster while the 
encryption algorithms have remained the same. There is to my knowledge no 
canonical defense for this hacking method. Best you can do is to prevent 
the data base from being copied in the first place. 

As for what to do with the 'culprit', did he abscond with data or commit 
some other mischief? Or did he reveal his activity to management as a 
wake-up call? The news today is replete with tales of 'ethical hackers'. 
Should we lock them up or bestow medals? Motivation is everything. 

JO.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
626-302-7535 Office
323-715-0595 Mobile
jo.skip.robin...@sce.com



From:   mmjuma <mmj...@yahoo.com>
To:     IBM-MAIN@LISTSERV.UA.EDU, 
Date:   08/17/2013 01:04 AM
Subject:        RACF Database protection
Sent by:        IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU>



Hi list

Someone in our section was able to download the RACF database file 
SYS1.RACF.PRIM via ftp to a PC, then he used some tool. He was able to get 
the uid and password of some users. He now had access to the file on the 
mainframe. I want to understand what happened, and how to protect against 
such an issue.
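The reply above says the only real defense is to keep the database from being copied; a second line is to notice when it has been. The following is an added example, not code from either poster or from IBM: a small detector that scans FTP transfer records for successful downloads of the RACF database datasets. The log line format is a constructed, simplified one (the real z/OS FTP server records transfers in SMF type 119 records, whose layout is not shown here), and the backup dataset name SYS1.RACF.BKUP is an assumed example; only SYS1.RACF.PRIM comes from the post.

```python
import re
from dataclasses import dataclass

# Dataset names of the RACF primary and backup databases to watch.
# SYS1.RACF.PRIM comes from the post; SYS1.RACF.BKUP is an ASSUMED example name.
RACF_DATASETS = {"SYS1.RACF.PRIM", "SYS1.RACF.BKUP"}

# Constructed, simplified FTP transfer record format (an assumption, not the
# real SMF 119 layout):
#   <timestamp> user=<id> client=<ip> cmd=<RETR|STOR> dsn='<dataset>' status=<code>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+client=(?P<ip>\S+)\s+"
    r"cmd=(?P<cmd>\w+)\s+dsn='(?P<dsn>[^']+)'\s+status=(?P<status>\d+)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    client: str
    dsn: str

def find_racf_db_downloads(lines, watched=RACF_DATASETS):
    """Return a Finding for every successful outbound transfer (RETR, FTP 2xx
    completion code) of a watched RACF database dataset. Uploads (STOR),
    aborted transfers and unparseable lines are ignored."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dsn = m["dsn"].upper().split("(")[0]  # normalise case, drop any member name
        if m["cmd"].upper() == "RETR" and dsn in watched and m["status"].startswith("2"):
            findings.append(Finding(m["ts"], m["user"], m["ip"], dsn))
    return findings

# Constructed sample records: one benign download, one completed download of the
# primary database, one aborted (426) download of the backup, one upload.
SAMPLE_LOG = """\
2013-08-16T22:41:05 user=TSOU01 client=10.1.2.3 cmd=RETR dsn='HLQ.JCL.CNTL(JOB1)' status=226
2013-08-16T22:43:19 user=TSOU07 client=10.1.2.50 cmd=RETR dsn='sys1.racf.prim' status=226
2013-08-16T22:43:40 user=TSOU07 client=10.1.2.50 cmd=RETR dsn='SYS1.RACF.BKUP' status=426
2013-08-16T22:45:02 user=TSOU02 client=10.1.2.9 cmd=STOR dsn='SYS1.RACF.PRIM' status=226
"""

if __name__ == "__main__":
    for f in find_racf_db_downloads(SAMPLE_LOG.splitlines()):
        print(f"ALERT {f.ts}: {f.user} from {f.client} downloaded {f.dsn}")
```

Run against the sample it reports exactly one alert, the completed download of SYS1.RACF.PRIM by TSOU07.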


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN