:>: -----Original Message-----
:>: From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
:>: Behalf Of mmjuma
:>: Sent: Saturday, August 17, 2013 1:02 AM
:>: To: IBM-MAIN@LISTSERV.UA.EDU
:>: Subject: RACF Database protection
:>:
:>: Hi list
:>:
:>: Someone in our section, he was able to download RACF database file
:>: SYS1.RACF.PRIM via ftp to PC, then he used some tool. He was able to get
:>: uid and password of some users. He had now access to the file in
:>: mainframe. I want to understand what happened, and how to protect against
:>: such issue.

There are several steps you should consider.

To limit the potential damage:

    Since some accounts have been compromised, they should be revoked.  Have
each user physically come to your desk to have the account resumed and the
password reset.

     Since the passwords were cracked so quickly, I think a dictionary
attack was used.  In any event, the accounts that were compromised obviously
had very weak passwords.  You should create rules that require passwords to
be at or near the max length and to contain letters (both upper and lower
case unless you are using a very old version of z/OS) as well as numbers.

     User IDs used exclusively to run production jobs should not have
passwords.  Users who run these jobs should have surrogate authority to the
production IDs.

To prevent it from happening again:

     If your section mate's job description requires him to test the
effectiveness of your security practices, he did exactly what he was
supposed to, but then I expect you would not be asking for help.

     If not, he should be immediately reported to management for
disciplinary action.  In the interim, his access to the RACF database should
be terminated.  Any "high level" privileges such as special, auditor,
operations, etc. should also be terminated.

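The steps recommended in the reply above, sketched as RACF TSO commands. This is an added example, not part of the original message: the IDs JDOE, PRODJOB1 and OPER1, the temporary password and the exact password rule are placeholders, and it assumes a z/OS level that supports mixed-case passwords.

```tso
/* Constructed example: JDOE, PRODJOB1, OPER1 and TEMP1234 are placeholders */

/* 1. Revoke a compromised ID. Resume it only once the user has appeared   */
/*    in person; the new password is expired, so it must be changed at     */
/*    the first logon.                                                     */
ALTUSER JDOE REVOKE
ALTUSER JDOE RESUME PASSWORD(TEMP1234)

/* 2. Turn on mixed-case passwords, then require 8 characters built from   */
/*    upper case, lower case and digits (MIXEDNUM in every position).      */
SETROPTS PASSWORD(MIXEDCASE)
SETROPTS PASSWORD(RULE1(LENGTH(8) MIXEDNUM(1:8)))

/* 3. Production ID with no password; people who submit its jobs get       */
/*    surrogate authority instead. If SURROGAT is already RACLISTed, use   */
/*    SETROPTS RACLIST(SURROGAT) REFRESH in place of the last command.     */
ALTUSER PRODJOB1 NOPASSWORD
RDEFINE SURROGAT PRODJOB1.SUBMIT UACC(NONE)
PERMIT PRODJOB1.SUBMIT CLASS(SURROGAT) ID(OPER1) ACCESS(READ)
SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)

/* 4. Review who can read the RACF database, close the default access,     */
/*    and remove the individual's access and high-level attributes.        */
LISTDSD DATASET('SYS1.RACF.PRIM') AUTHUSER
ALTDSD 'SYS1.RACF.PRIM' UACC(NONE)
PERMIT 'SYS1.RACF.PRIM' ID(JDOE) DELETE
ALTUSER JDOE NOSPECIAL NOAUDITOR NOOPERATIONS
```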