Yep. BTW, how did Mr. Mainframehacker get to the TSO logon screen? Did 
someone provide the magic VTAM command? I ask from ignorance because I didn't 
watch 100% of the video and I'm not "connect literate."



-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Frank Swarbrick
Sent: Monday, January 05, 2015 6:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?)

Something like this?

ICH408I USER(MYPSWD99) GROUP(        ) NAME(???                 )
  LOGON/JOB INITIATION - USER AT TERMINAL DVDU     NOT RACF-DEFINED

The above was generated using the CICS CESN signon transaction.
From: Tony's Basement Computer <tbabo...@comcast.net>
To: IBM-MAIN@LISTSERV.UA.EDU
Sent: Monday, January 5, 2015 9:57 AM
Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?)

Back years ago I worked at a Top Secret shop. That product wrote a console 
message when a logon attempt occurred that specified an unknown user. 
Sadly, what was usually seen was a password. It's been years since I was in 
that business, so I don't know if that display is a configurable option.

Sidebar: I watched the video and I found it dismaying. The presenter spoke in 
a demeaning tone of the traditional terminology with which we are all familiar, 
which I found insulting. I felt he acted proud that *his* technology was 
superior because *his* terms are more "current", thus better. I felt he made 
some assumptions in his presentation that would lead the uninitiated to believe 
that these exposures exist in all cases and in all environments. Stipulating 
that a deficiently configured z/OS-RACF (or TS or ACF2) shop could present 
these opportunities, I feel he should have made this disclaimer at the outset. 
Had he done so I might have taken him more seriously.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Monday, January 05, 2015 10:35 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?)

> SMF and console messages to record logon/authentication failures. 
> These could be intercepted in real time to alert someone of unusual 
> probing while it is occurring

Yup! Come to either of my sessions at SHARE to learn about how to do that 
(albeit with one of several commercial products).

Unfortunately I know of no way to intercept in real time the invalid userid at 
its initial usage and possible "validation" as opposed to when it is actually 
used for a logon with password.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Joel Ewing
Sent: Monday, January 05, 2015 8:18 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?)

On 01/05/2015 09:35 AM, Paul Gilmartin wrote:
> On Mon, 5 Jan 2015 07:21:28 -0800, Charles Mills wrote:
> 
>>> For TSO, you can probe for known user ids, but you will see a lot of LOGON 
>>> and IEA989I messages in the SYSLOG.
>>
>> Only if you set a specific SLIP trap for this condition.
>>
> In the video cited:
> 
>> On Jan 2, 2015, at 3:31 PM, Mark Regan wrote:
>>>
>>> Black Hat 2013 - Mainframes: The Past Will Come to Haunt You, by a 
>>> Philip Young and it's about an hour long.
>>>
>>> http://youtu.be/uL65zWrofvk
> 
> ... the speaker opined that such probing is less likely to be detected 
> by Security than by Operations as a spike in CPU usage.
> 
> -- gil
> 
RACF uses SMF and console messages to record logon/authentication failures.  
These could be intercepted in real time to alert someone of unusual probing 
while it is occurring.  We used independent review of daily summary reports 
generated from RACF SMF records to verify that such probing had not occurred, 
just the typical typos and forgotten passwords from terminals within the 
corporation.  With our normal system workload, someone would have been more 
likely to notice a flood of unusual console messages than see any noticeable 
impact on CPU.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
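Joel Ewing's point about intercepting ICH408I console messages in real time (or reviewing them in a daily summary), and Tony's point that the "unknown user" is frequently a password typed into the wrong field, can both be turned into a simple detection pass over the SYSLOG. The script below is an added example for this thread and is not code posted by any list member. It parses the two-line ICH408I format shown in Frank Swarbrick's message, flags any terminal that produces a burst of NOT RACF-DEFINED logon failures (probable userid enumeration), and separately lists unknown userids that look like passwords so they can be redacted before the report is circulated. The SYSLOG excerpt is constructed: the HH:MM:SS prefix is a simplified stand-in for the real hardcopy-log layout, the terminal names and userids are invented, the INVALID PASSWORD variant is assumed (only NOT RACF-DEFINED appears in the thread), and the burst threshold, window and "looks like a password" heuristic are tuning assumptions, not RACF rules.

```python
"""Spot userid-enumeration probing in RACF ICH408I console messages.

Added example for this thread; it is not code posted by any list member.
SAMPLE_SYSLOG is constructed: the HH:MM:SS prefix stands in for the real
hardcopy-log layout, terminal names are invented, and the INVALID PASSWORD
variant is assumed (only NOT RACF-DEFINED appears in the thread).
"""
import re
from collections import defaultdict

# Constructed sample; one ICH408I message spans two SYSLOG lines.
SAMPLE_SYSLOG = """\
14:02:11 ICH408I USER(MYPSWD99) GROUP(        ) NAME(???                 )
  LOGON/JOB INITIATION - USER AT TERMINAL DVDU     NOT RACF-DEFINED
14:02:13 ICH408I USER(ADMIN   ) GROUP(        ) NAME(???                 )
  LOGON/JOB INITIATION - USER AT TERMINAL T0A1     NOT RACF-DEFINED
14:02:14 ICH408I USER(ROOT    ) GROUP(        ) NAME(???                 )
  LOGON/JOB INITIATION - USER AT TERMINAL T0A1     NOT RACF-DEFINED
14:02:16 ICH408I USER(SYSADM  ) GROUP(        ) NAME(???                 )
  LOGON/JOB INITIATION - USER AT TERMINAL T0A1     NOT RACF-DEFINED
14:02:17 ICH408I USER(OPERATOR) GROUP(        ) NAME(???                 )
  LOGON/JOB INITIATION - USER AT TERMINAL T0A1     NOT RACF-DEFINED
14:02:19 ICH408I USER(GUEST   ) GROUP(        ) NAME(???                 )
  LOGON/JOB INITIATION - USER AT TERMINAL T0A1     NOT RACF-DEFINED
14:45:02 ICH408I USER(JSMITH  ) GROUP(PAYROLL ) NAME(JOHN SMITH          )
  LOGON/JOB INITIATION - INVALID PASSWORD
15:30:00 ICH408I USER(BACKUP  ) GROUP(        ) NAME(???                 )
  LOGON/JOB INITIATION - USER AT TERMINAL T0A1     NOT RACF-DEFINED
"""

HEADER_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+ICH408I\s+USER\((?P<user>[^)]*)\)\s+"
    r"GROUP\((?P<group>[^)]*)\)\s+NAME\((?P<name>[^)]*)\)\s*$"
)
REASON_RE = re.compile(r"^\s+LOGON/JOB INITIATION\s+-\s+(?P<reason>.*?)\s*$")
TERMINAL_RE = re.compile(r"USER AT TERMINAL\s+(?P<term>\S+)\s+(?P<detail>.*)")


def _hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_ich408i(text):
    """Return one dict per ICH408I message: time, userid, group, name,
    terminal (None when the reason line names no terminal) and detail."""
    events, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = {"time": _hms_to_seconds(m["time"]),
                       "userid": m["user"].strip(),
                       "group": m["group"].strip(),
                       "name": m["name"].strip()}
            continue
        r = REASON_RE.match(line)
        if r and pending is not None:
            t = TERMINAL_RE.match(r["reason"])
            pending["terminal"] = t["term"] if t else None
            pending["detail"] = (t["detail"] if t else r["reason"]).strip()
            events.append(pending)
            pending = None
    return events


def detect_enumeration(events, threshold=5, window_seconds=60):
    """One alert per terminal whose densest window of NOT RACF-DEFINED
    failures holds at least `threshold` attempts (sliding window)."""
    by_terminal = defaultdict(list)
    for e in events:
        if e["detail"] == "NOT RACF-DEFINED" and e["terminal"]:
            by_terminal[e["terminal"]].append(e)
    alerts = []
    for term, evs in by_terminal.items():
        evs.sort(key=lambda e: e["time"])
        best, start = (0, 0, 0), 0          # (count, first index, last index)
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window_seconds:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best[0] >= threshold:
            alerts.append({"terminal": term, "count": best[0],
                           "userids": [e["userid"] for e in evs[best[1]:best[2] + 1]]})
    return alerts


def suspect_password_leaks(events):
    """Unknown userids mixing letters and digits are often a password typed
    into the userid field; treat those log lines as sensitive. Heuristic only."""
    return [e["userid"] for e in events
            if e["detail"] == "NOT RACF-DEFINED"
            and re.search(r"[A-Z]", e["userid"]) and re.search(r"\d", e["userid"])]


if __name__ == "__main__":
    evs = parse_ich408i(SAMPLE_SYSLOG)
    for a in detect_enumeration(evs):
        print(f"ALERT terminal {a['terminal']}: {a['count']} unknown userids "
              f"in one window: {', '.join(a['userids'])}")
    for u in suspect_password_leaks(evs):
        print(f"REVIEW: unknown userid {u!r} looks like a password; redact it")
```

Run against the sample, the five-in-eight-seconds burst from terminal T0A1 is reported as enumeration while the single typo from DVDU is not; the later BACKUP attempt from T0A1 falls outside the window and does not inflate the count. The same parser can feed a daily report of the kind Joel describes, with MYPSWD99 called out for redaction rather than printed for every reviewer to see.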