I believe Peter's right.  The hackers got a stolen ID with some RACF power, by 
means not positively identified but social engineering is as likely as any 
other hypothesis.  (I read ~speculation~ about an HTTP vulnerability, but the 
forensic investigators never established how the initial break-in occurred.)  
Once they were in, they fooled around in OMVS and were able to get more power.  
The stolen ID also had read access to the RACF database.

"There are also solid indications that they downloaded the RACF database (about 
28MB)....Once they’d downloaded the RACF database, they subjected it to a 
password-cracking tool....On Feb 28, about the same time the RACF database was 
downloaded, some questions appeared on the mailing list PaulDotCom about 
hashing methods for RACF; by March 3rd, apparently in response, John the Ripper 
had been enhanced to include the capability of working on RACF passwords, in 
collaboration with another tool called CRACF....By way of testing, investigators 
attempted to use these tools themselves to crack RACF passwords.  They found 
that a great many passwords could be extracted, that they were easy to discover 
by dictionary attack, that they were not very complex and in many cases that 
they’d been unchanged from the default when the ID was created.  Using a 
standalone PC they cracked about 30 000 passwords (out of 120 000 on Applicat’s 
database) in  'a couple of days'."

So yeah, the investigators did it too, but just to establish how effective 
might be the new version of John the Ripper.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Be careful of your thoughts; they may become words at any moment.  -Ira 
Gassen */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Thursday, May 9, 2019 11:39

No.  Read the original thread here.

It was a vulnerability in a Web server.  Hacking the RACF database was done 
well after the fact, by investigators.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Peter Vander Woude
Sent: Thursday, May 9, 2019 6:56 AM

That's what happened in the Swedish bank hack, back in 2012.  In that, once 
they got the database copy on their pc, they used hacker tools that are out 
there, to crack all the passwords.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN