I found many security and system programmers assuming that in order to manage security, one need access to the security database.I many assessments I was able to copy the file with no problem. While this assumption is completely untrue, many of you make use of (at least one) racf administration product that directly read the racf database, so you need to have read access to use it. all products built around this product also requires at least read access. In some cases, when I recommended to switch to "server" mode, the vendor said that not all products support that.
So, even if you have ROAUDIT attribute you got read access to the racf db. and this is a security and audit product! ITschak On Thu, May 9, 2019 at 8:16 PM Charles Mills <charl...@mcn.org> wrote: > To answer the OP question, Yes, assuming > > - The perp has the ability to run some sort of volume backup, such as > authority to the volume and to run a volume backup program. > - The ability to copy the backup off of the system, such as with FTP, > access > to a physical tape drive, or downloading to a PC and converting to some > sort > of format accessible to item 3 below. > - Access to a "friendly" system, such as Hercules, on which the perp has > the > ability to restore the backup. Any RACF-type restrictions on access to the > database would not persist onto this system. > > Charles > > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Clark Morris > Sent: Tuesday, May 7, 2019 5:27 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Can backup mechanisms be used to steal RACF database? was Re: > mainframe hacking "success stories"? > > [Default] On 6 May 2019 20:10:27 -0700, in bit.listserv.ibm-main > 00000047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote: > > >In most shops only 2 people have the required access to the RACF > database. > > > Could someone use DF/DSS, DF/HSM, FDR or FDR/ABR to copy the database > and then download the dump of the database? > > Clark Morris > > > >Sent from Yahoo Mail for iPhone > > > > > >On Monday, May 6, 2019, 11:06 PM, Bob Bridges <robhbrid...@gmail.com> > wrote: > > > >"Once they’d downloaded the RACF database, they subjected it to a > password-cracking tool. John the Ripper is one such tool, widely available > on the internet. On Feb 28, about the same time the RACF database was > downloaded, some questions appeared on the mailing list PaulDotCom about > hashing methods for RACF; by March 3rd, apparently in response, John the > Ripper had been enhanced to include the capability of working on RACF > passwords, in collaboration with another tool call CRACF. > > > >"In the Zauf article is this description: 'Creating a password hash > algorithm works like this: After entering the password, it is padded with > spaces, if necessary, to a length of 8 bytes. Each character is then XORed > with x‘55’ and shifted left one bit. Then the user ID is DES-encrypted, > using the modified password as the DES key. Developers took a few days to > determine the algorithm and modify John the Ripper. Now the utility excels > at hashing the RACF database.' It also mentioned a source-code module > named > racf2john.c, 'a tool that converts database file exported in the input > data, > read for JTR' [Google’s translation from Polish]. > > > >"By way of testing, investigators attempted to use these tools themselves > to crack RACF passwords. They found that a great many passwords could be > extracted, that they were easy to discover by dictionary attack, that they > were not very complex and in many cases that they’d been unchanged from the > default when the ID was created. Using a standalone PC they cracked about > 30 000 passwords (out of 120 000 on Applicat’s database) in 'a couple of > days'." > > > >--- > >Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313 > > > >/* If the Earth were flat, cats would have pushed everything off it by > now. > */ > > > > > >-----Original Message----- > >From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Charles Mills > >Sent: Monday, May 6, 2019 13:14 > > > >I *believe* that was done by investigators after the fact, attempting to > determine how the attack might have been done. I don't recall that there is > compelling evidence that Svartholm actually did that. > > > >It *is* trivially easy to do, assuming (a.) read access to the DB and (b.) > old-style password storage. > > > >-----Original Message----- > >From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of David Spiegel > >Sent: Sunday, May 5, 2019 8:02 AM > > > >One of the tricks he pulled was to offload the RACF Database to a PC and > Dictionary Attack it. > > > >---------------------------------------------------------------------- > >For IBM-MAIN subscribe / signoff / archive access instructions, > >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > > > > >---------------------------------------------------------------------- > >For IBM-MAIN subscribe / signoff / archive access instructions, > >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- ITschak Mugzach *|** IronSphere Platform* *|* *Information Security Contiguous Monitoring for Legacy **| * ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
