Re: Open 3270 connection on the net??
Jim

You seem also not to be familiar with the true USS (Unformatted System Services) as it is usually customised. Also, it's not really a *VTAM* logon screen, either when used natively or, indeed, in this context, since the USS function has been borrowed by the IP side of Communications Server in order to give something very similar to the same look and feel to the end user as if the 3270 connection, in this case, were purely SNA.

I say you appear not to be familiar since, as USS is typically customised, you don't have to *guess* application names (applids); a user-friendly token is usually offered in order to access the application. For example, the application name may be A77CICS but you will find simply CICS being offered as the way to gain access to this CICS application. You can also typically enter the relevant userid following the application token, but this is generally only a short cut to entering the userid once the first application panel is presented. It is here also where you will be expected to enter the password, assuming the application requires a password.

Whether or not guessing, perhaps programmatically, would have a chance of being successful will depend upon how many tries you get before further attempts are in some way barred.

I don't think you need to have feared any consequences for accessing what is strictly that particular customer's USS message 10 panel, or indeed entering various invalid tokens and getting the other USS messages in return. VTAM does not have a facility which logs invalid attempts to enter USS commands. It may even be interesting to examine the inventiveness in exploiting USS functions in the shape of the various USS messages, in particular USS message 5, although that, rather stupidly, cannot be used very effectively by TN3270E.
Chris Mason

- Original Message -
From: Jim Harrison [EMAIL PROTECTED]
Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@BAMA.UA.EDU
Sent: Friday, September 21, 2007 10:28 PM
Subject: Open 3270 connection on the net??

I was Googling for some MQ information this afternoon and happened upon a state IT website. Since it was a state I've often thought of moving to, I began browsing further to look at job postings and tried to find out where they were physically located. Somehow I came upon a link for HOD and of course I had to click on it. Guess what? The software loads and I have the magic button sitting in front of me - and of course, I had to click it. Lo and behold, I got the VTAM logon screen for their z/OS system! My question is, is this common? I can see doing it via a VPN, but open to the public? Granted, guessing their applids, userIDs and passwords would be quite difficult, but I am not a professional hacker, so I don't know for sure how big an exposure it is. I know our security people would freak if we had an open connect point. BTW, I closed the window, backed out immediately and didn't even try looking further.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Open 3270 connection on the net??
Gerhard

This reminds me that, in principle, there is open access to my bank account. However, I have a little pocket-calculator-like thing to hand which requires me to enter a code for the purposes of generating a number which I then enter into a password-style field. This proves, I believe also on the basis of the time and a timer, that I am who I claim to be. Also, getting hold of the userid isn't that easy since it was assigned by the bank. It's definitely not my name as userid and the name of my dog (not that I have one) as password.

Chris Mason

- Original Message -
From: Gerhard Postpischil [EMAIL PROTECTED]
Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@BAMA.UA.EDU
Sent: Saturday, September 22, 2007 2:46 AM
Subject: Re: Open 3270 connection on the net??

...

I once worked for a company that had open access. They also had an egg-shaped device for each user, clock synchronized to software, that generated a pseudo-random number on demand. That was the password; if you missed the window, you had to wait a few minutes and try again. The logon was handled in a Network Solicitor, and other than requiring occasional recalibration, was reliable. Definitely safer than a static password.

Gerhard Postpischil
Bradford, VT
new e-mail address: gerhardp (at) charter (dot) net
Re: Open 3270 connection on the net??
Ed

Normally I expect there to be a chance I could contribute something when VTAM appears in an IBM-MAIN post. With this one I'm at a loss. I looked for .za at the end of your e-mail address in the expectation that RSA might be the Republic of South Africa, but it wasn't there - and it wouldn't have helped anyhow!

Chris Mason

- Original Message -
From: Ed Finnell [EMAIL PROTECTED]
Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@BAMA.UA.EDU
Sent: Saturday, September 22, 2007 5:32 AM
Subject: Re: Open 3270 connection on the net??

...

Yeah, we ran this way for a number of years when our Library (NOTIS) system was on MVS. Depending on VTAM application the Solicitor would pass to read-only Library or tag you to the RSA VTAM sign-in.
Re: Open 3270 connection on the net??
Len

I expect by "It's not a VTAM login, it's SuperSession", in precise terms, what you mean is that you bypass both the TN3270 application selection panel (also called the solicitor screen) *and* the USS system borrowed from VTAM (the "VTAM login") by use of the DEFAULTAPPL statement. The named default application would be SuperSession.

Chris Mason

- Original Message -
From: Rugen, Len [EMAIL PROTECTED]
Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@BAMA.UA.EDU
Sent: Sunday, September 23, 2007 12:51 AM
Subject: Re: Open 3270 connection on the net??

As a University, the campus still on the mainframe (all in the past) used HOD for student registration. Since students could be anywhere, it was open to the world. It's not a VTAM login, it's SuperSession, so you can only get to certain things. We have had a few DoS attacks at certain userids, but they are either non-existent or protected. Likewise, the replacement web application (PeopleSoft) is available via the web.
Re: Open 3270 connection on the net??
Yes... all I meant was you just can't try any VTAM APPLID, just the entry points we offer.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Chris Mason
Sent: Tuesday, September 25, 2007 10:07 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Open 3270 connection on the net??

Len

I expect by "It's not a VTAM login, it's SuperSession", in precise terms, what you mean is that you bypass both the TN3270 application selection panel (also called the solicitor screen) *and* the USS system borrowed from VTAM (the "VTAM login") by use of the DEFAULTAPPL statement. The named default application would be SuperSession.

Chris Mason
Re: Open 3270 connection on the net??
Ed Finnell wrote:

In a message dated 9/21/2007 7:46:48 P.M. Central Daylight Time, [EMAIL PROTECTED] writes:

This could be a huge exposure, or it could be the safest thing in the world, as these things go. I once worked for a company that had open access. They also had an egg-shaped device for each user, clock synchronized to software, that generated a pseudo-random number on demand. That was the password; if you missed the window, you had to wait a few minutes and try again. The logon was handled in a Network Solicitor, and other than requiring occasional recalibration, was reliable. Definitely safer than a static password.

Yeah, we ran this way for a number of years when our Library (NOTIS) system was on MVS. Depending on VTAM application the Solicitor would pass to read-only Library or tag you to the RSA VTAM sign-in.

We have open connect to our z/OS system. We are a service provider that is owned by the companies that we provide the service for. They dictate to us how they connect to us. It could be over leased circuits they own, it could be via a managed network they are responsible for, or it could be over the Internet. We provide the service to over 700 companies (only a few actually own us, but we must treat all of them equally). The majority connect over the Internet and we can't dictate that they use any type of encrypted VPN-type connection over the Internet. We can use security token devices because when they want access for a new employee they want it TODAY, not next week and not tomorrow, but right now. One company may have a single user that works from home using dial-up Internet access. Another company could have 300 users with dual DS-3s going over the Internet.
Re: Open 3270 connection on the net??
As a University, the campus still on the mainframe (all in the past) used HOD for student registration. Since students could be anywhere, it was open to the world. It's not a VTAM login, it's SuperSession, so you can only get to certain things. We have had a few DoS attacks at certain userids, but they are either non-existent or protected. Likewise, the replacement web application (PeopleSoft) is available via the web.
Re: Open 3270 connection on the net??
Jim,

Do you happen to remember whether there was a locked padlock symbol at the lower right of the Host On-Demand window? If so, that would indicate that the connection is encrypted.

A few years ago I did an awful lot of work with a particular state government to help them get Host On-Demand installed and properly secured for their needs. In their case the accessible mainframe applications and data were (are) very valuable and very private, including such things as the state prison system records. So we had a lot of reviews, discussion, design consultations, etc. to configure Host On-Demand appropriately. What you observed would not be possible, for example. But other state systems vary. There are even a few totally open and public 3270 access points, such as university library book catalog systems.

One thing that's usually a requirement for any system that demands a logon is to encrypt the connection. Otherwise it's much easier for someone to intercept the logon information (user ID, password). So if indeed there is a hole here -- and I agree about reporting it -- then probably the very first remediation I would take is to get that HOD session encrypted. (That's assuming the Internet access is needed; often it is.) I'm not talking about https in the Web address -- that's irrelevant and unnecessary, actually. HOD isn't the part that needs protection. It's the 3270 connection itself, indicated by the padlock at the lower right.

Now, that may not be sufficient -- it wasn't for my particular state government customer -- and additional design steps may be warranted. But it's a basic configuration setting which is quite important for most. Ever since at least OS/390 V2R6 (I think) it has been quite easy to enable SSL for TN3270E on the host side.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Specializing in Software Architectures Related to System z
Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
E-Mail: [EMAIL PROTECTED]
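Timothy's point is that the thing to check is the 3270 connection itself, not the web page that delivers the emulator. From the network side the same question can be answered by looking at the first bytes a TN3270 port sends: a plaintext TN3270(E) server opens with Telnet option negotiation, a server offering the Telnet START_TLS option (IANA option 46) advertises that first, and an implicit-TLS port (the conventional port 992) stays silent until the client starts a TLS handshake and answers stray plaintext with a TLS alert. The script below is an added example written for this page; it is not code from the thread, from Host On-Demand or from IBM's TN3270 server, and the byte strings in its usage are constructed samples. The host, port and timeout are whatever you pass in; `probe()` needs network access, while `classify_banner()` and `parse_negotiation()` work offline.

```python
"""Classify what a TN3270 port speaks before any logon screen is shown.

Added example: plaintext Telnet negotiation vs. Telnet START_TLS vs.
implicit TLS (port 992 style). Not part of the original thread.
"""
import socket
import ssl

IAC, SB, SE = 0xFF, 0xFA, 0xF0
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
# Telnet option numbers used by 3270 emulation (IANA Telnet option registry).
OPTIONS = {0x00: "BINARY", 0x18: "TERMINAL-TYPE", 0x19: "EOR",
           0x28: "TN3270E", 0x2E: "START-TLS"}


def parse_negotiation(data: bytes) -> list:
    """Return the (verb, option) pairs found in a Telnet byte stream.

    Subnegotiations (IAC SB ... IAC SE) are skipped, an escaped data byte
    (IAC IAC) is consumed, and any byte that is not part of a command is ignored.
    """
    pairs = []
    i = 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            i += 1
            continue
        verb = data[i + 1]
        if verb in VERBS and i + 2 < len(data):
            opt = data[i + 2]
            pairs.append((VERBS[verb], OPTIONS.get(opt, f"OPT{opt}")))
            i += 3
        elif verb == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                      # IAC IAC, or a verb with no option byte
            i += 2
    return pairs


def classify_banner(banner: bytes) -> str:
    """Map the first bytes received from a port to what that port speaks."""
    if not banner:
        return "silent"            # implicit-TLS ports wait for the ClientHello
    if banner[0] == 0x15 and banner[1:2] == b"\x03":
        return "tls-alert"         # TLS record type 21: plaintext was sent to a TLS port
    if banner[0] == 0x16 and banner[1:2] == b"\x03":
        return "tls-handshake"     # TLS record type 22: the peer is already inside TLS
    offered = {opt for verb, opt in parse_negotiation(banner) if verb in ("DO", "WILL")}
    if "START-TLS" in offered:
        return "negotiated-tls"    # TLS is negotiated in-band before any 3270 data flows
    if "TN3270E" in offered:
        return "plaintext-tn3270e"
    if "TERMINAL-TYPE" in offered:
        return "plaintext-tn3270"
    return "unknown"


def probe(host: str, port: int = 23, timeout: float = 5.0) -> tuple:
    """Connect, read the banner, and fall back to a TLS handshake if the port is silent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            banner = sock.recv(64)
        except socket.timeout:
            banner = b""
    verdict = classify_banner(banner)
    if verdict == "silent":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # we ask only whether TLS is offered, not whether the cert is trusted
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                verdict = f"implicit-tls:{tls.version()}"
        except (ssl.SSLError, OSError):
            verdict = "silent-no-tls"
    return verdict, banner


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # hypothetical target
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 23
    print(*probe(target, target_port))
```

Run it against port 23 and port 992 of the host in question: a `plaintext-tn3270e` verdict on 23 with no `implicit-tls` on 992 and no `negotiated-tls` offer means userids and passwords cross the Internet in the clear, which is the condition Timothy's first remediation addresses. The verdict does not say whether the certificate is trustworthy; that is a separate check.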
Open 3270 connection on the net??
I was Googling for some MQ information this afternoon and happened upon a state IT website. Since it was a state I've often thought of moving to, I began browsing further to look at job postings and tried to find out where they were physically located. Somehow I came upon a link for HOD and of course I had to click on it. Guess what? The software loads and I have the magic button sitting in front of me - and of course, I had to click it. Lo and behold, I got the VTAM logon screen for their z/OS system! My question is, is this common? I can see doing it via a VPN, but open to the public? Granted, guessing their applids, userIDs and passwords would be quite difficult, but I am not a professional hacker, so I don't know for sure how big an exposure it is. I know our security people would freak if we had an open connect point. BTW, I closed the window, backed out immediately and didn't even try looking further.
Re: Open 3270 connection on the net??
My first reaction would be to go back to their web site and try to find a security individual or IT director level person and try to tell them about the hole. I know I wouldn't want that hole in MY state's system (or my company's)! If it was there, I'd want to know about it.

Rex

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Jim Harrison
Sent: Friday, September 21, 2007 3:28 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Open 3270 connection on the net??

I was Googling for some MQ information this afternoon and happened upon a state IT website. Since it was a state I've often thought of moving to, I began browsing further to look at job postings and tried to find out where they were physically located. Somehow I came upon a link for HOD and of course I had to click on it. Guess what? The software loads and I have the magic button sitting in front of me - and of course, I had to click it. Lo and behold, I got the VTAM logon screen for their z/OS system! My question is, is this common? I can see doing it via a VPN, but open to the public? Granted, guessing their applids, userIDs and passwords would be quite difficult, but I am not a professional hacker, so I don't know for sure how big an exposure it is. I know our security people would freak if we had an open connect point. BTW, I closed the window, backed out immediately and didn't even try looking further.
Re: Open 3270 connection on the net??
Jim Harrison wrote:

to click it. Lo and behold, I got the VTAM logon screen for their z/OS system! My question is, is this common? I can see doing it via a VPN, but open to the public? Granted, guessing their applids, userIDs

This could be a huge exposure, or it could be the safest thing in the world, as these things go. I once worked for a company that had open access. They also had an egg-shaped device for each user, clock synchronized to software, that generated a pseudo-random number on demand. That was the password; if you missed the window, you had to wait a few minutes and try again. The logon was handled in a Network Solicitor, and other than requiring occasional recalibration, was reliable. Definitely safer than a static password.

Gerhard Postpischil
Bradford, VT
new e-mail address: gerhardp (at) charter (dot) net
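Gerhard's egg-shaped device is a clock-synchronised hardware token (the later posts name RSA); its algorithm is proprietary and is not what is shown here. The block below is an added example written for this page, not code from the thread or from RSA, and it uses the open equivalent, TOTP (RFC 6238 over HMAC-SHA1 with a 30-second step), to make three things in the post concrete: the code is a function of the clock, the server tolerates a small window of drift, and a code that falls outside the window ("missed the window") or is presented twice is refused. The seed is the constructed ASCII seed from the RFC test vectors, not any real secret, and the acceptance window of one step either side is an assumption; real deployments pick their own.

```python
"""Time-synchronised one-time codes with an acceptance window and replay check.

Added example (RFC 6238 TOTP); the SecurID scheme in the thread is proprietary
and differs in detail. Not part of the original posts.
"""
import hashlib
import hmac
import struct

STEP = 30          # seconds per time step
DIGITS = 6
WINDOW = 1         # assumed: accept codes from this many steps before/after "now"

# Constructed test seed: the ASCII secret from the RFC 4226/6238 test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).

    This is what the token in the user's pocket computes from its own clock.
    """
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server side: checks a code against a drift window and refuses reuse of a step."""

    def __init__(self, secret: bytes, window: int = WINDOW, step: int = STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1      # highest time step consumed by a successful logon

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            if counter <= self.last_counter:
                continue            # that step was already used: a replay inside the window
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False                # wrong code, or the token's clock is outside the window


if __name__ == "__main__":
    import time
    now = int(time.time())
    v = TokenVerifier(SECRET)
    code = totp(SECRET, now)
    print("token shows", code, "accepted:", v.verify(code, now),
          "replayed:", v.verify(code, now))
```

The `last_counter` check is what stops someone who sniffed a code off an unencrypted 3270 session from logging on with it a few seconds later, while the window is what makes "wait a few minutes and try again" work for a token whose clock has drifted by one step; a token drifted further than the window needs the recalibration Gerhard mentions.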
Re: Open 3270 connection on the net??
In a message dated 9/21/2007 7:46:48 P.M. Central Daylight Time, [EMAIL PROTECTED] writes:

This could be a huge exposure, or it could be the safest thing in the world, as these things go. I once worked for a company that had open access. They also had an egg-shaped device for each user, clock synchronized to software, that generated a pseudo-random number on demand. That was the password; if you missed the window, you had to wait a few minutes and try again. The logon was handled in a Network Solicitor, and other than requiring occasional recalibration, was reliable. Definitely safer than a static password.

Yeah, we ran this way for a number of years when our Library (NOTIS) system was on MVS. Depending on VTAM application the Solicitor would pass to read-only Library or tag you to the RSA VTAM sign-in.