Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

2010-12-06 Thread Ken Porowski
And I'll raise you a Bryce Lynch 

-Original Message-
Robert A. Rosenberg

At 18:39 -0500 on 12/01/2010, Don Leahy wrote about Re: OT: In regard to
password cracking Who is Abbie Sciuto :

> So could Chloe O'Brien.

It took me an IMDB lookup to find that she was a 24 hacker. I'll take your
Chloe O'Brien and respond with Warehouse 13's Claudia Donovan (who
hacked W13's servers and bypassed all their security plus locating W13's
location and existence in the first place).

> On Wed, Dec 1, 2010 at 17:37, Robert A. Rosenberg wrote:
>
>> At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In
>> regard to password cracking Who is Abbie Sciuto :
>>
>>> Of course, it could be cracked by somebody like Abbie Sciuto (and
>>> maybe the NSA or FBI) in just a few minutes .
>>
>> Tim McGee also could do it. He is the major hacker on the NCIS team
>> and often he and Annie collaborate on computer forensic matters.
>> Abbie is usually the one to do Brute Force work like the password
>> cracking however.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

2010-12-05 Thread Robert A. Rosenberg
At 18:39 -0500 on 12/01/2010, Don Leahy wrote about Re: OT: In regard
to password cracking Who is Abbie Sciuto :

> So could Chloe O'Brien.

It took me an IMDB lookup to find that she was a 24 hacker. I'll take
your Chloe O'Brien and respond with Warehouse 13's Claudia Donovan
(who hacked W13's servers and bypassed all their security plus
locating W13's location and existence in the first place).

> On Wed, Dec 1, 2010 at 17:37, Robert A. Rosenberg wrote:
>
>> At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In regard
>> to password cracking Who is Abbie Sciuto :
>>
>>> Of course, it could be cracked by somebody like Abbie Sciuto (and maybe
>>> the NSA or FBI) in just a few minutes .
>>
>> Tim McGee also could do it. He is the major hacker on the NCIS team and
>> often he and Annie collaborate on computer forensic matters. Abbie is
>> usually the one to do Brute Force work like the password cracking however.




Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

2010-12-01 Thread Don Leahy
So could Chloe O'Brien.

On Wed, Dec 1, 2010 at 17:37, Robert A. Rosenberg  wrote:

> At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In regard
> to password cracking Who is Abbie Sciuto :
>
>> Of course, it could be cracked by somebody like Abbie Sciuto (and maybe
>> the NSA or FBI) in just a few minutes .
>
> Tim McGee also could do it. He is the major hacker on the NCIS team and
> often he and Annie collaborate on computer forensic matters. Abbie is
> usually the one to do Brute Force work like the password cracking however.


Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

2010-12-01 Thread Robert A. Rosenberg
At 11:32 -0500 on 12/01/2010, August Carideo wrote about Re: OT: In
regard to password cracking Who is Abbie Sciuto :

> Of course, it could be cracked by somebody like Abbie Sciuto (and
> maybe the NSA or FBI) in just a few minutes .

Tim McGee also could do it. He is the major hacker on the NCIS team
and often he and Annie collaborate on computer forensic matters.
Abbie is usually the one to do Brute Force work like the password
cracking however.




Re: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

2010-12-01 Thread McKown, John
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
> Sent: Wednesday, December 01, 2010 10:22 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: OT: In regard to password cracking Who is Abbie 
> Sciuto was Re: A New Threat for password hacking
> 
> On 30 Nov 2010 07:42:00 -0800, in bit.listserv.ibm-main you wrote:

> Who is Abbie Sciuto?
> 
> Clark Morris

Who is Abbie Sciuto???!!!? A character on my favorite U.S. TV series - 
NCIS. She is a forensic scientist. And a bit of a "goth", but in a fun way. 
Google will give you more.

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * 
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 



Re: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

2010-12-01 Thread August Carideo
Abigail "Abby" Sciuto is a fictional character from the NCIS television
series by CBS Television, and is portrayed by Pauley Perrette.



   
Clark Morris
Sent by: IBM Mainframe Discussion List
To: IBM-MAIN@bama.ua.edu
Subject: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking
Date: 12/01/2010 11:22 AM
Please respond to IBM Mainframe Discussion List

On 30 Nov 2010 07:42:00 -0800, in bit.listserv.ibm-main you wrote:

>> -Original Message-
>> From: IBM Mainframe Discussion List
>> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
>> Sent: Tuesday, November 30, 2010 9:27 AM
>> To: IBM-MAIN@bama.ua.edu
>> Subject: Re: A New Threat for password hacking
>>
>> On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:
>>
>>> snip
>>
>> If you have a product that insists on special characters in passwords,
>> this can be a major pain given the variability of code points for many
>> of the characters.  Also how many passwords do you have to remember?
>>
>> Clark Morris
>
>Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work "benefits"
>web site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those
>are the ones I use most of the time. I have a USB flash drive which is ext4
>formatted and uses a GPT partition table which contains an encrypted file
>which contains my other passwords (i.e. just confuses Windows users). And I
>have a backup of that encrypted file at home in a couple of places. Hope I
>never forget __that__ password! Not that I am likely to do so. And it is,
>for all intents and purposes, unguessable by anyone. No, I won't say more
>on that or why I would say it. Of course, it could be cracked by somebody
>like Abbie Sciuto (and maybe the NSA or FBI) in just a few minutes .
Who is Abbie Sciuto?

Clark Morris



Re: EXTERNAL: OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

2010-12-01 Thread Roach, Dennis (N-GHG)
Clark is obviously not an NCIS fan. Google Abby Sciuto (spelling corrected)

Dennis Roach
GHG Corporation
Lockheed Martin Mission Services
Facilities Design and Operations Contract
Strategic Technical Engineering
NASA/JSC
Address:
   2100 Space Park Drive 
   LM-15-4BH
   Houston, Texas 77058
Mail:
   P.O. Box 58487
   Mail Code H4C
   Houston, Texas 77258-8487
Phone:
   Voice:  (281)336-5027
   Cell:   (713)591-1059
   Fax:(281)336-5410
E-Mail:  dennis.ro...@lmco.com

All opinions expressed by me are mine and may not agree with my employer or any 
person, company, or thing, living or dead, on or near this or any other planet, 
moon, asteroid, or other spatial object, natural or manufactured, since the 
beginning of time.


From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Clark Morris
Sent: Wednesday, December 01, 2010 10:22 AM

>> From: IBM Mainframe Discussion List 
>> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
>> Sent: Tuesday, November 30, 2010 9:27 AM
>Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work "benefits" web 
>site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those are the 
>ones I use most of the time. I have a USB flash drive which is ext4 formatted 
>and uses a GPT partition table which contains an encrypted file which contains 
>my other passwords (i.e. just confuses Windows users). And I have a backup of 
>that encrypted file at home in a couple of places. Hope I never forget 
>__that__ password! Not that I am likely to do so. And it is, for all intents 
>and purposes, unguessable by anyone. No, I won't say more on that or why I 
>would say it. Of course, it could be cracked by somebody like Abbie Sciuto 
>(and maybe the NSA or FBI) in just a few minutes .
Who is Abbie Sciuto?

Clark Morris



OT: In regard to password cracking Who is Abbie Sciuto was Re: A New Threat for password hacking

2010-12-01 Thread Clark Morris
On 30 Nov 2010 07:42:00 -0800, in bit.listserv.ibm-main you wrote:

>> -Original Message-
>> From: IBM Mainframe Discussion List 
>> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
>> Sent: Tuesday, November 30, 2010 9:27 AM
>> To: IBM-MAIN@bama.ua.edu
>> Subject: Re: A New Threat for password hacking
>> 
>> On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:
>> 
>>> snip
>> 
>> If you have a product that insists on special characters in passwords,
>> this can be a major pain given the variability of code points for many
>> of the characters.  Also how many passwords do you have to remember?  
>> 
>> Clark Morris
>
>Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work "benefits" web 
>site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those are the 
>ones I use most of the time. I have a USB flash drive which is ext4 formatted 
>and uses a GPT partition table which contains an encrypted file which contains 
>my other passwords (i.e. just confuses Windows users). And I have a backup of 
>that encrypted file at home in a couple of places. Hope I never forget 
>__that__ password! Not that I am likely to do so. And it is, for all intents 
>and purposes, unguessable by anyone. No, I won't say more on that or why I 
>would say it. Of course, it could be cracked by somebody like Abbie Sciuto 
>(and maybe the NSA or FBI) in just a few minutes .
Who is Abbie Sciuto?

Clark Morris



Re: A New Threat for password hacking

2010-12-01 Thread Shmuel Metz (Seymour J.)
In , on 11/30/2010
   at 11:26 AM, Clark Morris  said:

>Security is not that high a priority in many organizations where the
>mantra is get the job done whatever it takes. 

ITYM get part of the job done even if it sabotages another part of the
job.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: A New Threat for password hacking

2010-11-30 Thread Ed Gould
--- On Mon, 11/29/10, McKown, John  wrote:

From: McKown, John 
Subject: Re: A New Threat for password hacking
To: IBM-MAIN@bama.ua.edu
Date: Monday, November 29, 2010, 9:57 AM

Each to his own. I prefer "the human touch" on password resets. But I'm an old 
paranoid . In my arrogance, somebody who cannot remember their RACF 
password likely can't remember their own name, either. A passphrase may be more 
difficult. But 8 stupid characters, max? Sure, it could be forgotten early on. 
And after a vacation. But we've had literally 8 or 10 password reset requests 
in a row from some of our off-shore users. Personally, I think they violate our 
standards and are sharing ids. But I can't prove it.


John: A couple of sites I use on the internet now use phrase checking. What I
have found is that they are inconsistent in checking the response, which makes
it really confusing. Example: Birth City: Some sites insist on capital letters,
e.g. New York, while some sites do not care if one types: new york. I do not
know if it is on purpose that it matters or what. I certainly hope IBM does not care.
Ed







Re: A New Threat for password hacking

2010-11-30 Thread McKown, John
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clark Morris
> Sent: Tuesday, November 30, 2010 9:27 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: A New Threat for password hacking
> 
> On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:
> 
> >I would tend to agree with ' they violate our standards and 
> are sharing ids'. Security is not priority one in some other 
> countries. (At least not OUR security).
> 
> Security is not that high a priority in many organizations where the
> mantra is get the job done whatever it takes.  If the security
> department is too restrictive and viewed as being a major roadblock,
> the other departments will get creative.
> 
> If you have a product that insists on special characters in passwords,
> this can be a major pain given the variability of code points for many
> of the characters.  Also how many passwords do you have to remember?  
> 
> Clark Morris

Personally? About 5: (1) Work LAN; (2) Work mainframe; (3) Work "benefits" web 
site (outsourced); (4) home LAN; (4) Amazon; (5) home/ISP email. Those are the 
ones I use most of the time. I have a USB flash drive which is ext4 formatted 
and uses a GPT partition table which contains an encrypted file which contains 
my other passwords (i.e. just confuses Windows users). And I have a backup of 
that encrypted file at home in a couple of places. Hope I never forget __that__ 
password! Not that I am likely to do so. And it is, for all intents and 
purposes, unguessable by anyone. No, I won't say more on that or why I would 
say it. Of course, it could be cracked by somebody like Abbie Sciuto (and maybe 
the NSA or FBI) in just a few minutes .

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * 
john.mck...@healthmarkets.com * www.HealthMarkets.com



Re: A New Threat for password hacking

2010-11-30 Thread Clark Morris
On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:

>I would tend to agree with ' they violate our standards and are sharing ids'. 
>Security is not priority one in some other countries. (At least not OUR 
>security).

Security is not that high a priority in many organizations where the
mantra is get the job done whatever it takes.  If the security
department is too restrictive and viewed as being a major roadblock,
the other departments will get creative.

If you have a product that insists on special characters in passwords,
this can be a major pain given the variability of code points for many
of the characters.  Also how many passwords do you have to remember?  

Clark Morris
>
>-Original Message-
>From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
>McKown, John
>Sent: Monday, November 29, 2010 10:58 AM
>To: IBM-MAIN@bama.ua.edu
>Subject: Re: A New Threat for password hacking
>
>Each to his own. I prefer "the human touch" on password resets. But I'm an old 
>paranoid . In my arrogance, somebody who cannot remember their RACF 
>password likely can't remember their own name, either. A passphrase may be 
>more difficult. But 8 stupid characters, max? Sure, it could be forgotten 
>early on. And after a vacation. But we've had literally 8 or 10 password reset 
>requests in a row from some of our off-shore users. Personally, I think they 
>violate our standards and are sharing ids. But I can't prove it.
>
>> -Original Message-----
>> From: IBM Mainframe Discussion List
>> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Paul Gilmartin
>> Sent: Monday, November 29, 2010 9:44 AM
>> To: IBM-MAIN@bama.ua.edu
>> Subject: Re: A New Threat for password hacking
>> 
>> On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:
>> >
>> >What gets me on this is that, in the recent past, some people at work 
>> >were wanting an "automatic resume" of any RACF id which got too many 
>> >password violations after some interval - like 10 minutes. So try "n"
>> >times, wait "m" minutes, rinse and repeat. Luckily this was killed.
>> >
>> The proposal isn't totally unreasonable in that it multiplies the time 
>> required for a brute force attack by a few orders of magnitude.
>> I knew a product which imposed an escalating lockout time before retry 
>> for each unsuccessful attempt.
>> 
>> -- gil
>> 



Re: A New Threat for password hacking

2010-11-30 Thread Shmuel Metz (Seymour J.)
In ,
on 11/29/2010
   at 09:57 AM, "McKown, John"  said:

>Each to his own. I prefer "the human touch" on password resets. But
>I'm an old paranoid . In my arrogance, somebody who cannot
>remember their RACF password likely can't remember their own name,
>either. A passphrase may be more difficult. But 8 stupid characters,
>max?

One of the curses of the computer industry is people who believe that
their &foo[1] is the only one, and aren't concerned about what happens
when &bar has to use both your &foo and &baz's &foo. Eight characters
isn't very much to remember if you only have one password. By the time
you have half a dozen, it becomes an issue.

[1] E.g., dongle, password
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: A New Threat for password hacking

2010-11-29 Thread Ted MacNEIL
>IMHO it's better (safer) than "self service password reset".

A full service reset could be costly.
I was once a customer of a service provider that charged us for each reset.
Each year we paid them twice as much as the cost of a self-service solution.

And, we're not talking about one of the cheap ones.
We're talking about a redundant server with connections to windows, z, *nix, 
including LINUX, active directory, and things we didn't have.

They can be very secure.
We had 3-question challenge response, full profiling of users -- the works.

-
Ted MacNEIL
eamacn...@yahoo.ca



Re: A New Threat for password hacking

2010-11-29 Thread R.S.

On 2010-11-29 16:43, Paul Gilmartin wrote:

> On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:
>
>> What gets me on this is that, in the recent past, some people at work
>> were wanting an "automatic resume" of any RACF id which got too many
>> password violations after some interval - like 10 minutes. So try "n"
>> times, wait "m" minutes, rinse and repeat. Luckily this was killed.
>
> The proposal isn't totally unreasonable in that it multiplies the
> time required for a brute force attack by a few orders of magnitude.
> I knew a product which imposed an escalating lockout time before
> retry for each unsuccessful attempt.

The proposal is *very* reasonable. Such functionality could be very
convenient and it's NOT a security breach. Note: YOU CAN SWITCH IT OFF!
A choice is good. For those who do not accept such a solution the
functionality would be disabled. For others that means saved FTE's. IMHO
it's better (safer) than "self service password reset".


Would I switch it on? I wouldn't decide, IT'S NOT MY DOG. ;-)
My dog is to abide by (observe) the rules.

--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

District Court for the Capital City of Warsaw,
XII Commercial Division of the National Court Register,
register of entrepreneurs no. KRS 025237

NIP: 526-021-50-88
As of 16.07.2010 the share capital of BRE Bank SA (fully paid up) amounts to PLN 168,248,328.




Re: A New Threat for password hacking

2010-11-29 Thread Veilleux, Jon L
I would tend to agree with ' they violate our standards and are sharing ids'. 
Security is not priority one in some other countries. (At least not OUR 
security).

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
McKown, John
Sent: Monday, November 29, 2010 10:58 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: A New Threat for password hacking

Each to his own. I prefer "the human touch" on password resets. But I'm an old 
paranoid . In my arrogance, somebody who cannot remember their RACF 
password likely can't remember their own name, either. A passphrase may be more 
difficult. But 8 stupid characters, max? Sure, it could be forgotten early on. 
And after a vacation. But we've had literally 8 or 10 password reset requests 
in a row from some of our off-shore users. Personally, I think they violate our 
standards and are sharing ids. But I can't prove it.


> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Paul Gilmartin
> Sent: Monday, November 29, 2010 9:44 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: A New Threat for password hacking
> 
> On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:
> >
> >What gets me on this is that, in the recent past, some people at work 
> >were wanting an "automatic resume" of any RACF id which got too many 
> >password violations after some interval - like 10 minutes. So try "n"
> >times, wait "m" minutes, rinse and repeat. Luckily this was killed.
> >
> The proposal isn't totally unreasonable in that it multiplies the time 
> required for a brute force attack by a few orders of magnitude.
> I knew a product which imposed an escalating lockout time before retry 
> for each unsuccessful attempt.
> 
> -- gil
> 
This e-mail may contain confidential or privileged information. If
you think you have received this e-mail in error, please advise the
sender by reply e-mail and then delete this e-mail immediately.
Thank you. Aetna   



Re: A New Threat for password hacking

2010-11-29 Thread McKown, John
Each to his own. I prefer "the human touch" on password resets. But I'm an old 
paranoid . In my arrogance, somebody who cannot remember their RACF 
password likely can't remember their own name, either. A passphrase may be more 
difficult. But 8 stupid characters, max? Sure, it could be forgotten early on. 
And after a vacation. But we've had literally 8 or 10 password reset requests 
in a row from some of our off-shore users. Personally, I think they violate our 
standards and are sharing ids. But I can't prove it.

John McKown 

Systems Engineer IV

IT

 

Administrative Services Group

 

HealthMarkets(r)

 

9151 Boulevard 26 * N. Richland Hills * TX 76010

(817) 255-3225 phone * 

john.mck...@healthmarkets.com * www.HealthMarkets.com

 


 

> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Paul Gilmartin
> Sent: Monday, November 29, 2010 9:44 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: A New Threat for password hacking
> 
> On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:
> >
> >What gets me on this is that, in the recent past, some people at work
> >were wanting an "automatic resume" of any RACF id which got too many
> >password violations after some interval - like 10 minutes. So try "n"
> >times, wait "m" minutes, rinse and repeat. Luckily this was killed.
> >
> The proposal isn't totally unreasonable in that it multiplies the
> time required for a brute force attack by a few orders of magnitude.
> I knew a product which imposed an escalating lockout time before
> retry for each unsuccessful attempt.
> 
> -- gil
> 



Re: A New Threat for password hacking

2010-11-29 Thread Paul Gilmartin
On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:
>
>What gets me on this is that, in the recent past, some people at work
>were wanting an "automatic resume" of any RACF id which got too many
>password violations after some interval - like 10 minutes. So try "n"
>times, wait "m" minutes, rinse and repeat. Luckily this was killed.
>
The proposal isn't totally unreasonable in that it multiplies the
time required for a brute force attack by a few orders of magnitude.
I knew a product which imposed an escalating lockout time before
retry for each unsuccessful attempt.

-- gil

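The lockout policies discussed in this post (revoke after n failures with no resume, the "try n, wait m minutes" auto-resume, and gil's escalating lockout) can be compared by counting how many online guesses each one permits per day and what that means against an 8-character password space. The simulation below is added here and is not code from the thread or from RACF; the one-second attempt time, the doubling lockout schedule and the 36-symbol, 8-character alphabet are assumptions.

```python
"""Online-guessing budget under different RACF-style lockout policies.

Added illustration for the thread, not any poster's code.  All timings,
lockout schedules and the password space are assumed values; every guess
is assumed to fail, because this is budgeting for the defender, not an
attack.
"""
import math

DAY = 24 * 60 * 60  # length of the evaluation window, in seconds


def simulate_guesses(lockout_after, window=DAY, attempt_seconds=1):
    """Count how many online guesses fit into `window` seconds.

    `lockout_after(failures)` returns the delay in seconds imposed after the
    given number of consecutive failures, or None when the ID is revoked and
    no further attempts are possible without an administrator resume.
    """
    t = 0
    guesses = 0
    failures = 0
    while t + attempt_seconds <= window:
        t += attempt_seconds
        guesses += 1
        failures += 1
        delay = lockout_after(failures)
        if delay is None:
            break  # revoked: attempts stall until a human resumes the ID
        t += delay
    return guesses


def no_throttle(failures):
    """Baseline: nothing slows the guesser down."""
    return 0


def revoke_after(n):
    """Revoke the ID after n failures and never resume automatically."""
    return lambda failures: None if failures >= n else 0


def auto_resume(n, m_minutes):
    """The proposal from the thread: n tries, wait m minutes, repeat."""
    return lambda failures: m_minutes * 60 if failures % n == 0 else 0


def escalating(base_seconds=1, factor=2):
    """Escalating lockout: the delay grows by `factor` after each failure
    (assumed schedule; the product gil mentions is not specified)."""
    return lambda failures: base_seconds * factor ** (failures - 1)


def expected_years(guesses_per_day, alphabet=36, length=8):
    """Expected time to hit one password by exhaustive online guessing:
    half the space on average at the policy's sustained daily rate."""
    space = alphabet ** length
    days = (space / 2) / guesses_per_day
    return days / 365.25


def slowdown_orders(baseline, throttled):
    """Orders of magnitude by which a policy slows the baseline guesser."""
    return math.log10(baseline / throttled)


if __name__ == "__main__":
    base = simulate_guesses(no_throttle)
    policies = [
        ("no throttle", no_throttle),
        ("revoke after 3", revoke_after(3)),
        ("try 3 / wait 10 min", auto_resume(3, 10)),
        ("escalating x2", escalating()),
    ]
    for name, policy in policies:
        g = simulate_guesses(policy)
        print(f"{name:20s} {g:6d} guesses/day  "
              f"{slowdown_orders(base, g):4.1f} orders slower  "
              f"~{expected_years(g):.1e} years to cover half the space")
```

Even the auto-resume variant cuts the daily online budget by more than two orders of magnitude against the unthrottled baseline, which is the point gil makes; the revoke-only policy stops the online guesser entirely but pushes the cost onto reset handling.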


Re: A New Threat for password hacking

2010-11-29 Thread McKown, John
Correct. I meant FDR or DFDSS or even IRRUTnnn unload. Not IRRDBU00.

John McKown 


> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Chase, John
> Sent: Monday, November 29, 2010 6:54 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: A New Threat for password hacking
> 
> > -Original Message-
> > From: IBM Mainframe Discussion List On Behalf Of Binyamin Dissen
> > 
> > On Mon, 29 Nov 2010 04:39:54 -0600 Brian Westerman
> >  wrote:
> > 
> > :>It's kind of difficult to use a brute force attack when RACF revokes the ID
> > :>after a site specified number of attempts.  Assuming the site doesn't allow
> > :>1 or 2 character passwords (you don't do you), even if the site were to
> > :>allow 100 attempts, it's statistically a REALLY long shot to guess the
> > :>password.  I would imagine that most sites have 3 or 4 as the number of
> > :>attempts, making the probability for success of a brute force attack too
> > :>remote to consider as they wouldn't even get out of the single character
> > :>attempts.
> > 
> > If you have the offload, you can make as many attempts as you wish.
> 
> But the "offload" (did you mean "unload", as produced by IRRDBU00?)
> doesn't contain the password.
> 
> If you meant "backup", then your point is valid.
> 
> -jc-
> 
> 
> 



Re: A New Threat for password hacking

2010-11-29 Thread McKown, John
Could well be. I vaguely remember something about Triple DES somewhere. But my 
mind is a bit "loose" right now on meds.

John McKown 


> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Robert S. Hansel (RSH)
> Sent: Monday, November 29, 2010 5:25 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: A New Threat for password hacking
> 
> John,
> 
> I believe RACF only uses single DES, not Triple DES.
> 
> Regards, Bob
> 
> Robert S. Hansel
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> www.linkedin.com/in/roberthansel
> www.rshconsulting.com
> 
> 
> -----Original Message-
> Date: Sun, 28 Nov 2010 19:37:37 -0600
> From: John McKown
> Subject: Re: A New Threat for password hacking
> 
> RACF password encryption is explained here:
> 
> http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza290/3.3.1
> 
> It uses Triple DES where the password is a key to encrypt the userid,
> which encrypted value is then stored in the DB. So two different users
> with the same password would have two different encrypted values. It
> also states it is a "one way" encryption. There is no way to 
> "back out".
> To crack a password would require having the unencrypted RACF id, the
> encrypted stored value, and the exact algorithm. Now, I'm not a
> cryptographer, but I don't think you can use that information to
> recreate a valid password easily. So you're more likely to try a brute
> force dictionary attack. Again, using an NSA quality supercomputer, I
> have no idea how long this would take. I think I'd just play the lotto
> and win sooner. But that is my ignorance speaking.
> 
> On Sun, 2010-11-28 at 19:15 -0600, Paul Gilmartin wrote:
> > On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote:
> >
> > >Easy to say "do not share your RACF db"; harder in reality. Most sites
> > >believe they are safe because their RACF db is security protected and the
> > >dasd is not shared. And then completely forget that backups (to physical or
> > >virtual tape) contain the exact same information. And quite often the DSN
> > >used for the backup tapes is some type of dasd-manager HLQ, since it was
> > >most likely a full-volume backup that happened to contain the RACF db. And
> > >even if the HLQ for the full-volume backups is read-protected; it is still
> > >far easier to hack a tape dataset. Often, tape libraries (physical and
> > >virtual) are shared with less-secure test machines and quite often even with
> > >non z/OS systems. Granted, you will need the physical layout of the RACF db;
> > >but not the entire layout. Just enough to identify where the passphrases are
> > >maintained.
> > >
> > Aren't the passwords encrypted?  But how strong is the encryption?
> >
> > It would be peculiarly pointless to store fewer bits of the 
> encrypted
> > password than are used in the encrypting key.
> >
> > -- gil
> >
> > 
> --
> John McKown
> Maranatha! <><
> 
> 
> 



Re: A New Threat for password hacking

2010-11-29 Thread Chase, John
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Binyamin Dissen
> 
> On Mon, 29 Nov 2010 04:39:54 -0600 Brian Westerman
>  wrote:
> 
> :>It's kind of difficult to use a brute force attack when RACF revokes the ID
> :>after a site specified number of attempts.  Assuming the site doesn't allow
> :>1 or 2 character passwords (you don't do you), even if the site were to
> :>allow 100 attempts, it's statistically a REALLY long shot to guess the
> :>password.  I would imagine that most sites have 3 or 4 as the number of
> :>attempts, making the probability for success of a brute force attack too
> :>remote to consider as they wouldn't even get out of the single character
> :>attempts.
> 
> If you have the offload, you can make as many attempts as you wish.

But the "offload" (did you mean "unload", as produced by IRRDBU00?)
doesn't contain the password.

If you meant "backup", then your point is valid.

-jc-



Re: A New Threat for password hacking

2010-11-29 Thread John McKown
On Mon, 2010-11-29 at 04:39 -0600, Brian Westerman wrote:
> It's kind of difficult to use a brute force attack when RACF revokes the ID
> after a site specified number of attempts.  Assuming the site doesn't allow
> 1 or 2 character passwords (you don't do you), even if the site were to
> allow 100 attempts, it's statistically a REALLY long shot to guess the
> password.  I would imagine that most sites have 3 or 4 as the number of
> attempts, making the probability for success of a brute force attack too
> remote to consider as they wouldn't even get out of the single character
> attempts.  
> 
> Brian
> 

I was thinking more of an off-line attack by having captured some sort
of dump of the database. 

What gets me on this is that, in the recent past, some people at work
were wanting an "automatic resume" of any RACF id which got too many
password violations after some interval - like 10 minutes. So try "n"
times, wait "m" minutes, rinse and repeat. Luckily this was killed. They
also wanted a "Web like" interface so that a person could reset their own
password via their browser. Luckily, we were able to kill most of this
stuff with HIPAA requirements. And the "dangling of multi-million dollar
penalties" should this be used to crack our system.

-- 
John McKown
Maranatha! <><



Re: A New Threat for password hacking

2010-11-29 Thread Robert S. Hansel (RSH)
John,

I believe RACF only uses single DES, not Triple DES.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com


-Original Message-
Date: Sun, 28 Nov 2010 19:37:37 -0600
From: John McKown
Subject: Re: A New Threat for password hacking

RACF password encryption is explained here:

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza290/3.3.1

It uses Triple DES where the password is a key to encrypt the userid,
which encrypted value is then stored in the DB. So two different users
with the same password would have two different encrypted values. It
also states it is a "one way" encryption. There is no way to "back out".
To crack a password would require having the unencrypted RACF id, the
encrypted stored value, and the exact algorithm. Now, I'm not a
cryptographer, but I don't think you can use that information to
recreate a valid password easily. So you're more likely to try a brute
force dictionary attack. Again, using an NSA quality supercomputer, I
have no idea how long this would take. I think I'd just play the lotto
and win sooner. But that is my ignorance speaking.

On Sun, 2010-11-28 at 19:15 -0600, Paul Gilmartin wrote:
> On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote:
>
> >Easy to say "do not share your RACF db"; harder in reality. Most sites
> >believe they are safe because their RACF db is security protected and the
> >dasd is not shared. And then completely forget that backups (to physical or
> >virtual tape) contain the exact same information. And quite often the DSN
> >used for the backup tapes is some type of dasd-manager HLQ, since it was
> >most likely a full-volume backup that happened to contain the RACF db. And
> >even if the HLQ for the full-volume backups is read-protected; it is still
> >far easier to hack a tape dataset. Often, tape libraries (physical and
> >virtual) are shared with less-secure test machines and quite often even with
> >non z/OS systems. Granted, you will need the physical layout of the RACF db;
> >but not the entire layout. Just enough to identify where the passphrases are
> >maintained.
> >
> Aren't the passwords encrypted?  But how strong is the encryption?
>
> It would be peculiarly pointless to store fewer bits of the encrypted
> password than are used in the encrypting key.
>
> -- gil
>
--
John McKown
Maranatha! <><



Re: A New Threat for password hacking

2010-11-29 Thread Binyamin Dissen
On Mon, 29 Nov 2010 04:39:54 -0600 Brian Westerman
 wrote:

:>It's kind of difficult to use a brute force attack when RACF revokes the ID
:>after a site specified number of attempts.  Assuming the site doesn't allow
:>1 or 2 character passwords (you don't do you), even if the site were to
:>allow 100 attempts, it's statistically a REALLY long shot to guess the
:>password.  I would imagine that most sites have 3 or 4 as the number of
:>attempts, making the probability for success of a brute force attack too
:>remote to consider as they wouldn't even get out of the single character
:>attempts.  

If you have the offload, you can make as many attempts as you wish.

--
Binyamin Dissen 
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel




Re: A New Threat for password hacking

2010-11-29 Thread Brian Westerman
It's kind of difficult to use a brute force attack when RACF revokes the ID
after a site specified number of attempts.  Assuming the site doesn't allow
1 or 2 character passwords (you don't do you), even if the site were to
allow 100 attempts, it's statistically a REALLY long shot to guess the
password.  I would imagine that most sites have 3 or 4 as the number of
attempts, making the probability for success of a brute force attack too
remote to consider as they wouldn't even get out of the single character
attempts.  

Brian



Re: A New Threat for password hacking

2010-11-28 Thread John McKown
RACF password encryption is explained here:

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza290/3.3.1

It uses Triple DES where the password is a key to encrypt the userid,
which encrypted value is then stored in the DB. So two different users
with the same password would have two different encrypted values. It
also states it is a "one way" encryption. There is no way to "back out".
To crack a password would require having the unencrypted RACF id, the
encrypted stored value, and the exact algorithm. Now, I'm not a
cryptographer, but I don't think you can use that information to
recreate a valid password easily. So you're more likely to try a brute
force dictionary attack. Again, using an NSA quality supercomputer, I
have no idea how long this would take. I think I'd just play the lotto
and win sooner. But that is my ignorance speaking. 

On Sun, 2010-11-28 at 19:15 -0600, Paul Gilmartin wrote:
> On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote:
> 
> >Easy to say "do not share your RACF db"; harder in reality. Most sites
> >believe they are safe because their RACF db is security protected and the
> >dasd is not shared. And then completely forget that backups (to physical or
> >virtual tape) contain the exact same information. And quite often the DSN
> >used for the backup tapes is some type of dasd-manager HLQ, since it was
> >most likely a full-volume backup that happened to contain the RACF db. And
> >even if the HLQ for the full-volume backups is read-protected; it is still
> >far easier to hack a tape dataset. Often, tape libraries (physical and
> >virtual) are shared with less-secure test machines and quite often even with
> >non z/OS systems. Granted, you will need the physical layout of the RACF db;
> >but not the entire layout. Just enough to identify where the passphrases are
> >maintained.
> >
> Aren't the passwords encrypted?  But how strong is the encryption?
> 
> It would be peculiarly pointless to store fewer bits of the encrypted
> password than are used in the encrypting key.
> 
> -- gil
> 
-- 
John McKown
Maranatha! <><



Re: A New Threat for password hacking

2010-11-28 Thread Paul Gilmartin
On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote:

>Easy to say "do not share your RACF db"; harder in reality. Most sites
>believe they are safe because their RACF db is security protected and the
>dasd is not shared. And then completely forget that backups (to physical or
>virtual tape) contain the exact same information. And quite often the DSN
>used for the backup tapes is some type of dasd-manager HLQ, since it was
>most likely a full-volume backup that happened to contain the RACF db. And
>even if the HLQ for the full-volume backups is read-protected; it is still
>far easier to hack a tape dataset. Often, tape libraries (physical and
>virtual) are shared with less-secure test machines and quite often even with
>non z/OS systems. Granted, you will need the physical layout of the RACF db;
>but not the entire layout. Just enough to identify where the passphrases are
>maintained.
>
Aren't the passwords encrypted?  But how strong is the encryption?

It would be peculiarly pointless to store fewer bits of the encrypted
password than are used in the encrypting key.

-- gil



Re: A New Threat for password hacking

2010-11-28 Thread Russell Witt
Easy to say "do not share your RACF db"; harder in reality. Most sites
believe they are safe because their RACF db is security protected and the
dasd is not shared. And then completely forget that backups (to physical or
virtual tape) contain the exact same information. And quite often the DSN
used for the backup tapes is some type of dasd-manager HLQ, since it was
most likely a full-volume backup that happened to contain the RACF db. And
even if the HLQ for the full-volume backups is read-protected; it is still
far easier to hack a tape dataset. Often, tape libraries (physical and
virtual) are shared with less-secure test machines and quite often even with
non z/OS systems. Granted, you will need the physical layout of the RACF db;
but not the entire layout. Just enough to identify where the passphrases are
maintained.

The number of sites that forget about tape security is scary. And
unprotected tape (both physical and virtual) allows anyone in the
organization to read a backup of almost any file in the data center.

Russell Witt
my own 2-cents worth

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of R.S.
Sent: Sunday, November 28, 2010 1:52 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: A New Threat for password hacking


Ed Gould pisze:
> http://preview.tinyurl.com/2djttta
> Hacker Cracks Secure Hashing Algorithm Using Amazon Cloud
> Using EC2's cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1
> passwords in under an hour; other experts aren't concerned.

Fortunately the mainframe has no GPU.
More seriously:
1. Passwords in the RACF db are stored using DES, not SHA (actually the
password is the key used to encrypt the userid).
2. It's widely known that SHA1 is not strong enough.
3. The best idea is not to share the RACF db with potential hackers. No db
means nothing to crack, regardless of the algorithm or the CPU power
available for cracking.

--
Radoslaw Skorupka
Lodz, Poland





Re: A New Threat for password hacking

2010-11-27 Thread R.S.

Ed Gould pisze:

http://preview.tinyurl.com/2djttta
Hacker Cracks Secure Hashing Algorithm Using Amazon Cloud
Using EC2's cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1 passwords in under an hour; other experts aren't concerned.


Fortunately the mainframe has no GPU.
More seriously:
1. Passwords in the RACF db are stored using DES, not SHA (actually the
password is the key used to encrypt the userid).
2. It's widely known that SHA1 is not strong enough.
3. The best idea is not to share the RACF db with potential hackers. No db
means nothing to crack, regardless of the algorithm or the CPU power
available for cracking.


--
Radoslaw Skorupka
Lodz, Poland



