Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-16 Thread Anne & Lynn Wheeler

[EMAIL PROTECTED] (Thompson, Steve) writes:

You mean, should your computer (laptop) be stolen, one could then boot
using a LIVE Linux CD, and crack the wallet contents... Come to think of
it, with a LIVE Linux CD, one can crack NTFS files used by Windows

This is why in our pursuit of security, we make ourselves unsecure
because of all the accounts we have that we have to have a userid and
password for. And if kept in that wallet, once it is hacked, what damage
could be done?

Think about this for a moment. How many web sites require you to
register before you can look at their content. This adds to the issue.

How many use the same throw-away userid across as many junk
sites/accounts as possible, but keep the same password as they use for
their banking ids? While I may have said this backwards, I think you can
see the point.

Again, I do not have a solution because the things that I would have
pointed out or pointed to have already been shown to not be so secure
after all by others on IBM-Main.


previous post in thread:
http://www.garlic.com/~lynn/2007d.html#34 Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

so the issue discussed in these recent posts
http://www.galric.com/~lynn/aadsm26.htm#35 Failure of PKI in messaging
http://www.garlic.com/~lynn/aadsm26.htm#36 New Credit Cards May Leak Personal Information

is to transition away from shared-secret paradigm
http://www.garlic.com/~lynn/subintegrity.html#shared

an issue with (static data) shared-secret paradigm is that the same
value is used to both originate/authenticate as well as to verify.
this also leads to requirement that each unique security domain
requires unique shared-secret as countermeasure to cross-domain
attacks.

in public key paradigm, the value to originate an authentication is
different than the value to verify an authentication. also the value
being verified can be made unique for every use ... as countermeasure
to eavesdropping and replay attacks.

the private key can be made sufficiently complex that it effectively
negates brute-force guessing attacks.

so threat/attack vector then starts focusing on (unauthorized)
accessing (possibly single) private key.

for some drift, archeological ('81) reference to public key proposal
http://www.garlic.com/~lynn/2006w.html#email810515 more secure communication over the network

and old ('84) april 1st "corporate directive" password guideline proposal
http://www.garlic.com/~lynn/2001d.html#52 OT Re: A beautiful morning in AFM.
http://www.garlic.com/~lynn/2001d.html#53 April Fools Day
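
The distinction Lynn draws above between the value that originates an authentication and the value that verifies it, shown as an added Go example (not code from the post or from garlic.com): the verifier's table holds only public keys, every challenge is a fresh nonce, and a captured response fails when replayed. Ed25519 as the public-key scheme and the userid LYNN are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Verifier holds only public keys, so a stolen copy of this table gives an
// attacker nothing that can originate an authentication (unlike a stolen
// shared-secret password database).
type Verifier struct {
	pubkeys map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding challenge per userid, single use
}

func NewVerifier() *Verifier {
	return &Verifier{pubkeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the user's public key, the value used to verify.
func (v *Verifier) Register(userid string, pub ed25519.PublicKey) {
	v.pubkeys[userid] = pub
}

// Challenge issues a fresh random nonce: the value being verified is unique
// for every use, which is the countermeasure to eavesdropping and replay.
func (v *Verifier) Challenge(userid string) ([]byte, error) {
	if _, ok := v.pubkeys[userid]; !ok {
		return nil, errors.New("unknown userid")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[userid] = nonce
	return nonce, nil
}

// signedMessage binds the userid to the nonce so a response for one account
// cannot be presented against another account's challenge.
func signedMessage(userid string, challenge []byte) []byte {
	return append([]byte(userid+"\x00"), challenge...)
}

// Respond is the client side: the private key (the value used to originate)
// signs the challenge and never leaves the client.
func Respond(priv ed25519.PrivateKey, userid string, challenge []byte) []byte {
	return ed25519.Sign(priv, signedMessage(userid, challenge))
}

// Verify checks the response against the stored public key and the
// outstanding challenge, then retires the challenge whatever the result.
func (v *Verifier) Verify(userid string, challenge, sig []byte) bool {
	pub, ok := v.pubkeys[userid]
	want, pending := v.pending[userid]
	if !ok || !pending || !bytes.Equal(want, challenge) {
		return false
	}
	delete(v.pending, userid)
	return ed25519.Verify(pub, signedMessage(userid, challenge), sig)
}

// Outcome records one genuine authentication and two replay attempts.
type Outcome struct{ First, ReplaySame, ReplayNew bool }

// Exchange runs the full protocol for the constructed userid LYNN.
func Exchange() (Outcome, error) {
	var out Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	v := NewVerifier()
	v.Register("LYNN", pub)

	c1, err := v.Challenge("LYNN")
	if err != nil {
		return out, err
	}
	sig1 := Respond(priv, "LYNN", c1)
	out.First = v.Verify("LYNN", c1, sig1)

	// An eavesdropper replaying the captured (c1, sig1) pair: c1 is retired.
	out.ReplaySame = v.Verify("LYNN", c1, sig1)

	// Against a fresh challenge the captured signature no longer matches.
	c2, err := v.Challenge("LYNN")
	if err != nil {
		return out, err
	}
	out.ReplayNew = v.Verify("LYNN", c2, sig1)
	return out, nil
}

func main() {
	out, err := Exchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine response verified: %v\n", out.First)
	fmt.Printf("replay of same response:   %v\n", out.ReplaySame)
	fmt.Printf("old response, new challenge: %v\n", out.ReplayNew)
}
```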

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Password rules including my disdain for mixed case was Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-16 Thread Clark Morris
On Fri, 16 Feb 2007 10:31:35 -0700, in bit.listserv.ibm-main you
wrote:

>On 16 Feb 2007 09:05:19 -0800, [EMAIL PROTECTED] (Rick Fochtman)
>wrote:
>
>>That's true, Walt. But how do you prevent the user from burying his id, 
>>or an anagram of it, in the password without using an exit? We found 
>>that to be the most prevalent security-related issue when we had to 
>>grant access to non-DP oriented users, like the traders on the floor at 
>>the Chicago Board of Trade.
>>
>>(Forcing regular password changes was a whole other issue. )
>
>Let me see, this is February of 2007, my password must be B02razee07.
As someone who is keeping straight a large number of passwords (2
email, 2 financial, 1 for the place I sometimes contract for, 3 home
passwords, one of which is written down, 1 weak password for yahoo, a
password for the LAN when on a contract and a password for the
mainframes), I have several rules.  I will use special characters that
seem invariant across code pages if allowed such as period slash and
comma.  My minimum password is 7 characters and it will have letters
and numbers.  I won't use upper case unless forced and will send memos
stating why this is a BAD idea.  I have enough problems typing and
remembering to put up with trying to remember when to shift and don't
need typing complications.  Unless I believe that I have compromised a
password, I won't change it unless forced to because I believe that it
is an exercise in futility designed to pacify security administrators.
If someone has stolen the password database, there are worse problems
than my not changing a password.  If there is a keystroke logger on my
computer, frequent changes won't matter (note that at home I run 2
spyware checkers with online checking and an Internet Security suite
that worried about Quicktax doing keystroke monitoring).  While like a
paranoid systems programmer, I don't automatically update Windows, I
do so periodically and read the notes for the updates which seem as
good as many of those I have seen for APARs.  It is ironic that the
only special characters allowed in things like user-ids are three that
in EBCDIC are not stable across code pages.  If someone wants to make
the password stronger, give me the stable special characters and
longer passwords.  One of my financial passwords exceeds 8 characters
but not all institutions will accept a longer password.  Note that a
fingerprint should be easy to capture and forge.  The better biometric
might be an audible voice q&a.  
 
>Gets me past the password cops, I don't write my password down, and
>can do my work.
>
>Hey, it can be broken - but if I don't work, I don't get paid -
>security is someone else's problem.
>
>Years ago I had a Vax class - my instructor was French, so she was
>able to use passwords that the English language password parser did
>not recognize as words.
>
>But just as security isn't my job - developing a useable replacement
>for passwords apparently isn't the job of our local security staff -
>not without a budget and support to do something better.
>
>And apparently nobody is solving the problem of world-wide security
>with people using the same password on a hundred web sites (meaning
>that they can be phished). The occasional article telling them this
>is dangerous does nothing - if they read it, they can't remember a
>hundred different secure passwords.



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-16 Thread Thompson, Steve
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of McKown, John
Sent: Friday, February 16, 2007 1:01 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:[EMAIL PROTECTED] On Behalf Of Thompson, Steve
> Sent: Friday, February 16, 2007 12:48 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8



> 
> We are becoming unsecure by trying to be so secure. Not everyone has
> photographic memory so that they can remember all their 
> userid/password
> combinations (where they can write it down, look at it, then 
> destroy the
> paper).
> 
> This is why PDAs are becoming dangerous as are laptops with their
> "wallets" and the like where people keep their userids and 
> passwords in
> their browsers.
> 
> I do not have the answer(s), I just started thinking about the simple
> solutions that people will use, but allow risk of compromise being
> increased.
> 
> Later,
> Steve Thompson

One thing that can be done with the Konqueror web browser and KDE on
Linux is to use "KDE Wallet". This is an encrypted file which contains
various userids and passwords. Konqueror (and other software) can
interface with the "KDE Wallet". The program asks for the wallet's
password and passes it to the interface along with the resource whose
password is needed. The wallet then gives the appropriate password back
to the application. This may have been what you were talking about with
"wallets", but I'm not sure.



You mean, should your computer (laptop) be stolen, one could then boot
using a LIVE Linux CD, and crack the wallet contents... Come to think of
it, with a LIVE Linux CD, one can crack NTFS files used by Windows

This is why in our pursuit of security, we make ourselves unsecure
because of all the accounts we have that we have to have a userid and
password for. And if kept in that wallet, once it is hacked, what damage
could be done?

Think about this for a moment. How many web sites require you to
register before you can look at their content. This adds to the issue.

How many use the same throw-away userid across as many junk
sites/accounts as possible, but keep the same password as they use for
their banking ids? While I may have said this backwards, I think you can
see the point.

Again, I do not have a solution because the things that I would have
pointed out or pointed to have already been shown to not be so secure
after all by others on IBM-Main.

Regards,
Steve Thompson



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-16 Thread Howard Brazee
On 16 Feb 2007 11:01:44 -0800, [EMAIL PROTECTED] (McKown,
John) wrote:

>One thing that can be done with the Konqueror web browser and KDE on
>Linux is to use "KDE Wallet". This is an encrypted file which contains
>various userids and passwords. Konqueror (and other software) can
>interface with the "KDE Wallet". The program asks for the wallet's
>password and passes it to the interface along with the resource whose
>password is needed. The wallet then gives the appropriate password back
>to the application. This may have been what you were talking about with
>"wallets", but I'm not sure.
>
>This is somewhat better than writing it down, but only works for
>programs which can interface with "KDE Wallet".

If we can carry this "wallet" from computer to computer, then this
could be an acceptable solution. But if we lose this wallet, we lose
our passwords.



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-16 Thread McKown, John
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:[EMAIL PROTECTED] On Behalf Of Thompson, Steve
> Sent: Friday, February 16, 2007 12:48 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8



> 
> We are becoming unsecure by trying to be so secure. Not everyone has
> photographic memory so that they can remember all their 
> userid/password
> combinations (where they can write it down, look at it, then 
> destroy the
> paper).
> 
> This is why PDAs are becoming dangerous as are laptops with their
> "wallets" and the like where people keep their userids and 
> passwords in
> their browsers.
> 
> I do not have the answer(s), I just started thinking about the simple
> solutions that people will use, but allow risk of compromise being
> increased.
> 
> Later,
> Steve Thompson

One thing that can be done with the Konqueror web browser and KDE on
Linux is to use "KDE Wallet". This is an encrypted file which contains
various userids and passwords. Konqueror (and other software) can
interface with the "KDE Wallet". The program asks for the wallet's
password and passes it to the interface along with the resource whose
password is needed. The wallet then gives the appropriate password back
to the application. This may have been what you were talking about with
"wallets", but I'm not sure.

This is somewhat better than writing it down, but only works for
programs which can interface with "KDE Wallet".

A cutesy overview is at:

http://www.marcelgagne.com/cwl012005.html

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology




Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-16 Thread Thompson, Steve
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Howard Brazee
Sent: Friday, February 16, 2007 11:32 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8



But just as security isn't my job - developing a useable replacement
for passwords apparently isn't the job of our local security staff -
not without a budget and support to do something better.

And apparently nobody is solving the problem of world-wide security
with people using the same password on a hundred web sites (meaning
that they can be phished). The occasional article telling them this
is dangerous does nothing - if they read it, they can't remember a
hundred different secure passwords.



Kind of what I was driving at when I said something about all the
accounts that I have to have a user id and password for. Banks, clubs,
employers (and how many systems have their own password/userid and
associated rules?), etc.

We are becoming unsecure by trying to be so secure. Not everyone has
photographic memory so that they can remember all their userid/password
combinations (where they can write it down, look at it, then destroy the
paper).

This is why PDAs are becoming dangerous as are laptops with their
"wallets" and the like where people keep their userids and passwords in
their browsers.

I do not have the answer(s), I just started thinking about the simple
solutions that people will use, but allow risk of compromise being
increased.

Later,
Steve Thompson



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-16 Thread Howard Brazee
On 16 Feb 2007 09:05:19 -0800, [EMAIL PROTECTED] (Rick Fochtman)
wrote:

>That's true, Walt. But how do you prevent the user from burying his id, 
>or an anagram of it, in the password without using an exit? We found 
>that to be the most prevalent security-related issue when we had to 
>grant access to non-DP oriented users, like the traders on the floor at 
>the Chicago Board of Trade.
>
>(Forcing regular password changes was a whole other issue. )

Let me see, this is February of 2007, my password must be B02razee07.

Gets me past the password cops, I don't write my password down, and
can do my work.

Hey, it can be broken - but if I don't work, I don't get paid -
security is someone else's problem.

Years ago I had a Vax class - my instructor was French, so she was
able to use passwords that the English language password parser did
not recognize as words.

But just as security isn't my job - developing a useable replacement
for passwords apparently isn't the job of our local security staff -
not without a budget and support to do something better.

And apparently nobody is solving the problem of world-wide security
with people using the same password on a hundred web sites (meaning
that they can be phished). The occasional article telling them this
is dangerous does nothing - if they read it, they can't remember a
hundred different secure passwords.



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-16 Thread Rick Fochtman

---
Good points.  Note, however, that there's a difference between requiring 
mixed-case passwords and having overly strict password rules.  A rule 
requiring 8-character passwords, with at least one upper case alpha, one 
lower case alpha, and one numeric is not overly strict, and can be met 
easily by the users.


That's true, Walt. But how do you prevent the user from burying his id, 
or an anagram of it, in the password without using an exit? We found 
that to be the most prevalent security-related issue when we had to 
grant access to non-DP oriented users, like the traders on the floor at 
the Chicago Board of Trade.


(Forcing regular password changes was a whole other issue. )



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-16 Thread Walter Farrell

On 2/15/2007 7:59 PM, Don Leahy wrote:
It is pretty obvious that weak passwords greatly increase the likelihood 
that a brute force attack will work.


However, since most (all?) systems revoke userids after a very small 
number of unsuccessful password attempts, the issue of strong vs weak 
passwords is totally irrelevant to your end users, so why burden them 
with strict password policies?   Even a weak password will stand up to a 
brute force attack if the userid is revoked after 3 failures.


Protecting the password data base from theft is the security 
administrator's job, not the end user's.  It doesn't matter how strong 
the safe or how complex the combination, if the thief can tuck it under 
his arm and take it home with him to work on at his leisure.


Good points.  Note, however, that there's a difference between requiring 
mixed-case passwords and having overly strict password rules.  A rule 
requiring 8-character passwords, with at least one upper case alpha, one 
lower case alpha, and one numeric is not overly strict, and can be met 
easily by the users.


Walt Farrell, CISSP
z/OS Security Design, IBM
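
Walt's rule above (8 characters, at least one upper-case letter, one lower-case letter and one digit) together with Rick's question earlier in the thread about users burying their userid, or an anagram of it, in the password, as an added Go example; this is not code from the list, from RACF or from ACF2. It assumes that "8 characters" means exactly 8 (the limit of the day), treats any run of four or more consecutive userid characters as a buried id, and uses constructed sample values.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// passwordLen is the rule from the thread: 8-character passwords.
const passwordLen = 8

// minIDFragment is an assumption of this example: a run of four or more
// consecutive userid characters inside the password counts as burying the id.
const minIDFragment = 4

// CheckComposition enforces exactly 8 characters with at least one upper-case
// letter, one lower-case letter and one digit (ASCII, as on the systems discussed).
func CheckComposition(pw string) error {
	if len(pw) != passwordLen {
		return fmt.Errorf("password must be exactly %d characters, got %d", passwordLen, len(pw))
	}
	var upper, lower, digit bool
	for i := 0; i < len(pw); i++ {
		c := pw[i]
		switch {
		case c >= 'A' && c <= 'Z':
			upper = true
		case c >= 'a' && c <= 'z':
			lower = true
		case c >= '0' && c <= '9':
			digit = true
		}
	}
	if !upper || !lower || !digit {
		return fmt.Errorf("password needs an upper-case letter, a lower-case letter and a digit")
	}
	return nil
}

// ContainsIDFragment reports whether any run of minIDFragment or more
// consecutive characters of the userid appears in the password, ignoring case.
func ContainsIDFragment(userid, pw string) bool {
	id := strings.ToLower(userid)
	p := strings.ToLower(pw)
	for start := 0; start+minIDFragment <= len(id); start++ {
		for end := start + minIDFragment; end <= len(id); end++ {
			if strings.Contains(p, id[start:end]) {
				return true
			}
		}
	}
	return false
}

// sortedKey returns the bytes of s in sorted order; two strings with the
// same key are anagrams of each other.
func sortedKey(s string) string {
	b := []byte(s)
	sort.Slice(b, func(i, j int) bool { return b[i] < b[j] })
	return string(b)
}

// ContainsAnagram reports whether some window of the password, as long as the
// userid, is a rearrangement of the userid's characters (case-insensitive).
func ContainsAnagram(userid, pw string) bool {
	id := strings.ToLower(userid)
	p := strings.ToLower(pw)
	if len(id) == 0 || len(id) > len(p) {
		return false
	}
	want := sortedKey(id)
	for i := 0; i+len(id) <= len(p); i++ {
		if sortedKey(p[i:i+len(id)]) == want {
			return true
		}
	}
	return false
}

// Validate applies the composition rule and then the two userid checks,
// the part a site would otherwise need a password exit to add.
func Validate(userid, pw string) error {
	if err := CheckComposition(pw); err != nil {
		return err
	}
	if ContainsIDFragment(userid, pw) {
		return fmt.Errorf("password contains part of the userid")
	}
	if ContainsAnagram(userid, pw) {
		return fmt.Errorf("password contains an anagram of the userid")
	}
	return nil
}

func main() {
	// Constructed sample userid and candidate passwords for illustration.
	userid := "JSMITH"
	for _, pw := range []string{"Blu3Sky9", "blu3sky9", "jSmith42", "HtimsJ42"} {
		if err := Validate(userid, pw); err != nil {
			fmt.Printf("%-9s rejected: %v\n", pw, err)
		} else {
			fmt.Printf("%-9s accepted\n", pw)
		}
	}
}
```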



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-15 Thread Ron Hawkins
Don,

For Brute Force cracking our thief may need a lot of leisure time. I have a
Password Protected Word document from 7 years ago that I forgot the password
on. Occasionally I start up a brute force cracker to open this file as I'd
like to have the contents back.

Over the last 5 years I've accumulated nearly six months of 'crack time' on
some pretty fast desktops, and I'm not even half way there. 

Ron

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of Don Leahy
> Sent: Friday, 16 February 2007 8:59 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8
> 
> It is pretty obvious that weak passwords greatly increase the likelihood
> that a brute force attack will work.
> 
> However, since most (all?) systems revoke userids after a very small
> number
> of unsuccessful password attempts, the issue of strong vs weak passwords
> is
> totally irrelevant to your end users, so why burden them with strict
> password policies?   Even a weak password will stand up to a brute force
> attack if the userid is revoked after 3 failures.
> 
> Protecting the password data base from theft is the security
> administrator's
> job, not the end user's.  It doesn't matter how strong the safe or how
> complex the combination, if the thief can tuck it under his arm and take
> it
> home with him to work on at his leisure.
> 



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-15 Thread Don Leahy
It is pretty obvious that weak passwords greatly increase the likelihood 
that a brute force attack will work.


However, since most (all?) systems revoke userids after a very small number 
of unsuccessful password attempts, the issue of strong vs weak passwords is 
totally irrelevant to your end users, so why burden them with strict 
password policies?   Even a weak password will stand up to a brute force 
attack if the userid is revoked after 3 failures.


Protecting the password data base from theft is the security administrator's 
job, not the end user's.  It doesn't matter how strong the safe or how 
complex the combination, if the thief can tuck it under his arm and take it 
home with him to work on at his leisure.




Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-15 Thread Peter Goldis
Walt is right (as usual) about the advantages of mixed-case passwords in 
deterring brute-force attacks. To get a feel for the difference, take a 
look at http://www.goldisconsulting.com/predict.htm
 
Mixed case passwords are also effective in deterring "dictionary" attacks. 
In our consulting and pen-testing work, we often run cracking tools in both 
ACF2 and RACF shops with a standard dictionary, and typically get "hits" on 
15-25% of the userids. Testing several thousand ids for all the words in 
the list can take a few hours. Having to test for mixed-case passwords 
makes this attack a lot less useful. 

Here are some lists we typically use (see your password?): 
http://www.goldisconsulting.com/dictionaries.htm



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Ted MacNEIL
>Sooner or later, the criminally-inclined will find a steal-around.


Let's all go home.
Let's all dig a hole in our back-yard.
Let's all put food, clothing, hygienic material, and favourite entertainment 
material in there (free, otherwise they have our contact info).
Let's then pull the dirt over us.
Then, we are protected from the 'criminally-inclined'.

Or, we can live/enjoy our lives and realise there is a risk to everything we do.

Yes, there may/will be a steal-around, but as with anything else, we can work 
with what we have and improve as improvements come.

PS: how did describing crooks and crooked activity become politically correct?
Criminally-inclined? Steal-around?
I mean, REALLY!

Crooks and theft?

(8-{>}

Nyuk! Nyuk! Nyuk!

-
Too busy driving to stop for gas!  



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Gray, Larry - Larry A

I saw that episode.  Both of the main people using different methods
were able to defeat the fingerprint based lock once they obtained the
fingerprint of the person that programmed the lock.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Hal Merritt
Sent: Wednesday, February 14, 2007 1:46 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

Doesn't anyone watch the Discovery Channel show Mythbusters? There was
one episode where they defeated a fingerprint based lock. 

They did not disclose the details on how they accomplished one critical
step, but, hey, we know it can be done. 



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Anne & Lynn Wheeler

Howard Brazee wrote:

As with all security needs, the technology will need to improve to
match the moving target of criminals. We don't know how far behind the
8-ball our credit cards technologies or our currency technologies are
- but we trust them enough so they work for our current needs.   I
suspect we are more vulnerable than we would like to admit here.

We know passwords are failing though. And the primary reason is we
need too many passwords all over the place - security needs to work
the way people work.


collection of posts over the past year about deployment of hardware tokens in 
that market segment ... and some of the related vulnerabilities and exploits
http://www.garlic.com/~lynn/subintegrity.html#yescard

recent thread in crypto list
http://www.garlic.com/~lynn/aadsm26.htm#32 Failure of PKI in messaging
http://www.garlic.com/~lynn/aadsm26.htm#33 Failure of PKI in messaging
http://www.garlic.com/~lynn/aadsm26.htm#34 Failure of PKI in messaging

and somewhat related thread that preceded it
http://www.garlic.com/~lynn/aadsm26.htm#26 man in the middle, SSL
http://www.garlic.com/~lynn/aadsm26.htm#27 man in the middle, SSL
http://www.garlic.com/~lynn/aadsm26.htm#28 man in the middle, SSL
http://www.garlic.com/~lynn/aadsm26.htm#30 man in the middle, SSL
http://www.garlic.com/~lynn/aadsm26.htm#31 man in the middle, SSL

as repeatedly mentioned in the above ... (SSL) encryption involved "hiding" the 
account number while it moved thru the internet ... for what came to be called electronic 
commerce.

in the mid-90s, the x9a10 financial standard working group had been given the 
requirement to preserve the integrity of the financial infrastructure for all 
retail payments. this resulted in the x9.59 financial standard
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

if you look at the security PAIN acronym

P - privacy (or sometimes CAIN for confidentiality, i.e. security by hiding 
information)
A - authentication
I - integrity
N - non-repudiation

in effect, x9.59 financial standard substituted "authentication" and "integrity" for 
"privacy". part of this was the diametrically opposing requirements placed on account numbers. at 
one end, the requirement to keep account numbers confidential and never allowed to be divulged. at the other 
end, dozens of business processes that require ready and general access to the account number. this led to my 
periodic comment that even if the planet was buried under miles of (information hiding) encryption, it still 
wouldn't be able to prevent account number leakage.

now, part of the password paradigm analysis is from the standpoint of 3-factor 
authentication:
http://www.garlic.com/~lynn/subintegrity.html#3factor

* something you know (i.e. pins and passwords)
* something you have (i.e. hardware tokens)
* something you are (i.e. biometrics)

pins and passwords ... have commonly been deployed as "shared secrets". This 
has resulted in a security requirement for a unique shared secret for every unique 
security domain (as countermeasure to cross domain attacks). Other security requirements 
have required passwords to be impossible to guess (as countermeasure to guessing 
attacks) ... which also tends to have the side-effect that they are impossible to 
remember.

40-50 years ago, when a person was possibly involved in only a single security domain ... and only 
had a single password to remember ... the password ("shared-secret" "something you 
know") paradigm was somewhat tolerable. However, as typical number of unique security domain 
participation by individuals has grown to scores ... the scores of related passwords have become 
unmanageable.
http://www.garlic.com/~lynn/subintegrity.html#secrets

now, one of the assumptions in the domain of "multi-factor" authentication ... 
is the security is better based on (frequently implicit) assumption that the different 
factors are subject to independent vulnerabilities. however, there are a number of 
technology attacks that can invalidate such an assumption ... being able to compromise 
multi-factor authentication in a single exploit.

For instance, in the previously mentioned "yes card" exploit, there is an assumption about multi-factor authentication 
... with a chip-token as a "something you have" authentication in conjunction with a PIN as "something you 
know". However, part of the "yes card" exploit is being able to counterfeit the "YES" in response to 
query whether the correct PIN was entered
(i.e. "YES" is the response regardless of what PIN is entered, negating any 
requirement for actually needing to know the correct PIN).
http://www.garlic.com/~lynn/subintegrity.html#yescard

and a recent somewhat long running general thread
http://www.garlic.com/~lynn/2007.html#0 Securing financial transactions a high priority for 2007
http://www.garlic.com/~lynn/2007.html#5 Securing financial transactions a high priority for 2007
http://www.garlic.com/~lynn/2007.html

Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Kirk Talman
And if your token is used with a laptop for remote access, don't store the 
token in the laptop case, even in your own house.

IBM Mainframe Discussion List  wrote on 02/14/2007 
11:08:34 AM:

> Same goes for those tokens. Those are wonderful gadgets and offer a
> strong solution. But just how many do we expect the average user to
> carry? Two? Ten? The solution does not look to scale well. 





Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Rick Fochtman


> Doesn't anyone watch the Discovery Channel show Mythbusters? There was
> one episode where they defeated a fingerprint based lock.
>
> They did not disclose the details on how they accomplished one critical
> step, but, hey, we know it can be done.

--
Let's face it; no matter what security we devise, it will only serve to 
keep honest people out. Sooner or later, the criminally-inclined will 
find a steal-around.




Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Hal Merritt
Doesn't anyone watch the Discovery Channel show Mythbusters? There was
one episode where they defeated a fingerprint based lock. 

They did not disclose the details on how they accomplished one critical
step, but, hey, we know it can be done. 


-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Paul Gilmartin
Sent: Wednesday, February 14, 2007 11:14 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

In a recent note, Howard Brazee said:
  
Isn't it merely a matter of time, though, before the technology
arises to spoof fingerprint readers?  Then we'll need to be
concerned not only that a dishonest waiter copies our credit
cards, but that a dishonest busboy lifts our fingerprints from
the water glasses.  Fingerprints don't impress me as a good
secret.

-- gil
-- 
StorageTek
INFORMATION made POWERFUL
 



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Ed Finnell
 
In a message dated 2/14/2007 12:11:50 P.M. Central Standard Time,
[EMAIL PROTECTED] writes:

> uh, Ed...  ???

Just trying to reduce the back pressure on the manifolds. Search jcwhitney



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Rick Fochtman

Ed Finnell wrote:

> In a message dated 2/14/2007 8:44:43 A.M. Central Standard Time,
> [EMAIL PROTECTED] writes:
>
> > That would go over like "exhaust pipe resonance" in an elevator.
>
> Shoot, we got fixes for everything
> http://www.jcwhitney.com/autoparts/Product/tf-Browse/s-10101/Pr-p_Product.CATENTRY_ID:2012155/p-2012155/N-111+10201+600015810/c-10101

uh, Ed... ???



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Howard Brazee
On 14 Feb 2007 09:14:34 -0800, [EMAIL PROTECTED] (Paul Gilmartin)
wrote:

>Isn't it merely a matter of time, though, before the technology
>arises to spoof fingerprint readers?  Then we'll need to be
>concerned not only that a dishonest waiter copies our credit
>cards, but that a dishonest busboy lifts our fingerprints from
>the water glasses.  Fingerprints don't impress me as a good
>secret.

As with all security needs, the technology will need to improve to
match the moving target of criminals.   We don't know how far behind the
8-ball our credit card technologies or our currency technologies are
- but we trust them enough so they work for our current needs.   I
suspect we are more vulnerable than we would like to admit here.

We know passwords are failing though.  And the primary reason is we
need too many passwords all over the place - security needs to work
the way people work.

A couple or a few decades ago I read a SF story - the protagonist
appeared to be a criminal and one thing he did was pull the
fingerprint off a rich person to make a bunch of luxury purchases. It
turns out he worked for the good guys, and was testing the system for
a bet.  At the end of the story, he made another bet for 6 months in
the future - after his co-workers changed the technology for such
things as making sure that the fingerprint came from a conscious
person.   In that world, such crime appeared to be rare - but the
process made sense anyway.   (I tend to believe that Vernor Vinge's
example of the danger of ubiquitous law enforcement is more likely to
be true).

What direction do we need to go for logon security?

The problem of counterfeiting is also a problem that extends beyond
paper money - counterfeiting data can affect us all over.   Google
recently added software to counter Google Bombs ("miserable failure").
It's not hard to extrapolate this concept to all Information
Processing.

 



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Paul Gilmartin
In a recent note, Howard Brazee said:

> Date: Wed, 14 Feb 2007 09:34:55 -0700
> 
> Individual shops can (but don't) spend the money for fingerprint
> readers - I'm not sure if that solution would work universally (if
> Microsoft, Apple, and Red Hat included standard ID software in their
> operating systems).
> 
Isn't it merely a matter of time, though, before the technology
arises to spoof fingerprint readers?  Then we'll need to be
concerned not only that a dishonest waiter copies our credit
cards, but that a dishonest busboy lifts our fingerprints from
the water glasses.  Fingerprints don't impress me as a good
secret.

-- gil
-- 
StorageTek
INFORMATION made POWERFUL



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Ted MacNEIL
>immediate termination.

With or without prejudice?

-
Too busy driving to stop for gas!  



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Howard Brazee
On 14 Feb 2007 06:31:32 -0800, [EMAIL PROTECTED] (McKown, John)
wrote:

>> I think he is - but it might be more secure than in shops that require
>> passwords that are so strong that people don't remember them, but
>> write them down on yellow post notes.
>
>This is easy to stop. Restrict distribution and use of yellow
>post-it(tm) note paper. 
>
>"Use of post-it note paper will be considered a security violation and
>subject to disciplinary action up to and including immediate
>termination."

LOL!

Trouble is, that's almost as bad as what is actually happening.

Individual shops can (but don't) spend the money for fingerprint
readers - I'm not sure if that solution would work universally (if
Microsoft, Apple, and Red Hat included standard ID software in their
operating systems).

It could be that everybody's waiting for someone else to solve the
problem for the Net instead of fixing their in-shop problem now.   The
payback time for getting fingerprint readers isn't that large for
those with desktop computers.  And if they are combined with good
cryptology, the security advantage for laptops is tremendous.

VPN software companies should be offering integration now.



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Paul Gilmartin
In a recent note, Walter Farrell said:

> Date: Tue, 13 Feb 2007 12:57:00 -0500
> 
> You're right, though, that all the applications that are passing the
> password along need to know to leave it as the user entered it.  That
> makes migrating to mixed-case passwords harder than it would have been
> if we'd made the security product do the upper-casing of the input many
> years ago.
> 
A similar principle should have been applied to data set and member
name transformation and enforcement -- this should have been done
in a single common component at a low layer.  If the intent of the
Data Management design was to have a mixed case file system, all
names should be taken as-is.  If the intent was to have a single-case
file system, any attempted use of the other case should result
in a syntax error.  If the intent was to have a case-insensitive
file system, a low level component should perform the translation.

Alas, Conway's law took its pernicious toll.  The design groups
didn't communicate and did not form a common objective.  In
consequence, allocation assumes mixed-case and takes names as-is.
JCL and Catalog assume single-case and treat most uses of lower
case as syntax errors.  And TSO et al. assume case-insensitive
and convert to upper before calling lower level layers.

-- gil
-- 
StorageTek
INFORMATION made POWERFUL



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Ed Finnell
 
In a message dated 2/14/2007 8:44:43 A.M. Central Standard Time,
[EMAIL PROTECTED] writes:

> That would go over like "exhaust pipe resonance" in an elevator.

Shoot, we got fixes for everything
http://www.jcwhitney.com/autoparts/Product/tf-Browse/s-10101/Pr-p_Product.CATENTRY_ID:2012155/p-2012155/N-111+10201+600015810/c-10101



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Hal Merritt
(Soap box deployed) 

You can make such policies, but folks will find ways to cope. We point a
fire hose of passwords to manage at the poor user. 

I argue it is best to attack a root problem rather than try to pile on
fix after fix. 

In response to Walt's wise words: yes the *individual* password may be
technically stronger, but we have to consider the larger picture. It is
one thing if that were the *only* password the user had to manage, but
quite another if the user has to fumble with many. 

Same goes for those tokens. Those are wonderful gadgets and offer a
strong solution. But just how many do we expect the average user to
carry? Two? Ten? The solution does not look to scale well. 

(Soap box secured)  

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of McKown, John
Sent: Wednesday, February 14, 2007 8:31 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8
 
> I think he is - but it might be more secure than in shops that require
> passwords that are so strong that people don't remember them, but
> write them down on yellow post notes.

This is easy to stop. Restrict distribution and use of yellow
post-it(tm) note paper. 

"Use of post-it note paper will be considered a security violation and
subject to disciplinary action up to and including immediate
termination."

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology
 



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Walter Farrell

On 2/13/2007 1:49 PM, [EMAIL PROTECTED] wrote:

> > I believe that allowing mixed-case does increase security, as it makes
> > the number of possible passwords of any given length much greater, and
> > increases the amount of time needed for brute-force password guessing.
>
> How can you do a brute-force password guess when you have a max of 3
> password attempts before the ID is revoked?
>
> Or are you saying that mixed-case increases security in those rare
> shops that haven't implemented revoking IDs on wrong passwords?

Revocation based on number of invalid attempts should (for the most
part) prevent attacks from people actually trying to log in.  It does not
stop attacks from people who have acquired a copy of your database, and
can thus see the encrypted data in the password fields.

Given the encrypted authentication data, and the user ID, the brute
force attack would involve examining all possible passwords until you
find one that generates that same encrypted data.

With mixed-case that brute force process needs to cover more possible
passwords, and thus will take longer, on average.  You have a possible
password space (for 8-character passwords) of 65**8 rather than 39**8.


Walt Farrell, CISSP
z/OS Security Design, IBM
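The distinction Walt draws above, that a revoke-after-three-failures rule stops online guessing but does nothing against someone who holds a copy of the password database, can be made concrete. The following is an added example for this archive, not code from the list, from RACF or from ACF2: the composition of the 39- and 65-character alphabets, the guess rate, the `LockoutAuthenticator` model and the `USER01` account are all assumptions chosen for illustration.

```python
"""Online lockout versus offline search, for the 39**8 and 65**8 password
spaces discussed in this thread.  Added example; the alphabet composition,
the guess rate and the LockoutAuthenticator model are assumptions."""
from math import log2

# Assumed composition of the two alphabets (the thread gives only the sizes):
# 26 upper-case letters + 10 digits + 3 national characters (@ # $) = 39;
# adding 26 lower-case letters gives 65.
UPPER_ONLY = 39
MIXED_CASE = 65
PASSWORD_LENGTH = 8


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """log2 of the keyspace: the work factor an exhaustive search faces."""
    return length * log2(alphabet_size)


def expected_offline_seconds(alphabet_size, length, guesses_per_second):
    """Mean time for an exhaustive offline search, which on average succeeds
    halfway through the space.  The guess rate is a parameter because it
    depends entirely on how the stored password data was hashed."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def mixed_case_gain(length=PASSWORD_LENGTH):
    """How many times larger the mixed-case space is than the upper-only one."""
    return keyspace(MIXED_CASE, length) / keyspace(UPPER_ONLY, length)


class LockoutAuthenticator:
    """Toy model of the online rule discussed above: after `max_failures`
    consecutive bad passwords the user ID is revoked and no further attempt,
    right or wrong, is accepted until an administrator resumes it."""

    def __init__(self, credentials, max_failures=3):
        self._credentials = dict(credentials)   # user -> password (toy only)
        self._failures = {}
        self._revoked = set()
        self.max_failures = max_failures

    def login(self, user, password):
        if user in self._revoked:
            return "revoked"
        if self._credentials.get(user) == password:
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._revoked.add(user)
            return "revoked"
        return "bad-password"

    def resume(self, user):
        """Administrator action: clear the count and lift the revocation."""
        self._failures[user] = 0
        self._revoked.discard(user)


def online_attempts_before_revocation(max_failures=3):
    """Run the online rule against a constructed account and count how many
    wrong passwords get checked before the ID is revoked.  Returns the count
    and whether even the correct password is refused afterwards."""
    auth = LockoutAuthenticator({"USER01": "Sw0rdFi5h"}, max_failures)
    attempts = 0
    for guess in ("AAAAAAAA", "BBBBBBBB", "CCCCCCCC", "DDDDDDDD"):
        attempts += 1
        if auth.login("USER01", guess) == "revoked":
            break
    correct_refused = auth.login("USER01", "Sw0rdFi5h") == "revoked"
    return attempts, correct_refused


if __name__ == "__main__":
    for size, label in ((UPPER_ONLY, "upper-case only"), (MIXED_CASE, "mixed-case")):
        days = expected_offline_seconds(size, PASSWORD_LENGTH, 1e9) / 86400
        print(f"{label:16s} {keyspace(size, PASSWORD_LENGTH):>20,d} passwords, "
              f"{entropy_bits(size, PASSWORD_LENGTH):.1f} bits, "
              f"{days:.1f} days at 1e9 guesses/s")
    print("mixed-case space is %.1fx larger" % mixed_case_gain())
    print("online attempts before revocation:", online_attempts_before_revocation())
```

The online model spends its whole guess budget after three attempts, so the keyspace size is irrelevant there; the offline numbers are where the extra 26 characters matter, and the assumed rate of 1e9 guesses per second is only a placeholder for whatever the stored hash actually costs to evaluate.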



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread Chase, John
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of McKown, John
> 
> > -Original Message-
> > From: IBM Mainframe Discussion List On Behalf Of Howard Brazee
> > 
> > On 13 Feb 2007 10:49:55 -0800, pauls2272 wrote:
> > 
> > >Or are you saying that mixed-case increases security in those rare 
> > >shops that haven't implemented revoking IDs on wrong passwords?
> > 
> > I think he is - but it might be more secure than in shops that require
> > passwords that are so strong that people don't remember them, but
> > write them down on yellow post notes.
> 
> This is easy to stop. Restrict distribution and use of yellow
> post-it(tm) note paper. 
> 
> "Use of post-it note paper will be considered a security 
> violation and subject to disciplinary action up to and 
> including immediate termination."

That would go over like "exhaust pipe resonance" in an elevator.

-jc-



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-14 Thread McKown, John
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:[EMAIL PROTECTED] On Behalf Of Howard Brazee
> Sent: Tuesday, February 13, 2007 1:11 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8
> 
> 
> On 13 Feb 2007 10:49:55 -0800, [EMAIL PROTECTED] wrote:
> 
> >Or are you saying that mixed-case increases security in those rare
> >shops that haven't implemented revoking IDs on wrong passwords?
> 
> I think he is - but it might be more secure than in shops that require
> passwords that are so strong that people don't remember them, but
> write them down on yellow post notes.

This is easy to stop. Restrict distribution and use of yellow
post-it(tm) note paper. 

"Use of post-it note paper will be considered a security violation and
subject to disciplinary action up to and including immediate
termination."

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology




Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-13 Thread Thompson, Steve
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Howard Brazee
Sent: Tuesday, February 13, 2007 1:11 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

On 13 Feb 2007 10:49:55 -0800, [EMAIL PROTECTED] wrote:

>Or are you saying that mixed-case increases security in those rare
>shops that haven't implemented revoking IDs on wrong passwords?

I think he is - but it might be more secure than in shops that require
passwords that are so strong that people don't remember them, but
write them down on yellow post notes.



Let's see, one bank I deal with has one requirement for uid/password.
Then the other bank says that the uid is one they assign, and the
password must be 8+ chars... Let's not forget the ATM cards

OK, now the _ club I'm a member of requires an assigned uid with a
password that must be at least 4 characters, no repeats, can't be part
of my ssn,...

On my own LAN I have UID and PSWD requirements, plus the WiFi keys, plus
uid/pswd for each router, plus the admin/root and passwords for each
workstation/laptop ...

Then the library has a login that requires knowing the number on the
card plus a pwd that is

My employer has 12 systems that I have to login to (not including my
desktop system or their laptop), each with a different pwd expiration
period, with memory that prevents re-use for at least 18 times, password
can only be changed once a day...

My ISPs all have requirements for email and hosted web sites

Then there are my voice mail accounts (home & work), plus cell phones...

So since I have all these requirements, which do not match, I have to
write them down w/ the pswds (history) if I have any hope of actually
accomplishing anything beyond talking to the various help desks all day.

It would seem that some auditor somewhere would take one look at the
REAL world people live and work in and start to recognize that the whole
thing becomes insecure when it is not possible to remember all this
stuff.

And the RSA key idea is just as complicated, when someone has to have 4
of those suckers, has to remember which one belong to which system...

Methinks by working at becoming secure, we have become non-secure
because of how important a PDA becomes to keep it all straight.

Mixed case RACF/ACF2 only adds to the problems (and I won't get into the
programmatic issues).

Regards,
Steve Thompson



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-13 Thread Howard Brazee
On 13 Feb 2007 10:49:55 -0800, [EMAIL PROTECTED] wrote:

>Or are you saying that mixed-case increases security in those rare
>shops that haven't implemented revoking IDs on wrong passwords?

I think he is - but it might be more secure than in shops that require
passwords that are so strong that people don't remember them, but
write them down on yellow post notes.



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-13 Thread Walter Farrell

On 2/13/2007 12:30 PM, Hal Merritt wrote:

> Other than there is not one shred of evidence to suggest this makes for
> stronger security? And ample experiences of increased help desk calls
> that actually lead to weakened security? And complex passwords generate
> sticky notes?

Mixed-case does not necessarily mean the password will seem more complex
to the user.  That kind of complexity is really a function of the rules
that the security administrator tries to impose.  If you tell me I can
use mixed-case, but do not restrict where I put the characters, then I
can, for example, use two words with initial or trailing caps, and other
letters lower-case.  That is then more complex for a brute-force
password cracker, but no more complex for me as a user.

> Only auditors think that this adds value. Those with actual knowledge
> think otherwise.

I believe that allowing mixed-case does increase security, as it makes
the number of possible passwords of any given length much greater, and
increases the amount of time needed for brute-force password guessing.

However, whether you have mixed-case or not, the administrator can
compromise security by making the password rules too restrictive.

> But wait. There is more. Not all applications that actually interact
> with the keyboard will get this right. Some might pass the password as
> is, but some may translate it to upper case first. And then there are
> the character translation issues.

The character translation issues should not apply; we're only talking
mixed-case A-Z, a-z, not allowing additional characters with variant
mappings depending on code page.

You're right, though, that all the applications that are passing the
password along need to know to leave it as the user entered it.  That
makes migrating to mixed-case passwords harder than it would have been
if we'd made the security product do the upper-casing of the input many
years ago.


Walt Farrell, CISSP
z/OS Security Design, IBM
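Two points in this thread come down to the same design question: where case handling lives. Paul Gilmartin lists three consistent designs for names (take them as-is, reject the other case as a syntax error, or fold case in one low-level component), and Walt's last paragraph above describes what goes wrong for passwords when that decision is made in the wrong place, namely in every application that forwards the input. The following is an added example for this archive, not code from the list, from z/OS, RACF or ACF2: the `CasePolicy` names, the `PasswordStore` class, the "legacy" front end and the `USER01` account are illustrative assumptions.

```python
"""Case handling in one low layer.  Added example; CasePolicy, PasswordStore,
the two front-end functions and the sample account are assumptions.

Models the three designs for names (as-is, single-case, case-insensitive)
and the migration hazard for passwords: an intermediate application that
still upper-cases what the user typed before the security product sees it."""
import hashlib
import hmac
import os
from enum import Enum


class CasePolicy(Enum):
    MIXED = "mixed"              # case-sensitive: take the value as entered
    SINGLE = "single"            # only upper case is legal; lower case is a syntax error
    INSENSITIVE = "insensitive"  # fold to upper case here and nowhere else


class NameSyntaxError(ValueError):
    """Raised under the SINGLE policy when lower case appears."""


def canonicalize(value, policy):
    """The one place that decides what case means.  Only A-Z/a-z are folded,
    matching the thread's scope (no code-page-variant characters)."""
    if policy is CasePolicy.MIXED:
        return value
    if policy is CasePolicy.SINGLE:
        if any("a" <= ch <= "z" for ch in value):
            raise NameSyntaxError(f"lower case not permitted: {value!r}")
        return value
    if policy is CasePolicy.INSENSITIVE:
        return "".join(chr(ord(ch) - 32) if "a" <= ch <= "z" else ch for ch in value)
    raise ValueError(f"unknown policy {policy!r}")


class PasswordStore:
    """Keeps salted, iterated password hashes and applies `policy` itself, so
    every caller that forwards the password unchanged verifies correctly."""

    def __init__(self, policy=CasePolicy.MIXED, iterations=100_000):
        self.policy = policy
        self.iterations = iterations
        self._records = {}  # user -> (salt, hash)

    def _digest(self, password, salt):
        canon = canonicalize(password, self.policy).encode("utf-8")
        return hashlib.pbkdf2_hmac("sha256", canon, salt, self.iterations)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(password, salt))


def pass_through_login(store, user, password):
    """An application that leaves the password exactly as the user entered it."""
    return store.verify(user, password)


def legacy_uppercasing_login(store, user, password):
    """An application that still upper-cases input before passing it along,
    as many did while the security product accepted only upper case."""
    return store.verify(user, canonicalize(password, CasePolicy.INSENSITIVE))


def migration_check(password="Sw0rdFish"):
    """Same user, same password, two front ends, under each store policy.
    Returns {policy name: (pass-through result, legacy result)}."""
    results = {}
    for policy in (CasePolicy.MIXED, CasePolicy.INSENSITIVE):
        store = PasswordStore(policy, iterations=1_000)  # low count: demo only
        store.set_password("USER01", password)
        results[policy.value] = (
            pass_through_login(store, "USER01", password),
            legacy_uppercasing_login(store, "USER01", password),
        )
    return results


if __name__ == "__main__":
    for policy, (direct, legacy) in migration_check().items():
        print(f"store policy {policy:12s} pass-through={direct} legacy-uppercasing={legacy}")
    try:
        canonicalize("sys1.parmlib", CasePolicy.SINGLE)
    except NameSyntaxError as err:
        print("single-case policy:", err)
```

With the store in `INSENSITIVE` mode both front ends succeed, because folding happens once, in the store; switch the store to `MIXED` and the user whose application still upper-cases can no longer log in at all, which is exactly the inventory problem Walt describes: every forwarding application has to be found and fixed before the policy can change.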



Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

2007-02-13 Thread Hal Merritt
Other than there is not one shred of evidence to suggest this makes for
stronger security? And ample experiences of increased help desk calls
that actually lead to weakened security? And complex passwords generate
sticky notes? 

Only auditors think that this adds value. Those with actual knowledge
think otherwise.  

But wait. There is more. Not all applications that actually interact
with the keyboard will get this right. Some might pass the password as
is, but some may translate it to upper case first. And then there are
the character translation issues.  

Let Occam's razor be your guide :-)

HTH and good luck. 

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of JONES, CHARLIE
Sent: Monday, February 12, 2007 10:45 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

Are there any known pitfalls in using mixed-case passwords on z/OS 1.7
and ACF 2 Version 8?

Is anyone even using the mixed case feature that could share their
experiences with us?

Charlie

 
