Re: Strange Auditor Questions
I have to agree with Hal's post. When we first started to use Host OnDemand, one of the PC guys traced the traffic and was amazed that IBM by default would encrypt TN3270 traffic. I was amazed because I did not know that HOD supported encryption at that time; we are talking V1. Well, fast forward a couple of years and I am tracing the same HOD traffic and it's not encrypted. I asked the PC guy why he thought it was encrypted and he said when he looked at it, it was not in clear text. I showed him the trace and he said, "See, look, it's garbage, so it must be encrypted." I said, "No, it's EBCDIC." Using Ethereal I clicked on the EBCDIC button and magically it was clear text. He had been using the MS network trace tool and had never seen EBCDIC before.

I have also had somebody show me how they were using SSH to encrypt X-Windows: ssh to the remote box and then start KDE, without redirecting to the ssh session. He thought that X-Windows would know to use the ssh session that he issued the command from. That is, until I showed him that it was using port 6000 on his box and not the ssh session.

Terry Linsley wrote:
The organization we service is suffering through an audit at the moment. One of the things the auditors looked at was the secure file transfer process I had set up for that organization (OpenSSH based). They explained it sufficiently, but the auditor had one last requirement. She wanted proof that the data was actually being encrypted. It is my understanding that OpenSSH encrypts the file in transit and does not leave an encrypted copy of the data file lying around anywhere. So, I cannot show them a copy of the encrypted file. I ran a transfer using the most verbose debug level and it does not say anything like "now encrypting file". So, to satisfy the auditor (and my own curiosity), does anyone know how to prove that OpenSSH is really encrypting the file? Of course one could hang a sniffer on the network and sniff the datastream, but I did not want to go that far. Thanks.
-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Strange Auditor Questions
Not so strange. Other posters suggested asking what is 'proof', and that is excellent advice. Do that. I once heard of a situation where the data was thought to be encrypted but turned out to be open. I have seen trace messages that suggested encryption but turned out to be misleading.

For your own curiosity, see info APAR II12014 on how to do a packet trace. You can format and print the trace with IPCS (see below). If the data is compressed then the trace may not prove anything.

//IPCS     EXEC PGM=IKJEFT01
//IPCSDDIR DD DSN=My.DDIR,DISP=OLD
//IPCSPRNT DD DSN=My.WORK.TXT,DISP=(OLD,KEEP,KEEP)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 IPCS NOPARM
 SETDEF NOCONFIRM PRINT NOTERM
 SETDEF DSN('SYS2.CTRACE1') LIST NOCONFIRM
 PROFILE NOPAGESIZE LINESIZE(80)
 CTRACE COMP(SYSTCPDA) SHORT OPTIONS((FORMAT,DUMP))
 SETDEF CONFIRM NOPRINT TERM
 END

HTH.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Terry Linsley
Sent: Thursday, June 09, 2005 12:24 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Strange Auditor Questions

The organization we service is suffering through an audit at the moment. One of the things the auditors looked at was the secure file transfer process I had set up for that organization (OpenSSH based). They explained it sufficiently, but the auditor had one last requirement. She wanted proof that the data was actually being encrypted.
Re: Strange Auditor Questions
You could get IP/Trace from TDSLink (www.tdslink.com). It's free, and installs in about 20 minutes. It's not a sniffer. It will show you all the IP packets in a series of 'dump' type formats using your favourite web browser. Use it 'before and after' you flick your encryption switch, and it's dead obvious.

Brian

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] Behalf Of Terry Linsley
Sent: 09 June 2005 18:24
To: IBM-MAIN@BAMA.UA.EDU
Subject: Strange Auditor Questions

The organization we service is suffering through an audit at the moment. One of the things the auditors looked at was the secure file transfer process I had set up for that organization (OpenSSH based). They explained it sufficiently, but the auditor had one last requirement. She wanted proof that the data was actually being encrypted. It is my understanding that OpenSSH encrypts the file in transit and does not leave an encrypted copy of the data file lying around anywhere. So, I cannot show them a copy of the encrypted file. I ran a transfer using the most verbose debug level and it does not say anything like "now encrypting file". So, to satisfy the auditor (and my own curiosity), does anyone know how to prove that OpenSSH is really encrypting the file? Of course one could hang a sniffer on the network and sniff the datastream, but I did not want to go that far. Thanks.
Re: Strange Auditor Questions
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Clark
Sent: Thursday, June 09, 2005 7:11 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Strange Auditor Questions

Terry,
[snip]
Put the requirement back onto the auditor. After all, this is IBM's product, not yours.
Kevin Clark

Just one, minor, point. The code is not IBM's code. It is OpenSSH code which was ported by IBM or under contract to IBM. IIRC, they disavow any responsibility.

--
John McKown
Senior Systems Programmer
UICI Insurance Center
Information Technology
Re: Strange Auditor Questions
On Thu, 9 Jun 2005 12:23:33 -0500, Terry Linsley wrote:
The organization we service is suffering through an audit at the moment. One of the things the auditors looked at was the secure file transfer process I had set up for that organization (OpenSSH based). They explained it sufficiently, but the auditor had one last requirement. She wanted proof that the data was actually being encrypted.

If you want to make this potentially long story short, you really ought to ask the auditor directly (perhaps in writing) exactly what proof she will accept. Provide it. She should be satisfied, you will do what is actually required, and all will otherwise be right with the world. In my experience, trying to do anything else is an exercise in pain.

--
Tom Schmidt
Madison, WI
(All auditor questions are strange at first glance. Only a few become less strange over time. - Schmidt's Law)
Re: Strange Auditor Questions
Terry Linsley wrote:
The organization we service is suffering through an audit at the moment. One of the things the auditors looked at was the secure file transfer process I had set up for that organization (OpenSSH based). They explained it sufficiently, but the auditor had one last requirement. She wanted proof that the data was actually being encrypted. It is my understanding that OpenSSH encrypts the file in transit and does not leave an encrypted copy of the data file lying around anywhere. So, I cannot show them a copy of the encrypted file. I ran a transfer using the most verbose debug level and it does not say anything like "now encrypting file". So, to satisfy the auditor (and my own curiosity), does anyone know how to prove that OpenSSH is really encrypting the file? Of course one could hang a sniffer on the network and sniff the datastream, but I did not want to go that far. Thanks.

If you really need to provide proof that the packets in transit are encrypted, probably the easiest thing to do is to install Ethereal on a PC, start an SFTP file transfer between the PC and the z/OS system (you could use PuTTY on a Windows system for that purpose) and capture the packets with Ethereal. You don't even have to capture in promiscuous mode for this purpose. Ethereal will format the TCP packets nicely so you can see the negotiation and the encrypted data and provide the needed proof.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
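Ulrich's Ethereal capture, the EBCDIC mix-up in the first post of this thread and the compression caveat in the IPCS post all come down to one question when you read a trace: are the payload bytes readable ASCII, readable text in another code page (EBCDIC), low-entropy binary framing, or high-entropy data? The script below is an added example for this thread, not code from the list, from IBM, OpenSSH or Ethereal, and it applies those checks to constructed sample payloads: an SSH-2 version banner, a fragment of a KEXINIT packet, a TN3270 screen in code page 037, and a SHA-256 chain standing in for ciphertext. The byte values, strings and thresholds are all assumptions chosen for the example; nothing here is taken from a real capture.

```python
"""Classify captured payload bytes the way a reviewer would when reading a
packet trace: ASCII text, EBCDIC text, low-entropy binary, or high-entropy
data (which is consistent with encryption but also with compression).

Added example for this thread; not code from IBM, OpenSSH or Ethereal.
Every payload below is constructed for the example, not taken from a capture.
"""
import hashlib
import math
from collections import Counter

TEXT_THRESHOLD = 0.95      # fraction of printable characters to call it text
ENTROPY_THRESHOLD = 7.0    # bits per byte; ciphertext sits close to 8.0


def _pseudo_random(n, seed=b"constructed-seed"):
    """Deterministic stand-in for ciphertext: a SHA-256 chain over a seed."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples.  BANNER and KEXINIT_FRAGMENT mimic the cleartext start
# of an SSH-2 session (version string, then a key-exchange packet whose
# framing is binary but whose algorithm names are readable); EBCDIC_SCREEN
# mimics a TN3270 screen in code page 037; CIPHERTEXT stands in for the
# stream after NEWKEYS, when everything is encrypted.
BANNER = b"SSH-2.0-OpenSSH_3.8.1p1\r\n"
KEXINIT_FRAGMENT = (
    b"\x00\x00\x00\x74"          # packet length (value chosen for the example)
    + b"\x0a"                    # padding length
    + b"\x14"                    # SSH_MSG_KEXINIT
    + b"\x00" * 16               # cookie (random in a real session)
    + b"\x00\x00\x00\x1b"        # name-list length: 27 bytes
    + b"diffie-hellman-group14-sha1"
)
EBCDIC_SCREEN = "LOGON APPLID(TSO)  ENTER USERID:".encode("cp037")
CIPHERTEXT = _pseudo_random(1024)

SESSION = [  # (description, payload) in the order a trace would show them
    ("client version string", BANNER),
    ("KEXINIT fragment", KEXINIT_FRAGMENT),
    ("data after NEWKEYS", CIPHERTEXT),
]


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant stream, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(text):
    """Fraction of characters that are printable (CR, LF and TAB allowed)."""
    if not text:
        return 0.0
    ok = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return ok / len(text)


def classify(payload):
    """Return 'ascii-text', 'ebcdic-text', 'binary' or 'high-entropy'."""
    try:
        if printable_ratio(payload.decode("ascii")) >= TEXT_THRESHOLD:
            return "ascii-text"
    except UnicodeDecodeError:
        pass  # bytes above 0x7F: not ASCII, but possibly EBCDIC
    # cp037 assigns a character to every byte value, so decoding never fails;
    # the share of printable characters is the only signal.  Random bytes
    # land around 75% printable, well under the threshold.
    if printable_ratio(payload.decode("cp037")) >= TEXT_THRESHOLD:
        return "ebcdic-text"
    if shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "high-entropy"   # encrypted OR compressed: a trace can't tell
    return "binary"


def readable_strings(payload, min_len=12):
    """Runs of printable ASCII of at least min_len bytes, like strings(1).
    Short runs appear by chance in random data, hence the long minimum."""
    found, run = [], bytearray()
    for b in payload:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def audit_session(session):
    """Verdict, entropy and readable strings for each captured payload."""
    return [(name, classify(p), round(shannon_entropy(p), 2), readable_strings(p))
            for name, p in session]


if __name__ == "__main__":
    rows = audit_session(SESSION + [("3270 screen", EBCDIC_SCREEN)])
    for name, verdict, ent, strs in rows:
        print(f"{name:22} {verdict:13} entropy={ent:4.2f} strings={strs}")
```

Run against the constructed session, the banner comes out as ASCII text, the KEXINIT fragment as low-entropy binary that still carries the readable algorithm name, and the post-NEWKEYS bytes as high entropy with no readable strings; the 3270 screen decodes only under cp037, which is exactly the "garbage that is really EBCDIC" trap. The entropy verdict deliberately says "high-entropy" rather than "encrypted", because compressed data scores the same way, which is why the IPCS post warns that a trace of compressed data may not prove anything.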
Re: Strange Auditor Questions
Thanks for the suggestion! Sounds very promising and has the added benefit of totally befuddling the auditor. ;-) I shall download and give it a whirl.

On Thu, 9 Jun 2005 20:16:06 +0200, Ulrich Boche [EMAIL PROTECTED] wrote:
If you really need to provide proof that the packets in transit are encrypted, probably the easiest thing to do is to install Ethereal on a PC, start an SFTP file transfer between the PC and the z/OS system (you could use PuTTY on a Windows system for that purpose) and capture the packets with Ethereal. You don't even have to capture in promiscuous mode for this purpose. Ethereal will format the TCP packets nicely so you can see the negotiation and the encrypted data and provide the needed proof.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
Re: Strange Auditor Questions
Terry,

Creating your own test would be much like asking the FOX to count the Chickens. This is a serious auditing issue that should be solved by the auditor. They should supply test data and you should supply the resulting file. You could supplement the file with a trace (network, TCP trace, byte count, translation, etc.). Put the requirement back onto the auditor. After all, this is IBM's product, not yours.

Kevin Clark

-- Original message --
The organization we service is suffering through an audit at the moment. One of the things the auditors looked at was the secure file transfer process I had set up for that organization (OpenSSH based). They explained it sufficiently, but the auditor had one last requirement. She wanted proof that the data was actually being encrypted. It is my understanding that OpenSSH encrypts the file in transit and does not leave an encrypted copy of the data file lying around anywhere. So, I cannot show them a copy of the encrypted file. I ran a transfer using the most verbose debug level and it does not say anything like "now encrypting file". So, to satisfy the auditor (and my own curiosity), does anyone know how to prove that OpenSSH is really encrypting the file? Of course one could hang a sniffer on the network and sniff the datastream, but I did not want to go that far. Thanks.

[xposting to IBMTCP-L and MVS-OE lists]