Re: CyberSecurity Risk

2023-04-17 Thread Dustin Hayes 
Vanguard Integrity Professionals - External


I'm guessing the way you worded it means that you were using your laptop to 
connect to ClientX.  I frequently do the same and understand from their view 
they have no ability to see what is on my PC nor any ability to manage it.  
Copy/Paste in that model will bypass most of their DLP protection/detection 
systems so I understand why they disable it.  Same conversation with remote 
mapping of drives or drag/dropping files between the session.  

I don’t think this is the same risk as image capture devices (screenshot, 
snagit, cell phone camera, etc) because that’s 1 picture at a time and with 
copy/paste you can move entire documents in one task... or documents if the 
actually let you copy/paste files (and just not text).  

So I guess, I'm more surprised that it was still enabled than them withdrawing 
it. 

d
-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Monday, 2023 April-17 06:34
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CyberSecurity Risk

WARNING: This email originated outside of Vanguard.

DO NOT CLICK links or attachments unless you recognize the sender and know the 
content is safe.

Yep.  And I'd bet copy/paste was disabled where Jack Teixeira worked.

On 4/17/2023 4:56 AM, Binyamin Dissen wrote:
> On Mon, 17 Apr 2023 11:52:24 +0100 Jack Zukt  wrote:
>
> :>This is  way off topic, sorry, but I am curious, so please be patient
> :>In one of the clients for which I have to work the Auditors found out that
> :>the Copy/Paste between the client Citrix session and our PCs is a risk and
> :>the client disabled the function.
> :>Has anyone else ever has such an issue?
>
> Protect the data, not the means to copy the data.
>
> What about print screen?
>
> --
> Binyamin Dissen 
> http://www.dissensoftware.com
>
> Director, Dissen Software, Bar & Grill - Israel
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
External
Classified by dustin.ha...@go2vanguard.com on 2023.04.17 06:39:23

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Don't feed the trolls

2022-06-06 Thread Dustin Hayes 
Vanguard Integrity Professionals - External - Public
For those interested, if you want to block a particular sender then look into 
[message headers] as a means to do this.  This enables you to get around the 
problems with message relays (IBM-L, RACF-L, etc).

When you look at the message headers you can get the user's real email address 
and configure your mail client to perform actions based on this.
Check google for more details, but in the shortest version your looking for the 
first (oldest) "Received" or "Received-SPF" component of the message header.  
This will include their actual email, ip address, etc.

Obviously there are many clients, I do this with both Thunderbird and Outlook 
successfully.

(And agree about Outlook's junk filtering)


External - Public
Classified by dustin.ha...@go2vanguard.com on 2022.06.06 08:01:59

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Phil Smith III
Sent: Monday, 2022 June-06 07:45
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Don't feed the trolls

WARNING: This email originated outside of Vanguard.

DO NOT CLICK links or attachments unless you recognize the sender and know the 
content is safe.

Outlook's junk filtering has "block sender", but I just did some
experimenting with list postings (another list) and it didn't block Senders,
just From.



Microsoft has a history of not understanding the Sender/Reply-To/From
hierarchy.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Dustin Hayes 
Vanguard Integrity Professionals - External - Public
What Michael is trying to tell you is that your confusing "sFTP" and "FTPs", 
these are two very different protocols which have nothing to do with each other 
(think beta vs vhs).

sFTP is "ftp tunneled though the SSH interface" and runs on TCP/22.  Getting 
that functional is a conversation covered in the USS books, check out the SSH 
section.

FTPs is "plain old ftp, wrapped with digital certificates to make it secure" 
(think http vs https) and this is done via PAGENT.  Depending on how its 
configured (e.g. insecure, implicit, explicit, passive) this can run on the 
following ports; TCP20,TCP21,TCP990 and a range of user-specified ports.  FYI, 
this complexity is why PAGENT has the "ApplicationControlled" parm. 

z/OS supports both sFTP and FTPs.  Though, in z/OS, there are feature 
differences between them... 
Likewise, WinSCP supports both sFTP and FTPs, as do many other programs on 
windows.

I would suggest picking one to work with (either sFTP or FTPs) and then ensure 
that z/OS and WinSCP to use the one you selected.  If your unclear on the 
differences you probably want FTPs due to it's greater functionality (on z/OS).
Also as Michael indicated, if you are trying to debug issues with FTPs (ATTLS) 
you must turn up trace and read the logs.  There really is no other (practical) 
way to troubleshoot ATTLS issues.

External - Public
Classified by dustin.ha...@go2vanguard.com on 2022.05.25 08:30:10

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Michael Babcock
Sent: Wednesday, 2022 May-25 08:19
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS & FTP troubles - cannot get very simple setup working

WARNING: This email originated outside of Vanguard.

DO NOT CLICK links or attachments unless you recognize the sender and know the 
content is safe.

I don’t think you can use PAGENT for port 22 (not 100% sure on that).   If
using port 22 configure SSHD.

Did you set the trace parm in PAGENT to 255?   You will get much more info
in SYSLOG by doing that.

On Wed, May 25, 2022 at 10:05 AM Bob  wrote:

> That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
> &22.  The config I started with had 21 in it, but the WinSCP references 22
> so I have been trying both ... without success.  I changed it back to 21
> now. Still fails.
>
> I just added an ftp configuration parameter of FTPLOGGING TRUE and received
> this message:
>
> EZYFS51I ID=FTPD10 CONN   fails  Reason=3 Text=getpeername failed
>
> Now I'm trying to figure out what that is telling me.
>
> On Wed, May 25, 2022 at 8:46 AM Michael Babcock 
> wrote:
>
> > I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> > configure SSHD for that.   Remove port 22 from PAGENT.
> >
> > On Wed, May 25, 2022 at 8:46 AM Bob  wrote:
> >
> > > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > and
> > > I don’t know why. I’m sure I am
> > >
> > > missing something very simple, but I have spent a lot of time over the
> > last
> > > few weeks trying to figure it out
> > >
> > > and I cannot.  Note that ftp without encryption does work and I have
> > > nothing else using PAGENT or AT-TLS.
> > >
> > >
> > >
> > > I originally started with a configuration created by z/OSMF Network
> > > Configuration Assistant, but after
> > >
> > > numerous attempts to get it working I have pared it down to the very
> > > minimum configuration below.
> > >
> > >
> > >
> > > I’m not even sure what info to share.
> > >
> > >
> > >
> > > When I try to connect using WinSCP I just get this:
> > >
> > >
> > >
> > > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log
> /loglevel=2
> > > testmvs
> > >
> > > Searching for host...
> > >
> > > Network error: Connection to "testmvs" refused.
> > >
> > > The server rejected SFTP connection, but it listens for FTP
> connections.
> > >
> > > Did you want to use FTP protocol instead of SFTP? Prefer using
> > encryption.
> > >
> > > winscp>
> > >
> > >
> > >
> > > And the WinSCP log doesn’t show much more:
> > >
> > >
> > >
> > > Looking up host "testmvs" for SSH connection
> > >
> > > Connecting to 10.80.63.94 port 22
> > >
> > > Failed to connect to 10.80.63.94: Network error: Connection refused
> > >
> > >
> > >
> > > And here are the related configuration files.
> > >
> > >
> > >
> > > Here’s the pagent.conf:
> > >
> > >
> > >
> > > LogLevel   511
> > >
> > > TcpImage   TCPIP FLUSH
> > >
> > > TTLSConfig /etc/TTLSConfig.conf FLUSH
> > >
> > >
> > >
> > > And here is the TTLSConfig.conf:
> > >
> > >
> > >
> > > TTLSGroupAction   ftp_server_group
> > >
> > > {
> > >
> > >TTLSEnabled On
> > >
> > >Trace 30
> > >
> > > }
> > >
> > > TTLSEnvironmentAction ftp_server_env
> > >
> > > {
> > >
> > >HandshakeRole  Server
> > >
> > >TTLSCipherParmsRef ftp_server_ciphers
> > >
> > >TTLSKeyringParms
> > >
> > >{
> > >
> > >   Keyring mtskeyring
> > >
> > >}
> > >
> > >