Skip, I agree but spent a lot of time on Wall Street, I can tell you several of the brokerage houses had three plus firewalls between the mainframes and outside world. We had to setup ftps etc, it wasn't easy and very very time consuming. If the want in bad enough, yeah your right they can get in for sure, if I understand your posting.
Sent from my iPad Scott Ford Senior Systems Engineer www.identityforge.com On Mar 27, 2012, at 2:09 PM, Skip Robinson <[email protected]> wrote: > The reason I brought up this 'vulnerability' is that we hired a consultant > a while back to look for weaknesses. Of course they were able to logon > with a vanilla userid that had no special authority. And this is what they > did. > > We all spend a lot of time and mental energy focused on how to protect > ourselves from sophisticated attack. We look at APF. We look at SVC > screening. We look at access to sensitive libraries. But this particular > 'denial of service' can be accomplished by anyone with a valid userid and > password. And *only* because we lock up users for invalid password > attempts. I'm just sayin'... > > . > . > JO.Skip Robinson > SCE Infrastructure Technology Services > Electric Dragon Team Paddler > SHARE MVS Program Co-Manager > 626-302-7535 Office > 323-715-0595 Mobile > [email protected] > > > > From: Scott Ford <[email protected]> > To: [email protected] > Date: 03/27/2012 10:51 AM > Subject: Re: Malicious Software Protection > Sent by: IBM Mainframe Discussion List <[email protected]> > > > > Lets step through this logically: > > TN3270 .... > > 1. Must have RACF/ACF2/TSS userid/lid/acid > 2. Must have a valid password > 3. Must have valid IP address > 4. Must have valid port > 5. Must have Firewall rule for #3 and #4 ... > > Other issues: How many firewalls ? How is the network architected ? > > This is just a favor ..FTP the same > > Scott J Ford > Software Engineer > http://www.identityforge.com > > > > ________________________________ > From: Skip Robinson <[email protected]> > To: [email protected] > Sent: Tuesday, March 27, 2012 1:37 PM > Subject: Re: Malicious Software Protection > > We're all pretty sanguine about our mainframe invulnerability. But we > should not overlook how one of our most valuable protections can be turned > > against us. We all have some limit set for logon attempts. If an invalid > password is entered too many times, the userid gets suspended--or referred > > to the OS console for verification. A malicious rascal (any other kind?) > can disable a really important userid in this way. Of course the person > has to get into the network first and must know the userid to target, but > beyond that no special authority is required. Even console referral would > be disruptive to normal production. > > . > . > JO.Skip Robinson > SCE Infrastructure Technology Services > Electric Dragon Team Paddler > SHARE MVS Program Co-Manager > 626-302-7535 Office > 323-715-0595 Mobile > [email protected] > > > > From: Steve Comstock <[email protected]> > To: [email protected] > Date: 03/27/2012 10:22 AM > Subject: Re: Malicious Software Protection > Sent by: IBM Mainframe Discussion List <[email protected]> > > > > On 3/27/2012 10:46 AM, Greg Dorner wrote: >> Thank you, Elardus for your verbosity. >> >> >> - you can replace/fire those auditors as mentioned earlier in this > thread >> >> - As Ted MacNeil insists, the auditors only RECOMMENDS, it is your >> management > who can APPLY those recommendations. >> >> Unfortunately, we have no say with these auditors. They are working on >> behalf > of the Feds, and if we don't comply we can lose billions of $$ in federal > contracts. >> >> The beauty of this is, someone from my company contacted the person at > PWC > that made this claim that MCAFEE is coming out with a product, and he > backtracked, saying he may have been thinking of Mac OS. MAC OS??? >> >> They just took a big chuck of our company offline for several hours to > research this phantom. > > Wow. And did they reprimand this doofus in any way? Slap on > the wrist? Letter in his personnel file? > > More likely he got commended for being concerned about company > security, even though he had no idea what he was talking about. > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
