W dniu 2014-10-01 o 19:41, John McKown pisze:
Well, some of the HMC's are Linux based on what is basically a
standard Intel PC. Most Linux systems have BASH installed. So it might
not actually surprise me to find it on the disk, if I were to remove
it and put it in another PC.
Now, being able to _get_ to BASH is another story. But then I don't
know how the GUI is implemented, so I can't say. For all that _I_
know, all that dragging and dropping runs BASH shell scripts to set up
and run other programs. Might be fun to see. But not worth my job
should I "destroy" the HMC.
Well,
As you noted, it is very hard if possible to get bash on HMC. Sometimes
drag'n'drop can run shell script. What script? A script prepared by IBM.
Note that both activities require at least logon to HMC. Do you want to
destroy* YOUR* HMC? Voila! Get some hammer and just do it. Or insert
HMC's HDD into your PC and change some funny things. You want keylogger?
There are HW keyloggers installable on the keyboard cable. Or connect
your own, prepared keyboard. However all the things above require
physical access to HMC.
Of course there are worse cases: network vulnerability. In such
*theorethical* case a HMC could be attacked from network. Of course it's
still company network (let's leave Internet connection for a while), it
can be separate LAN, not accessible for anyone in the company.
BTW: There are such devices (with non-fixable network vulnerability), to
mention 3494 web interface. What to do? Either unplug the device from
the network and don't use remote interface. Or place the device in
separate, isolated network with access limited to your PC and given
ports/services. As enhancement you can use RDP (remote desktop) session
to another (virtual) PC machine and then establish a session to the
device. Of course the machine in the middle is in (another) isolated
network.
What about Internet? The connection should be well set up, using
corporate firewalls and IBM documentation! HMC do not need connection to
Internet. I needs connection to few Internet IP addresses, few ports.
The rest should be blocked. That's base of HMC setup! Of course it can
happen that on remote site it's not IBM, but some phony system. That's
why all communications do require two-side authentication.
--
Radoslaw Skorupka
Lodz, Poland
---
Treść tej wiadomości może zawierać informacje prawnie chronione Banku
przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie
jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem
niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania
adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie
lub inne działanie o podobnym charakterze jest prawnie zabronione i może być
karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie
zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość
włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku.
This e-mail may contain legally privileged information of the Bank and is
intended solely for business use of the addressee. This e-mail may only be
received by the addressee and may not be disclosed to any third parties. If you
are not the intended addressee of this e-mail or the employee authorized to
forward it to the addressee, be advised that any dissemination, copying,
distribution or any other similar activity is legally prohibited and may be
punishable. If you received this e-mail by mistake please advise the sender
immediately by using the reply facility in your e-mail software and delete
permanently this e-mail including any copies of it either printed or saved to
hard drive.
mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: [email protected]
Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 0000025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2014 r. kapitał zakładowy mBanku S.A. (w całości wpłacony) wynosi 168.696.052 złote.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
