On 6 May 2019 20:10:27 -0700, in bit.listserv.ibm-main
00000047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>In most shops only 2 people have the required access to the RACF database. 
>
Could someone use DF/DSS, DF/HSM, FDR or FDR/ABR to copy the database
and then download the dump of the database?

Clark Morris
>
>
>On Monday, May 6, 2019, 11:06 PM, Bob Bridges <robhbrid...@gmail.com> wrote:
>
>"Once they’d downloaded the RACF database, they subjected it to a 
>password-cracking tool.  John the Ripper is one such tool, widely available on 
>the internet.  On Feb 28, about the same time the RACF database was 
>downloaded, some questions appeared on the mailing list PaulDotCom about 
>hashing methods for RACF; by March 3rd, apparently in response, John the 
>Ripper had been enhanced to include the capability of working on RACF 
>passwords, in collaboration with another tool called CRACF.
>
>"In the Zauf article is this description:  'Creating a password hash algorithm 
>works like this:  After entering the password, it is padded with spaces, if 
>necessary, to a length of 8 bytes.  Each character is then XORed with x‘55’ 
>and shifted left one bit.  Then the user ID is DES-encrypted, using the 
>modified password as the DES key.  Developers took a few days to determine the 
>algorithm and modify John the Ripper.  Now the utility excels at hashing the 
>RACF database.'  It also mentioned a source-code module named racf2john.c, 'a 
>tool that converts database file exported in the input data, read for JTR' 
>[Google’s translation from Polish].
>
>"By way of testing, investigators attempted to use these tools themselves to 
>crack RACF passwords.  They found that a great many passwords could be 
>extracted, that they were easy to discover by dictionary attack, that they 
>were not very complex and in many cases that they’d been unchanged from the 
>default when the ID was created.  Using a standalone PC they cracked about 30 
>000 passwords (out of 120 000 on Applicat’s database) in 'a couple of days'."
>
>---
>Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
>
>/* If the Earth were flat, cats would have pushed everything off it by now. */
>
>
>-----Original Message-----
>From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
>Behalf Of Charles Mills
>Sent: Monday, May 6, 2019 13:14
>
>I *believe* that was done by investigators after the fact, attempting to 
>determine how the attack might have been done. I don't recall that there is 
>compelling evidence that Svartholm actually did that.
>
>It *is* trivially easy to do, assuming (a.) read access to the DB and (b.) 
>old-style password storage.
>
>-----Original Message-----
>From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
>Behalf Of David Spiegel
>Sent: Sunday, May 5, 2019 8:02 AM
>
>One of the tricks he pulled was to offload the RACF Database to a PC and 
>Dictionary Attack it.
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN