To answer the OP question, Yes, assuming - The perp has the ability to run some sort of volume backup, such as authority to the volume and to run a volume backup program. - The ability to copy the backup off of the system, such as with FTP, access to a physical tape drive, or downloading to a PC and converting to some sort of format accessible to item 3 below. - Access to a "friendly" system, such as Hercules, on which the perp has the ability to restore the backup. Any RACF-type restrictions on access to the database would not persist onto this system.
Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Clark Morris Sent: Tuesday, May 7, 2019 5:27 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"? [Default] On 6 May 2019 20:10:27 -0700, in bit.listserv.ibm-main 00000047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote: >In most shops only 2 people have the required access to the RACF database. > Could someone use DF/DSS, DF/HSM, FDR or FDR/ABR to copy the database and then download the dump of the database? Clark Morris > >Sent from Yahoo Mail for iPhone > > >On Monday, May 6, 2019, 11:06 PM, Bob Bridges <robhbrid...@gmail.com> wrote: > >"Once theyd downloaded the RACF database, they subjected it to a password-cracking tool. John the Ripper is one such tool, widely available on the internet. On Feb 28, about the same time the RACF database was downloaded, some questions appeared on the mailing list PaulDotCom about hashing methods for RACF; by March 3rd, apparently in response, John the Ripper had been enhanced to include the capability of working on RACF passwords, in collaboration with another tool call CRACF. > >"In the Zauf article is this description: 'Creating a password hash algorithm works like this: After entering the password, it is padded with spaces, if necessary, to a length of 8 bytes. Each character is then XORed with x55 and shifted left one bit. Then the user ID is DES-encrypted, using the modified password as the DES key. Developers took a few days to determine the algorithm and modify John the Ripper. Now the utility excels at hashing the RACF database.' It also mentioned a source-code module named racf2john.c, 'a tool that converts database file exported in the input data, read for JTR' [Googles translation from Polish]. > >"By way of testing, investigators attempted to use these tools themselves to crack RACF passwords. They found that a great many passwords could be extracted, that they were easy to discover by dictionary attack, that they were not very complex and in many cases that theyd been unchanged from the default when the ID was created. Using a standalone PC they cracked about 30 000 passwords (out of 120 000 on Applicats database) in 'a couple of days'." > >--- >Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313 > >/* If the Earth were flat, cats would have pushed everything off it by now. */ > > >-----Original Message----- >From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills >Sent: Monday, May 6, 2019 13:14 > >I *believe* that was done by investigators after the fact, attempting to determine how the attack might have been done. I don't recall that there is compelling evidence that Svartholm actually did that. > >It *is* trivially easy to do, assuming (a.) read access to the DB and (b.) old-style password storage. > >-----Original Message----- >From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of David Spiegel >Sent: Sunday, May 5, 2019 8:02 AM > >One of the tricks he pulled was to offload the RACF Database to a PC and Dictionary Attack it. > >---------------------------------------------------------------------- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > >---------------------------------------------------------------------- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
