What causes IBM integrity (code-based) APARs to be generated? Surely not all of them are found internally. The thing is, with the way integrity APARs are handled, the source of the problem is never disclosed. Many are, I believe, zero-days that would cause a hack if found by the wrong person.

Lou

--
Artificial Intelligence is no match for Natural Stupidity
- Unknown

On Thu, May 9, 2019 at 2:45 PM Bill Johnson <00000047540adefe-dmarc-requ...@listserv.ua.edu> wrote:

> 5 LPARS, shared DASD, same rules for each LPAR. Full volume backups were controlled by 1 DASD Admin. (now deceased) I no longer work there. As the installer of the security product, TSS, even I had very limited access to the security datasets.
> If hacking the mainframe was easy, or even slightly below extremely difficult, you would have hacks happening all the time since it’s where the money is. Nearly every bank in the world runs on a mainframe.
>
> Sent from Yahoo Mail for iPhone
>
> On Thursday, May 9, 2019, 2:22 PM, Charles Mills <charl...@mcn.org> wrote:
>
> How about a volume backup? How about from a sandbox LPAR that shares DASD?
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
> Sent: Thursday, May 9, 2019 10:32 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"?
>
> All of the security datasets are locked down to all but a select few. It would be next to impossible for someone not considered highly trustworthy to do anything with them.
>
> Sent from Yahoo Mail for iPhone
>
> On Thursday, May 9, 2019, 1:16 PM, Charles Mills <charl...@mcn.org> wrote:
>
> To answer the OP question, Yes, assuming
>
> - The perp has the ability to run some sort of volume backup, such as authority to the volume and to run a volume backup program.
> - The ability to copy the backup off of the system, such as with FTP, access to a physical tape drive, or downloading to a PC and converting to some sort of format accessible to item 3 below.
> - Access to a "friendly" system, such as Hercules, on which the perp has the ability to restore the backup.
> Any RACF-type restrictions on access to the database would not persist onto this system.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Clark Morris
> Sent: Tuesday, May 7, 2019 5:27 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"?
>
> [Default] On 6 May 2019 20:10:27 -0700, in bit.listserv.ibm-main 00000047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> > In most shops only 2 people have the required access to the RACF database.
>
> Could someone use DF/DSS, DF/HSM, FDR or FDR/ABR to copy the database and then download the dump of the database?
>
> Clark Morris
>
> > Sent from Yahoo Mail for iPhone
> >
> > On Monday, May 6, 2019, 11:06 PM, Bob Bridges <robhbrid...@gmail.com> wrote:
> >
> > "Once they’d downloaded the RACF database, they subjected it to a password-cracking tool. John the Ripper is one such tool, widely available on the internet. On Feb 28, about the same time the RACF database was downloaded, some questions appeared on the mailing list PaulDotCom about hashing methods for RACF; by March 3rd, apparently in response, John the Ripper had been enhanced to include the capability of working on RACF passwords, in collaboration with another tool called CRACF.
> >
> > "In the Zauf article is this description: 'Creating a password hash algorithm works like this: After entering the password, it is padded with spaces, if necessary, to a length of 8 bytes. Each character is then XORed with x‘55’ and shifted left one bit. Then the user ID is DES-encrypted, using the modified password as the DES key. Developers took a few days to determine the algorithm and modify John the Ripper. Now the utility excels at hashing the RACF database.' It also mentioned a source-code module named racf2john.c, 'a tool that converts database file exported in the input data, read for JTR' [Google’s translation from Polish].
> >
> > "By way of testing, investigators attempted to use these tools themselves to crack RACF passwords. They found that a great many passwords could be extracted, that they were easy to discover by dictionary attack, that they were not very complex and in many cases that they’d been unchanged from the default when the ID was created. Using a standalone PC they cracked about 30 000 passwords (out of 120 000 on Applicat’s database) in 'a couple of days'."
> >
> > ---
> > Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
> >
> > /* If the Earth were flat, cats would have pushed everything off it by now. */
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills
> > Sent: Monday, May 6, 2019 13:14
> >
> > I *believe* that was done by investigators after the fact, attempting to determine how the attack might have been done. I don't recall that there is compelling evidence that Svartholm actually did that.
> >
> > It *is* trivially easy to do, assuming (a.) read access to the DB and (b.) old-style password storage.
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of David Spiegel
> > Sent: Sunday, May 5, 2019 8:02 AM
> >
> > One of the tricks he pulled was to offload the RACF Database to a PC and Dictionary Attack it.
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN