No, ~I~ quoted "there are solid indications" etc.  Mr Mills asserts that
they did not, which is contrary to my own reading but at this remove perhaps
it doesn't matter.  Whatever actually happened at Logica, the important
point is that with read access a hacker would be able to do so, a situation
most ardently to be avoided :).  The lesson I take from this, and pass on to
my clients, is that read access to the security database is a huge exposure
and in most cases - that is, for most user IDs - completely unnecessary.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* re-cur-sive (ri: 'kr sIv), from "re-" + Lat. "cursire" (to say "Oh, hell,
not AGAIN!"):  See "recursive". */


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Thursday, May 9, 2019 17:23

The only thing that I see that is relevant is where you quoted "There are
also solid indications that they downloaded the RACF database (about 28MB",
which certainly seems consistent with Bob's claim.

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of
Charles Mills <charl...@mcn.org>
Sent: Thursday, May 9, 2019 2:35 PM


Yes, that assertion is incorrect. Read my post.

-----Original Message-----
From: Seymour J Metz
Sent: Thursday, May 9, 2019 11:29 AM

Are you saying that Bob Bridges was wrong when he wrote "The stolen ID also
had read access to the RACF database.."? It's not a vulnerability of the
lock when you leave your key on the porch for anyone to use.
________________________________________
From: Charles Mills <charl...@mcn.org>
Sent: Thursday, May 9, 2019 2:20 PM

I have read the entire, very thorough police report, as has Chad R. Phil
Young has done considerable research on this.

There were two parts to it.

Svartholm somehow got the MPAA lawyer's user login for the Infotorg legal
database, hosted on USS. (The "somehow" may be known but I do not know or
recall it.) That userid was insignificant to the overall integrity of the Z
box. He was able to harass the lawyer by changing her password, etc., etc.,
but that was all. No real threat to system integrity. It would be like if I
had the userid and password for one of your vanilla CICS users. Not good,
but not the end of the world.

He leveraged that, via the http vulnerability, into pwning the whole box:
multiple RACF SPECIAL IDs, etc., etc. That was the huge, huge, huge problem
for the service bureau.

So the z/OS vulnerability was the key here, not one random userid. And yes,
it was a z/OS vulnerability. It was a zero-day defect in system software
running as a service of z/OS. If that's not a z/OS vulnerability I don't
know what is.

-----Original Message-----
From: Bob Bridges
Sent: Thursday, May 9, 2019 10:28 AM

I believe Peter's right.  The hackers got a stolen ID with some RACF power,
by means not positively identified but social engineering is as likely as
any other hypothesis.  (I read ~speculation~ about an HTTP vulnerability,
but the forensic investigators never established how the initial breakin
occurred.)  Once they were in, they fooled around in OMVS and were able to
get more power.  The stolen ID also had read access to the RACF database.

"There are also solid indications that they downloaded the RACF database
(about 28MB)....Once they'd downloaded the RACF database, they subjected it
to a password-cracking tool....On Feb 28, about the same time the RACF
database was downloaded, some questions appeared on the mailing list
PaulDotCom about hashing methods for RACF; by March 3rd, apparently in
response, John the Ripper had been enhanced to include the capability of
working on RACF passwords, in collaboration with another tool called
CRACF....By way of testing, investigators attempted to use these tools
themselves to crack RACF passwords.  They found that a great many passwords
could be extracted, that they were easy to discover by dictionary attack,
that they were not very complex and in many cases that they'd been unchanged
from the default when the ID was created.  Using a standalone PC they
cracked about 30 000 passwords (out of 120 000 on Applicat's database) in
'a couple of days'."

So yeah, the investigators did it too, but just to establish how effective
might be the new version of John the Ripper.

-----Original Message-----
From: Charles Mills
Sent: Thursday, May 9, 2019 11:39

No.  Read the original thread here.

It was a vulnerability in a Web server.  Hacking the RACF database was done
well after the fact, by investigators.

-----Original Message-----
From: Peter Vander Woude
Sent: Thursday, May 9, 2019 6:56 AM

That's what happened in the Swedish bank hack, back in 2012.  In that, once
they got the database copy on their PC, they used hacker tools that are out
there, to crack all the passwords.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
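Bob's lesson in the first message (read access to the RACF database is a huge exposure and, for most IDs, unnecessary) comes down to two concrete tasks: find out who can read the RACF data sets today, and take that access away. The batch job below is an added example, not code from the thread or from IBM; everything in it is an assumption for illustration: the data set names SYS1.RACFPRIM and SYS1.RACFBKUP (take the real names from RVARY LIST), the group RACFADM as the only legitimate reader, and APPUSER as an ID that turned up on the access list with READ. It also assumes the data sets are protected by discrete profiles; if a generic profile covers them, list and alter that profile instead.

```jcl
//RACFDB   JOB (ACCT),'RACF DB READ ACCESS',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*------------------------------------------------------------------
//* Added example, not from the IBM-MAIN thread.  Data set names,
//* RACFADM (admin group) and APPUSER (ID found with READ) are
//* assumptions; replace them with your own.
//*------------------------------------------------------------------
//* Step 1: who can read the security database right now?
//*   RVARY LIST  - names of the active primary/backup RACF data sets
//*   SEARCH      - every DATASET profile starting with SYS1.RACF
//*   LISTDSD ALL - UACC, access list and audit options of each one.
//*   Anything other than UACC(NONE) and a very short access list is
//*   the exposure the thread describes.
//LIST     EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RVARY LIST
  SEARCH CLASS(DATASET) MASK(SYS1.RACF)
  LISTDSD DATASET('SYS1.RACFPRIM') ALL
  LISTDSD DATASET('SYS1.RACFBKUP') ALL
/*
//* Step 2: close it.  UACC(NONE) so nobody reads the hashes by
//* default; an explicit ACCESS(NONE) for the ID that should never
//* have had it (overrides any group or UACC grant); READ only for
//* the admin group that takes the backups; AUDIT(ALL(READ)) so
//* every successful read of the database is written to SMF and a
//* download like the one in the police report leaves a trace.
//* The backup data set carries the same password hashes, so it
//* gets identical treatment.
//FIX      EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  ALTDSD  'SYS1.RACFPRIM' UACC(NONE) AUDIT(ALL(READ))
  ALTDSD  'SYS1.RACFBKUP' UACC(NONE) AUDIT(ALL(READ))
  PERMIT  'SYS1.RACFPRIM' ID(APPUSER) ACCESS(NONE)
  PERMIT  'SYS1.RACFBKUP' ID(APPUSER) ACCESS(NONE)
  PERMIT  'SYS1.RACFPRIM' ID(RACFADM) ACCESS(READ)
  PERMIT  'SYS1.RACFBKUP' ID(RACFADM) ACCESS(READ)
  SETROPTS GENERIC(DATASET) REFRESH
/*
```

Two caveats a practitioner would add. First, the database is not the only copy of the hashes: the backup data set, IRRUT200 copies, and full-volume dumps that include the RACF data sets all need the same protection, or the READ restriction on the primary buys nothing. Second, the cracking described in the thread worked because the 2012-era hashes were RACF DES, which John the Ripper was extended to attack; on z/OS releases that support it, SETROPTS PASSWORD(ALGORITHM(KDFAES)) followed by ALTUSER with PWCONVERT for existing IDs replaces those hashes with an iterated, salted form that makes a stolen copy far more expensive to crack. That does not remove the exposure, it only raises the attacker's cost, which is why the access-list cleanup above comes first.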
