Yes, it is an option, but the solution recommended by the vendor is server mode. However, not all products/features that are based on this product support server mode.

On Fri, May 10, 2019 at 6:43 PM Seymour J Metz <sme...@gmu.edu> wrote:

> Couldn't you grant the access only through PADS?
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> ________________________________________
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of ITschak Mugzach <imugz...@gmail.com>
> Sent: Friday, May 10, 2019 1:06 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"?
>
> I found many security and system programmers assuming that in order to manage security, one needs access to the security database. In many assessments I was able to copy the file with no problem. While this assumption is completely untrue, many of you make use of (at least one) RACF administration product that directly reads the RACF database, so you need to have read access to use it. All products built around this product also require at least read access. In some cases, when I recommended to switch to "server" mode, the vendor said that not all products support that.
>
> So, even if you have ROAUDIT attribute you got read access to the RACF db. And this is a security and audit product!
>
> ITschak
>
> On Thu, May 9, 2019 at 8:16 PM Charles Mills <charl...@mcn.org> wrote:
>
> > To answer the OP question, Yes, assuming
> >
> > - The perp has the ability to run some sort of volume backup, such as authority to the volume and to run a volume backup program.
> > - The ability to copy the backup off of the system, such as with FTP, access to a physical tape drive, or downloading to a PC and converting to some sort of format accessible to item 3 below.
> > - Access to a "friendly" system, such as Hercules, on which the perp has the ability to restore the backup. Any RACF-type restrictions on access to the database would not persist onto this system.
> >
> > Charles
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Clark Morris
> > Sent: Tuesday, May 7, 2019 5:27 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"?
> >
> > [Default] On 6 May 2019 20:10:27 -0700, in bit.listserv.ibm-main 00000047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
> >
> > >In most shops only 2 people have the required access to the RACF database.
> > >
> > Could someone use DF/DSS, DF/HSM, FDR or FDR/ABR to copy the database and then download the dump of the database?
> >
> > Clark Morris
> > >
> > >Sent from Yahoo Mail for iPhone
> > >
> > >On Monday, May 6, 2019, 11:06 PM, Bob Bridges <robhbrid...@gmail.com> wrote:
> > >
> > >"Once they’d downloaded the RACF database, they subjected it to a password-cracking tool. John the Ripper is one such tool, widely available on the internet. On Feb 28, about the same time the RACF database was downloaded, some questions appeared on the mailing list PaulDotCom about hashing methods for RACF; by March 3rd, apparently in response, John the Ripper had been enhanced to include the capability of working on RACF passwords, in collaboration with another tool called CRACF.
> > >
> > >"In the Zauf article is this description: 'Creating a password hash algorithm works like this: After entering the password, it is padded with spaces, if necessary, to a length of 8 bytes. Each character is then XORed with x‘55’ and shifted left one bit. Then the user ID is DES-encrypted, using the modified password as the DES key. Developers took a few days to determine the algorithm and modify John the Ripper. Now the utility excels at hashing the RACF database.' It also mentioned a source-code module named racf2john.c, 'a tool that converts database file exported in the input data, read for JTR' [Google’s translation from Polish].
> > >
> > >"By way of testing, investigators attempted to use these tools themselves to crack RACF passwords. They found that a great many passwords could be extracted, that they were easy to discover by dictionary attack, that they were not very complex and in many cases that they’d been unchanged from the default when the ID was created. Using a standalone PC they cracked about 30 000 passwords (out of 120 000 on Applicat’s database) in 'a couple of days'."
> > >
> > >---
> > >Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
> > >
> > >/* If the Earth were flat, cats would have pushed everything off it by now. */
> > >
> > >-----Original Message-----
> > >From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills
> > >Sent: Monday, May 6, 2019 13:14
> > >
> > >I *believe* that was done by investigators after the fact, attempting to determine how the attack might have been done. I don't recall that there is compelling evidence that Svartholm actually did that.
> > >
> > >It *is* trivially easy to do, assuming (a.) read access to the DB and (b.) old-style password storage.
> > >
> > >-----Original Message-----
> > >From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of David Spiegel
> > >Sent: Sunday, May 5, 2019 8:02 AM
> > >
> > >One of the tricks he pulled was to offload the RACF Database to a PC and Dictionary Attack it.
> > >
> > >----------------------------------------------------------------------
> > >For IBM-MAIN subscribe / signoff / archive access instructions,
> > >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Contiguous Monitoring for Legacy **| *

--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring for Legacy **| *
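
Added example, not part of the thread or of any product mentioned in it: a small audit that combines the routes named above (direct READ to the RACF database, access limited through PADS, and volume-level backup authority) with the ability to move a copy off the system. The inventory format, user IDs and the program name ADMPGM are constructed for illustration; real input would come from the installation's own access reports.

```python
# Added example, not from the thread. All IDs and program names are constructed.
from dataclasses import dataclass
from typing import Optional

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

@dataclass(frozen=True)
class Permit:
    user: str
    access: str
    program: Optional[str] = None  # set when access is granted only through PADS

def readable(level):
    return LEVELS.index(level) >= LEVELS.index("READ")

def copy_routes(uacc, permits, volume_dumpers, offloaders):
    """Map each ID to its routes to the database and whether a copy can leave the system."""
    routes = {}
    if readable(uacc):
        routes["*"] = ["direct-read"]  # UACC of READ or higher: every ID qualifies
    for p in permits:
        if readable(p.access):
            kind = f"pads:{p.program}" if p.program else "direct-read"
            routes.setdefault(p.user, []).append(kind)
    for user in volume_dumpers:
        # Volume-level backup authority reaches the database without a data set permit.
        routes.setdefault(user, []).append("volume-backup")
    report = {}
    for user in sorted(routes):
        # PADS access works only inside the named program, so it is not a free copy route.
        free = [k for k in routes[user] if not k.startswith("pads:")]
        can_offload = user == "*" or user in offloaders
        report[user] = {"routes": routes[user], "exposed": bool(free) and can_offload}
    return report

# Constructed inventory for the example.
PERMITS = [
    Permit("SECADM1", "READ"),
    Permit("AUDTOOL", "READ", program="ADMPGM"),
    Permit("SYSPRG2", "ALTER"),
    Permit("HELPDSK", "NONE"),
]
VOLUME_DUMPERS = {"STGADM1", "SYSPRG2"}            # may dump the volume holding the database
OFFLOADERS = {"SECADM1", "STGADM1", "AUDTOOL"}     # FTP, tape or PC download available
REPORT = copy_routes("NONE", PERMITS, VOLUME_DUMPERS, OFFLOADERS)

if __name__ == "__main__":
    for user, row in REPORT.items():
        print(f"{user:8} exposed={row['exposed']!s:5} routes={','.join(row['routes'])}")
```

IDs reported as exposed are the ones to review first; the third condition in the list above, a system on which the copy can be restored, lies outside the installation's control and is not modelled.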