
Is your AS/400 secure?: How a hacker could get valuable information from your system

Shahar Mor, Contributor
07.14.2008

The AS/400 is considered one of the most secure platforms; however, many shops fail to consider the risk from users accessing the platform via desktop applications rather than green-screen applications. Here we will demonstrate the simplicity of compromising AS/400 security using standard desktop tools by presenting a few scenarios. To begin with, a hacker wishes to gain access to a fictitious company called ABC in order to read and change sensitive data.

The scenario for Company ABC

Company ABC is using an AS/400 with a green-screen-based enterprise resource planning (ERP) system, and iSeries Access PC5250 is used as the emulation client. The company has established the following policy for ERP security:

- The ERP users are all part of the group ERP.
- The group ERP has *ALL authority to all files in the application.
- Users not in group ERP have read-only access to the tables.
- All users of the ERP are required to change their password periodically; the password policy prevents default or trivial passwords.
- All users of the ERP system are configured with no command line option (the LMTCPB parameter in the user profile is set to *YES).
- Auditing in the system is active. All authority failures are logged to the QAUDJRN. Access to highly sensitive files is also audited.
- Inactive users are disabled from the system after 90 days of inactivity.
- Only required TCP/IP servers are active. Telnet, sign-on, FTP and database are open for application reasons.
- For auto login to the sign-on server the company uses user profile QUSER with password QUSER. QUSER is defined with LMTCPB set to *YES and no initial program or menu.

The hacker mission

Perform the following with minimum trace available:

- Log in to ABC's system.
- Retrieve the customer list with credit card information.
- Damage financial data.

Implementation

The hacker will use the QUSER user profile. QUSER's default password is QUSER, and although QUSER is not allowed to use the green screen, it can be used for other access methods to the system. The hacker will use the well-known iSeries Access; it is installed in ABC's offices to allow 5250 emulation.

Phase 1: Find the name of the production library

The hacker's first task is to try to find the exact location of sensitive data in the system. The most convenient way is to look at what other people are doing. So the hacker will log in to iSeries Navigator (part of iSeries Access, which is installed to provide 5250 emulation).
In Navigator, the hacker chooses the option to display active jobs and looks at the open files of interactive jobs (-> open files).

[Screenshot]

Conclusion: Navigator is not restricted for users with limited capabilities. In our scenario, let's assume we found out that company ABC's main ERP library is called SAMPLE.

Phase 2: Get list of sensitive tables

The hacker is now looking for tables related to credit cards, and the easiest way is to query metadata:

[Screenshot]

The hacker gets a result. The suspected file is in a library they are interested in, so the next step is to get the card numbers. This step proved that database metadata can be queried without a menu or command line.

Phase 3: The hacker gets a list of credit card numbers

From Navigator we can generate the list of credit cards.

[Screenshot]

Since QUSER is not part of the ERP group, they cannot alter data but they can read data, and the list of credit cards is exposed. The audit journal will tell the system administrator that someone looked into the credit cards file, but this someone is QUSER, a generic user.

Phase 4: Find users that we can use for damaging data

QUSER is not allowed to update data in library SAMPLE, so the hacker needs access with a different user. The easiest approach is to find a user profile that user QUSER is allowed to use. The hacker will try to produce a list of user profiles QUSER is allowed to display; this is done by displaying the user profile to an outfile and then querying the outfile:

[Screenshots]

Now it is possible to send commands and query the command results.

Phase 5: Damage the system

Since QUSER has authority to the ERP user profile, it is now easy, for example, to clear library SAMPLE. We did not include this last step in the article because we believed it would not be wise to include detailed instructions; however, company ABC can now suffer severe damage.

Security infrastructure is insufficient

Company ABC has a security policy that takes care of security; however, the security infrastructure is no longer sufficient. For example:

- It is possible to query the database remotely.
- It is possible to send command strings to be executed on the server.
- It is possible to see important configuration data and quickly find the "important stuff."
- It is easy to hide everything by using a well-known generic user.
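Phase 3 notes that the audit journal ties the read only to the generic QUSER profile; the job name on each entry still shows which access path was used, so audited events can be triaged as in the following added example, which is not code from the original article. The CSV layout and the names CARDS, LEDGER, MARYK and NIGHTLY are constructed for illustration; the job-name prefixes are the usual IBM i host server job names (QZDASOINIT for the database server, QZRCSRVS for remote command, QTFTP for FTP).

```python
import csv
import io

# Constructed sample: audit entries exported to CSV. The column layout and
# the names CARDS, LEDGER, MARYK and NIGHTLY are assumptions for this example.
SAMPLE_AUDIT_CSV = """\
timestamp,entry_type,user,job_name,library,object
2008-07-01T09:12:03,ZR,MARYK,QPADEV0007,SAMPLE,CARDS
2008-07-01T23:41:18,ZR,QUSER,QZDASOINIT,SAMPLE,CARDS
2008-07-01T23:44:52,AF,QUSER,QZDASOINIT,SAMPLE,LEDGER
2008-07-01T23:50:10,ZC,ERP,QZRCSRVS,SAMPLE,LEDGER
2008-07-02T02:00:00,ZC,ERP,NIGHTLY,SAMPLE,LEDGER
"""

# Host server job-name prefixes mapped to the access path they indicate.
HOST_SERVER_JOBS = {"QZDASOINIT": "database server",
                    "QZRCSRVS": "remote command server", "QTFTP": "FTP server"}
ENTRY_TYPES = {"ZR": "read", "ZC": "change", "AF": "authority failure"}
SHARED_PROFILES = {"QUSER"}  # generic, non-personal profiles
SENSITIVE = {("SAMPLE", "CARDS"), ("SAMPLE", "LEDGER")}

def access_path(job_name):
    """Return the host server label for a job name, or None for other jobs."""
    for prefix, label in HOST_SERVER_JOBS.items():
        if job_name.startswith(prefix):
            return label
    return None

def find_remote_access(csv_text):
    """Flag audited events on sensitive objects that arrived via a host server."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = access_path(row["job_name"])
        action = ENTRY_TYPES.get(row["entry_type"])
        target = (row["library"], row["object"])
        if path is None or action is None or target not in SENSITIVE:
            continue  # interactive/batch jobs and unrelated objects are skipped
        findings.append({
            "timestamp": row["timestamp"], "user": row["user"],
            "path": path, "action": action, "object": "/".join(target),
            # A shared profile means the entry cannot be tied to a person.
            "shared_profile": row["user"] in SHARED_PROFILES,
        })
    return findings

if __name__ == "__main__":
    for finding in find_remote_access(SAMPLE_AUDIT_CSV):
        print(finding)
```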


The company needs to re-evaluate the security measures it uses. A security tool to monitor and control remote access to the system should be procured. Penetration tests should be performed to check the AS/400 security controls against known net attacks and intrusions. These security tests should be designed to test the security countermeasures in use in the AS/400 environment by carrying out penetration attacks from the customer's network and to achieve the following goals:

- Gaining access to the machine
- Gaining access to sensitive databases
- Testing the ability to change business information, especially financial data of the customer application
- Attempting to gain control of the computer, by identifying the system manager password, or creating a user profile with authorities of system manager.

The AS/400 computer is considered to be one of the most secure systems in the world. However, the changes in the IT infrastructure cause the AS/400 resources to become more available to network users, and the vulnerability of the computer increases accordingly. So watch out!

ABOUT THE AUTHOR: Shahar Mor is president of Barmor Information Systems, a consulting firm in Israel, which employs over 20 people who work on projects for the AS/400 in the network environment. He has also written a Redbook for IBM on iSeries e-commerce, and he is the Search400.com site expert for connectivity issues on the iSeries.


All Rights Reserved, Copyright 1999 - 2008, TechTarget
