Secure Your As400


  • 7/27/2019 Secure Your As400


in, so the next step is to get the card numbers.

This step proved that database metadata can be queried without a menu or command line.

Phase 3: The hacker gets a list of credit card numbers

From Navigator we can generate the list of credit cards.

Since QUSER is not part of the ERP group, it cannot alter data, but it can read data, and the list of credit cards is exposed.

The audit journal will tell the system administrator that someone looked into the credit card file, but this someone is QUSER, a generic user.

Phase 4: Find users that can be used to damage data

QUSER is not allowed to update data in library SAMPLE, so a hacker needs access with a different user. The easiest approach is to find a user profile that QUSER is allowed to use. The hacker will try to produce a list of the user profiles that QUSER is allowed to display; this is done by displaying the user profiles to an outfile and then querying the outfile.

Now it is possible to send commands and query the command results.

Phase 5: Damage the system

Since QUSER has authority to the ERP user profile, it is now easy, for example, to clear library SAMPLE. We did not include this last step in the article because we believed it would not be wise to include detailed instructions; however, company ABC can now suffer severe damage.

Security infrastructure is insufficient

Company ABC has a security policy that takes care of security; however, the security infrastructure is no longer sufficient. For example:

- It is possible to query the database remotely.
- It is possible to send command strings to be executed on the server.
- It is possible to see important configuration data and quickly find the "important stuff."
- It is easy to hide everything by using a well-known generic user.
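The last point is the one the audit journal cannot solve on its own: the record says QUSER, not who was behind QUSER. As an added example that is not part of the original article or the author's tooling, the Python script below shows one way an administrator could filter audit journal entries so that reads, changes and commands involving a sensitive file by a generic profile, or arriving through the remote server jobs, are flagged and then pivoted on the client address, which is what points at the real source. The pipe-separated record layout, the sample entries, the library SAMPLE and file name CREDITCARD, and the client address 10.1.2.33 are constructed for this example; the entry types ZR, ZC and CD and the server job names QZDASOINIT, QZRCSRVS and QRWTSRVR are real IBM i names, but the real DSPJRN outfile layout differs and would need its own parser.

```python
"""Added example: flag audit-journal entries in which a generic profile or a
remote server job touches a sensitive file, then pivot on client address.
The record layout here is a constructed, simplified pipe-separated form,
not the real DSPJRN outfile. Entry types ZR (object read), ZC (object
change) and CD (command string) and the server job names are real IBM i
names; everything else (library, file, addresses) is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed watch lists; a real deployment would load these from configuration.
SENSITIVE_OBJECTS = {("SAMPLE", "CREDITCARD")}              # (library, object) pairs
GENERIC_PROFILES = {"QUSER"}                                # shared profiles that hide the real actor
REMOTE_SERVER_JOBS = {"QZDASOINIT", "QZRCSRVS", "QRWTSRVR"}  # ODBC/JDBC, remote command, DDM/DRDA
CHANGE_ENTRIES = {"ZC"}
COMMAND_ENTRIES = {"CD"}


@dataclass(frozen=True)
class AuditRecord:
    entry_type: str   # ZR = object read, ZC = object change, CD = command run
    user: str         # profile the job ran under
    job_name: str
    job_number: str
    library: str
    obj: str          # file touched, or the command name for CD entries
    remote_addr: str  # client address, empty for local jobs (constructed field)


def parse_record(line: str) -> AuditRecord:
    """Parse one constructed 'type|user|job|jobnum|lib|obj|addr' line."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    return AuditRecord(*fields)


def classify(rec: AuditRecord) -> List[str]:
    """Return the reasons this record deserves attention (empty list = normal)."""
    reasons: List[str] = []
    sensitive = (rec.library, rec.obj) in SENSITIVE_OBJECTS
    generic = rec.user in GENERIC_PROFILES
    remote = rec.job_name in REMOTE_SERVER_JOBS
    if sensitive and generic:
        reasons.append("generic profile accessed sensitive object")
    if sensitive and remote:
        reasons.append("sensitive object reached through a remote server job")
    if sensitive and rec.entry_type in CHANGE_ENTRIES:
        reasons.append("sensitive object changed")
    if rec.entry_type in COMMAND_ENTRIES and remote:
        reasons.append("command submitted through a remote server job")
    return reasons


def find_alerts(lines: Iterable[str]) -> List[Tuple[AuditRecord, List[str]]]:
    """Run every journal line through classify() and keep the flagged ones."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        reasons = classify(rec)
        if reasons:
            alerts.append((rec, reasons))
    return alerts


def group_by_source(alerts) -> Dict[str, List[AuditRecord]]:
    """Pivot on client address: the profile says QUSER, the address says where from."""
    by_source: Dict[str, List[AuditRecord]] = defaultdict(list)
    for rec, _ in alerts:
        by_source[rec.remote_addr or "(local)"].append(rec)
    return dict(by_source)


# Constructed sample entries modelled on the article's scenario.
SAMPLE_JOURNAL = [
    "ZR|ERP01|ERPINTER|123001|SAMPLE|CREDITCARD|",             # ERP user, local job: normal
    "ZR|QUSER|QZDASOINIT|123456|SAMPLE|CREDITCARD|10.1.2.33",  # phase 3: remote read as QUSER
    "CD|QUSER|QZRCSRVS|123457|QSYS|DSPUSRPRF|10.1.2.33",       # phase 4: remote command
    "ZC|QUSER|QZDASOINIT|123460|SAMPLE|CREDITCARD|10.1.2.33",  # remote change of the file
]

if __name__ == "__main__":
    alerts = find_alerts(SAMPLE_JOURNAL)
    for rec, reasons in alerts:
        print(f"{rec.entry_type} {rec.user:<8} {rec.job_name}/{rec.job_number} "
              f"{rec.library}/{rec.obj} from {rec.remote_addr or '(local)'}: "
              f"{'; '.join(reasons)}")
    for addr, recs in group_by_source(alerts).items():
        print(f"{addr}: {len(recs)} flagged entries")
```

Run as a script it prints three flagged entries and one source address; the interactive ERP user's read passes because it is neither generic nor remote nor a change. Grouping by address is the useful part: a burst of QUSER activity from one client is what distinguishes a single misbehaving workstation from ordinary background use of the shared profile.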

The company needs to re-evaluate the security measures it uses. A security tool to monitor and control remote access to the system should be procured. Penetration tests should be performed to check the AS/400 security controls against known network attacks and intrusions. These security tests should be designed to test the security countermeasures in use in the AS/400 environment by carrying out penetration attacks from the customer's network and to achieve the following goals:

- Gaining access to the machine
- Gaining access to sensitive databases
- Testing the ability to change business information, especially financial data of the customer application
- Attempting to gain control of the computer, by identifying the system manager password or by creating a user profile with the authorities of the system manager

The AS/400 computer is considered to be one of the most secure systems in the world. However, changes in the IT infrastructure make AS/400 resources more available to network users, and the vulnerability of the computer increases accordingly. So watch out!

ABOUT THE AUTHOR: Shahar Mor is president of Barmor Information Systems, a consulting firm in Israel, which employs over 20 people who work on projects for the AS/400 in the network environment. He has also written a Redbook for IBM on iSeries e-commerce, and he is the Search400.com site expert for connectivity issues on the iSeries.


    All Rights Reserved, Copyright 1999 - 2008, TechTarget | Read our Privacy Policy