Wednesday, 4 August 2010

OCEAN AS/400 Conference Notes

I attended the July 16 OCEAN annual technical conference on the iSeries (which I will always call the AS/400). I've spent a good chunk of my professional career working on this system and while it seems to be slowly fading away, I still like to keep up on it. Who knows when you might run across one? Being one of the last people around familiar with this technology may prove useful.

Some general notes: There was a session on iPhone integration with the iSeries, showing this venerable back end is still being adapted to the latest client gadgets. A whole series of PHP development sessions was provided, including ones on the Zend environment.

My main focus here is the session on security, given by John Earl (who immediately recognized me in the audience after over 10 years). He covered some of the laws governing breach reporting and personal information protection, noting that Massachusetts has the strictest state laws in the US. His main focus was on insider threats, as he believes the iSeries is hard for an outsider to attack without some sort of inside access and knowledge.

John noted that default passwords are still a problem, especially for vendor software. The ANZDFTPWD command will help by checking for many of these. Unencrypted passwords on the wire are another problem, with FTP, telnet and the iSeries Access Servers (formerly Client Access). He noted some common mechanisms for finding user IDs and user profile information that can be exploited even with a limited capability account that supposedly restricts command line access. Read access to a user profile provides the ability to take over the profile - so do not allow *PUBLIC (world in unix-speak) read access. Taking over a profile involves using it in the SBMJOB command, in a JOBD, or through ADDJOBSCDE (look these up if they don't make sense!). John is a strong believer in relying on object authority rather than exit programs for security.

Having been outside the iSeries world for a while, it was discouraging to hear the same flaws mentioned that I had known about ten and fifteen years ago. The approach to taking over an AS/400 seems similar to that used in Windows systems - get the authentication credentials, execute a command using that credential, use the command to gain command line access. What ADDJOBSCDE does in an iSeries, "schtasks" (or "at") does for Windows.

The article was originally published at Security Blog
