02
Sat, Nov
2 New Articles

"Mission Attainable: Rogue Server"

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

A Hollywood Blockbuster Cluster

 

Government agent Heathen Runt slips into his specialized climbing gear, and in a pocket of his magnetic backpack, he stashes the thumb drive he will use to access the server. He then embarks on the long, arduous ascent to the top of the precipice that marks home to the impenetrable data center belonging to the evil organization known as Server People Hampering Integration of New Core Technologies, or SPHINCTer.

 

While many Power Systems servers host applications on the web, the biggest hurdle to connecting to the typical back-end server running IBM i involves accessing the network that hosts it. Of course, the word "biggest" is relative. A quick Google search for "biggest breaches" returns more than 10 million (yes, million!) hits, disclosing the dizzying array of headline-hitting security failures, along with a multitude of experts speculating on how the various security controls were traversed. There's the fairly mundane, such as a misconfigured router or firewall, and then there's the plain gutsy, such as physically swapping out Point of Sale (POS) devices in a retail store in order to introduce malware. The bottom line is that if you're convinced your network could never be compromised, then you've already lost the battle!

 

When he finally reaches the peak of the mountain, Runt observes two heavily-armed guards (or is that heavy, two-armed guards?) patrolling the rear entrance to SPHINCTer's data center. Hiding in the crack between two huge boulders, he unclips his backpack and removes his climbing suit, revealing a uniform identical to those worn by the guards except for the "I'm The Boss" name tag. The plan is daringly simple: walk right past the guards and hope they're intimidated by his senior position. If that doesn't work, the daringly simple plan will be swapped with the Chuck Norris plan.

 

Hackers have realized that humans are the weakest link in the security chain. Exploiting man's unquenchable thirst for love, sex, and money, as well as our natural curiosity and our social training to do as instructed, fraudsters trick us into clicking email links and surrendering personal information over the phone and Internet. Social media has become one of the most bountiful sources of once-private information. We simply can't wait to tweet about new jobs and hairstyles and to Instagram cute photos of Fido celebrating his birthday as if it's breaking news! Do criminals really care about hacking our kids' new VTech-branded toy or breaching our dating preferences on BinaryOnly.com? Of course not! But criminals have discovered that credentials to these websites are often reused on more critical ones, such as our corporate VPN and our banking website. Criminals have also discovered that the better they profile their victims through online public sources, the more targeted and successful the attack will be. And, as mind-boggling as it may seem, it's not unheard of for criminals to dress in a suit and walk into a building acting as if they own the place, easily gaining access to restricted areas. If you're scoffing, think about the last time you stopped and grilled someone who appeared to be a part of the executive team. When I'm handed a visitor pass, I enjoy testing the water by wearing it blank side out—or not wearing it at all—when I walk through office areas on my way to the men's room. I don't remember the last time I was stopped or questioned by anyone. Admittedly, being the size of an NFL linebacker might have something to do with that, but the appearance of authority really is an easy "in" to the trusted perimeter.

 

Access was less challenging than expected, and, having chastised the apologetic guards for their sloppy appearance, Runt strolls nonchalantly into the building. Using the GPS function on his Snapple Watch, he makes his way quickly to the server room, seeking data on all criminals in the SPHINCTer organization. As he opens the door, Runt scans the room and quickly recognizes the glowing front panel of the IBM Power server, reputed by Ripley's Believe It or Not! as one of the most secure server technologies in the world!

 

Reputations can be grossly misleading. In the case of the IBM i operating system—often considered to be virtually impenetrable—the difference between a server being secure versus securable has to be acknowledged. For some inexplicable reason, we expect the security controls to have been preconfigured to their perfect values for every company, application, and industry regulation. Even if magic were truly possible, applications and security configurations are commonly migrated from each generation of the server to the next, negating any attempt by IBM to update the defaults to be more representative of this era of ever-evolving regulatory mandates. Ironically, success of a migration is usually indicated by the fact that the shiny new server mirrors the dusty old one purchased years ago, which, incidentally, was itself a server that was migrated from a system purchased years before that! A popular study reports that the vast majority of servers running IBM i remain in default configurations, or worse, and reflect a 1990s security mindset.

 

Inserting the thumb drive into a nearby PC executes a script that attempts to connect to the server. Runt has done his research and, through reading hair-raising security articles on MC Press Online, he is aware that over 50 percent of Power Servers do not monitor or log powerful services like FTP and DDM. He also knows that profiles are typically created with a matching password and often remain that way until someone discovers them (but never seems to fix them) during a subsequent audit. Other controls, such as disabling only a workstation as a result of too many invalid sign on attempts, will be ineffective against this script! It's not like it really matters anyway as there's only a 77 percent chance that auditing is active. And, even if it is, no one ever checks the logs and would notice an attackat least not until Runt's sipping celebratory champagne up in first class as the final credits roll. The script runs faster than a deer, taking less than 3 seconds to locate a profile with a default password, and connects to the server. Thanks to the unfortunate "allow-all" default configuration, he quickly downloads the SPHNCTRMST master file to the thumb drive. This breach was even easier than Runt expected!

 

Assuming you don't deliberately maintain a policy of permitting everyone in your organization to view, change, and delete data, and assuming you prefer that end users are unable to reboot the server or reconfigure profiles and TCP communications, then it's time to take a new stance. While the genesis of many poor security practices can be traced back to simpler days of Twinax cabling and RPG II code, it's past time to allocate funds and assign resources to first stop the bleeding and then to put this train wreck in reverse and start to clean up erroneous configurations to correct the situation. Within the past year, I have encountered a system that was connected to the Internet with no firewall protection and was operating with an open TELNET port. I won't disclose all of the sordid details, but the IP address was revealed on an underground website in a list of "AS/400" servers that scans had determined were open. If that wasn't bad enough, we then uncovered that the QPGMR profile had a matching password (QPGMR) and had been granted the Holy Grail of IBM i power, *ALLOBJ! This is perhaps an extreme example, but there are many more almost as bad. I've audited systems configured with their minimum password length set all the way down to one character. I have lost count of the number of profiles operating with "root" access levels via *ALLOBJ special authority as well as the systems that were not even using the free auditing capabilities. All of these scenarios may be shocking and dismissed as obvious, but it happens more often than it doesn't, and I don't see folks clambering to resolve the issues.

 

Sadly, in the real world, super-spies are interchangeable with end-users, and Heathen Runt might actually be a warehouse worker or an accounts receivable clerk. If the crimanagers (criminal mangers) at SPHINCTer had attended COMMON and then budgeted for audits and remediation services for this server instead of relying solely upon perimeter controls, then the breach would have been far more difficult. This is no different from the average organization over-confidently putting their security eggs in one proverbial basket by employing only a single security layer: the perimeter. Once Runt got through the one door, nothing else stood in his way. Many of us assume that a server and data can't be accessed outside of the official application and don't implement security in layers as experts recommend, with each layer designed to slow down the perpetrators until they're discovered or they move on to an easier victim.

 

Audits are highly valuable when performed by an auditor who understands that not all worlds are populated exclusively by Microsoft's adorable mischievous minions, and when the auditor's observations and resulting recommendations are acted upon. Audits are intended to validate that established procedures are being followed and that security settings remain correctly configuredon an ongoing basis, not just the day before the auditor arrives. Information abounds about how to correctly configure IBM i security as well as where common mistakes are made. Sadly, often administrators and executives either are unaware of how bad the situation is or choose to ignore the warning signs because of resource constraints or financial implications. After all, we could never be breached, right? WRONG!

 

Tales of government-sponsored breaches, globally coordinated ATM attacks, and the compromising of major corporate networks using an HVAC contractor's credentials might read like Hollywood scripts, but each has occurred in the real world in the past couple of years, all with devastating consequences. Virtually all data has value even if it seems it may not, and not adequately protecting it comes with a price tag: As I wrap up this riveting article, the University of Washington Medicine is the latest to pay after being slapped with a $750,000 fine for a HIPAA violation after falling victim to an email-based phishing attack in 2013. Servers are a target as they contain the data that has financial value to the attacker. Employees are the conduits to the servers and applications, making them targets to be coerced, enticed, tricked, and blackmailed.

 

You don't have to be a Citibank or Sony or eBay to be at risk of a breach. Do you think VTech executives sat in their board room and allocated millions of budget dollars to protecting their online social network that caters to tech-savvy infants? Not according to recent headlines. Sadly, I am pretty sure that's what they're doing now! A data breach can happen to anyone who is not realistic enough to think that it can—and most likely will—happen to them at some point and who thinks their data isn't valuable to anyone but them. While a motivated criminal who has set their sights on your database is probably unstoppable, that doesn't mean you roll over and expose your vulnerable underside to the attacker. Get serious, folks! The first step is an easy one and won't cost anything or require any resources: stop thinking that IBM i comes with a "breach-proof" guarantee! Then contract an audit to reveal weaknesses. And remediate the findings.

 

I leave the ending to this movie open. You are now the director. You have the power to share this doomsday warning—or the hundreds of others written by folks like me—with your management team. Make them aware that Power Servers and the IBM i operating system have a staggering suite of enviable features, many of which are security-related. Then inform them that these features work only if they are correctly configured and used. This is no longer an AS/400 from 1991, so don't secure it like one!

 

Your mission, should you choose to accept it, is to correctly secure an IBM i server. As always, should you or any of your security force be caught (or mention Java), the organization will disavow any knowledge of your existence and you will be forced to spend the rest of your career in a room filled with Windows servers!

 

For more information on configuring IBM i security, including establishing a well-defined audit environment, download the IBM Security Reference manual (SC41-5302-12) from IBM.com, consult IBM's online Knowledge Center, or contract a reputable IBM i security expert.

Robin Tatam

Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. As a frequent speaker on security topics, he was also co-author of the Redbook IBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached at 952.563.2768 or This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: