29
Fri, Nov
0 New Articles

Security Patrol

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Application Vendor Insecurities

Question: Much of your advice about security may be good in theory, but, in our case, our application software vendor tells us how the AS/400 must be set up. If we don’t follow its rules about the system security level (i.e., level 30 or level 40), object authority, and the like, it tells us we will void our maintenance agreement and it will no longer support us. What can we do?

Answer: It never ceases to appall me that so many application software vendors force their customers into unsafe, wide-open system configurations. Many practices, such as setting the system value QSECURITY to level 40 or 50, have been part of IBM’s recommendations for almost 10 years. Other, more obvious security vulnerabilities include hardcoded user IDs and passwords and object code owned by a profile that also serves as the user group profile (meaning your users have ownership rights to your production environment!).

Now that I’m done ranting and raving, I will attempt to provide some useful advice for you and others. The first thing you should do is thoroughly review the vendor’s security practices before purchasing the software. Wayne O. Evans, former author of this column, has an excellent checklist for starting this process. Check out his Web site at www.woevans.com for the security software checklist. Consider his questionnaire as a starting point and feel free to include additional points of concern to your environment. Even if you end up buying the software anyway, the fact that you have raised the issue with the vendor’s sales force will get some attention.

Assuming you already have the software, consider dropping maintenance and maintaining the software in-house. If the vendor is unable to support something as basic as IBM’s recommended security practices, chances are it does not support other essential features either. Maintaining the software yourself may be a smart thing to do in this case. You not only will have control over your environment but also will be exerting economic pressure on the vendor to clean up its practices. Software maintenance is a big moneymaker for software vendors. A few large customers dropping lucrative maintenance contracts because of inadequate security may exert pressure to change these practices.

If neither of these are an option, consider adopting compensating controls around your AS/400 to make up for the lack of security in the vendor’s mandated configuration. As an example, if the software has an embedded user ID and password, you should audit


all use of this account, filtering out legitimate access and noting illegitimate efforts to log onto or submit jobs via the account. If the software requires that you run at QSECURITY level 30, you should ensure you audit for program failure and blocked instruction execution. Level 30 also requires tight control over job descriptions with user profiles specified. Remove all of these unless they are absolutely required and, of those that are required, ensure that the profile is “least privilege” (that it has the lowest authority necessary to get the job done).

Lastly, try to get the backing of your company and put some pressure on the vendor to change its practices. Doing prior groundwork with top management in building a business case for security will help. Your CFO hopefully would understand the risk to company financial assets stemming from inadequately secured financial data and know his liability as a company officer for not properly protecting these assets. I’ve seen Fortune 500 companies with very large IT budgets convinced that they must maintain an unsecured AS/400 because of vendor pressure. I’m sure if pressure were applied in the other direction, these software vendors would very quickly change their practices to make a sale.

Don’t Be Denied

Question: Recently, some big-name Web sites were knocked out by hackers as part of a denial-of-service attack—Yahoo!, eBay, etc. How did this happen? Why didn’t their firewalls stop these attacks? Am I at risk? Are AS/400-based Web sites at risk?

Answer: Actually, no one is sure exactly how these attacks were launched, though there is evidence that certain well-known hacker applications caused these problems. As of this writing , the investigation is still going on, with no suspects publicly identified.

The main agents thought to be at work are programs called Trin00, Tribal Flood Network (TFN), and Stacheldraht (German for “Barbed Wire”). These programs are all freely available on the Internet and require a minimal skill level to use. The “architecture” of these attack tools consists of daemons controlled by a master program. To set up the attack, the hacker breaks into computers at third-party sites. These sites generally have nothing to do with the ultimate target; they are breached simply because it is easy to do so and because they have access to high-speed Internet links. Once the third-party machines are broken into, inconspicuous software referred to as daemons is installed and waits quietly for some signal from the master program to set off the attack. It is typically a User Datagram Packet (UDP) on a high port, with the default Master-to-daemon port being 2744 for Trin00. A UDP in this range may slip by many firewalls but is immediately recognizable by the daemons software as a command to action. Upon receiving the signal, the daemons start attacking the targets.

The daemons deliver a flood of traffic to the target as their final blow. Several different methods are used, depending on the program. One particularly effective method uses what is called a broadcast PING. In TCP/IP, a PING request is used to tell if a particular host is online or offline. PING is a very useful utility for network diagnosis, so much so that many firewalls do not block it. In each TCP/IP subnet, there is a specific network address called the broadcast address. In effect, sending a packet to this address submits it to all the hosts on the subnet. One use of the broadcast address is to send a broadcast PING request to an entire subnet. Again, this can be used for entirely legitimate network management purposes. A broadcast PING will tell you exactly which systems on a subnet are responding and which aren’t.

Suppose you were to forge the source, or “from,” address of the PING request. The reply would go not to your own system but, instead, to the one whose address you forged. A subnet can contain a lot of hosts. An entire Internet “class C” network, for example, has up to 254 possible hosts. What would happen if you were to send a broadcast


PING to several class C networks, each with the source address of your attack target? The attack target (your forged “from” address) would be bombarded with many hundreds or thousands of PING replies all at once. Such a volume of traffic could overwhelm the server’s capacity or even the network itself. The massive number of PING replies would constitute a denial-of-service attack. This very attack has been around for at least three years and is commonly known as a Smurf attack. What’s new is the automated remote coordination of a large group of these attacks all at once.

The weak points that the hacker will exploit are the systems that were compromised and on which the daemons were installed, not the ultimate targets of the attack. Installing the daemon software requires that the attacker obtain root access. In a UNIX system, “root” is the all-powerful system administrator account, similar in function to QSECOFR on an AS/400. Daemon software is known to be installable on Sun Solaris and Linux versions of UNIX. Recent information indicates that Windows systems may also be vulnerable. The possibility that an AS/400 would host the daemon software is remote.

While not a likely host for launching attacks, as an end target an AS/400 is as vulnerable to denial-of-service attacks as any other system, no more and no less. The target of the attack is the network connection, not the Web server itself. Regardless of how secure or robust the server is, enough bogus traffic will prevent legitimate users from getting through. A firewall can’t help much against a massive flood of traffic, either. If the firewall is configured to block the PING requests, it will protect internal systems from being flooded but will itself become unusable, as the amount of illegitimate ping attacks will overwhelm its ability to pass desired traffic.

What can you do to avoid being an unwitting accomplice to these attacks? For starters, you can make sure your systems are sufficiently secured to prevent agents and daemons from being installed on them as well. You certainly would not want a call from the FBI explaining that your computers were used to bring down a nationally known company’s Web site. Ensure that your systems have broadcast PING disabled. The actual need for a broadcast PING service is very small these days and not worth the risk of it being hijacked by an attacker.

Some routers allow you to limit the bandwidth that certain traffic is allowed to use. Cisco routers now have a quality-of-service attribute that ensures that designated traffic will always get priority. This feature is designed for use with IP-based telephony services, where it is important that real-time telephony traffic always gets through quickly. It can also be used to ensure that essential Internet traffic of other types always get some priority, even if your system is flooded with attack traffic.

Several tools are available for scanning your systems for agent and daemon software. The National Infrastructure Protection Center (NIPC) has published a free tool called find_ddos. It is designed to work like a virus scanner, looking for traces of agent and daemon software on various systems. It is designed to work only with Sun UNIX systems and Linux, and only the binary executable is provided, without the source code. Also, Trend Micro (www.antivirus.com) has a free online scanning tool that will work with Windows 32-bit platforms.


BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: