Is your AS/400 secure?: How a hacker could get valuable information from your system


Shahar Mor, Contributor
07.14.2008




This is the fourth chapter of the Ensuring security on i runbook. Its aim is to give AS/400 users advice from System i security experts on how to advocate effectively for security in your organization, what to watch out for, and how to review your System i security posture to make sure it is working as well as it needs to.

[IMAGE]

The AS/400 is considered one of the most secure platforms; however, many shops fail to consider the risk from users accessing the platform through desktop applications rather than green-screen applications. Here we demonstrate, through a few scenarios, how simply AS/400 security can be compromised using standard desktop tools.

To begin with, a hacker wishes to gain access to a fictitious company called ABC in order to read and change sensitive data.

The scenario for Company ABC
Company ABC is using an AS/400 with a green-screen-based enterprise resource planning (ERP) system, and iSeries Access PC5250 is used as the emulation client. The company has established the following policy for ERP security:

For automatic login to the sign-on server the company uses user profile QUSER with password QUSER. QUSER is defined with LMTCPB(*YES) and no initial program or menu.

The hacker's mission
Perform the following with minimum trace available:

Implementation
The hacker will use the QUSER user profile. QUSER's default password is QUSER, and although QUSER is not allowed to use the green screen, it can be used for other access methods to the system.

The hacker will use the well-known iSeries Access, which is installed in ABC's offices to provide 5250 emulation.

Phase 1: Find the name of the production library
The hacker's first task is to try to find the exact location of sensitive data in the system. The most convenient way is to look at what other people are doing. So the hacker will log in to iSeries Navigator (part of iSeries Access, which is installed to provide 5250 emulation).

In Navigator, the hacker chooses the option to display active jobs and looks at the open files of the interactive jobs (Open Files).

[IMAGE]

Conclusion: Navigator is not restricted for users with limited capabilities (LMTCPB(*YES)). In our scenario, let's assume we found out that company ABC's ERP main library is called SAMPLE.

Phase 2: Get list of sensitive tables
The hacker now looks for tables related to credit cards; the easiest way is to query the database metadata:

[IMAGE]

The hacker gets a result. The suspected file is in the library they are interested in, so the next step is to get the card numbers.

This step proves that database metadata can be queried without a menu or command line.

Phase 3: The hacker gets a list of credit card numbers
From Navigator we can generate the list of credit cards:

[IMAGE]

Since QUSER is not part of the ERP group, they cannot alter data, but they can read it, and the list of credit cards is exposed.

The audit journal will tell the system administrator that someone looked into the credit card file, but this someone is QUSER, a generic user, so the access cannot be tied to a person.

Phase 4: Find users that can be used for damaging data
QUSER is not allowed to update data in library SAMPLE, so the hacker needs access with a different user. The easiest approach is to find a user profile that QUSER is authorized to use. The hacker will try to produce a list of the user profiles QUSER is allowed to display; this is done by displaying the user profiles to an outfile and then querying the outfile:

[IMAGE]

[IMAGE]

Now it is possible to send commands and query the command results.

Phase 5: Damage the system
Since QUSER has authority to an ERP user profile, it is now easy, for example, to clear library SAMPLE. We did not include this last step in the article because we believed it would not be wise to include detailed instructions; however, company ABC can now suffer severe damage.

Security infrastructure is insufficient
Company ABC has a security policy that addresses security; however, the security infrastructure is no longer sufficient. For example,

The company needs to re-evaluate the security measures it uses. A security tool to monitor and control remote access to the system should be procured. Penetration tests should be performed to check the AS/400 security controls against known network attacks and intrusions. These tests should be designed to exercise the security countermeasures in use in the AS/400 environment by carrying out penetration attacks from the customer's own network, and to achieve the following goals:
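The scenario above can be turned into a routine self-check for administrators. The following is an added example, not code from the article or from the author's firm; it runs over a constructed, simplified profile inventory whose field names are assumptions rather than the real DSPUSRPRF or ANZDFTPWD outfile columns, and flags the three conditions the scenario relied on: a profile whose password equals its name, a shared profile protected only by LMTCPB(*YES) while the remote host servers have no exit programs, and a *USRPRF object that a shared profile or *PUBLIC is authorized to use.

```python
"""Defender-side check replaying the company ABC scenario (added example)."""

SHARED_PROFILES = {"QUSER"}   # generic profiles that many clients sign on with


def find_exposures(profiles, remote_exit_points_secured):
    """Return (profile, finding) pairs for the weaknesses the scenario relied on.

    profiles: list of dicts with constructed keys:
        name             - user profile name
        lmtcpb           - "*YES", "*PARTIAL" or "*NO"
        default_password - True if the password equals the profile name
                           (what ANZDFTPWD reports)
        usable_by        - profiles holding *USE on this *USRPRF object
                           (what DSPOBJAUT on the *USRPRF would list)
    remote_exit_points_secured: True when exit programs are registered for the
        host servers (database, remote command, sign-on); assumed, not checked here.
    """
    findings = []
    for p in profiles:
        shared = p["name"] in SHARED_PROFILES
        if p["default_password"]:
            findings.append((p["name"], "password equals profile name (ANZDFTPWD)"))
        # Phases 1-3: LMTCPB(*YES) and no initial menu only constrain the 5250
        # session; Navigator, ODBC and remote command still accept the profile.
        if shared and p["lmtcpb"] == "*YES" and not remote_exit_points_secured:
            findings.append((p["name"],
                             "LMTCPB(*YES) without exit programs: remote servers unrestricted"))
        # Phases 4-5: a shared profile (or *PUBLIC) holding *USE on another
        # *USRPRF can run commands under that profile's authority.
        risky = sorted(h for h in p["usable_by"] if h == "*PUBLIC" or h in SHARED_PROFILES)
        if risky:
            findings.append((p["name"], f"*USRPRF usable by {', '.join(risky)}"))
    return findings


# Constructed inventory mirroring company ABC (not real data).
ABC_PROFILES = [
    {"name": "QUSER",   "lmtcpb": "*YES", "default_password": True,  "usable_by": []},
    {"name": "ERPUSER", "lmtcpb": "*NO",  "default_password": False, "usable_by": ["QUSER"]},
    {"name": "ERPADM",  "lmtcpb": "*NO",  "default_password": False, "usable_by": ["*PUBLIC"]},
]

if __name__ == "__main__":
    for name, finding in find_exposures(ABC_PROFILES, remote_exit_points_secured=False):
        print(f"{name:10} {finding}")
```

Registering exit programs on the host servers removes only the second finding; the default password and the *USRPRF authorities still need to be fixed on the profiles themselves.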

The AS/400 is considered one of the most secure systems in the world. However, changes in the IT infrastructure make AS/400 resources more available to network users, and the exposure of the system increases accordingly. So watch out!

ABOUT THE AUTHOR: Shahar Mor is president of Barmor Information Systems, a consulting firm in Israel, which employs over 20 people that work on projects for the AS/400 in the network environment. He also has written a Redbook for IBM on iSeries e-commerce and he is Search400.com site expert for connectivity issues on the iSeries.
