Washington Post: 40 Million Credit Card #s Hacked


Timothy Sipples

Jun 18, 2005, 10:48:27 AM
Saturday's Washington Post reports on the woes of CardSystems in Tucson, a
credit card processor. A hacker got access to 40 million credit cards.
MasterCard, Visa, and the FBI are not amused. The article briefly alludes
to how the attack succeeded:


http://www.washingtonpost.com/wp-dyn/content/article/2005/06/17/AR2005061701031.html

According to http://www.cardsystems.com/careers.html (the recruiting page
for the company), CardSystems has the following types of systems
installed:

Microsoft .NET (and Windows servers)
Oracle databases
VMS

Not a single mention of an IBM zSeries system, RACF, CICS, or IMS in all
its job recruiting pages. Which is really too bad, because if they had
been processing credit cards through those systems, chances are that
hacker wouldn't be having as much "fun" right now.

Now, that's not to suggest anyone should rest comfortably. We all face
threats like these, and this is no time to get cocky. But, really, isn't
it best to start with the right tools for the job, to mitigate the risks?
CardSystems will no doubt have some dark weeks and months ahead, and
they'll now have to compete against companies that do use zSeries-based
technologies for processing credit cards. (FISERV and Fidelity come to
mind.) Maybe more IT people need to reassess what works, and business
managers need to carefully evaluate IT risk. As technology becomes ever
more ingrained in business operations, what are the true costs of security
breaches and outages? What systems and software fail less? Are most
resistant to security breaches? And who are the talented IT people that
can address these concerns?

[Speaking for myself.]

- - - - -
Timothy F. Sipples
Senior Software Architect, Enterprise Transformation
IBM Americas zSeries Software
Phone: (312) 245-4003
E-Mail: Timothy...@us.ibm.com (PGP key available.)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to list...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Steve Comstock

Jun 18, 2005, 11:02:06 AM

Right. And IBM has done the worst job of speaking up.

I sometimes think the folks in Armonk sit around and
chuckle, "Yes, yes, it's going just like we planned!"

After all, if they can get everyone to move off z/OS
but still use mainframes to run Linux, they can get
rid of those expensive software development and
support costs. And, of course, services are where
the biggest profit margins are. "It's nothing personal,
guys, it's just business."

Kind regards,

-Steve Comstock

Robert Justice

Jun 18, 2005, 11:45:59 AM
"Microsoft .NET (and Windows servers)".

Microsoft systems involved in another virus outbreak?
Well, now, that's certainly a total and complete shock and surprise.

R.S.

Jun 18, 2005, 12:03:29 PM
Timothy Sipples wrote:
[...]

> CardSystems will no doubt have some dark weeks and months ahead, and
> they'll now have to compete against companies that do use zSeries-based
> technologies for processing credit cards. (FISERV and Fidelity come to
> mind.)

AFAIK FISERV uses AS/400 aka iSeries aka i5.

BTW: Was it a hacker or an insider?
Did he break in because of system/platform security flaws, or rather
because someone screwed something up?

A good door lock is worthless when not in use.

--
Radoslaw Skorupka
Lodz, Poland

Efinn...@ibm-main.lst

Jun 18, 2005, 12:29:02 PM

In a message dated 6/18/2005 9:48:39 A.M. Central Standard Time,
timothy...@US.IBM.COM writes:

> managers need to carefully evaluate IT risk. As technology becomes ever
> more ingrained in business operations, what are the true costs of security
> breaches and outages? What systems and software fail less? Are most
> resistant to security breaches? And who are the talented IT people that
> can address these concerns?

Yeah, but that's where IBM's really and truly dropped the ball.
They dropped support of education, they fumbled OS/2 and PS/2
big time, and now have outsourced the PC division. Got a whole generation
of PFCSKs with no exposure to the rich architecture of MVS and
no incentive to get interested. When it comes to making purchasing
decisions they're gonna go with their comfort zone: Windows, UNIX and
ORACLE.

And people are getting really mad about the irresponsible, cavalier
approaches being foisted on them by "processing centers". If the
industry doesn't police itself with more rigorous policies and procedures
the government will.

Edward E. Jaffe

Jun 18, 2005, 12:46:33 PM
R.S. wrote:

> AFAIK FISERV uses AS/400 aka iSeries aka i5.


Like most large organizations, FISERV uses different platforms for
different purposes -- including mainframes.

--
-----------------------------------------------------------------.
| Edward E. Jaffe | |
| Mgr, Research & Development | edj...@phoenixsoftware.com |
| Phoenix Software International | Tel: (310) 338-0400 x318 |
| 5200 W Century Blvd, Suite 800 | Fax: (310) 338-0801 |
| Los Angeles, CA 90045 | http://www.phoenixsoftware.com |
'-----------------------------------------------------------------'

Craddock, Chris

Jun 18, 2005, 2:57:57 PM
It's hard to tell what was hacked. Most of the world's
credit card data lives on mainframes and there's almost no
chance of a hack there. But lots of data has to move around
at the margins and that's where the exposures usually are.

Steve Comstock wrote:

> Right. And IBM has done the worst job of speaking up.

True enough, but they have been trying to do a better
job of that lately. Probably still a fairly comical
effort, but I give them points for entertainment value
as well as effort.

> I sometimes think the folks in Armonk sit around and
> chuckle, "Yes, yes, it's going just like we planned!"

They have been successful at getting the server platforms
into the #1 or #2 slot in each competitive sector. So maybe
it's going the way they planned... I suppose they might grin
about that. I am not sure I would go so far as to believe
there is some master plan that's just playing out like a
movie script. They are doing a lot of things in a lot of
areas at the same time and some are working well. Others
are less so... like, oh, PCs.

> After all, if they can get everyone to move off z/OS
> but still use mainframes to run Linux, they can get
> rid of those expensive software development and
> support costs.

I doubt that. There are big dollar projects (Can you say
"enduring value" boys and girls?) going on inside the IBM
behemoth TODAY that are (in theory) trying to bring the z
business back into a more competitive position. Those are
largely in response to demands from top tier customers
who understand how much of their own business depends on
the ongoing viability of the z business.

In a place as big as IBM there will be a lot of people
with different agendas, including some who would like to
see Linux uber alles. Doesn't mean they call the shots
or that the corporation has some sinister plan to move
the world to Linux. Linux gets mindshare inside IBM because
it has huge mindshare outside and IBM is first last and
always a for-profit business.

> And, of course, services are where
> the biggest profit margins are. "It's nothing personal,
> guys, it's just business."

They might be the biggest profits in terms of the gross
numbers, but not in terms of margins. Services is a people
intensive business. You make money by charging enough to
make a profit, but not so much that your customer wants to
bear the direct cost of doing it themselves. How often today
do you hear how expensive people are? It makes for relatively
low margins, but you can still make big profits on low margins
if you sell enough of it, as shown by Dell, McDonalds etc.

Hardware on the other hand is massively profitable, even
with the maniacal degree of engineering IBM puts into the
z and p series platforms. Shared design and tooling has
really pushed the costs down for both platforms.

Software is somewhere in between and a lot closer to hardware
than to services. Good margins in those business areas are
the engine that funds all of the other stuff. Linux currently
drives some hardware revenues (highly profitable) and some
services revenues (profitable but less so) and I would guess
that the (Linux) software is about a wash. It would be a dumb
businessman that would trade the current mix for an all-Linux
mix.

CC

ground hum

Jun 18, 2005, 4:07:58 PM
And the kicker is Microsoft requires new hires to
essentially take an IQ test for
pre-screening/interviewing. All those smart people
and such a crappy operating system.

Really makes ya wonder, doesn't it.



Efinn...@ibm-main.lst

Jun 18, 2005, 4:36:42 PM

In a message dated 6/18/2005 3:17:59 P.M. Central Standard Time,
groun...@YAHOO.COM writes:

> And the kicker is Microsoft requires new hires to
> essentially take an IQ test for
> pre-screening/interviewing. All those smart people
> and such a crappy operating system.

I think Gates, Allen, and Balfor are still in the top ten richest people
in the world and Windows has over 80% share of PCs. What's
stupid is there's not enough IT knowledge left at the upper management tiers
to be able to differentiate fact from fiction,
playdough from concrete, security from secretion.

Guess it'll finally get through. My friends down the street with the three
legged cat sell Insurance and Real Estate. Said they
finally stopped selling private airplane coverage to high profile
professionals 'cause they would only stay marginally qualified and
crash when they got in trouble. Guess it's gonna take the same
thing in DP. Insurers won't cover losses unless you can prove
technical competence in upper management.

John S. Giltner, Jr.

Jun 18, 2005, 10:15:04 PM
If you go here:

http://www.cardsystems.com/careers/ComputerOperator_0410.pdf

They talk about the Windows servers as running NT. The document seems
to have been last updated Oct. 2004.

Also it seems that the theft took place late LAST YEAR and they did not
find out until May of this year.

Gil Peleg

Jun 19, 2005, 1:20:48 PM
On the other hand, anyone who worked at the same shop for a long time knows
how to "trick" its systems. How to run jobs with any jobclass (and maybe
form some kind of a denial of service attack?), how passwords are managed,
who are the powerful users, what resources are not properly protected, how
to falsify identities under CICS/IMS, how to run batch jobs under other
users, how to become APF-authorized, how to utilize errors in 3rd party
products, and the list goes on... Every shop and every experienced system
programmer (sometimes not even a system programmer, but an experienced
programmer) has their tricks.

Of course, all of this comes from bad implementation of the security tools
and not the infrastructure provided by the operating system, but still, IMO,
if mainframes were holding a larger market share, we would be hearing of
more security breaches on mainframes.

I agree the mainframe has all it takes to be a highly secured platform, but
I have seen not 1 and not 2 shops that just don't facilitate all the required
mechanisms to become highly secured. Simply running on a mainframe doesn't make
it harder to breach into your system, it only makes it unlikely. Only
implementing a strong and correct security policy makes it harder to breach
into your system.

Gil.

Gabe

Jun 19, 2005, 3:05:59 PM
Security through obscurity?!

> On the other hand, anyone who worked at the same shop for a long time knows
> how to "trick" its systems.

I used to work at a shop that used CLAS to manage passwords for the
mainframes and when reset were mailed out to the user's VM account.
It was a trivial command to transfer those messages out of the users
RDR. You can imagine the possibilities.

We've all heard it before: Security is a business process not a program or OS.

As far as Microsoft and security, this is interesting:

http://news.com.com/Microsoft+meets+the+hackers/2009-1002_3-5747813.html

Gabriel

Edward E. Jaffe

Jun 19, 2005, 5:29:02 PM
Gil Peleg wrote:

>... anyone who worked at the same shop for a long time knows
>how to become APF-authorized ...
>

This just can't be true. No amount of work experience should provide the
knowledge and tools to become APF authorized. Otherwise, MVS system
integrity is nothing more than a myth! And maybe that's your point. I
simply don't believe it's true in the general case.

--
-----------------------------------------------------------------.
| Edward E. Jaffe | |
| Mgr, Research & Development | edj...@phoenixsoftware.com |
| Phoenix Software International | Tel: (310) 338-0400 x318 |
| 5200 W Century Blvd, Suite 800 | Fax: (310) 338-0801 |
| Los Angeles, CA 90045 | http://www.phoenixsoftware.com |
'-----------------------------------------------------------------'


david...@ibm-main.lst

Jun 19, 2005, 5:38:37 PM
> As far as Microsoft and security, this is interesting:
>
> http://news.com.com/Microsoft+meets+the+hackers/2009-1002_3-5747813.html

Yes, interesting. I too enjoy meeting with those in the business who are
smarter than I am, if you get my drift.


Dave Thorn
Senior Technology Analyst
SunGard eSourcing
600 Laurel Oak Road
Voorhees, NJ 08043
Office 856-566-5412
Fax 856-566-3656
Cell 609-781-0353
Email david...@sungard.com
-------------------------------------------------------------------------
Keeping People and Information Connected (TM)
HTTP://www.availability.sungard.com

Ed Gould

Jun 19, 2005, 5:53:01 PM
On Jun 19, 2005, at 4:28 PM, Edward E. Jaffe wrote:

> Gil Peleg wrote:
>
>> ... anyone who worked at the same shop for a long time knows how to
>> become APF-authorized ...
>>
>
> This just can't be true. No amount of work experience should provide
> the knowledge and tools to become APF authorized. Otherwise, MVS
> system integrity is nothing more than a myth! And maybe that's your
> point. I simply don't believe it's true in the general case.
>
> ----SNIP-----------

Ed,

Could he mean adding the library to apf list?

Ed

DASD...@ibm-main.lst

Jun 19, 2005, 6:11:02 PM

In a message dated 6/19/2005 4:53:02 P.M. Central Daylight Time,
edgould@AMERITECH.NET writes:

>> ... anyone who worked at the same shop for a long time knows how to
>> become APF-authorized ...

Knowing how to become APF-authorized and being allowed to by the security
rules are two different matters.

A decent security audit will look for loopholes that let you bypass the
normal security rules, such as undocumented local SVCs that return control in
authorized states if you put a magic value in GPR1, a Program Interrupt front
end that looks for an illegal op code like X'CA' (CA uses this technique)
followed by magic values to request various authorized functions, and the like.
All these loopholes should be long gone in any system that takes security
seriously.

Bill Fairchild

Arthur T.

Jun 19, 2005, 7:13:31 PM
On 19 Jun 2005 14:53:01 -0700, in bit.listserv.ibm-main
(Message-ID:<14de4b3010dfe423...@ameritech.net>)
edg...@ibm-main.lst (Ed Gould) wrote:

>On Jun 19, 2005, at 4:28 PM, Edward E. Jaffe wrote:
>
>>Gil Peleg wrote:
>>
>>>... anyone who worked at the same shop for a long time
>>>knows how to become APF-authorized ...
>>
>>This just can't be true. No amount of work experience
>>should provide the knowledge and tools to become APF
>>authorized. Otherwise, MVS system integrity is nothing
>>more than a myth! And maybe that's your point. I simply
>>don't believe it's true in the general case.
>>
>>----SNIP-----------
>
>Ed,
>
>Could he mean adding the library to apf list?
>
>Ed

Ed Jaffe snipped too much. Take a look at more of
Gil's post:

>On the other hand, anyone who worked at the same shop for
>a long time knows how to "trick" its systems. How to run
>jobs with any jobclass (and maybe form some kind of a
>denial of service attack?), how passwords are managed,
>who are the powerful users, what resources are not
>properly protected, how to falsify identities under
>CICS/IMS, how to run batch jobs under other users, how to
>become APF-authorized, how to utilize error in 3rd party
>products, and the list goes on

Once you know which power users (sysprog or RACF
SPECIAL) don't log off when they leave their desks, it
doesn't take long to get the access you need to APF
datasets. If you know of flaws that let you submit jobs to
run under a power user's userid, again you can do just
about anything.

I was going to mention some more of my favorite
methods I know of for getting passwords or getting jobs run
under others' userids. I decided it was not a good idea to
publicize them. The above are quite general. (Not that I
made use of those methods; it was enough for me to know
they worked, and to try to plug the holes.)

Basically, as others have said:
1. Security is a process; and
2. usually, the biggest security hole is people.

John P Baker

Jun 19, 2005, 7:22:32 PM
I have been at installations which had a special policy in respect to
terminal security. If a terminal was found logged on (and not locked) and
the user was not present, management immediately had security locate the
user and escort them off the premises.

No excuses. No second chances. Gone.

It is a policy in which I believe strongly.

If you don't have enough common sense to secure your workspace, then you
don't deserve to have a workspace.

John P Baker
Software Engineer

> Once you know which power users (sysprog or RACF
>SPECIAL) don't log off when they leave their desks, it
>doesn't take long to get the access you need to APF
>datasets. If you know of flaws that let you submit jobs to
>run under a power user's userid, again you can do just
>about anything.


Tom Longfellow

Jun 19, 2005, 8:00:41 PM

> And the kicker is Microsoft requires new hires to
> essentially take an IQ test for
> pre-screening/interviewing. All those smart people
> and such a crappy operating system.
>
> Really makes ya wonder, doesn't it.

Not as much as I used to. I have met several people with genius IQs that
gave me the impression that they needed help tying their shoes in the
morning. Intelligence tests may measure potential, but they don't measure
performance.

And of the Computer Science PhD's that I have worked with, all have been
better at arrogance and smokescreens than actual working solutions to
problems. I suspect it is something in the education process.

Tom Longfellow

Jun 19, 2005, 8:07:06 PM

> Gil Peleg wrote:
>
>>... anyone who worked at the same shop for a long time knows
>>how to become APF-authorized ...
>>
>
> This just can't be true. No amount of work experience should provide the
> knowledge and tools to become APF authorized. Otherwise, MVS system
> integrity is nothing more than a myth! And maybe that's your point. I
> simply don't believe it's true in the general case.
>
Integrity is what you make of it. A "Correctly Configured" system has the
integrity. Most MVS security failures are not in the software, but in the
implementation.

Here is one common way that APF control gets "out". A batch application
(let's say IMS) has code that must be concatenated in the STEPLIB with other
APF libraries. Therefore, the application library must be APF authorized.
A badly configured system that gives applications staff uncontrolled WRITE
to that library has lost its APF integrity.

Hence, anyone who worked at the same shop for a long time "could" know how
to become APF authorized.
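The misconfiguration Tom describes is something an auditor can check for mechanically: walk the APF list, find the dataset profile that covers each library, and flag any library where UACC or a permit grants UPDATE or higher to someone outside the systems-programming group. The script below is an added example, not code from this thread or from IBM; the APF list, the profile names, the SYSPROG and APPLDEV groups, and the `Profile` structure are all constructed sample data, and its generic-profile matcher is a simplified approximation of RACF's rules rather than RACF itself.

```python
"""Audit check for the failure mode in the post above: an APF-authorized
library whose dataset profile lets people outside the systems group
write to it. All data below is constructed; the generic matcher is a
simplified approximation of RACF generic-profile matching."""

import re
from dataclasses import dataclass, field

# RACF access levels in increasing order of privilege.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def access_rank(level: str) -> int:
    """Numeric rank of an access level, so levels can be compared."""
    return ACCESS_ORDER.index(level.upper())


@dataclass
class Profile:
    """A RACF-style DATASET profile (constructed representation)."""
    name: str                                    # e.g. "SYS1.**"
    uacc: str                                    # universal access
    permits: dict = field(default_factory=dict)  # group/userid -> access


def generic_to_regex(profile_name: str):
    """Simplified generic matching (an approximation, not RACF's full
    rules): '**' spans qualifiers, '*' matches the rest of one
    qualifier, '%' matches one character, everything else is literal."""
    out = "^"
    i = 0
    while i < len(profile_name):
        if profile_name.startswith("**", i):
            out += ".*"
            i += 2
        elif profile_name[i] == "*":
            out += r"[^.]*"
            i += 1
        elif profile_name[i] == "%":
            out += r"[^.]"
            i += 1
        else:
            out += re.escape(profile_name[i])
            i += 1
    return re.compile(out + "$")


def covering_profile(dsn: str, profiles):
    """Most specific profile covering dsn, or None. Specificity is
    approximated as the count of non-wildcard characters."""
    matches = [p for p in profiles if generic_to_regex(p.name).match(dsn)]
    if not matches:
        return None
    return max(matches, key=lambda p: sum(c not in "*%" for c in p.name))


def audit_apf_write_access(apf_list, profiles, trusted_groups,
                           threshold: str = "UPDATE"):
    """Return (dataset, reason) findings for APF libraries that are
    uncovered, writable through UACC, or writable through a permit to
    a group or user outside trusted_groups."""
    findings = []
    for dsn in apf_list:
        prof = covering_profile(dsn, profiles)
        if prof is None:
            findings.append((dsn, "no dataset profile covers this APF library"))
            continue
        if access_rank(prof.uacc) >= access_rank(threshold):
            findings.append((dsn, f"UACC={prof.uacc.upper()} on profile {prof.name}"))
        for who, level in sorted(prof.permits.items()):
            if who in trusted_groups:
                continue
            if access_rank(level) >= access_rank(threshold):
                findings.append((dsn, f"{who} has {level.upper()} via profile {prof.name}"))
    return findings


# --- constructed sample data (not from any real system) ---------------
APF_LIST = ["SYS1.LINKLIB", "SYS1.LPALIB", "IMS.APPL.LOADLIB",
            "VENDOR.PROD.LOAD", "PAYROLL.BATCH.LOAD"]

PROFILES = [
    Profile("SYS1.**", "READ", {"SYSPROG": "ALTER"}),
    Profile("IMS.**", "READ", {"SYSPROG": "ALTER"}),
    # The application library from the post: in the APF list, and the
    # application developers were given UPDATE on it.
    Profile("IMS.APPL.**", "READ", {"SYSPROG": "ALTER", "APPLDEV": "UPDATE"}),
    Profile("VENDOR.**", "UPDATE", {}),           # wide-open UACC
]
TRUSTED_GROUPS = {"SYSPROG"}


def run_sample_audit():
    """Run the check over the constructed data and return the findings."""
    return audit_apf_write_access(APF_LIST, PROFILES, TRUSTED_GROUPS)


if __name__ == "__main__":
    for dsn, reason in run_sample_audit():
        print(f"{dsn:<20} {reason}")
```

Over the constructed data this reports three libraries: the IMS application library (APPLDEV holds UPDATE), the vendor library (UACC=UPDATE), and the payroll library (no profile at all). SYS1 libraries pass because only the trusted SYSPROG group can write to them. On a real system the inputs would come from the active APF list and a dump of the DATASET profiles, and the "trusted" set would be whatever groups the installation's policy actually allows to maintain authorized code.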

Ted MacNEIL

Jun 19, 2005, 8:25:31 PM
> If you don't have enough common sense to secure your workspace, then you
> don't deserve to have a workspace.

That is a little too strong.
Unless you're in a totally unsecured area.

You could/would lose a lot of skilled personnel that way.

-teD
(The secret to success is sincerity.
If you can fake that,
you've got it made!)

John P Baker

Jun 19, 2005, 8:53:46 PM
I have spent years in computer security, both in the civilian software
industry and in the US military. I don't take computer security lightly.

In the civilian world, mistakes can destroy companies and ruin individual
livelihoods.

In the military, mistakes can kill people.

You think my position is too strong. I respect your point of view.
However, I disagree.

Computer security is a serious matter.

The identity thefts we are seeing today are a direct consequence of sloppy
procedures and the lack of consequences thereto.

John P Baker
Software Engineer

Graeme Gibson

Jun 19, 2005, 9:02:17 PM
Manacles? You didn't mention if they were manacled before being marched
out! And what about leg-irons? Oh, wait, it would interfere with the
ability to frog-march the perp, wouldn't it. Dang, ok.

> No excuses. No second chances. Gone.

This zero-tolerance (i.e. intolerant) stuff might play ok on a 10-second TV
grab. In practice, using real people as opposed to robots, it's an
attitude that will bleed the organisation of important talent when,
occasionally, and for goodness knows what particular reason, some otherwise
very useful member of the staff is unable to comply with the edict.

What about if they had just been notified that their wife had just been
killed in a car wreck? Or their child diagnosed with a fatal
condition? I'm sure, most of you will agree that there ARE going to be
reasons, excuses, use what words you will, that even UN-reasonable
management will accept for a temporary loss of responsibility and
consequent inability to perform to their usual high standards.

Sure, a person who shows that they have little or no ability to perform
responsibly should not be given significant responsibility in the first
place. Someone who has carried it well for five or ten years and then has
a single lapse, that's totally different.

Furthermore, when other staff see what they may well judge to be an unfair
dismissal, even maltreatment, of respected and likeable fellow workers,
they become demoralised, they start to keep an eye open for an opportunity
to move out. Fear of leaving one's terminal unlocked may become their
overriding priority at work, rather than work itself. The smarter ones are
generally the ones that will go first. Guess what happens to those
organisations that persistently lose their smarter people.

Good management doesn't paint itself into such absolutist corners to start
with.

Hrrmpf.


And best wishes to all
Graeme.

At 09:22 AM 6/20/2005, you wrote:
>I have been at installations which had a special policy in respect to
>terminal security. If a terminal was found logged on (and not locked) and
>the user was not present, management immediately had security locate the
>user and escort them off the premises.
>
>No excuses. No second chances. Gone.
>
>It is a policy in which I believe strongly.
>
>If you don't have enough common sense to secure your workspace, then you
>don't deserve to have a workspace.


Gerhard Postpischil

Jun 19, 2005, 10:24:14 PM
Arthur T. wrote:
> Basically, as others have said:
> 1. Security is a process; and
> 2. usually, the biggest security hole is people.

About ten years ago I had a consulting gig at the IRS. One of my
coworkers, an otherwise intelligent and personable man, kept his
password on a Post-It stuck to the screen. For some reason he didn't
last very long at the job.

Gerhard Postpischil
Bradford, VT

Rolf Ernst

Jun 19, 2005, 10:44:25 PM
It's the American way. This is why it is the only industrialized,
civilized country in the world with capital punishment. Smooth
retribution. It's a strange mix of technological development and barbarism.

/re

Leonard Woren

Jun 19, 2005, 10:42:29 PM
On Sun, Jun 19, 2005 at 07:20:36PM +0200, Gil Peleg (pele...@GMAIL.COM) wrote:
> On the other hand, anyone who worked at the same shop for a long time knows
> how to "trick" its systems.

Not if the people responsible for security of those systems are doing
their jobs properly.

[snip]


> Of course, all of this comes from bad implementation of the security tools
> and not the infrastructure provided by the operating system,

Exactly.

> but still, IMO,
> if mainframes were holding a larger market share, we would be hearing of
> more security breaches on mainframes.

My feeling on that is that I disagree with the above.

> I agree the mainframe has all it takes to be a highly secured platform, but
> I have seen not 1 and not 2 shops that just dont facilitate all the required
> mechanisms to become highly secured. Simply running on mainframe doesnt make
> it harder to breach into your system, it only makes it unlikely. Only
> implementing a strong and correct security policy makes it harder to breach
> into your system.

I think that the architecture of the system (MVS, or whatever it's
called this week) makes it much easier for competent administrators
to set up a secure system than on any other platform.

As has already been discussed, the biggest security loophole on any
system is unsecured unattended logons. Even my PC at home has a short
timeout to screensaver requiring a password. Back in the days of only
hardwired 327x terminals, I worked in a shop where the systems
programmers were in a very unsecure area. (Yes, you needed a badge to
get into the building. There were 70,000 valid badges.) I wrote a
TSO command called LOCK which required the logon password to unlock.
To get people to use it, the JWT timeout was set very short, and LOCK
had a subtask which woke up every few minutes to prevent timeouts.
The whole scheme worked quite well. Many people in the systems group
had "TSO LOCK" on an ISPF PFKey -- one keystroke when leaving your
workarea. OS/2 had a simple way to bring up the lock screen
immediately. (Two clicks, I think, but I'm too lazy to boot up my
OS/2 machine and look.) Where is this capability in Windoze?

In another shop where any of tens of thousands of people could wander
into my office, I had my PC timeout-to-lock set to about 3 minutes.
Used to sit there poking it while talking to someone in the office or
on the phone.

Back in the 1970s when I was a student at UCLA, it was common practice
when encountering an unattended logged on terminal in the public area
to change the user's password and then log it off. I highly recommend
this approach.


/Leonard

Efinn...@ibm-main.lst

Jun 19, 2005, 10:49:08 PM

In a message dated 6/19/2005 9:42:37 P.M. Central Standard Time,
ibm-m...@LDWOREN.NET writes:

> when encountering an unattended logged on terminal in the public area
> to change the user's password and then log it off. I highly recommend
> this approach.

With today's worms and phish it's pretty easy to throw something
up resembling login prompt and capture ids and passwords. We
had to invalidate one of our first attempts at electronic elections
'cause the student DB had been compromised. Guess it was from one
open lab. Encrypted sockets and all, the lab hadn't run a virus scan in
about 18 months-"takes too much time".

Ed Gould

Jun 19, 2005, 11:13:07 PM
>> ------SNIP--------------------


>> Ed,
>>
>> Could he mean adding the library to apf list?
>>
>> Ed
>
> Ed Jaffe snipped too much. Take a look at more of Gil's post:
>
>> On the other hand, anyone who worked at the same shop for a long time
>> knows
>> how to "trick" its systems. How to run jobs with any jobclass (and
>> maybe
>> form some kind of a denial of service attack?), how passwords are
>> managed,
>> who are the powerful users, what resources are not properly
>> protected, how
>> to falsify identities under CICS/IMS, how to run batch jobs under
>> other
>> users, how to become APF-authorized, how to utilize error in 3rd party
>> products, and the list goes on
>
> Once you know which power users (sysprog or RACF SPECIAL) don't
> log off when they leave their desks, it doesn't take long to get the
> access you need to APF datasets. If you know of flaws that let you
> submit jobs to run under a power user's userid, again you can do just
> about anything.

Hmmm.. I never needed that authority and I was a lead. Besides we had
TPX and if I left my desk after 5 minutes anyone needed my password to
get to my ID. I was usually in the computer room then and just stole my
session to there (another great feature of TPX). The AUDITOR was one of
the two people that had a special ID. The other was in a locked cabinet
for emergencies. All hell broke loose if anyone used it. The auditor
and I were good friends and I even had him locked out of my datasets,
this was TSO only of course. Even so, I ran ACF2 reports daily to see
who tried to access my datasets. People knew it and would stay away.

>
> I was going to mention some more of my favorite methods I know of
> for getting passwords or getting jobs run under others' userids. I
> decided it was not a good idea to publicize them. The above are quite
> general. (Not that I made use of those methods; it was enough for me
> to know they worked, and to try to plug the holes.)
>
> Basically, as others have said:
> 1. Security is a process; and
> 2. usually, the biggest security hole is people.
>

Agreed, but again it may be installation dependent. Some installations,
IMO, are loosey goosey and others are by the rules.

Ed

Craddock, Chris

Jun 19, 2005, 11:32:58 PM
> I wrote a
> TSO command called LOCK which required the logon password to unlock.
> To get people to use it, the JWT timeout was set very short, and LOCK
> had a subtask which woke up every few minutes to prevent timeouts.
> The whole scheme worked quite well. Many people in the systems group
> had "TSO LOCK" on an ISPF PFKey -- one keystroke when leaving your
> workarea. OS/2 had a simple way to bring up the lock screen
> immediately. (Two clicks, I think, but I'm too lazy to boot up my
> OS/2 machine and look.) Where is this capability in Windoze?

Ctrl-alt-del-k

R.S.

Jun 20, 2005, 3:23:31 AM
Leonard Woren wrote:
[...]

> As has already been discussed, the biggest security loophole on any
> system is unsecured unattended logons. Even my PC at home has a short
> timeout to screensaver requiring a password. Back in the days of only
> hardwired 327x terminals, I worked in a shop where the systems
> programmers were in a very unsecure area. (Yes, you needed a badge to
> get into the building. There were 70,000 valid badges.) I wrote a
> TSO command called LOCK which required the logon password to unlock.
> To get people to use it, the JWT timeout was set very short, and LOCK
> had a subtask which woke up every few minutes to prevent timeouts.
> The whole scheme worked quite well. Many people in the systems group
> had "TSO LOCK" on an ISPF PFKey -- one keystroke when leaving your
> workarea. OS/2 had a simple way to bring up the lock screen
> immediately. (Two clicks, I think, but I'm too lazy to boot up my
> OS/2 machine and look.) Where is this capability in Windoze?

It has been built into Windows NT (2000, XP) for years. CTRL-ALT-DEL and ENTER.
Voila.
Don't you know that?
Other method:
Smart card in the PC (or even the PC keyboard). When you remove it, the PC
automatically gets locked. The same card can be used as a badge; I saw it
working in several companies.

What I didn't see is a LOCK program. Yes, I know, you wrote it. But I
didn't. Many others also. I have never seen an MVS installation with a
similar facility.

IMHO M$ Win and IBM OS/2 win over MVS in this competition.

--
Radoslaw Skorupka
Lodz, Poland
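
The LOCK design quoted in the post above (an unlock gated on the logon password, plus a subtask that refreshes the session so a deliberately short JWT timeout does not cancel it) in runnable form. This is an added example, not code from the post or from the original TSO LOCK command; the class and function names, the PBKDF2 parameters and the keep-alive interval are assumptions made for the demo. It also carries the two checks a keep-alive lock needs, since the keep-alive exists precisely to defeat the idle timeout: the password is compared in constant time against a salted hash rather than stored in clear, and after a fixed number of failed attempts the keep-alive stops so the timeout reclaims the session.

```python
"""Session lock with a keep-alive subtask, modelled on the TSO LOCK
command described in the thread. Added illustration, not the original
LOCK code; names, PBKDF2 parameters and intervals are assumptions."""
import hashlib
import hmac
import os
import threading

PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for the demo


def make_verifier(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 hash, so the lock never keeps the cleartext password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class SessionLock:
    """Holds a session until the logon password is re-entered.

    A background thread (the 'subtask' of the original design) calls
    `keepalive` every `interval` seconds so that a short idle timeout does
    not cancel the locked session. Because the keep-alive defeats the
    timeout, the unlock check has to be at least as strong as logon itself:
    salted hash, constant-time comparison, and a limit on failed attempts
    after which the session is left to time out normally.
    """

    def __init__(self, verifier, keepalive, interval=60.0, max_attempts=3):
        self.salt, self.digest = verifier
        self.keepalive = keepalive          # callable that refreshes the session
        self.interval = interval
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False
        self._stop = threading.Event()
        self._thread = None

    def lock(self) -> None:
        """Mark the session locked and start the keep-alive subtask."""
        self.locked = True
        self.failed = 0
        if self._thread is not None and self._thread.is_alive():
            return
        self._stop.clear()
        self._thread = threading.Thread(target=self._keepalive_loop, daemon=True)
        self._thread.start()

    def _keepalive_loop(self) -> None:
        # Event.wait returns False on timeout (time to refresh the session)
        # and True once abandon() has set the event (time to exit).
        while not self._stop.wait(self.interval):
            self.keepalive()

    def abandon(self) -> None:
        """Stop refreshing, so the normal idle timeout reclaims the session."""
        self._stop.set()
        if self._thread is not None:
            self._thread.join()

    def unlock(self, attempt: str) -> bool:
        """Return True and release the lock only on the correct password."""
        if not self.locked:
            return True
        if self.failed >= self.max_attempts:
            return False  # too many failures: stay locked, let the timeout win
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), self.salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, self.digest):
            self.locked = False
            self.abandon()
            return True
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.abandon()  # give up keeping the session alive
        return False


if __name__ == "__main__":
    import time
    refreshes = []
    lk = SessionLock(make_verifier("s3cret"), keepalive=lambda: refreshes.append(1),
                     interval=0.1)
    lk.lock()
    time.sleep(0.35)
    print("wrong password accepted?", lk.unlock("guess"))
    print("right password accepted?", lk.unlock("s3cret"))
    print("keep-alives sent while locked:", len(refreshes))
```

The `keepalive` callable stands in for whatever keeps a real session from timing out (on TSO the original used a waking subtask); the design choice worth copying is that the same object that suppresses the timeout is the one that re-enables it once the attempt limit is hit, so a forgotten locked session does not stay alive forever.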

Gil Peleg

Jun 20, 2005, 6:56:04 AM

Ed,
What I meant was that in many shops there are a lot of users who have
implicit access to APF-authorized data sets. And if they wished to
compromise the system they would be able to do so, even though they were
never explicitly authorized to run APF-authorized programs they wrote
themselves. There are many potential ways to do this, if the shop is not
properly secured. I could give some common examples from my experience, but
I believe you understand what I mean. A lot of the time the users are not
aware of what they are actually capable of (some shops even rely on that fact).
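
An added example of the check the post above is pointing at (not code from the post, and not RACF's own logic): given an APF list, a set of data set profiles and group memberships, resolve each user's effective access and list everyone who can update an APF-authorized library without being on the explicitly authorized list. Write access to an APF library is equivalent to being authorized, which is the "implicit access" the post describes. The APF list, profiles, groups and users are constructed test data, and the resolution rules (an explicit user entry wins even when it is NONE, otherwise the highest group entry, otherwise UACC; fnmatch-style wildcards) are a deliberate simplification of real RACF semantics.

```python
"""Who can really write to an APF-authorized library? Added example, not
code from the thread or any RACF product. The APF list, profiles and group
memberships are constructed test data; the access-resolution rules are a
simplification of RACF (see comments)."""
from fnmatch import fnmatchcase

# Access levels in increasing order of power.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Constructed APF list (in a real shop taken from PROGxx/IEAAPFxx or 'D PROG,APF').
APF_LIBRARIES = ["SYS1.LINKLIB", "SYS1.LPALIB", "PROD.LOADLIB", "TEST.USER.LOAD"]

# Constructed, simplified data set profiles: name pattern, UACC, access list.
PROFILES = [
    {"name": "SYS1.*", "uacc": "READ", "acl": {"SYSPROG": "ALTER"}},
    {"name": "PROD.LOADLIB", "uacc": "READ", "acl": {"SYSPROG": "ALTER", "APPDEV": "UPDATE"}},
    {"name": "TEST.*", "uacc": "UPDATE", "acl": {"EVE": "NONE"}},
]

# Constructed group memberships and user list.
GROUPS = {"SYSPROG": {"ALICE"}, "APPDEV": {"BOB", "CAROL"}, "OPS": {"DAVE"}}
USERS = ["ALICE", "BOB", "CAROL", "DAVE", "EVE"]


def matching_profile(dataset):
    """Most specific profile covering the data set (fewest wildcards wins).
    Simplification: '*' is fnmatch-style here, not RACF's generic-character rules."""
    matches = [p for p in PROFILES if fnmatchcase(dataset, p["name"])]
    if not matches:
        return None
    return min(matches, key=lambda p: (p["name"].count("*"), -len(p["name"])))


def effective_access(user, dataset):
    """Resolve a user's access: an explicit user entry wins (even NONE),
    otherwise the highest entry among the user's groups, otherwise UACC.
    Assumes list-of-groups checking is in effect."""
    prof = matching_profile(dataset)
    if prof is None:
        return "NONE"  # assumption: an unprotected data set is treated as denied
    acl = prof["acl"]
    if user in acl:
        return acl[user]
    group_levels = [acl[g] for g, members in GROUPS.items() if user in members and g in acl]
    if group_levels:
        return max(group_levels, key=ACCESS_RANK.__getitem__)
    return prof["uacc"]


def apf_writers(authorized=frozenset()):
    """(user, library, access) triples for every user not on the explicitly
    authorized list who can nevertheless modify an APF library. This is the
    exposure the post describes: writing to an APF library is as good as
    being authorized to run your own APF code."""
    findings = []
    for library in APF_LIBRARIES:
        for user in USERS:
            level = effective_access(user, library)
            if ACCESS_RANK[level] >= ACCESS_RANK["UPDATE"] and user not in authorized:
                findings.append((user, library, level))
    return findings


if __name__ == "__main__":
    for user, library, level in apf_writers(authorized={"ALICE"}):
        print(f"{user:<6} {level:<7} {library}")
```

With the constructed data, the interesting finding is `TEST.USER.LOAD`: nobody is on its access list, but the library is APF-authorized and its profile carries UACC(UPDATE), so every user except the one with an explicit NONE can write to it. That is exactly the kind of implicit access a user may not know they have. Against a real database the inputs would come from the APF list and an unload of the data set profiles, and the piece to replace first is the wildcard matching, which here only approximates generic profiles.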

Ted MacNEIL

Jun 20, 2005, 7:31:50 AM

..

OS/2 had a simple way to bring up the lock screen
immediately. (Two clicks, I think, but I'm too lazy to boot up my
OS/2 machine and look.) Where is this capability in Windoze?
..

<CTRL><ALT><DEL>-k

-teD
(The secret to success is sincerity.
If you can fake that,
you've got it made!)

----------------------------------------------------------------------

Ted MacNEIL

Jun 20, 2005, 7:36:09 AM

..
Back in the 1970s when I was a student at UCLA, it was common practice
when encountering an unattended logged on terminal in the public area
to change the user's password and then log it off. I highly recommend
this approach.
..

At the University of Waterloo (same time-frame), this kind of stunt was grounds for expulsion.

How can you recommend using someone else's ID for anything (including password changes) on a thread related to security?

The only thing we were allowed to do in that situation was to disconnect them (CTRL-Y), or wait 10 minutes for it to time out.

Ted MacNEIL

Jun 20, 2005, 7:44:03 AM

..

I ran ACF2 reports daily to see
who tried to access my datasets.
..

The issue has never been who tried, rather who succeeded.

BTW, since the disk, programmes, & data belonged to the company,
they have never been “my datasets”, and it should never matter who
within the company “tried”.

Gray, Larry - Larry A

Jun 20, 2005, 8:29:43 AM

On my office PC, if I hold down the Windows menu key and hit L, the
screen will lock.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-...@ibm-main.lst
Behalf Of Craddock, Chris
Sent: Sunday, June 19, 2005 11:33 PM
To: IBM-...@BAMA.UA.EDU
Subject: Re: Washington Post: 40 Million Credit Card #s Hacked

> I wrote a
> TSO command called LOCK which required the logon password to unlock.
> To get people to use it, the JWT timeout was set very short, and LOCK
> had a subtask which woke up every few minutes to prevent timeouts.
> The whole scheme worked quite well. Many people in the systems group
> had "TSO LOCK" on an ISPF PFKey -- one keystroke when leaving your
> workarea. OS/2 had a simple way to bring up the lock screen
> immediately. (Two clicks, I think, but I'm too lazy to boot up my
> OS/2 machine and look.) Where is this capability in Windoze?

Ctrl-alt-del-k

DASD...@ibm-main.lst

Jun 20, 2005, 8:26:03 AM

In a message dated 6/19/2005 8:12:34 P.M. Central Daylight Time,
gra...@ASE.COM.AU writes:

> This zero-tolerance (ie. intolerant) stuff might play ok on a 10-second TV
> grab. In practice, using real people as opposed to robots, it's an
> attitude that will bleed the organisation of important talent when,
> occasionally, and for goodness knows what particular reason, some otherwise
> very useful member of the staff is unable to comply with the edict.

Presumably when you accept the offer of employment at such a place the
conditions of continued employment are spelled out to you, and if you have a
problem with their zero tolerance then you will not be hired. I know of one place
where armed guards are positioned at each corner of each floor of each
building. This particular work environment has zero tolerance for visitors
wandering around unescorted, among other policies. If you want a job there, you
accept these conditions. Being bled of important talent is not their highest
priority.

Bill Fairchild

John P Baker

Jun 20, 2005, 8:37:28 AM

I have friends who have been victims of identity theft due to sloppy
security practices.

My "zero tolerance" attitude is tame in comparison with their feelings on
the matter.

John P Baker
Software Engineer

>In a message dated 6/19/2005 8:12:34 P.M. Central Daylight Time,
>gra...@ASE.COM.AU writes:

>This zero-tolerance (ie. intolerant) stuff might play ok on a 10-second TV
>grab. In practice, using real people as opposed to robots, it's an
>attitude that will bleed the organisation of important talent when,
>occasionally, and for goodness knows what particular reason, some otherwise
>very useful member of the staff is unable to comply with the edict.

----------------------------------------------------------------------

R.S.

Jun 20, 2005, 8:53:56 AM

Bill Fairchild wrote:

>
> In a message dated 6/19/2005 8:12:34 P.M. Central Daylight Time,
> gra...@ASE.COM.AU writes:
>
> This zero-tolerance (ie. intolerant) stuff might play ok on a 10-second TV
> grab. In practice, using real people as opposed to robots, it's an
> attitude that will bleed the organisation of important talent when,
> occasionally, and for goodness knows what particular reason, some otherwise
> very useful member of the staff is unable to comply with the edict.
>
> Presumably when you accept the offer of employment at such a place the
> conditions of continued employment are spelled out to you, and if you have a
> problem with their zero tolerance then you will not be hired. I know of one place
> where armed guards are positioned at each corner of each floor of each
> building. This particular work environment has zero tolerance for visitors
> wandering around unescorted, among other policies. If you want a job there, you
> accept these conditions. Being bled of important talent is not their highest
> priority.

What is the priority? <g>
Why are the guards armed? Since no visitors are allowed, there are only
insiders there. Is the gun needed to shoot a programmer who just went
crazy? So, maybe they should have two guns for better security? Or
machine guns? Or grenades?

Or just because "this is security, and we won't laugh or discuss it".
IMHO the *logic* is most important.

BTW: I understand and fully accept strict security rules (when needed),
but the rules could be enforced by really effective means. Example:
instead of firing or shooting a person who left a terminal, it's better to
equip the people with security badges put in the smart card reader of
the terminal (PC). When you cannot leave your room without the card, you
cannot forget it even when going to the toilet. It works. Been there. I
wasn't able to leave the room and forget the card. Nobody fired me, no
guard shot me.

Just my $0.02

--
Radoslaw Skorupka
Lodz, Poland

----------------------------------------------------------------------

Graeme Gibson

Jun 20, 2005, 9:17:50 AM

Nah, I'm not advocating sloppy security practices. I am suggesting that
"zero tolerance" itself is a form of in-attention to the real problems of
maintaining a high level of computer security given that human beings are
inevitably fallible. Ejecting each person at the point where they fail,
without regard for *why* they failed, cannot guarantee that no other person
will ever fail. Zero-tolerance can motivate otherwise-innocent people to
cover up mistakes. Good security requires continual effort and a good grip
on hearts and minds, as well as on short and curlies.

Now, smelling gunpowder and sisal, I'll g, d and r :-).

Graeme.

6/20/2005, you wrote:
>I have friends who have been victims of identity theft due to sloppy
>security practices.
>
>My "zero tolerance" attitude is tame in comparison with their feelings on
>the matter

----------------------------------------------------------------------

Paul Hanrahan

Jun 20, 2005, 9:17:10 AM

Hi,

Sounds like an Army Base IBM sent me to once. I even had an armed guard
accompany me to the men's room and stand within inches of me while I took
care of nature's demands.

Anyway, this topic has seemed unpopular here in the past. Is there still a
"National Computer Security Association"? Maybe you can take the
conversation down the road.

Paul Hanrahan

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-...@ibm-main.lst
Of R.S.
Sent: Monday, June 20, 2005 8:54 AM
To: IBM-...@BAMA.UA.EDU
Subject: Re: Washington Post: 40 Million Credit Card #s Hacked

Graeme Gibson

Jun 20, 2005, 9:11:55 AM

Graeme Gibson. Director
Since 1980 we've made tools for MVS, OS/390, z/OS
* SLiKZiP ZIP file compress/uncompress http://www.slikzip.com
* OMCS/MVS SYSOUT archiving, analysis, Report distribution
* LTXF/MVS TSO timeout management and session security
http://www.ase.com.au

Knutson, Sam

Jun 20, 2005, 9:08:23 AM

As Larry mentioned, on Windows XP the Windows-L combo will lock the PC. I
use this on my laptop. I still have a Windows 2000 desktop and I have a
little lock icon on my Quick Launch tray I added using what I found in this
tip some time ago.

We have a globally enforced screen saver lockout but I lock my PC when I am
going to walk away rather than leave it to kick in later. If you make it
easy to do the right thing you help yourself form good habits.

Thanks, Sam

TIPS: Faster than CTRL+ALT+DEL

By Diana Huggins

For me, life is all about simplicity and finding ways to do things more
efficiently and more quickly. Well, this also seems to apply to my
computing life. I'm always looking for easier ways to do things. Once you
start working with new software, you soon discover little hidden tips and
tricks that can be used to perform your tasks. The same can be said of
Windows XP; as you start maneuvering around the operating system, you are
bound to come across new and interesting things you did not know existed.
So with that, here is yet another way to perform a common task even quicker.

It's now become personal habit for me to lock my workstation. Before I get
up and walk away from my computer, my fingers automatically hit
CTRL+ALT+DEL and then press Enter (call me a creature of habit). Now
keeping in mind that I'm all about simplicity, I can perform this simple
task even quicker by creating a shortcut to lock my computer right on my
desktop. Instead of four keystrokes, I can now do it in a single click and
here is how:
* Right click an empty area on your desktop. From the Context menu,
point to New and click Shortcut.
* In the Create Shortcut dialog as shown in the following figure, type
the following:
* drive:\Windows\System32\rundll32.exe user32.dll,LockWorkStation
Click Next.
* Type in a name for the shortcut. Click Finish.

You'll now have a shortcut on your desktop that you can use to quickly lock
your workstation.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-...@ibm-main.lst

Of Gray, Larry - Larry A

On my office PC, if I hold down the Windows menu key and hit L, the screen
will lock.


DASD...@ibm-main.lst

Jun 20, 2005, 9:13:40 AM

In a message dated 6/20/2005 7:54:03 A.M. Central Daylight Time,
R.Sko...@BREMULTIBANK.COM.PL writes:

>> Being bled of important talent is not their highest
>> priority.
>
> What is the priority ? <g>

Their highest priority is security. In fact the word "security" might even
be part of the name of this organization.

> Why the guards are armed ? Since no visitors are allowed, there are only
> insiders there.

Visitors are allowed. They are not allowed to wander around unescorted. If
you are a visitor, you wait at the entrance until your escort arrives to
take you into the building. Some employee or another must stay with you at all
times. The guards are armed because security is this place's middle name
(figuratively and literally).

> Is the gun needed to shoot programmer who just got
> crazy?

The gun is needed to shoot anyone who gets crazy, including unescorted
visitors, programmers, managers, ANYONE.

> So, maybe they should have two guns for better security ? Or
> machine guns ? Or granades ?

If upper management at this organization feels such weapons are necessary,
then the weapons will be deployed.

> Been there. I
> wasn't able to leave the room and forget the card. Nobody fired me, no
> guard shot me.

I didn't say these guards would shoot employees who forget their cards. I
said they prevent visitors from wandering around unescorted. I don't know
what this organization's policy is on leaving the room with a card or if they
even have cards. I only know of the one policy involving armed guards.

Bill Fairchild

R.S.

Jun 20, 2005, 9:32:17 AM

Bill Fairchild wrote:
[...]

> Visitors are allowed. They are not allowed to wander around unescorted. If
> you are a visitor, you wait at the entrance until your escort arrives to
> take you into the building. Some employee or another must stay with you at all
> times. The guards are armed because security is this place's middle name
> (figuratively and literally).

National SECURITY Agency?
Never mind, IMHO the word 'security' in the name is a very bad reason to wear a
gun. Security as the need sounds better.
BTW: Let's assume the following "Hollywood" scenario:
A visitor comes in. It's an enemy. We don't know it, yet. The visitor is a
very special one, like Rambo + Chuck Norris + Schwarzenegger. He is not
armed; it is surely checked. However, when he gets in he gets the weapon
from the first killed guard. Now he is armed and really dangerous.
OK, let's drop Rambo (he's immortal, at least until the last part of the
movie); it is a normal human. A normal human can be neutralized by 2-3-4
guards. When a normal human gets the gun, he is more dangerous.
AFAIK (vague recollection) many of the killed policemen in the U.S. were
killed by their own guns.

Of course there are guns which work only when in the owner's hand, but this
becomes far off topic...

--
Radoslaw Skorupka
Lodz, Poland

----------------------------------------------------------------------

Gil Peleg

Jun 20, 2005, 9:29:09 AM