SecureMyi.com Security Newsletter for the IBM i iSeries and AS/400 - January 18, 2012 - Protecting IBM i Security System Values - IBM i 6.1 Password Difference

Tweet
June 6, 2012 - Vol 2, Issue 10

	Feature Article Invisible Data Access - Undetectable Data Theft on IBM i By Dan Riehl Have your ultra-sensitive files been stolen today? How can you tell? Our IBM i (iSeries and AS/400) has long been considered a security strongbox—a hacker's worst nightmare. Some even consider it to be un-hackable. This perception has caused some to become complacent in the area of due diligence related to system and database security. But security through perceived obscurity is insufficient protection in a world of wily and very well-financed cyber criminals and the malicious insiders. According to the Open Security Foundation Year-to-Date 2011, a total of 126,749,634 people have had their personal information hacked, stolen, lost, or misplaced. Hundreds of computer-related data thefts occur every year—often one or more per day. To view those of public record, you can visit the OSF's Data Loss Database. According to their Data Loss Database's published list of compromised companies, we can tell that some of these incidents are occurring at IBM i shops, both large and small. Read More...
In This Issue Featured Article - Invisible Data Access Featured Video - Vulnerable User Profiles Security Shorts - IBM i 6.1 Password Differences Industry News and Calendar Security Resources Quick Links SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Need Access to an IBM i? Visit RZKH.de Please Visit Our Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor The PowerTech Group Sponsor Cilasoft Security Solutions	IBM i Security and Audit Resources IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and Archives IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security News Bytes Skyview Partners Introduces Managed Services for IBM i and AIX Compliance SkyView Partners announced a new managed service for both the IBM i and AIX platforms. The new service covers monthly compliance monitoring and annual vulnerability assessments and includes licenses of SkyView’s compliance related software. See More Information from Skyview Linoma adds FIPS 140-2 Encryption Module to GoAnyWhere Linoma Software has partnered with RSA to "incorporate the RSA security module" into Linoma's GoAnywhere file transfer solution. RSA's contribution adds FIPS 140-2 compliant encryption technology to the Linoma suite. See More Information from Linoma. IBM i Security Calendar of Events Live Security Related Webcasts and Training for IBM i 10 Things You Don’t Want to Miss in the Audit Journal. Webcast - Featuring Carol Woodbury - Sponsored by Skyview Partners Wednesday June 6 10:00 AM CDT More Information and Register to Attend IFS Security – Don't Leave Your Server Vulnerable Webcast - Featuring Robin Tatam - Sponsored by The PowerTech Group Thursday June 14 1:00 PM CDT More Information and Register to Attend Coffee with Carol Step by Step Approach to Implementing Object Level Security Webcast - Featuring Carol Woodbury - Sponsored by Skyview Partners Wednesday June 27 10:00 AM CDT More Information and Register to Attend Live 4-Day Hands-On Expanded Security Workshop for IBM i Full Length Training Workshop - August 21-24 9:00am - 4:00pm Central Time Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i. More Information and Register to Attend Security Related Seminars and Conferences for IBM i June 9-12 - - COMMON Europe Congress of 2012 The Diamond Jubilee Continues! Common Europe is Celebrating their 50Th Anniversary Conference, held in beautiful Vienna, Austria
Featured YouTube Educational Video IBM i Security Are your User Profiles Vulnerable to Profile Hijacking?
Security Shorts - Stronger Enforcement of Password Differences in IBM i 6.1 By Dan Riehl The System Value QPWDRQDDIF has been available for many years as a means of forcing users to choose new or previously 'unused' passwords when changing their password. The number you specify for the System Value determines 'How many previous passwords are checked' to ensure that the new password has not been used, or not been used recently. The number specified in the System Value corresponds to the number of previous passwords that are checked. Value Specified Number of previous passwords checked 0 0 – No Previous passwords are checked, Can be the same 1 32 2 24 3 18 4 12 5 10 6 8 7 6 8 4 I always wonder at "technology" like that exhibited in this System Value. Why not just allow me to specify the number of previous passwords to check, instead of a number that corresponds to a number of previous passwords to check? If I want to check the previous 6 passwords, I specify the number 7 for the System Value. DOH! Who thinks this stuff up? What if I want to check for the previous 5 passwords? It can't be done. It reminds me of my first assembler programming class, in which I had severe brain freeze trying to comprehend how to resolve "The Address of the Address of TIME.". In the 6.1 release of the IBM i operating system, IBM provided an additional system value that allows you to more strictly enforce the 'password difference' rule. The new system value is QPWDCHGBLK(Block Password Changes), which allows you to specify a number of hours in which a newly changed password cannot be changed again. A password change is temporarily blocked. The shipped value is NONE, which means that a newly changed password can be changed again immediately. That is also the behavior we have prior to 6.1. And that is where our users have taken advantage of the lack of a password change blocking mechanism. Prior to 6.1, users can repeatedly change their password until they have exhausted your Password Difference System Value. Their goal, and the ultimate result is that they have been able to reset their password back to the same password that they have used for years. It's so much easier to remember, Ya Know? The QPWDCHGBLK* System Value allows you to enforce a timer which says 'You cannot change your password again for n number of hours'; where n is a number from 1 to 99. So, once a user has successfully changed their password, they are prohibited from changing their password again for the number of hours that you specify in the System Value. For added security, a security administrator can always change a user's password using the CHGUSRPRF(Change User Profile) command. On another note; the password change block is not in effect when the user's password has been 'Set to Expired'. The Password Change Block System Value can be overridden at the User Profile level using the PWDCHGBLK parameter of the CRTUSRPRF and CHGUSRPRF commands as shown here: *CRT/CHGUSRPRF USRPRF(MYUSER) PWDCHGBLK(SYSVAL, or a number 1-99)**		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert Level Security Consulting IT Security and Compliance Group, LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Live Online Hands-On Workshops Special Fall/Winter Class Discounts Now Accepting Credit Cards IBM i System Administration Jun 25-29 IBM i System Operations Jul 16-19 IBM i Security Workshop Aug 21-24

Send your IBM i Security Related News and Events! Advertise in SecureMyi.com Security Newsletter Copyright 2012 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017