June 6, 2012 - Vol 2, Issue 10
SecureMyi.com Security Workshop

Feature Article

Invisible Data Access - Undetectable Data Theft on IBM i

By Dan Riehl

Have your ultra-sensitive files been stolen today?  How can you tell?

Our IBM i (iSeries and AS/400) has long been considered a security strongbox—a hacker's worst nightmare. Some even consider it to be un-hackable. This perception has led some shops to become complacent about due diligence in system and database security. But security through perceived obscurity is insufficient protection in a world of wily, very well-financed cyber criminals and malicious insiders.

According to the Open Security Foundation's year-to-date 2011 figures, a total of 126,749,634 people have had their personal information hacked, stolen, lost, or misplaced. Hundreds of computer-related data thefts occur every year—often one or more per day. To view those of public record, you can visit the OSF's Data Loss Database. From that database's published list of compromised companies, it is clear that some of these incidents are occurring at IBM i shops, both large and small.


In This Issue

Featured Article - Invisible Data Access

Featured Video - Vulnerable User Profiles

Security Shorts - IBM i 6.1 Password Differences

Industry News and Calendar

Security Resources

IBM i Security News Bytes

SkyView Partners Introduces Managed Services for IBM i and AIX Compliance
SkyView Partners announced a new managed service for both the IBM i and AIX platforms. The new service covers monthly compliance monitoring and annual vulnerability assessments and includes licenses of SkyView's compliance-related software.
See More Information from SkyView

Linoma adds FIPS 140-2 Encryption Module to GoAnywhere
Linoma Software has partnered with RSA to "incorporate the RSA security module" into Linoma's GoAnywhere file transfer solution. RSA's contribution adds FIPS 140-2 compliant encryption technology to the Linoma suite.
See More Information from Linoma.

IBM i Security Calendar of Events

Live Security Related Webcasts and Training for IBM i

10 Things You Don’t Want to Miss in the Audit Journal.
Webcast - Featuring Carol Woodbury - Sponsored by Skyview Partners
Wednesday June 6 10:00 AM CDT
More Information and Register to Attend

IFS Security – Don't Leave Your Server Vulnerable
Webcast - Featuring Robin Tatam - Sponsored by The PowerTech Group
Thursday June 14 1:00 PM CDT
More Information and Register to Attend

Coffee with Carol
Step by Step Approach to Implementing Object Level Security

Webcast - Featuring Carol Woodbury - Sponsored by Skyview Partners
Wednesday June 27 10:00 AM CDT
More Information and Register to Attend

Live 4-Day Hands-On Expanded Security Workshop for IBM i
Full Length Training Workshop - August 21-24 9:00am - 4:00pm Central Time
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i.
More Information and Register to Attend

Security Related Seminars and Conferences for IBM i

June 9-12 - COMMON Europe Congress 2012
The Diamond Jubilee Continues! COMMON Europe is celebrating its 50th Anniversary Conference, held in beautiful Vienna, Austria.

Featured YouTube Educational Video

IBM i Security

Are your User Profiles Vulnerable to Profile Hijacking?

Featured Video - Misconceptions on Ownership and Authority to User Profiles

Security Shorts - Stronger Enforcement of Password Differences in IBM i 6.1

By Dan Riehl

The System Value QPWDRQDDIF has been available for many years as a means of forcing users to choose a new, or at least not recently used, password when changing their password. The number you specify for the System Value determines how many previous passwords are checked to ensure that the new password has not been used, or has not been used recently.

Note that the number you specify is not itself the count; it corresponds to the number of previous passwords that are checked, as follows:

Value Specified    Number of previous passwords checked
      0            0 - No previous passwords are checked; the new password can be the same as the old one
      1            32
      2            24
      3            18
      4            12
      5            10
      6            8
      7            6
      8            4

I always wonder at "technology" like that exhibited in this System Value. Why not just let me specify the number of previous passwords to check, instead of a number that merely corresponds to a number of previous passwords to check?

If I want to check the previous 6 passwords, I specify the number 7 for the System Value. DOH! Who thinks this stuff up?

What if I want to check the previous 5 passwords? It can't be done. It reminds me of my first assembler programming class, in which I had severe brain freeze trying to comprehend how to resolve "The Address of the Address of TIME".

In the 6.1 release of the IBM i operating system, IBM provided an additional system value that allows you to enforce the 'password difference' rule more strictly. The new system value is QPWDCHGBLK (Block Password Changes), which lets you specify a number of hours during which a newly changed password cannot be changed again; the password change is temporarily blocked.

The shipped value is *NONE, which means that a newly changed password can be changed again immediately. That is also the behavior prior to 6.1, and it is exactly where our users have taken advantage of the lack of a password change blocking mechanism.

Prior to 6.1, users could repeatedly change their password until they had exhausted your Password Difference System Value. Their goal, and the ultimate result, is that they are able to reset their password back to the same password they have used for years. It's so much easier to remember, Ya Know?

The QPWDCHGBLK System Value allows you to enforce a timer which says 'You cannot change your password again for n hours', where n is a number from 1 to 99. So, once a user has successfully changed their password, they are prohibited from changing it again for the number of hours you specify in the System Value.

For added security, a security administrator can always change a user's password using the CHGUSRPRF (Change User Profile) command. Note also that the password change block is not in effect when the user's password has been 'Set to Expired'.

The Password Change Block System Value can be overridden at the User Profile level using the PWDCHGBLK parameter of the CRTUSRPRF and CHGUSRPRF commands as shown here:
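As an added example (not the newsletter's own figure or IBM's documentation), the CL commands below show the shipped, weak setting beside a hardened one, together with the per-profile override the text describes. The 24-hour and 48-hour block values, the user profile JSMITH and the temporary password are constructed for illustration.

```cl
/* --- Shipped (weak) setting: nothing stops a user from cycling         */
/*     through the password history and landing back on an old password. */
CHGSYSVAL  SYSVAL(QPWDCHGBLK) VALUE(*NONE)     /* no change block         */

/* --- Hardened settings ------------------------------------------------ */
/* QPWDRQDDIF: remember the mapping is inverted. '1' checks the previous  */
/* 32 passwords, '7' checks only the previous 6 (see the table above).    */
CHGSYSVAL  SYSVAL(QPWDRQDDIF) VALUE('1')

/* QPWDCHGBLK: a changed password cannot be changed again for 24 hours,   */
/* so cycling through 32 remembered passwords now takes over a month.     */
CHGSYSVAL  SYSVAL(QPWDCHGBLK) VALUE('24')

/* Per-profile override (PWDCHGBLK on CRTUSRPRF/CHGUSRPRF).               */
/* *SYSVAL inherits QPWDCHGBLK; an explicit number (1-99 hours) or *NONE  */
/* overrides it for this profile only. JSMITH is a constructed example.   */
CHGUSRPRF  USRPRF(JSMITH) PWDCHGBLK(*SYSVAL)   /* follow the system value */
CHGUSRPRF  USRPRF(JSMITH) PWDCHGBLK(48)        /* stricter for one user   */

/* An administrator reset still works during the block. Setting the      */
/* password to expired forces the user to choose a new one at next       */
/* sign-on, and that forced change is not subject to the block.          */
CHGUSRPRF  USRPRF(JSMITH) PASSWORD(TMPPWD1) PWDEXP(*YES)  /* constructed  */

/* Verify the configuration.                                              */
DSPSYSVAL  SYSVAL(QPWDCHGBLK)
DSPSYSVAL  SYSVAL(QPWDRQDDIF)
DSPUSRPRF  USRPRF(JSMITH) TYPE(*BASIC)

/* System value changes are logged as SV entries in QAUDJRN when *SECCFG  */
/* (or *SECURITY) is in QAUDLVL; review them to spot a weakened setting.  */
DSPJRN     JRN(QSYS/QAUDJRN) ENTTYP(SV)
```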

Copyright 2012 - SecureMyi.com, all rights reserved