Dubious Achievement: iSeries Gets Some Attention From Hackers
by Hesh Wiener
A presentation on the iSeries was one of the many topics featured at the Fifth HOPE conference, held at New York's Hotel Pennsylvania from July 9 through 11. This would be just another of many talks about the product line at gatherings, except for one difference. HOPE stands for Hackers On Planet Earth.
More than 2,000 people are said to have attended HOPE this year, and the number could have been twice as high. Enough HOPE attendees were interested in the iSeries to pack the large hall that served as the origination center for the presentation. It's hard to say how many people actually listened in, because video feed from the talks was piped to other rooms used by the large conference and also beamed out on the Internet as a streaming video feed.
Many of the attendees and presenters at HOPE use pseudonyms, and the iSeries show was no exception. The speaker for the iSeries session made himself known only as Stankdawg, and the only other thing he revealed about himself is that he's from Florida, where he is active in the hacker's organization Florida 2600. HOPE is run by 2600, the hacker's quarterly magazine.
While some of the sessions at HOPE delved into specific techniques to get into systems and networks or to snoop on wireless transmissions, the iSeries session was relatively tame. It presented an overview of what Stankdawg said any interested party might find after getting to an OS/400 platform via Telnet 5250. And what this person might see, according to Stankdawg, is a lot more than the systems managers would want him to see.
Basically, as OS/400 users know, visitors logging on to OS/400 get menus and these menus are presumably limited to the ones that are legit for that user. But lots of screens also offer command line processing, and it's often the case that a user can enter a command line that's not on a menu and not intended to be available. From there, with a little knowledge of the basic OS/400 shell commands, or a little use of Help, it's pretty easy for a nosy person to do things like check out queued output, where lots of information that's kept under lock and key while it's in files is totally exposed to view. Stankdawg pointed out that there's no reason for this to be the case, given the excellent permission management capabilities of OS/400, but, he added, the people who manage OS/400 slip up and, perhaps, do so far more often than not.
Then there's always the chance that an unintended visitor can guess at a password. Any user of OS/400 knows some default usernames, such as QSYSOPR, an operator, or QSECOFR, a nice name that gets you to what would be the root of a Unix or Linux system, and so on.
Stankdawg closed his session by pointing out that OS/400 created extensive, detailed logs, so people hacking around on an iSeries are bound to leave a trail. He didn't have to say that by the time somebody spots a trail of killed jobs or other peculiar stuff, it might be a bit late to do much about whatever left the trail. Nor did he go into ways to cover a trail by wrecking or flooding log files.
OS/400 users who think their systems are secure because there are few reports of security problems, particularly compared to things in the Windows world, would get little comfort from the HOPE session. In the view of Stankdawg, at least, the relative obscurity of OS/400 is its main protective measure; it's probably no harder to crack than Linux or Unix, even if it's probably sturdier than Windows.
Perhaps this isn't true. But a roomful of computer hotshots, some of whom might have had mischief on their minds, are now a little better educated in the shape and character of OS/400. Just how a chance at fame in the hackers' world will play among iSeries experts is hard to say, but it might not be widely appreciated.