Volume 16, Number 14 -- April 9, 2007

Security Still an Issue in 2007 for System i5 Shops

Published: April 9, 2007

by Timothy Prickett Morgan

If you need an example of why having all the great security features in the world doesn't make your computer systems safe, look no further than TJX, the parent company behind the TJ Maxx and Marshalls department stores. Last week, the publicly traded company was horrified to have to announce that a hacker had broken into its systems and had stolen at least 47.5 million--and possibly more--credit card and debit card numbers used by its customers. If you are an OS/400 or i5/OS snob and you are laughing right now, and if you think the legendary security of the box will somehow save you from a similar disaster, it won't. Only diligence will.

The TJX hack is the largest in IT history--at least of the ones that have been discovered. According to TJX's 10K filing with the Securities and Exchange Commission, the company believes it was hacked starting in July 2005, and that the intruder had access to the systems--totally unnoticed by the IT staff--until December 18, 2006. Pinning down exactly how much data has been stolen has been problematic, since credit and debit card information is periodically flushed from the system precisely because it is so dangerous to store it. TJX is not sure, even after security experts from IBM and General Dynamics have combed through its systems for the past several months, if it has been able to lock down its systems. The company does know that no data has been stolen since the discovery on December 18 of the intruder. So whoever the hacker is, they knew that the Secret Service, the FBI, the Royal Canadian Mounted Police, and the London Metropolitan Police were on the case and they stopped, even though the announcement of the hack was not made public until January 17.

The SEC filing by TJX is fascinating reading, and all the more interesting because TJX has to spill the beans since it is a public company. (Incidentally, TJX is a big user of OS/400 and i5/OS platforms, but I do not know if these were involved in the hack. I am trying to get to the bottom of that right now.) Because the majority of the OS/400 and i5/OS systems in the world are not sitting at public companies, but at small- and mid-sized business that are more worried about selling on Main Street than cashing in on Wall Street, if there are breaches in their systems, no one will ever know. But, the lawsuits that come from people who are angry that their personal data has been stolen sting just the same way for private companies as they do for public ones.

For the past several years, security software maker PowerTech, which provides security and compliance software for the i5/OS and OS/400 platform, has issued a state of security report on this subsector of the server space. The latest one, The State of System i Security 2007, was released last week. The results of this study are based on security audit details that PowerTech compiled from 188 companies with 195 systems between January and December 2006. (Last November, PowerTech's 2006 report had a snapshot that mixed late 2005 and early 2006 data.) The companies are not a random sample of AS/400, iSeries, and System i5 shops, but rather companies that ask to get a free audit from PowerTech.

And once again, as in years past, PowerTech is chastising i5/OS and OS/400 shops for not being more careful with their security. "It is common to find critical applications such as accounting, payroll, inventory control, order entry, and customer care applications all housed on a single machine," explains Jon Scott, president and chief executive officer at PowerTech. "The study points out that a large percentage of systems are not configured correctly by IT departments with respect to security, resulting in a large number of systems being vulnerable to internal security breaches." Maybe not to exactly the same kind as that which hit TJX, but similar enough in concept to give pause.

The average AS/400, iSeries, and System i5 system in the 2007 report had 825 users and 393 libraries. On average, across these 188 companies, more than 80 had root access (*ALLOBJ) access to the systems--nearly 10 percent of the users on the boxes could do whatever they wanted. And more than twice that number had full report access to the systems (*SPLCTL) and 160 also had system operator status (*JOBCTL). Of the machines reviewed by PowerTech, only 11 percent had fewer than 10 users with *ALLOBJ access to the system, which is a recommended maximum that midrange security experts more or less agree upon.

"The systems that we looked at had too many users that are too powerful," says John Earl, chief technology officer at PowerTech. "If a disgruntled or careless employee had such access, it could result in data loss, theft, and other kinds of damage to their company. People have to wake up. They have to realize that the System i is not more secure than any other server, but that it is more securable than other servers. It isn't in a magic bubble. You have to actually do things to make it secure."

The other persistent issue at i5/OS and OS/400 shops is leaving around inactive users. If an end user is gone, then their profile should be deleted so it cannot access the system any more. Period. At those 188 companies that PowerTech reviewed, there were nearly 100 end user profiles on average per company that had not been accessed within the prior 30 days. Amazingly, 7 percent of the user passwords examined by PowerTech had the default passwords supplied by IBM still activated, and half of the machines had more than 20 users with default passwords.

That is just insane.

And so is the way people are doing passwords on the i5/OS and OS/400 platforms. The majority of the machines require six or fewer characters in a password, when at least eight or nine is a good minimum. More than 57 percent of the systems examined in the study did not require a number as well as letters in the password, and 29 percent allowed end users to plug an old password in as a new one. Some 28 percent of the systems never require users to change their passwords.

On the data front, about 60 percent of users with *PUBLIC system library authority--meaning, the default setting for an end user, not a programmer or IT manager--had *CHANGE access to data residing in the DB2/400 databases. Only 22 percent were excluded to *USE read-only access and 11 percent were given *ALL access, meaning they can add, change, or delete data any way they want. Almost a third of users have the system audit journal turned off, so if security settings get changed, there is no log of who did it. And 40 percent of the 195 machines surveyed had the QSECURITY security level set to 30 or below, when IBM recommends that security should be set to level 40 or 50 because there are known security holes in the level 10, 20, and 30 security settings.

"Organizations who utilize OS/400 architecture should not be complacent about the security of this system," says Earl. "These statistics make clear that critical data stored on the System i is as, or even more, vulnerable than data stored elsewhere in the enterprise."


PowerTech Issues Third Annual State of i5/OS Security Report

PowerTech Debuts ComplianceMonitor, Studies Security Practices

PowerTech Security Survey Says Most IT Departments Could Do Better

                     Post this story to
               Post this story to Digg
    Post this story to Slashdot

Sponsored By


Did you know that 50% of recoveries fail?

With exponential growth in data being stored,
do you know how you are going to recover?

LXI is the "EASY" solution for backup and recovery.

LXI takes your stored data from Crisis to a Managed Asset.

Call 1-800-226-6526 or

Editor: Timothy Prickett Morgan
Contributing Editors: Dan Burger, Joe Hertvik, Brian Kelly, Shannon O'Donnell,
Mary Lou Roberts, Victor Rozek, Kevin Vandever, Hesh Wiener, Alex Woodie
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

COMMON:  Join us at the 2007 conference, April 29 May 3, in Anaheim, California
Vision Solutions:  The first new HA release from the newly merged Vision and iTera companies
LASERTEC USA:  Fully integrate MICR check printing with your existing application


IT Jungle Store Top Book Picks

The System i Pocket RPG & RPG IV Guide: List Price, $69.95
The iSeries Pocket Database Guide: List Price, $59.00
The iSeries Pocket Developers' Guide: List Price, $59.00
The iSeries Pocket SQL Guide: List Price, $59.00
The iSeries Pocket Query Guide: List Price, $49.00
The iSeries Pocket WebFacing Primer: List Price, $39.00
Migrating to WebSphere Express for iSeries: List Price, $49.00
iSeries Express Web Implementer's Guide: List Price, $59.00
Getting Started with WebSphere Development Studio for iSeries: List Price, $79.95
Getting Started With WebSphere Development Studio Client for iSeries: List Price, $89.00
Getting Started with WebSphere Express for iSeries: List Price, $49.00
WebFacing Application Design and Development Guide: List Price, $55.00
Can the AS/400 Survive IBM?: List Price, $49.00
The All-Everything Machine: List Price, $29.95
Chip Wars: List Price, $29.95


The Linux Beacon
Intel Shows Off Future Penryn and Nehalem Chip Designs

Cornerstones Laid for the Linux Foundation

Gartner Says It Was "All Over" the Virtualization Effect

Revenue Up, But Profits Take a Hit at Red Hat in Q4

Four Hundred Stuff
CYBRA Finds the 'Edge' for Native i5/OS RFID Software

Lakeview Adds More Autonomics to MIMIX

Thoughts on the Coexistence of Full Test Automation and Manual Testing

Help/Systems Boosts Graphics with Robot/NETWORK V10

Big Iron
IBM Replies To Platform: No More Compatibles

Top Mainframe Stories From Around the Web

Chats, Webinars, Seminars, Shows, and Other Happenings

Four Hundred Guru
FTP Means 'First Try Pinging'

Improving Upon WDSC's Table View

Admin Alert: Graphically Moving i5/OS Objects with OpsNav

System i PTF Guide
March 31, 2007: Volume 9, Number 13

March 24, 2007: Volume 9, Number 12

March 17, 2007: Volume 9, Number 11

March 10, 2007: Volume 9, Number 10

March 3, 2007: Volume 9, Number 9

February 24, 2007: Volume 9, Number 8

The Windows Observer
Microsoft Loosens the Licensing Screws for Vista Virtualization

Microsoft Patches Animated Cursor Flaw in Windows

XenSource Extends and Improves Windows Support with 3.2 Release

Intel Shows Off Future Penryn and Nehalem Chip Designs

The Unix Guardian
Sun Boosts Performance of UltraSparc-IV+ Chips

Intel Shows Off Future Penryn and Nehalem Chip Designs

IBM Offers Rebates on System p5 and ISV Software Bundles

The X Factor: Virtualization Belongs in the System, Not in the Software

Four Hundred Monitor
Four Hundred Monitor's
Full iSeries Events Calendar


Software Engineering of America
Profound Logic Software

Hello, New York? Buy IBM

Security Still an Issue in 2007 for System i5 Shops

A Trained IT Staff Is A Happy and Competitive One

As I See It: The Legacy

But Wait, There's More:

Is the Adoption Rate of Server Virtualization Technology Over Estimated? . . . ERP Vendors CMS Software and XKO Software to Merge . . . Goldman Sachs Says IT Spending Will Soften a Bit in 2007 . . . PHP-Based Mantis Help Desk Application Coming Soon to the System i . . . Zend Issues a PHP Innovation Challenge to i5/OS and OS/400 Shops . . . Complacency Will Get You Killed, Security Researcher Says . . .

The Four Hundred


Subscription Information:
You can unsubscribe, change your email address, or sign up for any of IT Jungle's free e-newsletters through our Web site at

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement