Security Still an Issue in 2007 for System i5 Shops
April 9, 2007 Timothy Prickett Morgan
If you need an example of why having all the great security features in the world doesn’t make your computer systems safe, look no further than TJX, the parent company behind the TJ Maxx and Marshalls department stores. Last week, the publicly traded company was horrified to have to announce that a hacker had broken into its systems and had stolen at least 47.5 million–and possibly more–credit card and debit card numbers used by its customers. If you are an OS/400 or i5/OS snob and you are laughing right now, and if you think the legendary security of the box will somehow save you from a similar disaster, it won’t. Only diligence will.
The TJX hack is the largest in IT history–at least of the ones that have been discovered. According to TJX’s 10K filing with the Securities and Exchange Commission, the company believes it was hacked starting in July 2005, and that the intruder had access to the systems–totally unnoticed by the IT staff–until December 18, 2006. Pinning down exactly how much data has been stolen has been problematic, since credit and debit card information is periodically flushed from the system precisely because it is so dangerous to store it. TJX is not sure, even after security experts from IBM and General Dynamics have combed through its systems for the past several months, if it has been able to lock down its systems. The company does know that no data has been stolen since the discovery on December 18 of the intruder. So whoever the hacker is, they knew that the Secret Service, the FBI, the Royal Canadian Mounted Police, and the London Metropolitan Police were on the case and they stopped, even though the announcement of the hack was not made public until January 17.
The SEC filing by TJX is fascinating reading, and all the more interesting because TJX has to spill the beans since it is a public company. (Incidentally, TJX is a big user of OS/400 and i5/OS platforms, but I do not know if these were involved in the hack. I am trying to get to the bottom of that right now.) Because the majority of the OS/400 and i5/OS systems in the world are not sitting at public companies, but at small- and mid-sized businesses that are more worried about selling on Main Street than cashing in on Wall Street, if there are breaches in their systems, no one will ever know. But, the lawsuits that come from people who are angry that their personal data has been stolen sting just the same way for private companies as they do for public ones.
For the past several years, security software maker PowerTech, which provides security and compliance software for the i5/OS and OS/400 platform, has issued a state of security report on this subsector of the server space. The latest one, The State of System i Security 2007, was released last week. The results of this study are based on security audit details that PowerTech compiled from 188 companies with 195 systems between January and December 2006. (Last November, PowerTech’s 2006 report had a snapshot that mixed late 2005 and early 2006 data.) The companies are not a random sample of AS/400, iSeries, and System i5 shops, but rather companies that ask to get a free audit from PowerTech.
And once again, as in years past, PowerTech is chastising i5/OS and OS/400 shops for not being more careful with their security. “It is common to find critical applications such as accounting, payroll, inventory control, order entry, and customer care applications all housed on a single machine,” explains Jon Scott, president and chief executive officer at PowerTech. “The study points out that a large percentage of systems are not configured correctly by IT departments with respect to security, resulting in a large number of systems being vulnerable to internal security breaches.” Maybe not to exactly the same kind as that which hit TJX, but similar enough in concept to give pause.
The average AS/400, iSeries, and System i5 system in the 2007 report had 825 users and 393 libraries. On average, across these 188 companies, more than 80 users had root-level (*ALLOBJ) access to the systems–nearly 10 percent of the users on the boxes could do whatever they wanted. More than twice that number had full report access to the systems (*SPLCTL), and 160 also had system operator status (*JOBCTL). Of the machines reviewed by PowerTech, only 11 percent had fewer than 10 users with *ALLOBJ access to the system, which is a recommended maximum that midrange security experts more or less agree upon.
“The systems that we looked at had too many users that are too powerful,” says John Earl, chief technology officer at PowerTech. “If a disgruntled or careless employee had such access, it could result in data loss, theft, and other kinds of damage to their company. People have to wake up. They have to realize that the System i is not more secure than any other server, but that it is more securable than other servers. It isn’t in a magic bubble. You have to actually do things to make it secure.”
The other persistent issue at i5/OS and OS/400 shops is leaving around inactive users. If an end user is gone, then their profile should be deleted so it cannot access the system any more. Period. At those 188 companies that PowerTech reviewed, there were nearly 100 end user profiles on average per company that had not been accessed within the prior 30 days. Amazingly, 7 percent of the user passwords examined by PowerTech had the default passwords supplied by IBM still activated, and half of the machines had more than 20 users with default passwords.
That is just insane.
And so is the way people are doing passwords on the i5/OS and OS/400 platforms. The majority of the machines require six or fewer characters in a password, when at least eight or nine is a good minimum. More than 57 percent of the systems examined in the study did not require a number as well as letters in the password, and 29 percent allowed end users to plug an old password in as a new one. Some 28 percent of the systems never require users to change their passwords.
On the data front, about 60 percent of users with *PUBLIC system library authority–meaning, the default setting for an end user, not a programmer or IT manager–had *CHANGE access to data residing in the DB2/400 databases. Only 22 percent were restricted to *USE read-only access, and 11 percent were given *ALL access, meaning they can add, change, or delete data any way they want. Almost a third of the systems have the system audit journal turned off, so if security settings get changed, there is no log of who did it. And 40 percent of the 195 machines surveyed had the QSECURITY security level set to 30 or below, when IBM recommends that security should be set to level 40 or 50 because there are known security holes in the level 10, 20, and 30 security settings.
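The checks behind these figures are easy to script against an export of user profiles and system values. The block below is an added example, not code from the article or from PowerTech: it runs the report's headline checks (special-authority holders, profiles idle for more than 30 days, weak system values) over constructed sample data. The system value names QSECURITY, QAUDCTL, QPWDMINLEN, QPWDRQDDGT, QPWDRQDDIF and QPWDEXPITV are the IBM i settings I assume govern the items the article describes; the article itself does not name them, and the sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
RECOMMENDED_MAX_ALLOBJ = 10   # ceiling the article says midrange experts agree on
INACTIVE_DAYS = 30            # inactivity window used in the PowerTech report
TODAY = date(2006, 12, 18)    # reference date for the idle check (TJX discovery date)

@dataclass(frozen=True)
class UserProfile:
    name: str
    special_auth: frozenset           # special authorities, e.g. {"*ALLOBJ", "*JOBCTL"}
    last_signon: Optional[date]       # previous sign-on; None = never signed on

# Constructed sample profiles, not data from any real system or from the report
PROFILES = [
    UserProfile("QSECOFR", frozenset({"*ALLOBJ", "*SPLCTL", "*JOBCTL"}), date(2006, 12, 1)),
    UserProfile("JSMITH", frozenset({"*JOBCTL"}), date(2006, 12, 5)),
    UserProfile("OLDTEMP", frozenset({"*ALLOBJ"}), date(2006, 6, 30)),  # idle for months
    UserProfile("NEVER", frozenset(), None),
]

# Constructed system values: real IBM i system value names, hypothetical weak settings
SYSVALS = {"QSECURITY": "30", "QAUDCTL": "*NONE", "QPWDMINLEN": "6",
           "QPWDRQDDGT": "0", "QPWDRQDDIF": "0", "QPWDEXPITV": "*NOMAX"}

WEAK = [  # (system value, test that flags a weak setting, finding text)
    ("QSECURITY", lambda v: int(v) < 40, "QSECURITY below 40: levels 10-30 have known holes"),
    ("QAUDCTL", lambda v: v == "*NONE", "QAUDCTL *NONE: audit journal off, changes unlogged"),
    ("QPWDMINLEN", lambda v: int(v) < 8, "QPWDMINLEN < 8: six-character passwords allowed"),
    ("QPWDRQDDGT", lambda v: v == "0", "QPWDRQDDGT 0: no digit required in passwords"),
    ("QPWDRQDDIF", lambda v: v == "0", "QPWDRQDDIF 0: an old password can be reused"),
    ("QPWDEXPITV", lambda v: v == "*NOMAX", "QPWDEXPITV *NOMAX: passwords never expire"),
]

def holders(profiles, auth):
    """Names of profiles that carry the given special authority."""
    return sorted(p.name for p in profiles if auth in p.special_auth)

def too_many_allobj(profiles):
    """True when *ALLOBJ holders exceed the recommended ceiling."""
    return len(holders(profiles, "*ALLOBJ")) > RECOMMENDED_MAX_ALLOBJ

def inactive(profiles, today=TODAY, days=INACTIVE_DAYS):
    """Profiles not signed on within `days`; never-used profiles count too."""
    cutoff = today - timedelta(days=days)
    return sorted(p.name for p in profiles if p.last_signon is None or p.last_signon < cutoff)

def system_value_findings(sv):
    """One finding per system value whose setting matches a weak case from the report."""
    return [msg for name, bad, msg in WEAK if bad(sv[name])]
```

On a live system the profile list would come from DSPUSRPRF output and the values from DSPSYSVAL; deleting the idle profiles and raising the flagged system values addresses every finding the block reports.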
“Organizations who utilize OS/400 architecture should not be complacent about the security of this system,” says Earl. “These statistics make clear that critical data stored on the System i is as, or even more, vulnerable than data stored elsewhere in the enterprise.”