OS/400 Alert: Security Starts At Home
February 25, 2004 Shannon O'Donnell
Everyone talks about security, but how many do anything about it? If you are looking for tools that will help you get a handle on the various security holes and vulnerabilities on your PC and AS/400, this issue of “OS/400 Alert” is for you. I’ll cover several tools that you can download and use to make your PC and AS/400 as secure as they can be.
MICROSOFT BASELINE SECURITY ANALYZER
Are you overwhelmed by the number of viruses and security holes spreading on the Web on a daily basis? Do you fear that you may not be able to keep up with all of these threats? Do you have a lot of Microsoft software installed on your PC, and are not sure whether you have the latest patches for it? If you answered yes to any of these questions, it is likely that you would benefit from the Microsoft Baseline Security Analyzer. MBSA will perform an extensive security check on your system, scanning for such things as weak passwords, configuration errors, and other vulnerabilities. MBSA will also identify all of your Microsoft software, such as Word XP, and check to see if there are any new patches available for it. If so, it will tell you what they are and how to download and install them.
You can download the Microsoft Baseline Security Analyzer utility from Microsoft’s Web site.
OS/400 SECURITY WIZARD
If you have the Operations Navigator (iSeries Navigator) GUI installed on your PC, you probably have access to the IBM AS/400 Security Wizard. The Security Wizard, previously available only as a downloadable stand-alone tool, has been integrated with the Operations Navigator tool, making it both easy to use and quick to access. The Security Wizard steps you through a series of plain-English questions, to which you provide answers based on your own unique requirements. When you are finished, you will be given a detailed list of recommendations, which you can apply (or modify as you see fit) to your iSeries. To access the Security Wizard, open Operations Navigator and expand the “Security” tree item. The “Security Wizard” option will appear in the task pane at the bottom of the Operations Navigator GUI.
A Web-based version of this tool is available on IBM’s Web site.
INTELLIGENT COMMUNICATIONS TRACE ANALYZER
The Intelligent Communications Trace Analyzer, although not actually a security tool, can be used to identify problems with TCP/IP communications, which may ultimately point to holes in, or even to attacks on, your iSeries network.
The Analyzer is designed to help you analyze an iSeries communications trace (taken by either the STRCMNTRC command or the TRCCNN command) for various performance, connection, or security problems you may be experiencing.
The Analyzer will ask you some questions about the communication problem you suspect you are having, and will ask you where the trace is located. Then the tool analyzes the trace and tells you where problems might exist. It provides a detailed explanation of each problem it finds and offers advice on how the situation might be resolved. The Analyzer also shows you the frames within the trace that provide the evidence for each problem. You can also use the Analyzer as a trace “workbench” in order to browse through the trace by individual port pair conversations or other levels, viewing either the summaries of each frame or the actual frames as they appear in the trace.
The Analyzer installs as a licensed program option on an iSeries at V5R2, and will analyze traces taken on V4R4 and later systems. The graphical user interface is installed and runs as an iSeries Navigator plug-in. It is available free of charge. For more information, go to IBM’s Web site.
THIS WEEK’S NASTY WINDOWS WORRIES
W32.Netsky.B@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses it finds when scanning the hard drives and mapped drives. This worm also searches drives C through Z for folder names containing the words “share” or “sharing,” then copies itself to those folders.
W32.Cone@mm is a mass-mailing worm that sends itself to the e-mail addresses it gathers from files on an infected computer.
W32.MyDoom.F@mm is yet another variation of the MyDoom virus. This one arrives as an attachment with the file extension .bat, .com, .cmd, .exe, .pif, .scr, or .zip. The e-mail may have a spoofed sender’s e-mail address. When a computer is infected, the worm sets up a backdoor into the system by opening TCP port 1080, which can allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor can download and execute arbitrary files.
A computer infected by the worm will perform a denial-of-service attack against www.microsoft.com and www.riaa.com if the machine’s local system date is between the 17th and 22nd of any month.
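As an added defensive example (not code from the newsletter or from IBM or Microsoft), the script below checks a Windows `netstat -an` listing for the TCP port 1080 backdoor listener described above and reports whether the local date falls in the worm's 17th–22nd denial-of-service window. The netstat sample is constructed for the example, and treating any TCP 1080 listener as suspicious is an assumption that a site running a legitimate SOCKS proxy would need to adjust.

```python
import re
from datetime import date

# MyDoom.F indicators taken from the description above.
BACKDOOR_PORT = 1080            # TCP port the worm's proxy backdoor opens
DOS_DAYS = range(17, 23)        # 17th through 22nd of any month

# Constructed sample of `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1080      203.0.113.7:4471       ESTABLISHED
  TCP    192.168.1.10:3389      192.168.1.20:1055      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One netstat row: proto, local ip:port, foreign ip:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote, state) for each socket row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            yield proto, lip, int(lport), f"{rip}:{rport}", state or ""


def backdoor_findings(text, port=BACKDOOR_PORT):
    """Return findings for TCP sockets bound to the backdoor port (assumed suspicious)."""
    findings = []
    for proto, lip, lport, remote, state in parse_netstat(text):
        if proto != "TCP" or lport != port:
            continue
        if state == "LISTENING":
            findings.append(f"listener on TCP {port} ({lip}): possible MyDoom.F proxy backdoor")
        elif state == "ESTABLISHED":
            findings.append(f"established session on TCP {port} from {remote}: investigate peer")
    return findings


def in_dos_window(day_of_month=None):
    """True when the (given or current) day of month lies in the worm's DoS window."""
    if day_of_month is None:
        day_of_month = date.today().day
    return day_of_month in DOS_DAYS


if __name__ == "__main__":
    for finding in backdoor_findings(SAMPLE_NETSTAT):
        print(finding)
    print("in DoS window today:", in_dos_window())
```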
PTFs AND FIXES FOR OS/400 AND RELATED PROGRAMS
The latest cumulative package for V5R2 customers was released on January 21.
The latest HIPER package was released on February 18.
The Database Group PTF was updated on January 26.