HP3000-L Archives

June 2018, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Ed Sharpe <[log in to unmask]>
Date: Fri, 8 Jun 2018 12:17:13 -0400

It was always fun to watch people try to hack the series 2 and 3 with PEEK A BOO PROGRAM!
Just give a 'more experienced user' an account and watch and learn....
Also useful was hardware monitoring of ports with terminals observing bridged in. In this manner even before login you could observe login attempts and.... kick the keyboard in and...talk to the createans!
It... was... fascinating! It was... educational!
Ed Sharpe

On Friday, June 8, 2018 John Clogg <[log in to unmask]> wrote:
A password is something you know. A secret question is also something you know. Therefore, you are not using two factors, you are using one factor twice. Not the same thing, and not within the strict definition of 2FA. I agree that a well-configured installation of Security/3000 provides very good security, I just disagree with the 2FA claim. 

-----Original Message-----
From: Mark Ranft [mailto:[log in to unmask]] 
Sent: Friday, June 08, 2018 9:03 AM
To: John Clogg <[log in to unmask]>; [log in to unmask]
Subject: RE: [HP3000-L] HP 3000 security

I don't claim to be an expert. (Well maybe I am pretty good.) But if you set up Security 3000 to ask you for a series of questions, like your dog's birthday, instead of just a second password, I am pretty certain that qualifies as two factor authentication. Wikipedia defines it as:
Two-factor authentication (also known as 2FA) is a type (subset) of multi-factor authentication. It is a method of confirming a user's claimed identity by utilizing a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

And you are correct. Most HP 3000 systems had poor security. Vladimir made a living visiting companies and selling them Security/3000 and the rest of the VeSoft suite by breaking in. I would always enjoy my visits with Vlad.
After a few visits, I learned enough that he was no longer able to break into my systems. But then there were some backdoor ways to get PM capability.

Mark Ranft
Pro 3K

-----Original Message-----
From: John Clogg <[log in to unmask]>
Sent: Friday, June 8, 2018 9:48 AM
To: Mark Ranft <[log in to unmask]>; [log in to unmask]
Subject: RE: [HP3000-L] HP 3000 security

I agree that the HP3000's greatest defense is its obscurity. I do question one of your assertions. You described Security/3000 as providing 2-factor authentication. Unless that feature has been added recently (I haven't used Security/3000 recently), it does not provide 2FA. Requiring two passwords or asking a secret question is not two factors.

One weakness of MPE is that unless you have a password insertion utility, such as STREAMX, passwords for jobs must either be typed in when streaming, which precludes many job scheduling methods, or they must be hard-coded in the jobs. If you can prevent command-line access, some of these weaknesses can be overcome. I would say that the 3000's security is pretty weak without Security/3000 or a similar product.

With MPE or any other OS, security is effective only if those administering the machine take it seriously and don't make dumb mistakes. Years ago an employee of a company I worked for was being visited by her sister who was an HP SE in another city. I caught the sister trying to log on to our system using the default passwords for TELESUP and other standard accounts. Fortunately, I had changed them all, but I'm sure this approach works in many cases. I often see systems where jobs with hard-coded passwords have read access granted to "ANY", lots of users with excessive privileges, etc. Unfortunately, these problems persist because most IT auditors don't know an HP3000 from a hole in the ground.

John Clogg

-----Original Message-----
From: HP-3000 Systems Discussion [mailto:[log in to unmask]] On Behalf Of Mark Ranft
Sent: Friday, June 08, 2018 6:08 AM
To: [log in to unmask]
Subject: Re: [HP3000-L] HP 3000 security

Alan, I have to disagree with weak. The correct description is 'Security through Obscurity'. If your HP 3000 has VESOFT's Security 3000 installed, and it is properly configured with two factor authentication, I don't know of anyone, without physical access to the machine or access to unencrypted backup media, who could break in.

Where the HP3000 falls short is in encryption of data that is in transit between the user and the system. For this, I recommend you turn to MiniSoft Secure 92 for terminal access. 

And unfortunately, if you host a website on the HP3000, I have to admit the HP WebWise MPE/iX Secure Web Server is not TLS 1.2 capable. This would be a showstopper for PCI certification. But this is only a big deal if you accept credit card or other protected information via the website.

Finally, depending on your location, and/or customer base, you may also need to worry about GDPR.

I would be happy to help properly configure Security 3000, or anything else, for your systems. 

Mark Ranft
Pro 3K

On Jun 8, 2018, at 6:26 AM, Alan Yeo <[log in to unmask]> wrote:
>> On 08/06/2018 06:08, Jeff Kubler wrote:
>> To all,
>> How would you describe the security status of the HP 3000?
>
> Think best description I heard of its standard security is "Weak through Obscurity"
>
> A bit like the security of the average house, if you have locked the doors, then it will stop someone who just tries the door handle, but is as ineffectual as a chocolate fireguard in keeping out someone with even a mild desire to gain entry.
> 
> Alan
> 
> 
> --
> Alan Yeo
> [log in to unmask] Just because you're paranoid
> Phone +44 1684 593460 it doesn't mean someone isn't!.
> 
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
