The best don't get hacked
January 28, 2008
Some HP 3000 customers survive security hacks through the blessing of obscurity. Most security experts will tell you that if a hacker wants to breach your system, there's not much you can do to prevent a focused attack.
But you have more going for you when you put sensitive data in the MPE/iX environment. You can prowl through a posting on the hacker site phreak.org to see how passwords — that so simple but powerful barrier — keep mischief and mayhem out of your IT life. (Hackers are busy, oh so busy. Have a look through securityfocus.com for the latest hijinks and sabotage. Today, Best Buy has to pull digital picture frames off shelves because some of the frames were infected with a virus.)
Somebody named "Eastwind" (don't they always sound like bad '70s spy names?) put up a report on phreak.org called Hacking the HP 3000. At the end of some rambling tips, Eastwind brags, "The best don't get caught, and the best know who they are."
But the best 3000 system managers use passwords on everything — account, user, group, even sensitive files. It would take more than the rambling (the hacker's own description) of phreak.org to get beyond good 3000 password skills. Good passworders, you know who you are.
Good passwords are different for different groups and accounts. Good passwords mix numbers and letters. Good passwords get changed on a regular basis. There's still an HP 3000 solution out there to manage passwords so they get too complex for phreaks like Eastwind. Security/3000 from VEsoft is the leading choice. That's software which might also be useful in passing an audit.
Passwords are a guessing game for Eastwind. He points to FIELD.SUPPORT,PUB as a backdoor "unfortunately locked off or removed by some worldly wise system managers." Then the hacker moves on to the obvious gateway of MANAGER.SYS,PUB.
This is the manager’s account, and it will usually be protected by a User password and an Account password. These will be invaluable later, since most managers hate to memorize more than a few passwords and they need to have access to more than a few accounts. I can’t really help you on hacking the passwords. That’s usually where guesswork and intuition come in. Sorry.
Don't be one of the "most managers who hate to memorize."
Showing this kind of information to hackers can rankle some system managers. It's as if writing about it will make it easier to breach a 3000 system. You might be able to use brute force guessing software to come up with an account.user password set. But the multiple attempts should trigger some alarm in your systems protection.
The protected levels of the 3000 throw up another dilemma for Eastwind, too.
An HP 3000 has a few problems from a hackers view. You see, once you get on with your very own account, you still can’t see any files no matter how powerful you are. What you must do is to logon under the different accounts on the system to see what each person has to look at.
There are ways to get around this I am learning, but it’s too much for a first time type of thing, so call back later.
Ensure your passwords are strong, unique, and changed often on your HP 3000. That's some serious protection to add before a phreak like Eastwind blows past your system. It's the locked door theory of burglary prevention. The bad guys tend to move to the next house, if the door is secured.
