3000 security status: obscure and secure
December 26, 2018
Earlier this year Jeff Kubler of Kubler Consulting was trying to label the status of MPE/iX security. The distinction between hardware and software is noteworthy. Whatever security the 3000s had confers onto the virtualized 3000s running under the Charon emulator from Stromasys.
Kubler built a list of the known conditions and advantages
- Unknown operating system
- Password protected
- Must know how to address it with HELLO
- Must know or guess the user
- Could have additional security like VEsoft strenghtening the additional login string
- Security on the account, user and group level could keep those who even know a login from getting anything important
- No visiting websites while using an HP 3000 application
When Alan Yeo of ScreenJet said the 3000 security is weak ("if you have locked the doors, then it will stop someone who just tries the door handle"), Pro 3K's Mark Ranft wanted to disagree.
The correct description is Security through Obscurity. If your HP 3000 has VESOFT's Security 3000 installed, and it is properly configured with two factor authentication, I don't know if anyone, without physical access to the machine, or access to unencrypted backups media, that could break in.
Where the HP 3000 falls short is in encryption of data that is in transit between the user and the system. For this, I recommend you turn to MiniSoft Secure 92 for terminal access.
And unfortunately, if you host a website on the HP 3000, I have to admit the HP WebWise MPE/iX Secure Web Server is not TLS 1.2 capable. This would be a showstopper for PCI certification. But this is only a big deal if you accept credit card or other protected information via the website.
Finally, depending on your location or customer base, you may also need to worry about GDPR.
That two-factor feature might not be fully available under MPE/iX, depending on your definition of 2FA.
One weakness of MPE is that unless you have a password insertion utility, such as STREAMX, passwords for jobs must either be typed in when streaming, which precludes many job scheduling methods, or they must be hard-coded in the jobs. If you can prevent command-line access, some of these weaknesses can be overcome. I would say that the 3000's security is pretty weak without Security/3000 or a similar product.
With MPE or any other OS, security is effective only if those administering the machine take it seriously and don't make dumb mistakes. Years ago an employee of a company I worked for was being visited by her sister who was an HP SE in another city. I caught the sister trying to log on to our system using the default passwords for TELESUP and other standard accounts. Fortunately, I had changed them all, but I'm sure this approach works in many cases.
I often see systems where jobs with hard-coded passwords have read access granted to "ANY", lots of users with excessive privileges, and so forth. Unfortunately, these problems persist because most IT auditors don't know an HP 3000 from a hole in the ground.
Ranft got in the last word on the matter, which seems to suggest the Vesoft Security 3000 is essential.
If you set up Security 3000 to ask you for a series of questions, like your dog's birthday, instead of just a second password. I am pretty certain that qualifies as two factor authentication. Wikipedia defines it as: Two-factor authentication (also known as 2FA) is a type (subset) of multi-factor authentication. It is a method of confirming a user's claimed identity by utilizing a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.
And you are correct. Most un-enhanced HP 3000 systems had poor security. Vladimir Volokh of VEsoft made a living visiting companies and selling them Security/3000 and the rest of the VEsoft suite by breaking in while they sat beside him at the console. I would always enjoy my visits with Vlad. After a few visits, I learned enough that he was no longer able to break into my systems. But in those days there were some backdoor ways to get PM capability.