Bytware

Archive for the ‘Industry News’ Category

May 2013 NEWSBYTs

Tuesday, April 30th, 2013

by Heather Beck, Product Support Manager, Bytware

If you have a well-implemented security plan, you have already identified your end users and have given careful consideration to their authorization roles. But what about security within your IT department? Have you restricted the authority of your IT staff members or software vendors who supply applications on your system? Do you have any IT consultants that have access to your system? Individuals within your IT department pose the greatest security threat of all. As with all other employees, IT staff members should only be authorized to those functions that require them to do their job. Generally, IT workers are trusted; but you can’t base your security on trust.

An obvious first step in taking control (remember security is a business function), is to ensure that all users are properly authorized to perform their jobs AND are otherwise restricted. You must identify the authorization roles within the IT department as well. Consider your operator who must coordinate with end users to resolve workstation issues, job issues, and printing problems. They may even schedule daily batch jobs. Do you have a communications administrator who maintains device descriptions and network configurations? Are they the same person as your operator or network administrator? After you’ve defined roles for your own IT staff members, you mustn’t forget about those vendors and consultants. They are an integral part of your IT environment.

There is also a looming threat regarding profile swapping. Profile swapping is a common technique used to elevate a user’s authority only when they need it. Using the IBM-supplied User Profile Swap APIs is a good way to temporarily gain control of another user profile. Once a job has been changed to run under a new user profile, every activity happening after that will fall under that new profile. For example, if you were to display spooled files, you would see the spooled files for the new user profile that you swapped to even though you signed on under your own user profile. And if you submitted a new job, it would be submitted under the new profile. There are many business reasons to use this technique but it can also come at a heavy price.

So you’ve defined your profiles and granted and revoked authorities, but your system and users aren’t static. Employees and business requirements change. And even if their authorities are well-defined and will never change, there are times they could potentially be acting like someone else (profile swapping!). Therefore you must also take steps to constantly audit these users and authorities to ensure your security is effective over time. You need a peek into your system on a periodic basis to be sure you’re not still relying on trust with your IT staff.

The System Audit Journal allows you to perform user level event auditing. You can audit an IT staff member’s actions or their use of particular objects, or both by using the CHGUSRAUD command. This command gives you an excellent tool to spot-check users with *ALLOBJ special authority. QAUDJRN even logs a PS audit journal entry when a profile swap has taken place.
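The spot-check the paragraph above describes can be scripted. The following is an added example, not Bytware's or IBM's code: it reads an export of user profiles, flags every profile holding a powerful special authority whose action or object auditing is incomplete, emits the CHGUSRAUD command that would close each gap, and checks the QAUDCTL prerequisite. The CSV column names (USRPRF, SPCAUT, OBJAUD, AUDLVL) and the sample rows are this example's own constructed convention, not a documented IBM outfile layout.

```python
"""Spot-check privileged IT profiles for user-level auditing.

Added example, not Bytware's or IBM's code. Input is a constructed CSV export
of user profiles; the column names USRPRF, SPCAUT, OBJAUD and AUDLVL are this
example's own convention (assumed), not a documented IBM outfile layout.
"""
import csv
import io

# Special authorities that justify per-user auditing (the article singles out *ALLOBJ).
PRIVILEGED = {"*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE"}
# Action auditing every privileged profile should carry: command strings and
# security-relevant changes.
REQUIRED_AUDLVL = {"*CMD", "*SECURITY"}

# Constructed sample export (not real profiles).
SAMPLE_EXPORT = """USRPRF,SPCAUT,OBJAUD,AUDLVL
NIGHTOPR,*JOBCTL *SPLCTL,*NONE,*NONE
NETADM,*IOSYSCFG *ALLOBJ,*NONE,*NONE
VENDOR1,*ALLOBJ *SECADM,*CHANGE,*CMD *SECURITY
CONSULT2,*ALLOBJ,*NONE,*CMD
CLERK,*NONE,*NONE,*NONE
"""


def load_profiles(text):
    """Parse the CSV export into dicts with normalised, upper-cased fields."""
    profiles = []
    for row in csv.DictReader(io.StringIO(text)):
        profiles.append({
            "user": row["USRPRF"].strip().upper(),
            "spcaut": {v.upper() for v in row["SPCAUT"].split()},
            "objaud": row["OBJAUD"].strip().upper(),
            "audlvl": {v.upper() for v in row["AUDLVL"].split()} - {"*NONE"},
        })
    return profiles


def audit_gaps(profiles):
    """Privileged profiles whose action or object auditing is incomplete.

    Returns (user, missing action-audit values, current OBJAUD) tuples.
    """
    gaps = []
    for p in profiles:
        if not (p["spcaut"] & PRIVILEGED):
            continue
        missing = REQUIRED_AUDLVL - p["audlvl"]
        if missing or p["objaud"] == "*NONE":
            gaps.append((p["user"], sorted(missing), p["objaud"]))
    return gaps


def chgusraud_commands(profiles):
    """CHGUSRAUD commands that close each gap.

    AUDLVL replaces the whole list, so the profile's existing values are kept
    and the required ones added rather than overwritten.
    """
    by_user = {p["user"]: p for p in profiles}
    cmds = []
    for user, _missing, _objaud in audit_gaps(profiles):
        audlvl = sorted(by_user[user]["audlvl"] | REQUIRED_AUDLVL)
        cmds.append(f"CHGUSRAUD USRPRF({user}) OBJAUD(*CHANGE) "
                    f"AUDLVL({' '.join(audlvl)})")
    return cmds


def qaudctl_enables(qaudctl_values):
    """Per-user auditing only takes effect when the QAUDCTL system value
    includes *AUDLVL (for AUDLVL) and *OBJAUD (for OBJAUD)."""
    values = {v.upper() for v in qaudctl_values}
    return {"audlvl": "*AUDLVL" in values, "objaud": "*OBJAUD" in values}


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_EXPORT)
    for gap in audit_gaps(profiles):
        print("gap:", gap)
    for cmd in chgusraud_commands(profiles):
        print(cmd)
    print("QAUDCTL enables:", qaudctl_enables(["*AUDLVL", "*OBJAUD"]))
```

Run against the sample, the script reports NETADM and CONSULT2 (both hold *ALLOBJ without full command auditing) and skips the operator, who holds no privileged special authority. Review the operator separately if you want their console activity audited too. The QAUDCTL check matters because a CHGUSRAUD on its own is silently ineffective if the system value does not include *AUDLVL and *OBJAUD.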

To enhance your security and assist in investigating suspicious activity, a screen-capture utility like Bytware’s PeekPlus can be invaluable. PeekPlus gives you the ability to view another user’s screen in real time, up to the last keystroke. Screen activity can even be recorded to a file to provide a permanent audit trail or it can be imported to any word processor to document incidents. Security administrators need tools that allow them to investigate security matters from their own terminal, and PeekPlus allows them to view another user’s screen with or without their knowledge.

Although you trust your IT staff, you may still need to monitor their activity or record their screens for evidence gathering, internal HR-related investigations, or just general security auditing. Have you ever wondered what exactly your night operator is doing when you’re not there? Wouldn’t it be nice to keep track of their screens to review the following morning? Or do you have trouble with someone answering messages incorrectly on the Console during day-end operations? Wouldn’t it be helpful if your IT consultants or software vendors knew they were being watched when they accessed your system? You can use PeekPlus to document the screen contents of any interactive job and send the screens to a file or printer. You can submit a job to capture screens to a database file, and that job will run until the device is signed off. You can then import the file into another application or download to your PC. You can also automate the screen capturing process using a CL program or job schedule entry.

Just because you have a well-implemented security plan, doesn’t mean trust will get you far. Consider the users in your IT department, define their roles clearly, and get tools to help you minimize the risk.

If you would like to find out more about PeekPlus contact us at 775.851.2900 or visit http://www.bytware.com/pp.


How to Prevent IFS Worms from Making Off with Your Critical Data

By Sandi Moore, Technical Consultant, Bytware

Throughout the day, we all receive hundreds, if not thousands, of emails in our Inbox from various sources—including co-workers, customers, vendors, and more. We rely on our corporate mail server and our local PC virus scanning to protect us from threats that may be hiding in those emails. Our mail admins remind us time and again to avoid opening unsolicited attachments or clicking on links from unknown persons. Data is constantly flowing through web browsers, FTP servers, shared network drives, removable media, and many other avenues. Knowing that these are all paths to infection, we scan and secure them as well. But what about your IBM i?

In recent months, we have seen a rash of virus infections that have had a frustrating impact on the IFS for many customers. W32/autorun.worm.aaeh is a worm that spreads by making copies of itself on removable drives and mounted network shares (i.e. your mapped drive to the IFS) and embeds copies of itself in ZIP and RAR files. It will hide the directories on removable drives and replace those directories with copies of itself—using the same filename as the hidden directory—so that when a user opens the mapped drive, it looks like their folder; but it is really the virus. It also checks for certain file types, changes the attributes to hidden, and creates a copy of itself with the same filename as the hidden file. The result? When you try to access your file, you are instead launching the virus. And this is just on your IBM i. The issues caused on PCs run even deeper.

The clean-up process ties up massive man-hours and involves using WRKLNK to find the affected directories and remove the bad files, as well as running the CHGATR command to change the attributes of all the hidden files back to their correct state. Along the way you must try to prevent users from launching copies of the worm again and undoing the cleanup already done. The good news is that the damage from this virus is superficial, if annoying. The next one could be more like the MyDoom virus that deleted files from any mapped drive it found.
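The hide-and-replace pattern described above is easy to recognise in a directory listing once you know what to look for, and that is where the WRKLNK hunt usually starts. The following added example (not Bytware's code) walks a listing of an IFS share, pairs each hidden directory or document with a visible executable of the same name beside it, shows how the decoys cluster by size (a worm copying itself leaves identical files everywhere), and produces the CHGATR commands that restore the hidden originals. The listing, paths and sizes are constructed for the example; in practice you would build the entries from a walk of the mapped drive or of the IFS directory itself.

```python
"""Find worm decoys that impersonate hidden folders and documents on an IFS share.

Added example, not Bytware's code. It looks for the pattern the article
describes: a directory or document has been set hidden and a visible
executable with the same name sits beside it. The listing below is
constructed (paths, sizes and attributes are made up).
"""
import posixpath
from collections import Counter
from dataclasses import dataclass

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


@dataclass(frozen=True)
class Entry:
    path: str       # full IFS path, forward slashes
    is_dir: bool
    hidden: bool    # *HIDDEN attribute set
    size: int = 0   # bytes, 0 for directories


# Constructed sample listing (not real data).
SAMPLE_LISTING = [
    Entry("/shared/finance/2013Q1", True, True),
    Entry("/shared/finance/2013Q1.exe", False, False, 327680),
    Entry("/shared/finance/budget.xls", False, True, 45056),
    Entry("/shared/finance/budget.exe", False, False, 327680),
    Entry("/shared/finance/readme.txt", False, False, 120),
    Entry("/shared/hr/policies", True, True),
    Entry("/shared/hr/policies.exe", False, False, 327680),
    Entry("/shared/hr/Thumbs.db", False, True, 8192),        # legitimately hidden, no decoy
    Entry("/shared/hr/setup.exe", False, False, 4194304),    # visible exe with no hidden twin
]


def _names(entry):
    """Names a decoy would reuse: the full name and, for files, the stem."""
    name = posixpath.basename(entry.path).lower()
    if entry.is_dir:
        return {name}
    return {name, posixpath.splitext(name)[0]}


def find_masquerades(entries):
    """Return (decoy_path, hidden_original_path) pairs, one per decoy found."""
    by_parent = {}
    for e in entries:
        by_parent.setdefault(posixpath.dirname(e.path), []).append(e)
    findings = []
    for siblings in by_parent.values():
        hidden = [e for e in siblings if e.hidden]
        visible_exes = [e for e in siblings if not e.hidden and not e.is_dir
                        and posixpath.splitext(e.path)[1].lower() in EXECUTABLE_EXTS]
        for h in hidden:
            targets = _names(h)
            for v in visible_exes:
                stem = posixpath.splitext(posixpath.basename(v.path))[0].lower()
                if stem in targets:
                    findings.append((v.path, h.path))
    return findings


def decoy_size_clusters(entries, findings):
    """Size histogram of the decoys: many decoys of one exact size is the
    signature of a file copying itself."""
    size_of = {e.path: e.size for e in entries}
    return Counter(size_of[decoy] for decoy, _ in findings)


def unhide_commands(findings):
    """CHGATR commands that clear *HIDDEN on each original, in listing order."""
    seen = []
    for _, original in findings:
        if original not in seen:
            seen.append(original)
    return [f"CHGATR OBJ('{p}') ATR(*HIDDEN) VALUE(*NO)" for p in seen]


if __name__ == "__main__":
    found = find_masquerades(SAMPLE_LISTING)
    for decoy, original in found:
        print(f"decoy {decoy} shadows hidden {original}")
    print("decoy sizes:", dict(decoy_size_clusters(SAMPLE_LISTING, found)))
    for cmd in unhide_commands(found):
        print(cmd)
```

The script only restores attributes; it deliberately does not delete the decoys, because a name match is a heuristic and a false positive would remove a real file. Quarantine the flagged executables for a scan before removing them, and keep users off the share while you do, since opening a decoy relaunches the worm and undoes the cleanup.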

Can this be prevented? Yes, the spread and damage of a virus can be prevented with a combination of strategies. First, limit who has the ability to map a drive to your system. For those who do need this ability, limit what functions they are allowed to perform through that mapped drive. A virus launched on a PC has all of the authority of the user who launched it, so if you have someone with *SECADM mapping a drive that connects automatically, you have the potential for big problems.

Second, implement a native anti-virus software package on your IBM i to scan your directories for viruses. StandGuard Anti-Virus allows you to take advantage of the IBM-supported on-access scanning to prevent the virus from spreading. On-access scanning is done in real time as the file is accessed through the File Server, and any file found to be infected is stopped dead in its tracks. It also allows you to scan your full system on a regularly scheduled basis to look for files that enter through the many other means available, such as FTP, optical drives, backups and others.

You never know what is hiding on your system until you scan it. And with regulatory standards such as PCI-DSS requiring the deployment of anti-virus software, you’ll not only be cutting off threats such as W32/autorun.worm.aaeh at the pass, but also ensuring that your organization is fully prepared for reporting and audits.

Find out more about protecting your IFS! Register for our May 15 webinar “3 IFS Weaknesses You Must Secure—Now!”


12 Ways MessengerPlus and Robot/SCHEDULE Can Work Together!

By Chuck Losinski

The scheduling functionality built into IBM i can help you take control of the jobs running on your system. But if you truly want to unleash the power of MessengerPlus for automated systems management, combining it with Robot/SCHEDULE from Help/Systems is the perfect solution. Robot/SCHEDULE takes you beyond the basics of IBM i scheduling with the ability to create finely tuned workflows that match perfectly to the unique requirements of your environment. Here are 12 ways that MessengerPlus and Robot/SCHEDULE can enhance your operations.

1. Have MessengerPlus monitor for the SLA messages that Robot/SCHEDULE can generate. (See Figure 1.)

Robot/SCHEDULE has a built-in job monitoring function that can monitor for and detect if:

a. Your job did not complete on time or ran too long
b. Your job ran too quickly (file might be empty)
c. Your job did not start on time

Figure 1: Job monitors

2. Let Robot/SCHEDULE fetch your PTF updates for MessengerPlus by scheduling the MPRUNUPD command at the best time for YOU. Possibly make this process dependent upon your month end process completing. This is called “Reactivity” in Robot/SCHEDULE and allows simple or complex dependency processing depending upon your needs. See the example job flow diagram from Robot/SCHEDULE (Figure 2).

Figure 2: Job flow diagram showing job dependencies

3. Have MessengerPlus monitor the critical Robot/SCHEDULE jobs that constitute the engine of Robot/SCHEDULE in the RBTSLEEPER subsystem. Critical jobs:

a. ROBOT
b. ROBOTREACT
c. ROBOTJM
d. ROBOTAUDIT
e. ROBOTSBMJ

4. Have MessengerPlus monitor the RBTSLEEPER subsystem to make sure it is active and running the various Robot products.

5. Monitor for the RB16404 message from your Robot/SCHEDULE jobs which indicates that one of your Robot jobs ended abnormally. These jobs can also be displayed in the Robot/SCHEDULE Schedule Activity Monitor for a visual indication that a job has ended abnormally. The Schedule Activity Monitor shows you a 24-hour forecast of your job schedule, the jobs that are queued or running, and the completed jobs. It automatically refreshes to give you an up-to-the-minute status of your Robot jobs. (See Figure 3.)

Figure 3: Schedule Activity Monitor

6. Embed the MessengerPlus command to send an email (SNDPGRMSG) when your job stream is starting, you’ve reached a critical checkpoint, or your job stream has completed. Unlike the native IBM i scheduler, Robot/SCHEDULE jobs can contain multiple commands and can stop processing the job if any of the commands fail. (See Figure 4).

Figure 4: Command entry in Robot/SCHEDULE

7. Schedule the MessengerPlus commands to hold (HLDMON) and release (RLSMON) resource monitoring during a month end process or another time.

8. Schedule the MessengerPlus Event Monitoring (PRTEVT) report giving you a detail report of the exceptions to the resource monitoring, job monitoring or message history. Use Robot/SCHEDULE Reserved Command Variables to fully automate the date range submission for the report. (See Figure 5.)

9. Schedule the MessengerPlus command to delete Event History based on days old, monitor name, status, type, originating system, and severity.

10. Schedule the MessengerPlus command to end (ENDMP) and then restart (STRMP) MessengerPlus, because of the limit on the number of times an ILE program can be called. We recommend doing this on a weekly basis.

11. Using the “EVERY” option in Robot/SCHEDULE to run a job every X minutes, schedule a “heartbeat” message using the SNDPGRMSG that MessengerPlus is active. Send that to the operations team responsible for monitoring all systems. There are many advanced scheduling options built into Robot/SCHEDULE to handle all of your complex scheduling needs. (See Figure 6.)

12. And last but not least, use the conversion from the native scheduler to import all your batch jobs into Robot/SCHEDULE. This will allow you to take advantage of all the great features of Robot/SCHEDULE described above to automate, monitor, and control your scheduled jobs using the Robot/REPLAY plug-in and the Enterprise plug-in for Windows, Unix, and Linux. (This last one has nothing to do with MessengerPlus, but we wanted an even dozen!)

Want to try combining MessengerPlus and Robot/SCHEDULE for yourself? Try Robot/SCHEDULE free for 30 days.


Q&A

How can I secure Telnet by User ID if no User ID was sent upon connection?

The Telnet server normally allows clients to connect without providing a User ID and password. This makes it easier for users to try different User IDs and passwords using the sign-on screen. Additionally, it would prevent your system security tool from being able to enforce Telnet policies based on User ID, because no User ID was sent.

StandGuard Network Security builds upon the OS design and requires a User ID and password to be sent upon connection. The option is provided to require the Telnet Client to send a valid User ID and password on the connection request. This makes it more difficult for users to try different User IDs and passwords, and prevents devices from being automatically selected and subsequently disabled due to invalid sign-on attempts. It allows StandGuard Network Security to enforce Telnet policies based on User ID (or group).

Do I have to run StandGuard Anti-Virus under user QSECOFR or can I use my own profile?

Several parts of the application need *SECOFR authority from time to time. The functions are submitted by default under the STANDGUARD user profile, but when STANDGUARD needs more authority it swaps to QSECOFR. The profile that STANDGUARD swaps to is listed in a data area. If you don’t want STANDGUARD swapping to QSECOFR when necessary, you can change the user profile that is used. Please use a profile that has *ALLOBJ and *SECADM special authority and has a directory entry. To make the change:

CALL PGM(STANDGUARD/AVCHGAO) PARM(userprofile STANDGUARD)

The program needs two parameters: the preferred user profile name, and the STANDGUARD library name.

Get an IBM Hardware Rebate with Bytware’s IBM ServerProven Solutions

Tuesday, May 3rd, 2005

The following information is reproduced from the IBM website for your reference.

Effective May 3, 2005, the IBM ServerProven® rebate offering has been modified. Refer to the Modification summary for a list of changes made with this modification.

All other terms and conditions remain unchanged.

This announcement supersedes United States Marketing Announcement 305-021, dated February 22, 2005, and Canadian Announcement A05-0318, dated February 22, 2005.

The Offer
You can receive a rebate of up to $68,000 USD ($85,000 CAD) if you acquire a qualifying new ServerProven Solution that includes:

  • an eligible new IBM iSeries™, i5, pSeries®, or xSeries® server; or
  • an eligible upgrade to an installed IBM iSeries or i5 server; and
  • an eligible ServerProven IBM or non-IBM software solution for the eligible server or upgrade acquired.

The amount of the rebate will be equal to the lesser of either the invoice price of the ServerProven software solution acquired, or the amount listed in the Qualifying/Eligible products section of the IBM website, which is based upon the eligible server or server upgrade acquired.

Only one rebate will be paid per eligible pSeries or xSeries server machine type/serial number acquired under this offering.

A single iSeries or i5 server machine type/serial number can qualify for more than one rebate as long as it is acquired new and subsequently upgraded, or was upgraded more than once, and the new acquisition and/or upgrade(s) are each acquired along with an eligible new ServerProven software solution that has not been previously installed on the iSeries or i5 server.

For a list of eligible products and maximum rebate amounts, refer to the Qualifying/Eligible products section.

Start and/or end dates
For hardware purchase transactions, IBM invoices for the eligible products must have a date of on or after May 3, 2005.

For hardware lease transactions, signed and accepted Leasing Certificates of Acceptance, or lease contracts with “Deemed Acceptance” for the eligible products must have a commencement date of on or after May 3, 2005.

Invoices for the eligible ServerProven software solutions can have a date that is up to 90 calendar days before or after the invoice date or lease commencement date of the eligible hardware.

For full details and other important information, visit the “ServerProven Rebate Offering” on IBM’s website.

Mydoom.F Strikes iSeries Shops

Wednesday, February 25th, 2004

A new variant of the Mydoom worm began making its way around the Internet last Friday, and this particularly nasty worm has already caused a great deal of damage to users—including iSeries shops—thanks to its ability to delete files. W32/Mydoom.f@MM, or simply Mydoom.F, is a mass-mailing and share-hopping worm based upon the original Mydoom code. The second variation, Mydoom.B, dropped the worm’s code, making it readily available to virus writers. Experts believe that Mydoom.F originates from a different author than the original.

Like earlier variants of Mydoom, this new worm launches distributed denial of service (DDoS) attacks, this time against Microsoft and the Recording Industry Association of America (RIAA). In addition, Mydoom.F searches for and deletes files on local and mapped drives. Primarily the worm targets image files and Microsoft Word and Excel documents, searching for the extensions .bmp, .avi, .jpg, .sav, .xls, .doc, and .mdb. The worm runs in a loop and deletes additional files on each pass.

Mapped drives need not be physically located on the infected system in order to be affected by Mydoom.F. Drives located on other platforms that can house Windows files can be equally affected.

Bytware, Inc., the Reno, Nevada-based developer of StandGuard Anti-Virus for the IBM eServer iSeries, has been contacted by several iSeries shops that have suffered data loss caused by Mydoom.F infection of networked PCs. The iSeries is generally viewed as invulnerable to viruses. A common practice of scanning the iSeries with a Windows PC through a mapped drive can open a door for worms and viruses to the iSeries.

In addition to file deletion and DDoS attacks, the Mydoom.F worm opens TCP port 1080, and additional ports in the range of 3000 to 5000, in an attempt to allow the author access to infected machines.

Mydoom.F arrives as an e-mail attachment of a variety of files types, including .zip. Upon identifying shared or mapped drives, the worm makes copies of itself as .zip archives or .exe files in different directories using random file names. It also propagates by harvesting e-mail addresses from infected systems and mass mailing itself using its own SMTP engine.

Most AV vendors have added definitions for Mydoom.F and experts urge users to update their anti-virus software and to protect all systems, including non-Windows platforms that may act as file servers and are attached to Windows PCs via mapped drives.

For more information about Mydoom.F, visit the Network Associates Virus Information Library at http://vil.nai.com/vil/content/v_101038.htm

For more information about iSeries anti-virus protection, visit the main StandGuard Anti-Virus page.