Hacking an IBM i
Bruce Bading
Retired from frAgile and Vulnerable Technology and (lack of) Preventive Cybersecurity
Data breaches happen on the IBM i even though it is one of the most securable platforms on the planet. Don't fool yourself into thinking that it does not happen. Note that I stated in the very first paragraph securable, not secure. That is because it ships with a CVSS rating of 6.7, with unencrypted telnet and FTP, but that's not all. It is the only system where you don't need an SUID to programmatically swap to another profile. The crazy thing we did on the IBM i is allow authority to be granted on a profile itself. Rather than keeping profiles in an internal object or shadow file, we are the only system that lets another user swap to a profile outside of a programmatic process, ad hoc, simply by granting others authority to *USRPRF (user profile) objects directly.
This gives others the ability, at any time, to become another profile without that profile's password or the business's permission, even from a DOS command prompt, over DDM/DRDA, or through an ODBC command. We also don't usually adhere to the principle of least privilege (PoLP) on the IBM i. Instead we practise KoLP, MoLP or MtLP (Kind of Least Privilege, Mostly Least Privilege or More than Least Privilege) by letting users have *JOBCTL (control any job: other users' jobs or system jobs) and *SPLCTL (control any spooled file). We hand out these administrative authorities by the thousands, and don't even get me started on the other six admin special authorities granted through groups and *USRPRF authority.
We use LanMan password hashes, making every profile password vulnerable to Hashcat and John the Ripper. Yes, you need *ALLOBJ and *SECADM to get the hashes, but remember the *USRPRF objects: authority to one of those can usually elevate you to that level. Here are real-world IBM i hacks that we saw while I was Senior Security Consultant working with the largest organizations in the world, and now as a world-class IBM and CIS Business Partner:
- Critical data stolen by nation state actors from a defense contractor on the IBM i
- Internal developer stealing information by harvesting passwords through an exit program at a large financial institution IBM i
- Credit cards of Donald Trump, Barack Obama, George Bush and others stolen from a large retail system IBM i
- Credit card theft for over 5 years by an internal developer on a system in South America from an IBM i (we almost felt bad until they said it had been going on for over 5 years)
- An Asian customer had all auditing turned off, exit points removed, and QAUDJRN and its associated journal receivers deleted; the last thing the SIEM detected was that no audit journal existed. They asked, "Do you think we have been hacked?"
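The weaknesses described above (authority granted on *USRPRF objects, *JOBCTL/*SPLCTL handed out directly or through groups, LanMan hashes kept at a low password level) and the last incident in the list (an audit journal that quietly disappeared) can all be inventoried from the same ODBC/DDM/DRDA SQL access that an attacker would use. The queries below are an added example, not part of Bruce's article or of the CIS IBM i Benchmark; they use the IBM i Services views and table functions in QSYS2 (SYSTEM_VALUE_INFO, OBJECT_STATISTICS, OBJECT_PRIVILEGES, USER_INFO, GROUP_PROFILE_ENTRIES) with column names as I know them from IBM's documentation, so verify them against your release before relying on the output, and run them under a profile that is permitted to read these objects.

```sql
-- Added defender-side inventory queries; not code from the article or the CIS benchmark.
-- Assumes the QSYS2 IBM i Services views listed in the lead-in exist on your release.
-- Run from ACS Run SQL Scripts, STRSQL, or any ODBC/JDBC session.

-- 1. Security posture system values. QPWDLVL 0 or 1 keeps LANMAN-compatible hashes;
--    QSECURITY below 40 and an empty/absent QAUDCTL are the other two flags to look at.
SELECT SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QPWDLVL', 'QSECURITY', 'QAUDCTL', 'QAUDLVL');

-- 2. Does the audit journal still exist? The customer above only found out after
--    QAUDJRN and its receivers were gone. Zero rows returned = no audit journal.
SELECT OBJNAME, OBJTYPE, OBJOWNER, LAST_USED_TIMESTAMP
  FROM TABLE(QSYS2.OBJECT_STATISTICS('QSYS', '*JRN', 'QAUDJRN'));

-- 3. Private authorities on *USRPRF objects granted to anyone other than the
--    profile itself or its owner. Any entry that is not *EXCLUDE is a candidate
--    for the password-less profile swap the article describes; a *PUBLIC row here
--    means every user on the box qualifies.
SELECT p.OBJECT_NAME        AS TARGET_PROFILE,
       p.AUTHORIZATION_NAME AS GRANTEE,
       p.OBJECT_AUTHORITY,
       p.OWNER
  FROM QSYS2.OBJECT_PRIVILEGES p
 WHERE p.OBJECT_SCHEMA = 'QSYS'
   AND p.OBJECT_TYPE   = '*USRPRF'
   AND p.AUTHORIZATION_NAME NOT IN (p.OBJECT_NAME, p.OWNER)
   AND p.OBJECT_AUTHORITY <> '*EXCLUDE'
 ORDER BY TARGET_PROFILE, GRANTEE;

-- 4. Who holds *JOBCTL or *SPLCTL, either directly on the profile or inherited
--    from a primary or supplemental group. Extend the LIKE list to *ALLOBJ,
--    *SECADM, *SERVICE, *AUDIT, *IOSYSCFG and *SAVSYS for the full picture.
WITH direct_grant AS (
  SELECT AUTHORIZATION_NAME AS PROFILE,
         SPECIAL_AUTHORITIES,
         'DIRECT'           AS VIA
    FROM QSYS2.USER_INFO
   WHERE STATUS = '*ENABLED'
     AND (SPECIAL_AUTHORITIES LIKE '%*JOBCTL%'
       OR SPECIAL_AUTHORITIES LIKE '%*SPLCTL%')
), group_grant AS (
  SELECT m.USER_PROFILE_NAME                AS PROFILE,
         g.SPECIAL_AUTHORITIES,
         'GROUP ' || m.GROUP_PROFILE_NAME   AS VIA
    FROM QSYS2.GROUP_PROFILE_ENTRIES m
    JOIN QSYS2.USER_INFO g
      ON g.AUTHORIZATION_NAME = m.GROUP_PROFILE_NAME
   WHERE g.SPECIAL_AUTHORITIES LIKE '%*JOBCTL%'
      OR g.SPECIAL_AUTHORITIES LIKE '%*SPLCTL%'
)
SELECT PROFILE, VIA, SPECIAL_AUTHORITIES FROM direct_grant
UNION ALL
SELECT PROFILE, VIA, SPECIAL_AUTHORITIES FROM group_grant
ORDER BY PROFILE, VIA;

-- 5. Headline number for the report: how many enabled profiles carry any of the
--    eight special authorities at all (directly). Compare it with your head count.
SELECT COUNT(*) AS PROFILES_WITH_SPECIAL_AUTHORITY
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND SPECIAL_AUTHORITIES <> '';
```

Query 3 is the one to schedule: a new row there is a new way to become another user without a password, so feed its output to the SIEM as a daily diff rather than a one-off review. Query 4 deliberately reports group-inherited authority on its own line, because DSPUSRPRF on the member profile shows nothing unusual; the excess lives on the group.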
We are serious about cybersecurity at the CIS and have written the first CIS IBM i Security Benchmark in history. As the author of these benchmarks, this is my second first on the IBM i. Back in 1996, Bruce Bading was the author of the very first automated AS/400 security assessment at the request of Carol Woodbury, who was then Security Architect in Rochester, and later partnered with Pat Botz as we organized the first cybersecurity group in Rochester. Those tools are the basis for the CART tool that my friend and colleague Terry Ford maintains to this day, which is currently being mapped to the CIS Controls, which in turn are mapped to every compliance requirement: PCI, HIPAA, SOX, FFIEC, NIST, etc.
So let's all get serious, stop the breach madness, and make our systems not only the most securable but the most secure. Make us in the IBM and IBM Business Partner world proud to say that the IBM i is one of the most securable and secure systems available for business.
Strategic Fractional CMO | Reputation Management Specialist | Driving Business Growth Through Marketing Leadership & Brand Strategy | Expert in Customer Acquisition & Digital Presence Optimization | Gunslinger
1 year ago: Bruce, thanks for sharing!