Hacking Report For Our IBM i – 2nd Qtr 2013

By Rich Loeber

In January 2013, we at Kisco Information Systems issued our first Hacking Report for our IBM i system.  At that time, I promised to publish additional reports of what we are seeing on this test server.  This is our report for the second quarter of 2013 and represents activity observed from April 1st through the end of June.

During this three month period, we observed a slight increase in the volume of network transactions on our system, about a 13% increase.  At the same time, we saw a drop in the number of illegal access attempts that were rejected by our SafeNet/i software.  From 1,603 rejections last quarter, we saw an 11.6% decrease down to 1,417, or nearly 16 unauthorized access attempts every day, down from 18 last quarter.

This all goes to prove that life on the Internet continues to be unsafe.  If someone tried to break into my home 16 times a day, I’d be worried.  But this is what passes for “normal” in today’s networked world.

Some interesting things to note ….

On our server, the unauthorized access attempts still all fall into two categories.  The miscreants attempt to access the system by FTP and Telnet.

SafeNet/i on our FTP Server on the IBM i OS rejected 1,117 access attempts which represents a small increase from last quarter.  During this time, the number of legitimate FTP access attempts was 694, so the unauthorized attempts exceeded the legitimate attempts.  We serve client requirements and software development needs using FTP, so we have to keep the FTP server active.  This is a clear warning message, however, that if you are keeping the FTP server active on your system, you really need to have access controls in place like those provided by SafeNet/i.

We also took a look a the most popular user profiles being used to attempt access to our system via FTP.  Like last quarter, the leading profile is still ADMINSTRA with 157 attempts.  The next most popular profiles used were USER, ADMIN, BACKUP and DATA.  For these profiles, the pattern we continue to see the pattern of multiple access attempts from the same source using a different password each time.  This lends credence to the need to use less common profile names coupled with complex passwords.

For unauthorized Telnet access attempts, we saw a decrease in activity by about half.  The access attempts via Telnet tend to come in single attempts or at the most, two or three successive attempts.  SafeNet/i captures these before an actual signon screen is presented, so they never get to the feature in IBM’s i OS that forces a profile to go inactive.  (The same is true for the way we are intercepting unauthorized FTP attempts.)

We also continue to see certain IP addresses with repeated access attempts.  Interestingly, the leading violator for this quarter traced back to MicroSoft in Redmond, Washington.  The next three highest all traced back to the Asia Pacific Network Information Center in Australia.

When we went public with our IBM i server hacking results at the start of this year, there was some concern expressed that we might be challenging hackers to break into our test server.  We are happy to report that the challenge was apparently not taken up with the second quarter results being consistent with what we saw for the first quarter.

One other thing to note is that unauthorized access attempts are, in fact, limited to FTP and Telnet.  In a way, this is good news.  There are a lot of other doors and windows in the IBM i platform, but nobody is trying to use them.  All of the unauthorized access attempts that we have observed for the six months that we have been watching have been limited to just these two access points.

We will continue to review our server’s status on a quarterly basis and report the results on our blog space.  If you have questions about details of the report, feel free to contact me directly by email (rich at kisco.com).

Comments are closed.