
dave@horsfall.org
Date: Wed, 10 May 2017 07:14:36 +1000 (EST)

Jeremy Epstein wrote:

> Not disputing that it's a potential threat; just for the record it
> appears to have been unsuccessful.

No claim was made that it was successful; in fact, upon studying the item again it was clearly intended as a joke (the SQL appears to be preceded by "pwn", which is of course cracker slang for "broke into").

But yes, that was seven years ago, and as Bruce Schneier is always saying, attacks only get better over time...


Kelly.Manning@ncf.ca
Date: Tue, 9 May 2017 18:17:42 -0400 (EDT)

"(Basically it injects a "DROP TABLE" command.)"

And?

In DB2 the running process would have to be authorised for the DROP Table action in that particular named Tablespace.

How common is that? Is Drop Table less restricted in other Relational DB Management Systems?

I will concede that my experience has been that a number of IMS and CICS developers GRANT EXECUTE on DB2 Plans to PUBLIC, even though they have the option to restrict that GRANT to a particular named CICS or IMS subsystem. Even then, CREATE and DROP tablespace should involve scratch pad or work tablespaces which are intended to be used for transient data, not the same tablespaces used for long term data. The running process should not be using a DB Admin or Developer ID.

I pointed out to Security Admins and Sys Admins that a GRANT to PUBLIC without limiting the scope to a named subsystem meant that programmers with a screw loose or axe to grind could invoke the program from batch, TSO... They told me that I was being too paranoid, so I applied that restriction to my own work and didn't pursue it for the entire server.

My 1st 1979 IMS project involved a contractor who inspired a policy that a tape should never be sent offsite without a Group Data Security Admin signature. Years later I saw him in the middle of a Group Photo when I started a new job and asked "Oh, Does first name last name work here?".

That was met with a sudden silence. I told the story of my interaction with him and was told that the 1st time he had been on the overnight on call support rotation the phone number he had given turned out to be for "Dial a Prayer".

My new manager took to having me vet the names of potential hires. If I didn't recognise the name I could often dig up work related comments such as showing up after office hours when a manager was working alone, with a shotgun, to dispute work assignments.

As I wrote, some folks just have a screw loose, no matter how technically brilliant they may be.
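The two controls the post above turns on (parameterised statements, and a running process whose ID is not authorised to DROP TABLE) can be shown side by side. This is an added example, not code from the poster or the list; it assumes SQLite, with its authorizer hook standing in for a DB2 privilege GRANT, and the table and injected name are constructed sample data.

```python
import sqlite3

# Constructed sample inputs: a benign name and the classic injected payload
# that turns one INSERT into "INSERT ...; DROP TABLE ...".
BENIGN_NAME = "Robert"
INJECTED_NAME = "Robert'); DROP TABLE students; --"

def _deny_ddl(action, arg1, arg2, db_name, trigger):
    # SQLite authorizer hook standing in for the DB2 point in the post: the
    # running process's ID simply is not authorised for DROP/CREATE TABLE.
    if action in (sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def _fresh_db(least_privilege):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE students (name TEXT)")
    con.execute("INSERT INTO students (name) VALUES ('Alice')")
    con.commit()
    if least_privilege:
        con.set_authorizer(_deny_ddl)  # installed after the schema exists
    return con

def run_scenario(parameterised, least_privilege, name=INJECTED_NAME):
    # Returns what survived: parameterised=False is the vulnerable pattern
    # (name spliced into the SQL text, multi-statement execution allowed).
    con = _fresh_db(least_privilege)
    error = None
    try:
        if parameterised:
            con.execute("INSERT INTO students (name) VALUES (?)", (name,))
        else:
            con.executescript(
                "INSERT INTO students (name) VALUES ('%s')" % name)
    except sqlite3.Error as exc:
        error = str(exc)  # "not authorized" when the DDL is denied
    exists = con.execute(
        "SELECT count(*) FROM sqlite_master "
        "WHERE type = 'table' AND name = 'students'").fetchone()[0] == 1
    rows = con.execute("SELECT count(*) FROM students").fetchone()[0] if exists else 0
    con.close()
    return {"table_exists": exists, "rows": rows, "error": error}

if __name__ == "__main__":
    for p in (False, True):
        for lp in (False, True):
            print(p, lp, run_scenario(p, lp))
```

Only the unparameterised, fully privileged combination loses the table; with the DDL privilege withheld the injected statement fails at prepare time and the benign INSERT still goes through.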
