Kisco Closes AS/400 Telnet Security Loophole

Kisco Information Systems (Mt. Kisco, N.Y.) has released OnePass/400, which closes a Telnet security exposure on the AS/400. The AS/400 has a Telnet feature that allows connection to the AS/400 from any network client running Telnet software. Telnet can also be a security exposure, however, because the user profile and sign-on password travel across the network in cleartext. Anyone running "sniffer" software on a network segment the session crosses, including the Internet, can capture the profile and password during the Telnet sign-on and then use them to log on to the system.

Kisco Information Systems claims that its OnePass/400 closes a dangerous security loophole that occurs when Telnet is used for access to an AS/400.
Using OnePass/400, a system administrator enters the profiles of all Telnet users who will be connecting to the AS/400; only those authorized users are allowed to connect. If an incorrect password is supplied, the terminal session is immediately logged off. Once a legitimate single-use password has been supplied, the sign-on completes and that password is permanently retired. Anyone observing the logon sequence may be able to obtain the user profile, password and single-use password, but they cannot use that information to gain access through a new Telnet session, because the single-use password they captured has already been consumed. Note that OnePass/400 does not encrypt the Telnet session itself: the profile and its regular password are still sent in cleartext, and the protection comes from the captured single-use password being worthless once it has been used.

If someone attempts to sign on with a single-use password that has expired or has already been used, OnePass/400 notifies up to five people, logging the profile that was used and the date and time of the attempt. Administrators can then view or print the product's log to track that activity.

“Security all depends on the nature of the customer—whether they have sensitive data that would attract sniffers who might be looking at data going into and out of their system. If you look on the Internet, you could easily find some 5250 information posted on hacker bulletin boards. It’s no deep, dark secret like it used to be,” comments Rich Loeber, Kisco’s president.

“We originally developed OnePass/400 for a local client that wanted to provide workers with the option to telecommute, but they were concerned about a security exposure,” he adds. “Even though the profile and password are not encrypted using our solution, OnePass/400 provides a second level of single-use password that automatically expires as soon as it’s used. Even if the ID and password are compromised, they’re no longer valid.

“This customer has been using our product for about eight months, and has not had a security breach. However, we have seen evidence of people attempting to Telnet into their system from IP addresses that are not authorized. They are also using some of our other security software, which has kept the intruders out,” says Loeber.

Kisco decided to develop OnePass/400 as a legitimate product after the successful implementation at their first customer site. “We realized this customer can’t be the only one using Telnet and opening their company to a security exposure on the AS/400s. We spent about 6 weeks in development to polish the product and make it a robust solution.” Kisco expects to ship 150-200 units of OnePass/400 by the end of the year.

“OnePass/400 is initially targeted at companies that want to provide employees with a telecommuting option in a secure environment,” Loeber says. “However, it’s also a great solution for any industry where multiple AS/400s are used to Telnet to other AS/400s.”

Currently, OnePass/400 is available as a separate product. It costs $895 and is available for free trial from Kisco Information Systems. It’s likely that OnePass/400 will be offered at a discount to current users of Kisco’s other product offerings. Kisco expects to integrate it with their SafeNet/400 in a future release as an additional charge for added Internet security.

Related Editorial:

  • Kisco Offers Release 2 of WebReport/400
  • A Wake Up Call for Security

Related Information:

  • Kisco Information Systems
  • OnePass/400 Overview