T 3.38 Errors in configuration and operation

Configuration errors arise when program start-up parameters and options are set incorrectly or incompletely. This includes, for example, access rights that are specified incorrectly. When a user makes an operating error, it is not only individual settings that may be wrong; the IT system or application itself may be handled incorrectly. An example of this is starting programs that are not necessary for the computer to fulfil its function but that can be misused by an attacker.

Examples of configuration or operator errors nowadays are storing passwords on a PC on which untested software from the Internet is run, or loading and executing malicious ActiveX controls. These programs, which are used among other things to make web pages more attractive through dynamic content, run with the same permissions as the user. They can delete, change, or send any data desired.

Many programs intended to be used for publishing information in an open environment without restrictions can, when configured incorrectly, provide potential attackers with data that they can then misuse. In this manner, for example, the finger service can inform an attacker of how long a user has already been sitting at a computer. Browsers also transmit a substantial amount of information to the web server (e.g. the versions of the browser and operating system used, the name(s) and the Internet address of the PC) whenever a query is issued. Cookies should also be mentioned in this context. These are files on the user's computer in which the operators of web servers store data relating to the web user. This data can be called up the next time the server is visited and can be used by the operator of the server to analyse which web pages on the server the user has already visited.

The use of the Domain Name System (DNS) is a further source of danger. On the one hand, an incorrectly configured DNS makes it possible to query a large quantity of information relating to a local network. On the other hand, an attacker who takes over the server can send forged IP addresses, enabling the attacker to control all data traffic.
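
A defender can check for the first kind of DNS misconfiguration described above. This is an added example, not part of the original catalogue text: it assumes the server is BIND and that the disclosure in question is an unrestricted zone transfer, and the sample configuration and zone names are constructed.

```python
import re

# Constructed sample in BIND named.conf syntax; zone names are illustrative.
SAMPLE_CONF = """
options { allow-transfer { none; }; };
zone "corp.example" { type master; file "corp.db"; allow-transfer { any; }; };
zone "lab.example"  { type master; file "lab.db";  allow-transfer { 192.0.2.53; }; };
zone "dmz.example"  { type master; file "dmz.db"; };  // inherits from options
"""

def block_after(text, start):
    """Return the contents of the first balanced {...} block after start."""
    begin = text.index("{", start)
    depth = 0
    for pos in range(begin, len(text)):
        if text[pos] == "{":
            depth += 1
        elif text[pos] == "}":
            depth -= 1
            if depth == 0:
                return text[begin + 1:pos]
    raise ValueError("unbalanced braces in configuration")

def transfer_acl(body):
    """Return the allow-transfer address list in body, or None if absent."""
    match = re.search(r"\ballow-transfer\b", body)
    return block_after(body, match.end()).replace(";", " ").split() if match else None

def audit_transfers(conf):
    """Map each served zone to 'any' or 'unset' when transfers are not restricted."""
    conf = re.sub(r"/\*.*?\*/|(//|#)[^\n]*", "", conf, flags=re.S)  # drop comments
    opts = re.search(r"^\s*options\b", conf, flags=re.M)
    inherited = transfer_acl(block_after(conf, opts.end())) if opts else None
    findings = {}
    for zone in re.finditer(r'^\s*zone\s+"([^"]+)"', conf, flags=re.M):
        body = block_after(conf, zone.end())
        if not re.search(r"\btype\s+(master|primary|slave|secondary)\b", body):
            continue  # only primary and secondary zones are checked
        acl = transfer_acl(body)
        acl = inherited if acl is None else acl
        if acl is None:
            # No statement anywhere: the effective default depends on the
            # server version, so flag the zone for an explicit setting.
            findings[zone.group(1)] = "unset"
        elif "any" in acl:
            findings[zone.group(1)] = "any"
    return findings

if __name__ == "__main__":
    print(audit_transfers(SAMPLE_CONF))
```

Named ACLs and view-level settings are not resolved, so treat the result as a first-pass check before reviewing the configuration by hand.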

Automatically executable content in e-mails or HTML pages is another serious threat. This is referred to as a content security problem. Files downloaded from the Internet can contain code that is executed simply by being viewed, without confirmation from the user. This is the case, for example, with macros in Office files, and this capability is exploited to create so-called macro viruses. Even programming languages and programming interfaces such as ActiveX, JavaScript or Java, which were developed for applications on the Internet, have the potential to cause damage if the control function is implemented incorrectly.

In z/OS operating systems, the availability of the RACF security system is of primary importance to the availability of the entire system. The availability could be restricted through improper use of z/OS utilities when backing up the RACF database or by using the RACF commands incorrectly.