On 18 Jun 2005 07:48:27 -0700, in bit.listserv.ibm-main you wrote:

>Saturday's Washington Post reports on the woes of CardSystems in Tucson, a
>credit card processor. A hacker got access to 40 million credit cards.
>MasterCard, Visa, and the FBI are not amused. The article briefly alludes
>to how the attack succeeded:
>
>http://www.washingtonpost.com/wp-dyn/content/article/2005/06/17/AR2005061701031.html
>
>According to http://www.cardsystems.com/careers.html (the recruiting page
>for the company), CardSystems has the following types of systems
>installed:
>
> Microsoft .NET (and Windows servers)
> Oracle databases
> VMS
>
>Not a single mention of an IBM zSeries system, RACF, CICS, or IMS in all
>its job recruiting pages. Which is really too bad, because if they had
>been processing credit cards through those systems, chances are that
>hacker wouldn't be having as much "fun" right now.
How secure are the z/OS systems that do substantial web service? In this case, I wonder if the perpetrator was an insider or ex-insider. Also, there are add-on products for the environments mentioned, as well as security functions in Oracle that may or may not have been properly implemented. Remember that RACF is an add-on (albeit that a security system is now almost required for z/OS to work).

Did the hacker get the information from the production servers or the application test servers? In a similar vein, is confidential information changed when test data is created from production data on major z/OS systems?

I would like to see the results of penetration attempts on z/OS sites with similar application profiles. Are the vulnerabilities for SAP or JD Edwards the same regardless of platform? If a salesperson has access to x information sitting on the mainframe by using a laptop and Internet connection, how easy would it be for an outsider to get the same information? How vulnerable are zSeries systems to denial of service attacks by people logging into the HMC where remote IPL is enabled (or even just remote access)?

I have spent most of my career in the 360 - 370 arena, and I suspect that a technically knowledgeable insider who had TSO access comparable to an application programmer probably could have seriously compromised a large percentage of the sites, at least until the early 1990s. Controlling access is a difficult and challenging task, and defining legitimate use is not a trivial task. I know that to do my job as an applications programming consultant, I needed access to a lot of business confidential information (try fixing something like a customer file without access).

In line with this, I am skeptical about the value of encrypting most files on the mainframe or other server that is not easily accessible physically. If the data is stolen using an authorized process, it will be decrypted anyway. The amount of unauthorized access that can be prevented probably isn't that great. How do you manage encrypting backup and other tapes so that the keys aren't with the tapes, yet the tapes can be read in a disaster situation at a remote site and, in the case of archival tapes, so that the tapes can be read for the life of the tape? In regard to the latter, it would be interesting to find out what percentage of archival files can actually be read using record descriptions or table descriptions for the files or database unloads.

While I am not a supporter of encryption in general, I probably should encrypt my USB key, although it would only slow down someone who gets it, since the encryption key would have to be on the same 512 meg as the data.

>
> >>> comments of Timothy's that I think echo my own (Clark's) snipped
>
>[Speaking for myself.]
>
>- - - - -
>Timothy F. Sipples
>Senior Software Architect, Enterprise Transformation
>IBM Americas zSeries Software
>Phone: (312) 245-4003
>E-Mail: [EMAIL PROTECTED] (PGP key available.)
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

