At 7/20/2009 04:49 PM, Patrick O'Keefe wrote:
> I think you were saying that you have the keys to the realm if you
> are an authorized program and IBM requires authorization for far too
> many services, so it is far too easy to stick back-door code in a
> program that "needs" to be authorized.
Basically, yes.
> That certainly is a hole in mainframe security, but I don't think of
> that as a "hacking" issue. (I'm going to assume the "hacking" in
> the original posting was meant to imply a breaching of MVS security
> by outsiders where "outsiders" could be either outside the company
> or outside the group of legitimate users - a meaning real hackers
> would find very offensive.)
My issue is mainframe security and what seems to me to be a rather
complacent and unfounded attitude that MVS security is bulletproof.
It is not bulletproof for the reasons that I discussed in my prior post.
To divide the issue by the distinction of "insider" vs. "outsider"
obscures the threat.
First of all, WRT an inside threat, I grant that a person posing such
a threat would first have to get past many (well, hopefully many)
other security barriers before being able to exploit the authorized
libraries vulnerability. But I don't think that therefore one should
be unconcerned about the vulnerability.
WRT an "outside" threat, I am willing to accept (and I acknowledged
this in my prior post) that z/OS's defense against non-APF
authorized threats is "bulletproof". But then to just leave the issue
there is, I think, complacent.
The presumption seems to be that no "outsider" would have the ability
to put a program into APF authorized libraries. Well, what about 3rd
party vendors? We certainly provide the motivation to induce
"insiders" to place our programs into authorized libraries. But what
are we? "Insiders"? "Outsiders"?
(As mentioned in my prior post, one technical way to partially
address this exposure would be for IBM to reduce the number of
reasons requiring a program to run authorized.)
> That certainly is a hole in mainframe security, but I don't think of
> that as a "hacking" issue.
I dunno. Wouldn't "Trojan Horse" fall into the category of "hacking"?
> I think "hacking" around or through MVS security is very rare.
I certainly hope so... But by no means would I consider myself
qualified to make that assertion.
FWIW, this sort of vulnerability is by no means limited to
mainframes. The PC world is plagued by this problem. In other words,
the model is out there. If "Western Civilization Runs on the
Mainframe", then it's only a matter of time before someone will find
that it's worth the effort to write a "gotta have" Trojan Horse.
Dave Cole REPLY TO: [email protected]
ColeSoft Partners WEB PAGE: http://www.colesoft.com
736 Fox Hollow Road VOICE: 540-456-8536
Afton, VA 22920 FAX: 540-456-6658
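One control that follows from the vendor-library concern raised above, added here as an example and not part of the thread: reconcile the live APF-authorized library list against a change-controlled baseline, so that any library appearing outside the approved inventory, or moving to a different volume, is flagged for review. The one-pair-per-line input format and all data set names are constructed for this example, not real z/OS display output.

```python
"""Reconcile the APF-authorized library list against an approved baseline.

Added example, not from the IBM-MAIN thread. The input is a constructed,
simplified rendering of an APF list ("DSNAME VOLSER" per line); real
system displays differ, so adapt parse_apf_list() to your site's output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApfEntry:
    dsname: str
    volser: str  # "*SMS*" marks an SMS-managed data set in this constructed format


def parse_apf_list(text: str) -> list[ApfEntry]:
    """Parse 'DSNAME VOLSER' lines, skipping blank lines and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dsname, volser = line.split()
        entries.append(ApfEntry(dsname.upper(), volser.upper()))
    return entries


def audit_apf(entries: list[ApfEntry], approved: dict[str, str]) -> dict[str, list[str]]:
    """Return libraries not in the baseline, volume mismatches, and baseline entries no longer present."""
    findings: dict[str, list[str]] = {"unapproved": [], "volume_mismatch": [], "missing": []}
    seen = set()
    for e in entries:
        seen.add(e.dsname)
        if e.dsname not in approved:
            findings["unapproved"].append(e.dsname)  # library nobody signed off on
        elif approved[e.dsname] != e.volser:
            findings["volume_mismatch"].append(f"{e.dsname} on {e.volser}, expected {approved[e.dsname]}")
    findings["missing"] = sorted(set(approved) - seen)  # baseline drift in the other direction
    return findings


# Constructed sample data: the approved baseline (from change control) and a live list.
APPROVED = {"SYS1.LINKLIB": "*SMS*", "SYS1.LPALIB": "*SMS*", "VENDORA.LOADLIB": "VNDR01"}
SAMPLE_APF_LIST = """
# constructed sample, not real system output
SYS1.LINKLIB    *SMS*
SYS1.LPALIB     *SMS*
VENDORA.LOADLIB VNDR02
TEMP.TEST.LOAD  WORK01
"""

if __name__ == "__main__":
    for kind, items in audit_apf(parse_apf_list(SAMPLE_APF_LIST), APPROVED).items():
        for item in items:
            print(f"{kind}: {item}")
```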
At 7/20/2009 04:49 PM, Patrick O'Keefe wrote:
Maybe the result was silence that time but the general topic has
been discussed a number of times in a number of venues. I think you
were saying that you have the keys to the realm if you are an
authorized program and IBM requires authorization for far too many
services, so it is far too easy to stick back-door code in a program
that "needs" to be authorized.
That certainly is a hole in mainframe security, but I don't think of
that as a "hacking" issue. (I'm going to assume the "hacking" in
the original posting was meant to imply a breaching of MVS security
by outsiders where "outsiders" could be either outside the company
or outside the group of legitimate users - a meaning real hackers
would find very offensive.)
Writing a back door is "an inside job". It could be an interesting
hack, but I don't think that's what the OP meant.
MVS security (when used) does a good job of keeping outsiders out,
but no system on any operating system is safe from those that are
given the authority to bypass the security.
I think "hacking" around or through MVS security is very rare.
Pat O'Keefe
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html