You don't need to subvert z/OS to subvert a system. There are myriad
business-critical programs that run in problem state. While well-formed
RACF rules can offer protection, I wonder how many such rules
are well formed.
In any case, a malicious or sloppy "insider" doesn't have to be
inside the Systems staff. He need only be inside the
business-systems-knowledgeable community or even the system's trusted
user community.
Dave Cole
ColeSoft Marketing
736 Fox Hollow Road
Afton, VA 22920
REPLY TO: [email protected]
WEB PAGE: http://www.colesoft.com/
DESK: 540-456-8536
CELL: 540-456-6518
At 4/2/2013 05:59 PM, Tony Harminc wrote:
On 2 April 2013 16:21, John Gilmore <[email protected]> wrote:
> This piece will repay your attention. It is the first open-literature
> discussion of the market for 'exploits' and who is selling what to
> whom for how much that I have seen.
There have been discussions in less well informed and well written
publications than The Economist over the last year or so. Notably
Forbes and ZDnet both published articles last March:
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
http://www.zdnet.com/blog/security/us-government-pays-250000-for-ios-exploit/11044
> There is no discussion of z/OS exploits, but I do not find this
> reassuring. Our turn will certainly come.
Vulnerabilities in the z/OS core certainly appear from time to time,
but we generally learn of them only from the obscure nature of IBM's
fixes. I discovered one a couple of years ago, and demonstrated to
myself, but did not write code for a usable exploit. About the time I
was going to send it to IBM, the fix appeared. But the nature of z/OS
vulnerabilities and any putative market for their exploits is rather
different from those on most other platforms. The general public does
not have the sort of insider access to z/OS that the lowliest COBOL
programmer or operations clerk has, and that is required to even bump
into IBM's statement of system integrity. Guarding against insiders is
worthy and necessary, but it's hard to imagine much of a market for
exploits that they can use, fun as it may be to dream them up.
Exploits against web servers and other public z/OS interfaces are much
more generic and - despite the dreaded C string buffer overflows -
probably less likely to be successful because of the layering of
privileges within z/OS and its components. One can imagine a complex
Stuxnet-like exploit that targets z/OS, and is spread by USB keys or
system programmers' bad browsing habits, but then really the exploit
target is not z/OS but the intermediate systems and their users.
Tony H.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN