I'm not sure where everyone saw the ADCDMST userid being used. When I viewed the video, I saw the userid used for the FTP login to be bt0, and that is set at around the 30-second mark into the video.
I agree with many who have participated in this discussion that RACF can be configured to reduce exposure to breaches. However, not all shops have their systems tied down as tightly as z/OS can be. To me this demonstrates the fact that they logged into the FTP server, submitted a job that started a service listening on a specific port, and then utilized this port in order to examine parts of the system. It is a very basic demonstration, and of course one that does not show any specific exploit, that is true. But that could just be the start. How many of us have, in the past, had some sort of SVC that, when called, would place the calling program into supervisor state? How many have properly secured access to critical system datasets? I recently read a presentation where the presenter was a z/OS security system auditor who would go into a shop and then, from a user with no special access, was able in as little as 10 minutes to change the access that userid had on the system to a level where he could do just about anything. For us to look at this simple demonstration and claim "well, that is a bogus video", just ask the companies who have been breached (remember the calls from IBM telling us to install certain fixes ASAP?).

We also tend to think about breaches as being from external sites. You can do everything you can to lock down that access, but what about your internal network? That's probably not secured as tightly as any externally facing system/site. As stats show that almost 80% of data breaches are from internal personnel (anybody remember Snowden?), the security of our z/OS systems requires us to tighten down the hatches, so to speak. Social engineering is one of the ways to find out about and get into a system (ever had a user just come out and tell you their password when you were working on a problem they had reported?).
z/OS does have more controls that help to limit what someone can do, but that only works IF the controls are in place and IF we, as system programmers, have not installed something that is a backdoor (or found that someone had previously done that) that can be used for nefarious purposes.

Peter

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
