[email protected] (IronSphere by SecuriTeam Software) writes:

> Not the problem described, but from my experience, programs developed for a
> 3270 user interface are face-lifted using brokers, bridges and other
> middleware. The three-tier design, where some of the field
> verification was done by MFS and maps and is not handled any more, and
> the validation was planned for printable characters only. So, for
> example, a DOS attack against your transaction server (or access to
> data using SQL injection) can be easily conducted.
re: http://www.garlic.com/~lynn/2017c.html#60 [EXTERNAL] ComputerWorld Says: Cobol plays major role in U.S. government breaches

We were doing cluster scaleup for our IBM HA/CMP product
http://www.garlic.com/~lynn/subtopic.html#hacmp
and some old email
http://www.garlic.com/~lynn/lhwemail.html#medusa
for both technical/scientific (with national labs) and commercial (with RDBMS vendors) ... old post about Jan92 meeting in Ellison's conference room
http://www.garlic.com/~lynn/95.html#13

Within a few weeks of the Ellison meeting, the cluster scaleup is transferred, announced as IBM supercomputer (for technical and scientific only), and we are told we can't work on anything with more than four processors. Shortly later we leave IBM. Two of the people named in the Ellison meeting later leave Oracle and are at a small client/server startup responsible for something called "commerce server". We are brought in as consultants because they want to do payments on their server; the small client/server startup had also invented this technology called "SSL" they want to use. It's now frequently called "electronic commerce". Most of my work is on the webserver to payment networks gateway, over which I have absolute authority (including having to deal with the possibility of DOS attacks) ... but I can only make recommendations on the client/server side ... some of which are almost immediately violated ... accounting for some number of exploits that continue to this day.

One of the things we started to notice was that RDBMS-based webservers had significantly higher exploits than flat-file based webservers ... which was the result of various factors. In part, RDBMS implementations were a lot more complicated, and failures/exploits tend to be proportional to complexity. Common simple scenario: servers are taken off the network and security measures disabled as part of doing regular maintenance.
RDBMS maintenance tended to be more time-consuming and much more frequently overran the maintenance window .... and then in the rush to get the server back up ... re-enabling the security measures was frequently overlooked (even when the installation had security regression tests that were required before reconnecting to the internet, they would be skipped in the rush to get back online).

Other trivia: a large percentage of breaches tend to be transaction information from previous financial transactions, used in a form of replay attack for fraudulent financial transactions. The data breach notification people had done detailed public surveys and this was the #1 issue. This financial transaction information is used in dozens of business transactions at millions of locations around the world. I've periodically commented that even if the planet was buried in miles of encryption hiding this information, it still couldn't prevent leakage. I got con'ed into participating in the financial industry standard x9a10, which had been given the requirement to preserve the integrity of the financial industry for all retail payments. We did detailed end-to-end threat and vulnerability studies. What we eventually came up with was a standard that slightly tweaked the current transactions so that crooks couldn't use information from previous transactions for (replay attack) fraudulent financial transactions. It did nothing to prevent breaches, but it eliminated the ability of crooks to use the information for fraudulent financial transactions ... and therefore the motivation for many of the breaches (significantly reduced the attack surface). Unfortunately, it was an enormously disruptive change to electronic payment stakeholders.

Even more trivia: the major use of SSL in the world today is hiding financial transaction information while it flows over the internet; the x9a10 work eliminated the need to hide that information (while providing end-to-end integrity ... both in flight as well as at rest).
Note that the head of IBM at the end of last century leaves and becomes head of a private-equity company that will acquire the beltway bandit that will employ Snowden. There is a huge uptick in outsourcing to for-profit companies in the last decade, many under intensive pressure to cut corners to provide profit for their private-equity owners. An example was those doing outsourced security clearances found to be filling out paperwork but not bothering to do background checks ... 70% of the intelligence budget and over half the people
http://www.investingdaily.com/17693/spies-like-us
Another example is OPM
https://firstlook.org/theintercept/2015/06/24/opm-contractor-veritas/
https://fcw.com/articles/2015/06/24/house-oversight-opm.aspx

Also nothing to do with cobol (or financial) ... attackers danced through top-security networks through much of last decade, acquiring detailed specifications of major weapon systems (pointing the finger at cobol could just be obfuscation and misdirection).

Report: China gained U.S. weapons secrets using cyberespionage
http://www.cnn.com/2013/05/28/world/asia/china-cyberespionage/
Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies
https://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/a42c3e1c-c2dd-11e2-8c3b-0b5e9247e8ca_story.html

Also on the list is the most expensive weapons system ever built -- the F-35 Joint Strike Fighter, which is on track to cost about $1.4 trillion. The 2007 hack of that project was reported previously.

... snip ...
REPORT: Chinese Hackers Stole Plans For Dozens Of Critical US Weapons Systems
http://www.businessinsider.com/china-hacked-us-military-weapons-systems-2013-5

--
virtualization experience starting Jan1968, online at home since Mar1970
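The x9a10 point above (that a slightly tweaked transaction makes captured transaction data useless for a replay) can be shown in a small model. This is an added example, not code from the post or from the X9 standard: the account number is constructed, and a per-account HMAC secret stands in for the per-transaction digital signature the real scheme relies on, so it runs offline with the standard library only.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: the secret held by the cardholder's device and by the issuer.
# A stand-in for a per-account signing key (assumption for this demo, not X9.59 itself).
ACCOUNT_KEYS = {"4111-0000-0000-1111": b"constructed-device-secret"}

TX_FIELDS = ("account", "amount", "merchant", "nonce")


def legacy_authorize(tx: dict) -> bool:
    """Legacy model: any known account number authorizes. Data copied from an
    earlier transaction (or breached at rest) is all a fraudster needs."""
    return tx.get("account") in ACCOUNT_KEYS


def _canonical(tx: dict) -> bytes:
    # Bind every field that matters to the signature, in a fixed order.
    return json.dumps({k: tx.get(k) for k in TX_FIELDS}, sort_keys=True).encode()


def sign_tx(account: str, amount: str, merchant: str, nonce: str) -> dict:
    """Cardholder side: authenticate amount, merchant and a fresh nonce together."""
    body = {"account": account, "amount": amount, "merchant": merchant, "nonce": nonce}
    body["sig"] = hmac.new(ACCOUNT_KEYS[account], _canonical(body), hashlib.sha256).hexdigest()
    return body


class Issuer:
    """Authorizer: verify the signature, then refuse any nonce already consumed."""

    def __init__(self):
        self.seen = set()

    def authorize(self, tx: dict) -> bool:
        key = ACCOUNT_KEYS.get(tx.get("account"))
        if key is None:
            return False
        expected = hmac.new(key, _canonical(tx), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(tx.get("sig", ""))):
            return False  # altered amount/merchant, or no access to the signing key
        if (tx["account"], tx["nonce"]) in self.seen:
            return False  # same transaction presented again: replay
        self.seen.add((tx["account"], tx["nonce"]))
        return True


def demo() -> tuple:
    issuer = Issuer()
    tx = sign_tx("4111-0000-0000-1111", "19.99", "shop-A", secrets.token_hex(8))
    first = issuer.authorize(tx)                 # genuine transaction: accepted
    replay = issuer.authorize(tx)                # captured copy re-presented: rejected
    tampered = issuer.authorize(dict(tx, amount="999.00"))  # edited copy: rejected
    return first, replay, tampered, legacy_authorize(tx)   # legacy accepts the same data
```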
