idfli...@gmail.com (scott Ford) writes:
> As a vendor I have been receiving questions about DoS attacks on z/OS ..
> I understand the idea / concept of perimeter defense, I was a Network
> Engineer in a past life.
> But from an application point of view, if the application is using AT/TLS
> and there are Pagent protection policies for PORTS/IP addresses and the
> application is using encryption, where's the risk ???

We had worked with some number of Oracle people supporting cluster scaleup for our HA/CMP IBM product. We then left IBM, and two of the Oracle people from this Jan1992 Ellison meeting
http://www.garlic.com/~lynn/95.html#13
left Oracle and were at a small client/server startup responsible for "commerce server". We were brought in as consultants because they wanted to do payment transactions on their server; the startup had also invented this technology they called "SSL" that they wanted to use; the result is now frequently called "electronic commerce".

I had absolute authority over the server to payment network gateway but could only make recommendations about the browser to server, some of which were almost immediately violated, which continue to account for some number of vulnerabilities that persist to this day. Several of the attacks have to do with faking certificates and not recognizing the problem (enabling things like MITM attacks). I used to pontificate about how vulnerable spoofing certificates were (do trust certificates from other entities)
http://www.garlic.com/~lynn/subpubkey.html#sslcerts

Don't know how much control installations use for AT/TLS certificates.

One of the early "electronic commerce" vulnerabilities was the increasing number of commerce servers moving from flat files to RDBMS-based implementations. RDBMS maintenance was much more difficult and time-consuming. For maintenance, servers would be taken offline, some security relaxed, maintenance performed ... and then, because RDBMS maintenance more often overran the window, there was a mad rush to get back online and not all of the security was turned back on.

Then, apparently for having done "electronic commerce", we got pulled into X9 financial standards meetings to help write some number of financial standards. I did a financial standard and a secure chip. This was in the same era as chip&pin started ... which had lots of vulnerabilities and took on the order of 8 seconds with direct connect power. I did a chip w/o any of the vulnerabilities. Then the transit industry asked me if the chip could also do a transaction within the transit turnstile time limits (100 milliseconds) using only contactless (RF) power (w/o compromising any integrity).

There was a large pilot of chip&pin in the US around the turn of the century during its "Yes Card" period ... old Cartes 2002 trip report (gone 404 but lives on at the wayback machine) ... at the end of the report, it is almost as easy to counterfeit the chip as magstripe.
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

At the 2003 ATM Integrity Task Force meeting, a Federal LEO gave a "Yes Card" presentation, prompting somebody in the audience to exclaim that they managed to spend billions of dollars to prove that chips were as vulnerable as magstripe. In the wake of the "Yes Card" problems, all evidence of the large US pilot appeared to evaporate and it was speculated that it would be a long time before it was tried in the US again. Some more discussion in this recent (facebook) IBM Retirees post
https://www.facebook.com/groups/62822320855/permalink/10155349644130856/

trivia: the CEO of one of the cyber companies that participated in the booth at the annual, world-wide retail banking BAI show had previously been head of POK mainframe and then Boca PC:
http://www.garlic.com/~lynn/99.html#217
http://www.garlic.com/~lynn/99.html#224

Also did pilot code for both RADIUS and KERBEROS authentication ... some past posts
http://www.garlic.com/~lynn/subpubkey.html#radius
and
http://www.garlic.com/~lynn/subpubkey.html#kerberos

bunch of security patents
http://www.garlic.com/~lynn/x959.html#aads

--
virtualization experience starting Jan1968, online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN