Exactly 

On Tuesday, May 28, 2019, 9:38 AM, Vernooij, Kees (ITOP NM) - KLM 
<kees.verno...@klm.com> wrote:

I would say that, at least for situations 1 to 8, you have gained unintended 
access to the mainframe via an access door that was (too) poorly protected. 
In these cases the mainframe was not the weak point, but the people (again) 
that set up the protection.

Kees.


> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Lennie Dymoke-Bradshaw
> Sent: 28 May, 2019 15:12
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls
> 
> In addition to defining what is "security" we need to define what we mean
> by "hacking". In my previous career at IBM I was asked this many times. At
> that time I preferred to talk of an "attack" on the mainframe, and then
> determine the susceptibility of the system to that attack.
> 
> However, I came up with some situations which could be examined to try and
> get people to define what they mean by "hacking" in this context. The
> questions I asked were the following. I suspect different folks will come
> up with different answers for some of these questions. You will soon see,
> as well, where the fault/blame/responsibility for security lies for each of
> these situations. Anyway, here are the questions I used.
> 
> 1. If I use a colleague's userid and password without his knowledge, is
> this hacking? Have I hacked the mainframe?
> 
> 2. If I trick a mainframe user into divulging his password, and then use
> this to access data, is this hacking? Have I hacked the mainframe?
> 
> 3. If I use access I have been given in a manner which it was not designed
> to be used for (e.g. access to a break-glass userid for recovery), and so
> gain access to private data, am I hacking? Have I hacked the mainframe?
> 
> 4. If I am a systems programmer and have legitimate UPDATE access to an
> APF authorised library, and use it to gain RACF SPECIAL, is this hacking?
> Have I hacked the mainframe?
> 
> 5. If I have a basic userid on a z/OS system, and then discover that I can
> make use of unprotected CSA storage created by a badly coded 3rd party
> product which uses it for inter-address space communications, and I use
> this to gain access to data I would not normally have access to, is this
> hacking? Have I hacked the mainframe?
> 
> 6. If I discover a bad z/OS configuration option has been used (e.g.
> IDCAMS in AUTHTSF), and I exploit it to gain access in key zero and then
> grant my userid RACF SPECIAL, am I hacking? Have I hacked the mainframe?
> 
> 7. If I gain access to a DB2 userid because its password is hard-coded on
> a distributed server, and then use it to gain access to DB2 on z/OS, am I
> hacking? Have I hacked the mainframe?
> 
> 8. If I discover a z/OS integrity exposure, which should be covered by the
> z/OS Statement of Integrity, and then make use of it, instead of reporting
> it to IBM to be resolved, am I hacking? Have I hacked the mainframe?
> 
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:              www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
> 
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf
> Of Vernooij, Kees (ITOP NM) - KLM
> Sent: 28 May 2019 08:13
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Fwd: Just how secure are mainframes? | Trevor
> Eddolls
> 
> Well, it seems 'security' needs to be defined here.
> Probably like in my answer to Bill: difficulty * result.
> 
> You are secure enough if you can prevent a hacker from stealing $100,= by
> delaying him for 1 hour.
> You are not if you can delay him for only one hour to steal a million.
> 
> Kees.
> 
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of R.S.
> > Sent: 28 May, 2019 9:00
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls
> >
> > On 2019-05-27 at 17:45, Chad Rikansrud wrote:
> > > At the risk of re-kicking the already dead horse: Bill, you're
> > > comparing apples and spiders.
> > >
> > > Are there fewer mainframe 'hacks'? Yep. There are also exponentially
> > > fewer mainframes than Windows / Android / Mac / IOS / Linux. Like - a
> > > few thousand mainframes compared to 2.5 BILLION users of
> > > Windows/Linux/Mac/Android & IOS combined. That is somewhere between
> > > 250,000 - 500,000x more installs of those OS's. And they are freely
> > > available for literally anyone to poke at.
> > >
> > > What you're arguing "Because Windows gets hacked daily, and
> > > mainframes are never in the news as having been hacked - means that
> > > mainframes are more secure .. more 'hack-proof'" is like saying that:
> > >
> > > -- Homes in Toronto are more hurricane-proof because fewer of them
> > > are destroyed than in Key West.
> > > OR
> > > -- Babies are better drivers than their parents, because their
> > > parents get in accidents every day.
> > > OR
> > > -- People in Greenland are less susceptible to cancer because fewer
> > > people die of it than do in the US.
> > >
> > > For years people thought Macs were less susceptible to viruses than
> > > their Windows counterparts... because? They never read about Mac hacks.
> > > The reality? There were way fewer Macs. Now? Still much less
> > > marketshare than Windows, but lots of Mac hacks/malware out there
> > > because they have more than doubled their market share in 6-8 years.
> >
> > You criticize demagoguery using demagoguery.
> > It's not that mainframes were not hacked just because nobody tried. Or
> > too few hackers tried.
> > And not every adult is an equally good driver.
> > A solid safe can be opened, but a carton box can be opened more easily.
> > Even if there are many more carton boxes than safes.
> >
> >
> > --
> > Radoslaw Skorupka
> > Lodz, Poland
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN