Sounds like a combination of improper RACF configuration and vulnerabilities in 
various Unix components, both standard (FTP) and IBM (WebSphere). What's really 
disturbing is the total lack of cooperation from LE for nearly two weeks.

This sounds like a case where pen testing might have saved their bacon.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Mike Schwab <mike.a.sch...@gmail.com>
Sent: Monday, June 3, 2019 4:24 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Just how secure are mainframes? | Trevor Eddolls

How was a mainframe breach detected?  A TSO ID trying to access a ton
of files they didn't have access to.

(link to Share PDF 'how hackers breached a government (and a bank)' by
Soldier of Fortran below.)

https://share.confex.com/share/124/webprogram/Handout/Session16982/How%20Hackers%20Breached%20a%20Government%20(and%20a%20Bank).pdf

On Mon, Jun 3, 2019 at 4:42 PM Seymour J Metz <sme...@gmu.edu> wrote:
>
> This whole thread has consistently confused several very different issues:
>
>  1. How secure is z/OS itself?
>
>  2. How secure is 3rd party software?
>
>  3. How secure is the typical shop running z/OS?
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> ________________________________________
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
> Clark Morris <cfmt...@uniserve.com>
> Sent: Sunday, June 2, 2019 9:57 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Just how secure are mainframes? | Trevor Eddolls
>
> [Default] On 2 Jun 2019 14:46:41 -0700, in bit.listserv.ibm-main
> 00000047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:
>
> >He’s trying to sell his company’s security services. Something I thought was 
> >not allowed on this list.
> >
> Whether or not he is selling something, and I don't read his posts that
> way, he is making some valid points. As a retired MVS (I was back in
> applications by the time z/OS was available) systems programmer, I am
> far more skeptical about the invulnerability of z/OS.  It is too easy
> to have decades-old stuff still in a system, in part because people
> don't know why it is there or are unaware of its existence.  How much
> effort is required for an installation to achieve even 95 percent of
> the invulnerability that is theoretically possible and keep that up?
> How many holes are left in the average shop because people don't
> understand the implications of all of both IBM and vendor defaults,
> where I will almost guarantee that there are at least some defaults that
> leave a system open to hacking?  I think that it is difficult to
> understand all of the implications of an action.  Many shops may be
> running exits or other systems modifications that have worked for
> decades and, because they work, no one has checked them to see if they
> have an unintended vulnerability.  I hope that none of my code that is
> on file 432 of the CBT Tape (Philips light mods) has any vulnerability,
> but the thing that scares me is that I might not be smart enough to
> find it even if I was looking for it.  Good security isn't cheap. z/OS
> may be the most secure starting base, but it requires real effort to
> actually implement it with both good security and good usability. How
> much vulnerability is there in the test systems?  How much are the
> systems programmer sandboxes exposed to the outside world?  What
> uncertainties exist in systems vendor code?  Are organizations willing
> or able to periodically test their systems' vulnerabilities?  "Can be
> secure" does not mean "is secure".
>
> Clark Morris
> >
> >Sent from Yahoo Mail for iPhone
> >
> >
> >On Sunday, June 2, 2019, 4:04 PM, Seymour J Metz <sme...@gmu.edu> wrote:
> >
> >>  * As part of an APF-authorized product there is an SVC or PC routine
> >>    that, when called, will turn on the JSCBAUTH bit
> >
> >Ouch!
> >
> >If it's APF authorized then why does it need to do that? And why would you 
> >allow such a vendor in the door?
> >
> >Did you have a tool that discovered that the vendor's SVC turned on 
> >JSCBAUTH, or did you have to read the code like the rest of us?
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



--
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?


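The detection signal Mike Schwab describes above (one TSO ID piling up access failures against a ton of files it was never authorised to) as a worked example. This is added code, not anything posted in the thread or shipped by IBM. It assumes a syslog extract in which each RACF ICH408I access-violation message has been flattened onto a single line and prefixed with an ISO-8601 timestamp by the collector; real ICH408I output spans several lines and blank-pads its fields. The user IDs, data set names, the unrelated IEF404I line and the thresholds are all constructed for the example.

```python
"""Burst-of-RACF-violations detector (added example, not code from the thread).

Assumed input: one flattened ICH408I record per line, timestamp first.  Real
ICH408I output is multi-line and blank-padded; user IDs, data set names and
thresholds here are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ICH408I_RE = re.compile(
    r"^(?P<ts>\S+)\s+ICH408I\s+USER\((?P<user>[^)]+)\)\s+GROUP\((?P<group>[^)]+)\)\s+"
    r"NAME\((?P<name>[^)]*)\)\s+(?P<resource>\S+)\s+CL\((?P<cls>[^)]+)\)\s+"
    r"INSUFFICIENT ACCESS AUTHORITY.*?"
    r"ACCESS INTENT\((?P<intent>[^)]+)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]+)\)"
)


def parse_line(line):
    """Return a dict for a flattened ICH408I violation line, None for anything else."""
    m = ICH408I_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip() for k, v in m.groupdict().items()}
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_scans(lines, window=timedelta(minutes=10), min_events=10, min_distinct=8):
    """Flag user IDs with many violations against many *different* resources in one window.

    Requiring distinct resources separates a user probing for what it can reach
    from a broken job retrying one data set it was never authorised to, which
    emits just as many ICH408I messages.  Thresholds are illustrative.
    """
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):            # sliding window over sorted events
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            distinct = {r["resource"] for r in span}
            if len(span) >= min_events and len(distinct) >= min_distinct:
                if best is None or len(span) > best["events"]:
                    best = {"user": user, "events": len(span), "distinct": len(distinct),
                            "first": span[0]["ts"].isoformat(),
                            "last": span[-1]["ts"].isoformat(),
                            "resources": sorted(distinct)}
        if best is not None:
            alerts.append(best)
    return alerts


def build_sample_log():
    """Constructed extract: one scanning TSO ID, one noisy but benign job,
    one routine single violation, and an unrelated line the parser must skip."""
    fmt = ("{ts} ICH408I USER({user}) GROUP({grp}) NAME({name}) {ds} CL(DATASET) "
           "INSUFFICIENT ACCESS AUTHORITY FROM {prof} (G) "
           "ACCESS INTENT(READ) ACCESS ALLOWED(NONE)")
    base = datetime(2019, 6, 3, 10, 15, 0)
    lines = []
    probed = ["SYS1.PARMLIB", "SYS1.PROCLIB", "SYS1.UADS", "SYS1.BRODCAST",
              "SYS1.LINKLIB", "SYS1.SVCLIB", "SYS1.NUCLEUS", "PROD.PAYROLL.MASTER",
              "PROD.HR.EMPLOYEE", "PROD.GL.LEDGER", "SYS1.RACF.DB", "SYS1.SMFDATA"]
    for i, ds in enumerate(probed):             # TSOX42 walks a list of sensitive data sets
        lines.append(fmt.format(ts=(base + timedelta(seconds=15 * i)).isoformat(),
                                user="TSOX42", grp="DEVGRP", name="J DOE", ds=ds,
                                prof=ds.split(".")[0] + ".**"))
    for i in range(15):                         # BATCH01 retries the same data set
        lines.append(fmt.format(ts=(base + timedelta(seconds=20 * i)).isoformat(),
                                user="BATCH01", grp="PROD", name="NIGHTLY BATCH",
                                ds="PROD.PAYROLL.MASTER", prof="PROD.PAYROLL.**"))
    lines.append(fmt.format(ts=(base + timedelta(minutes=30)).isoformat(),
                            user="OPER01", grp="OPS", name="OPERATOR",
                            ds="SYS1.PARMLIB", prof="SYS1.**"))
    lines.append("2019-06-03T10:20:00 IEF404I NIGHTLY - ENDED - TIME=10.20.00")
    return lines


if __name__ == "__main__":
    for alert in detect_scans(build_sample_log()):
        print(f"{alert['user']}: {alert['events']} violations against "
              f"{alert['distinct']} resources between {alert['first']} and {alert['last']}")
```

Only TSOX42 is reported: BATCH01 produces more ICH408I messages in absolute terms, but all against one data set, which is the retry pattern a shop sees every night and would tune out. In practice the same logic would run over SMF type 80 records rather than console messages, and the thresholds would be set from a baseline of the shop's normal violation rate.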
