Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-21 Thread Mark Jacobs

John Mattson wrote:
> Ray !!! Just getting back from SHARE.  There was a presentation on PCI at
> Share, and folks are just starting to really take it seriously.  I will
> send you a copy of the presentation if you like.  My shop is just starting
> in on this, and I would be glad to compare notes with you.
> [EMAIL PROTECTED]

We are very heavily into PCI here. We have been certified as PCI 
compliant and keep working hard to maintain that status.


We just required all TN3270 traffic to use SSL/TLS. All customer data is 
encrypted with 3DES when it is at rest, and we are just starting to 
implement the TS1120 tape drives to encrypt our full volume backup tapes 
and eventually all our application specific backups.


I would like to see the presentation to see if we can improve our 
procedures.


--
Pound pastrami, can kraut, six bagels -- bring home for Emma.

Isaac Edward Leibowitz (Saint Leibowitz)
A Canticle for Leibowitz

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-21 Thread John Mattson
Ray !!! Just getting back from SHARE.  There was a presentation on PCI at 
Share, and folks are just starting to really take it seriously.  I will 
send you a copy of the presentation if you like.  My shop is just starting 
in on this, and I would be glad to compare notes with you. 
[EMAIL PROTECTED] 
>--
>Date: Mon, 30 Jul 2007 10:43:07 -0500
>From: Ray Prevott <[EMAIL PROTECTED]>
>Subject: PCI Compliance - Encryption of all non-console administrative
>access.
>
>How is everybody dealing with this anyhow?  Testing procedures include a
>determination that TELNET and other remote log-in commands are not
>available for use internally.



Re: FW: [IBM-MAIN] Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-06 Thread Clark Morris
On 5 Aug 2007 03:34:04 -0700, in bit.listserv.ibm-main you wrote:

>Clark,
>
>I found this quote at
>http://findarticles.com/p/articles/mi_zdbln/is_200303/ai_ziff38166/pg_2.
>
>"ISM spokeswoman Anne Mowat confirmed that the hard drive was taken from a
>standard PC workstation and was a backup to information stored elsewhere."

Given the data described and the number of different companies, I
wonder what was going on at ISM.  It SEEMED like data that would not
be in the same application and that would not be run for multiple
companies.
>
>
>Ron
>
> 
>
>> -Original Message-
>> From: IBM Mainframe Discussion List
>> [mailto:[EMAIL PROTECTED] On Behalf Of Clark Morris
>> Sent: Saturday, August 04, 2007 3:49 PM
>> To: IBM-MAIN@BAMA.UA.EDU
>> Subject: Re: [IBM-MAIN] Theft of spindles was Re: PCI Compliance - 
>> Encryption of all non-console administrative access.
>> 
>> On 1 Aug 2007 23:33:41 -0700, in bit.listserv.ibm-main you wrote:
>> 
>> 
>> The drives were stolen in February of 2003 from ISM, an IBM subsidiary 
>> and the implication was that at least some of them were mainframe 
>> related.  This story 
>> http://www.cbc.ca/money/story/2003/02/03/ism_030203.html from the 
>> Canadian Broadcasting Corporation didn't have those implications but 
>> other stories at the time did.  For example, while the subsequent 
>> links don't work this gives more of the flavor 
>> http://www.priva-c.com/privacyhorizon/lessonslearned_ism.asp
>> .  I suspect that this was a swapped out drive.  Given that more than 
>> one company was involved, it looks like it was a drive in some kind of 
>> RAID configuration that had parts of logical drives on the physical 
>> drive.
>>
>



Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-06 Thread Jeffrey D. Smith
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of Thomas Kern
> Sent: Monday, August 06, 2007 10:12 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Theft of spindles was Re: PCI Compliance - Encryption of all
> non-console administrative access.
> 
> While the corporate/government espionage agent may not be as technically
> savvy as the local sysprog or CE, when they get the stolen media back to
> their headquarters, it would get turned over to real experts. Just because
> the incidents to-date have been fairly benign, doesn't mean that
> professional thieves have not stolen data, they just haven't been
> discovered
> yet. That is the sign of a good thief, that you haven't noticed the theft
> yet.
> 
> /Tom Kern

Reminds me of the famous quote from a CEO of a large corporation,
"We have never had an undetected security breach."

Jeffrey D. Smith
Principal Product Architect
Farsight Systems Corporation
700 KEN PRATT BLVD. #204-159
LONGMONT, CO 80501-6452
303-774-9381 direct
303-484-6170 FAX
http://www.farsight-systems.com/



Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-06 Thread Thomas Kern
While the corporate/government espionage agent may not be as technically
savvy as the local sysprog or CE, when they get the stolen media back to
their headquarters, it would get turned over to real experts. Just because
the incidents to-date have been fairly benign, doesn't mean that
professional thieves have not stolen data, they just haven't been discovered
yet. That is the sign of a good thief, that you haven't noticed the theft yet.

/Tom Kern
/301-903-2211

On Sat, 4 Aug 2007 19:50:52 -0300, Clark F Morris
<[EMAIL PROTECTED]> wrote:
>SPOOL can have a lot of sensitive information in readable format.
>Reading it is not for the technically ignorant.



Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-06 Thread Anne & Lynn Wheeler

Lynn Wheeler <[EMAIL PROTECTED]> writes:

> for some topic drift ... part of the issue is that the majority of
> such compromises have involved data-at-rest ... not data-in-transit
> ... and lots of implementations don't provide the access control that
> may be found in mainframe installations ... so encrypting the data at
> risk might be viewed as compensating process for inadequate access
> control. the other part of it is that studies have something like 70
> percent of such compromises have involved insiders (who already may
> have some level of access).


re:
http://www.garlic.com/~lynn/2007n.html#85 PCI Compliance - Encryption of all 
non-console administrative access.

... above post may have only made it to the newsgroup, not the mailing list

for some additional drift, a recent post in ongoing financial crypto blog 
thread on (effectively) decline in security and assurance over the past several 
decades
http://www.garlic.com/~lynn/aadsm27.htm#53 Doom and Gloom spreads, security revisionism 
suggests "H6.5: Be an adept!"



FW: [IBM-MAIN] Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-05 Thread Ron Hawkins
Clark,

I found this quote at
http://findarticles.com/p/articles/mi_zdbln/is_200303/ai_ziff38166/pg_2.

"ISM spokeswoman Anne Mowat confirmed that the hard drive was taken from a
standard PC workstation and was a backup to information stored elsewhere."


Ron

 

> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Clark Morris
> Sent: Saturday, August 04, 2007 3:49 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: [IBM-MAIN] Theft of spindles was Re: PCI Compliance - 
> Encryption of all non-console administrative access.
> 
> On 1 Aug 2007 23:33:41 -0700, in bit.listserv.ibm-main you wrote:
> 
> 
> The drives were stolen in February of 2003 from ISM, an IBM subsidiary 
> and the implication was that at least some of them were mainframe 
> related.  This story 
> http://www.cbc.ca/money/story/2003/02/03/ism_030203.html from the 
> Canadian Broadcasting Corporation didn't have those implications but 
> other stories at the time did.  For example, while the subsequent 
> links don't work this gives more of the flavor 
> http://www.priva-c.com/privacyhorizon/lessonslearned_ism.asp
> .  I suspect that this was a swapped out drive.  Given that more than 
> one company was involved, it looks like it was a drive in some kind of 
> RAID configuration that had parts of logical drives on the physical 
> drive.
>



Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-05 Thread Ron Hawkins
Clark,

It is especially not for the technically ignorant because the CKD EBCDIC
data has been encapsulated into an FBA block. You would have to strip out
the padding and CRC and read the text data as ASCII rather than EBCDIC.

And SPOOL is going to be splattered around in trackgroups, and in a 7D+P
array group they will only have one eighth of the actual volume(s). Not an
easy way to try and get some useful information.

There would certainly be some bits and pieces that would be in the clear,
but it would not be an easy task to figure out what they actually had got
their hands on.

Ron

> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:[EMAIL PROTECTED] On Behalf Of Clark F Morris
> Sent: Saturday, August 04, 2007 3:51 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: [IBM-MAIN] Theft of spindles was Re: PCI 
> Compliance - Encryption of all non-console administrative access.
> 
> On 2 Aug 2007 02:24:21 -0700, in bit.listserv.ibm-main you wrote:
> 
> 
> SPOOL can have a lot of sensitive information in readable format.
> Reading it is not for the technically ignorant.



Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-04 Thread Clark F Morris
On 2 Aug 2007 02:24:21 -0700, in bit.listserv.ibm-main you wrote:

>Ron Hawkins wrote:
>> Clark,
>> 
>> Could this really be a true story? The few boxes that attach to mainframes
>> would have triggered a SIM the moment someone unlatched and pulled the drive
>> - a highlighted, non-scrolling error message on the console.
>> 
>> And of course the box would have called home to report the failed drive, and
>> within an hour or two the CE/FE would have been asking where the missing
>> drive canister had gone.
>> 
>> Any computer room worth its salt would have a log of who had gone in and
>> out and the culprit would have been nabbed before you could say
>> Rumpelstiltskin.
>> 
>> A box of spares next to a MF perhaps... Sounds like an urban myth to me.
>> 
>> Ron
>> 
>> PS That would be a hell of a PC running SSA or FCP HBAs.
>
>No, we used to run HDS dual-SCSI-port drives, as the interface so common 
>in PCs. 
>
>But seriously: I think it is *much easier* to copy the information than 
>to steal physical drive modules. If one's datacenter is well protected, 
>strict RACF and other security rules are enforced, then usually the server 
>room is also well protected.
>
>Regarding Timothy's message about encryption - now I understand your 
>point. "Encryption everything" doesn't mean i.e. SYSRES and SPOOL. 
>Timothy, you mean all sensitive data, don't you?

SPOOL can have a lot of sensitive information in readable format.
Reading it is not for the technically ignorant.  
>
>Regards
>-- 
>Radoslaw Skorupka
>Lodz, Poland



Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-04 Thread Clark Morris
On 1 Aug 2007 23:33:41 -0700, in bit.listserv.ibm-main you wrote:

>Clark,
>
>Could this really be a true story? The few boxes that attach to mainframes
>would have triggered a SIM the moment someone unlatched and pulled the drive
>- a highlighted, non-scrolling error message on the console.

The drives were stolen in February of 2003 from ISM, an IBM subsidiary
and the implication was that at least some of them were mainframe
related.  This story
http://www.cbc.ca/money/story/2003/02/03/ism_030203.html from the
Canadian Broadcasting Corporation didn't have those implications but
other stories at the time did.  For example, while the subsequent
links don't work this gives more of the flavor
http://www.priva-c.com/privacyhorizon/lessonslearned_ism.asp .  I
suspect that this was a swapped out drive.  Given that more than one
company was involved, it looks like it was a drive in some kind of
RAID configuration that had parts of logical drives on the physical
drive.

>
>And of course the box would have called home to report the failed drive, and
>within an hour or two the CE/FE would have been asking where the missing
>drive canister had gone.
>
>Any computer room worth its salt would have a log of who had gone in and
>out and the culprit would have been nabbed before you could say
>Rumpelstiltskin.
>
>A box of spares next to a MF perhaps... Sounds like an urban myth to me.
>
>Ron
>
>PS That would be a hell of a PC running SSA or FCP HBAs.
>
>> 
>> A couple of years ago, disk drives were stolen from an IBM outsourcing
>> centre here in Canada.  I believe they were from a box attached to a
>> mainframe.  With the advent of the actual disk drives for a mainframe
>> being the same size as those for a PC, it becomes a lot easier.  There
>> was speculation that the drive(s?) was/were taken for use in a PC.
>


Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-02 Thread R.S.

Ron Hawkins wrote:

> Clark,
>
> Could this really be a true story? The few boxes that attach to mainframes
> would have triggered a SIM the moment someone unlatched and pulled the drive
> - a highlighted, non-scrolling error message on the console.
>
> And of course the box would have called home to report the failed drive, and
> within an hour or two the CE/FE would have been asking where the missing
> drive canister had gone.
>
> Any computer room worth its salt would have a log of who had gone in and
> out and the culprit would have been nabbed before you could say
> Rumpelstiltskin.
>
> A box of spares next to a MF perhaps... Sounds like an urban myth to me.
>
> Ron
>
> PS That would be a hell of a PC running SSA or FCP HBAs.


No, we used to run HDS dual-SCSI-port drives, as the interface so common 
in PCs. 


But seriously: I think it is *much easier* to copy the information than 
to steal physical drive modules. If one's datacenter is well protected, 
strict RACF and other security rules are enforced, then usually the server 
room is also well protected.


Regarding Timothy's message about encryption - now I understand your 
point. "Encryption everything" doesn't mean i.e. SYSRES and SPOOL. 

Timothy, you mean all sensitive data, don't you?

Regards
--
Radoslaw Skorupka
Lodz, Poland




Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-01 Thread Ron Hawkins
Clark,

Could this really be a true story? The few boxes that attach to mainframes
would have triggered a SIM the moment someone unlatched and pulled the drive
- a highlighted, non-scrolling error message on the console.

And of course the box would have called home to report the failed drive, and
within an hour or two the CE/FE would have been asking where the missing
drive canister had gone.

Any computer room worth its salt would have a log of who had gone in and
out and the culprit would have been nabbed before you could say
Rumpelstiltskin.

A box of spares next to a MF perhaps... Sounds like an urban myth to me.

Ron

PS That would be a hell of a PC running SSA or FCP HBAs.

> 
> A couple of years ago, disk drives were stolen from an IBM outsourcing
> centre here in Canada.  I believe they were from a box attached to a
> mainframe.  With the advent of the actual disk drives for a mainframe
> being the same size as those for a PC, it becomes a lot easier.  There
> was speculation that the drive(s?) was/were taken for use in a PC.



Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-01 Thread Clark Morris
On 31 Jul 2007 22:07:06 -0700, in bit.listserv.ibm-main Timothy Sipples wrote:

>
>> much snipped
>
>While I might agree with your logic -- the chance of a spindle theft is
>relatively remote though nonzero -- it really doesn't matter what you or I
>say here. There are certain minimum security requirements for processing
>Visa, MasterCard, and other credit cards. The PCI auditors dictate whether
>you meet those standards or not, and what you're supposed to do to remedy
>any shortcomings. This is certainly true in the United States and
>increasingly true in other countries. PCI became re-energized in the wake
>of the CardSystems debacle, and subsequent breaches haven't made them any
>less forgiving.

A couple of years ago, disk drives were stolen from an IBM outsourcing
centre here in Canada.  I believe they were from a box attached to a
mainframe.  With the advent of the actual disk drives for a mainframe
being the same size as those for a PC, it becomes a lot easier.  There
was speculation that the drive(s?) was/were taken for use in a PC.
>
>By the way, the same company was ordered to encrypt every network
>connection, including network connections within their data center. To my
>knowledge they're complying.
>
>- - - - -
>Timothy Sipples
>IBM Consulting Enterprise Software Architect
>Specializing in Software Architectures Related to System z
>Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
>E-Mail: [EMAIL PROTECTED]



Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-01 Thread Walt Farrell
On Tue, 31 Jul 2007 16:40:14 -0500, Hal Merritt <[EMAIL PROTECTED]> wrote:

>...snipped...
> But we need secure 'green screen' TN3270 TSO

The TN3270 server supports SSL or TLS, and so do a number of TN3270 clients.
SSL/TLS will provide your secure connection.

 Walt Farrell, CISSP
 IBM STSM, z/OS Security Design



Re: PCI Compliance - Encryption of all non-console administrative access.

2007-08-01 Thread Van Dalsen, Herbie
Tim Wrote:
>>I worked with a credit card processor that was told by its PCI
auditors
>>that it must encrypt any sensitive information on disk, including
credit
>>card numbers, expiration dates, etc. This is typical and reality.
Maybe
>>your country's situation is different, although that might not
persist.

That is exactly the industry I am currently in, that is until USBANK
takes our mainframe away and does the processing in the US. But as I
understand it, PCI compliance can be negotiated with the Auditors who
then need to build a good case for the company with Master Card / VISA /
AMEX. We were able to complete most of the requirements over a 3 year
period, but I am convinced that if we stayed online beyond our current
end date, we might have been forced to buy some EMC disks and move our
customer data behind the middleware. I do not think it is a Country /
Region that determines the rules, it is internationally determined by
Master Card / VISA / AMEX / PCI.

Regards

Herbie


Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread Timothy Sipples
Herbie Van Dalsen already replied with much of what I would say, but I do
have a couple comments.

R.S. writes:
>Excuse me, what company encrypts "anything on disk" ???

Some. Numbers are increasing. IBM doesn't add features like ENCRYPT (SQL
keyword) to DB2 or ship products like IBM Data Encryption for IMS and DB2
Databases in the face of zero demand. Presumably the same is true with
other vendors.

>IMHO "encrypt everything" is kind of euphemism (fiction if you want).
>It is simply impossible.

That's why I put it in quotes. We're agreed. However, as an encapsulation
of what the auditors require, it's a good, succinct summary.

>It is also too expensive and not needed, but this is another story.

The topic here is PCI compliance. Take up budget complaints with the PCI
auditors. Good luck. :-)

I worked with a credit card processor that was told by its PCI auditors
that it must encrypt any sensitive information on disk, including credit
card numbers, expiration dates, etc. This is typical and reality. Maybe
your country's situation is different, although that might not persist.

>BTW: I would say *almost* all data on medium or in the wire *outside*
>secured company premises should be encrypted. That means remote links
>(except DWDM in majority of cases), tapes, CDs, etc.
>Encryption of network links can be done at protocol level (SSH instead
>of telnet) or "at router level" (all the traffic is encrypted). Usually
>there is no reason to use an encrypted protocol when the whole link is
>already encrypted.
>Last but not least: each case requires thorough analysis.

While I might agree with your logic -- the chance of a spindle theft is
relatively remote though nonzero -- it really doesn't matter what you or I
say here. There are certain minimum security requirements for processing
Visa, MasterCard, and other credit cards. The PCI auditors dictate whether
you meet those standards or not, and what you're supposed to do to remedy
any shortcomings. This is certainly true in the United States and
increasingly true in other countries. PCI became re-energized in the wake
of the CardSystems debacle, and subsequent breaches haven't made them any
less forgiving.

By the way, the same company was ordered to encrypt every network
connection, including network connections within their data center. To my
knowledge they're complying.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Specializing in Software Architectures Related to System z
Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
E-Mail: [EMAIL PROTECTED]


Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread GAVIN Darren * OPS EAS
By default where I work, all TN3270 is encrypted with SSL (no matter if
administrator or not).  We use Passport PC to Host and Web to Host as
the emulators.

For secure FTP we use WS FTP Pro.

Not sure if this helps you, but that's how we secured terminal data
streams at our shop.

Darren

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Hal Merritt
Sent: Tuesday, July 31, 2007 2:40 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PCI Compliance - Encryption of all non-console
administrative access.

I guess that makes me half right, half wrong, a half wit, or some
combination thereof :-))

I'll admit that I tend to think in binary (albeit mostly zeros) and I
consider an administrator's ID to be somewhat sensitive traffic. Of
course, many (most?) might disagree. I don't think PCI is that granular.


I'll also freely admit that SSH seems to be an excellent solution for
interactive *nix sessions. But we need secure 'green screen' TN3270 TSO
and automated batch FTP.



Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread Hal Merritt
I guess that makes me half right, half wrong, a half wit, or some
combination thereof :-))

I'll admit that I tend to think in binary (albeit mostly zeros) and I
consider an administrator's ID to be somewhat sensitive traffic. Of
course, many (most?) might disagree. I don't think PCI is that granular.


I'll also freely admit that SSH seems to be an excellent solution for
interactive *nix sessions. But we need secure 'green screen' TN3270 TSO
and automated batch FTP.   

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of McKown, John
Sent: Tuesday, July 31, 2007 2:06 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PCI Compliance - Encryption of all non-console
administrative access.

> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
> Sent: Tuesday, July 31, 2007 1:57 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: PCI Compliance - Encryption of all non-console 
> administrative access.
> 
> 
> I am probably not understanding how SSH works. I was under the
> impression that you must first gain access via RACF and VTAM
> (TCP/IP) before you can get to somewhere you can invoke SSH. 
> 
> Traffic via SSH is encrypted.   

Depends. I can use ssh on my desktop to connect to a UNIX shell on my
z/OS system. This entire traffic is encrypted. This does depend on
TCPIP, of course, but TCPIP does not require RACF validation in order to
connect to an application (such as the SSH daemon). On my desktop, I
enter:

ssh zos.ip.address -l RACFID

I then get prompted to enter the password for RACFID. This traffic is
all encrypted.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology

 


Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread McKown, John
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
> Sent: Tuesday, July 31, 2007 1:57 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: PCI Compliance - Encryption of all non-console 
> administrative access.
> 
> 
> I am probably not understanding how SSH works. I was under the
> impression that you must first gain access via RACF and VTAM
> (TCP/IP) before you can get to somewhere you can invoke SSH. 
> 
> Traffic via SSH is encrypted.   

Depends. I can use ssh on my desktop to connect to a UNIX shell on my
z/OS system. This entire traffic is encrypted. This does depend on
TCPIP, of course, but TCPIP does not require RACF validation in order to
connect to an application (such as the SSH daemon). On my desktop, I
enter:

ssh zos.ip.address -l RACFID

I then get prompted to enter the password for RACFID. This traffic is
all encrypted.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology
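
As an added example for this thread (not code from IBM, the list, or any poster), the check behind Mark Jacobs's packet trace and Ray Prevott's PCI test ("TELNET and other remote log-in commands are not available") can be scripted: look at the first bytes of each session to the host and decide whether they are a TLS handshake, an SSH banner, cleartext Telnet/TN3270 option negotiation, or a cleartext FTP login, then flag every cleartext login path. The addresses, ports and payloads are constructed samples; `RACFID` is the placeholder John McKown uses above.

```python
"""Classify the first bytes of sessions to a z/OS host as an encrypted or a
cleartext login path, the check behind "encrypt all non-console administrative
access".  Added example for this thread, not IBM or list code; every payload
and address below is constructed, not captured."""
from __future__ import annotations

TELNET_IAC = 0xFF
# Telnet option-negotiation commands that form IAC <cmd> <option> triples (RFC 854)
TELNET_CMDS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
TELNET_OPTS = {0x00: "BINARY", 0x01: "ECHO", 0x03: "SGA", 0x18: "TERMINAL-TYPE",
               0x19: "EOR", 0x28: "TN3270E"}
# Options a 3270 data stream needs (RFC 1576 / RFC 2355); plain Telnet lacks them
TN3270_MARKERS = {0x00, 0x19, 0x28}


def telnet_negotiation(payload: bytes) -> list[tuple[int, int]]:
    """Parse the leading run of IAC <cmd> <option> triples.  An empty list means
    the bytes are not a cleartext Telnet negotiation."""
    triples = []
    i = 0
    while i + 2 < len(payload) and payload[i] == TELNET_IAC and payload[i + 1] in TELNET_CMDS:
        triples.append((payload[i + 1], payload[i + 2]))
        i += 3
    return triples


def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04, 2-byte
    length, then handshake type 0x01 (ClientHello).  Implicit TLS on the TN3270
    port 992 or FTPS port 990 starts this way before any application bytes flow.
    Legacy SSLv2-format ClientHellos are not recognised here."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)


def classify(payload: bytes) -> dict:
    """Label one session's first payload bytes by protocol and whether the
    credentials that follow will be encrypted."""
    if is_tls_client_hello(payload):
        return {"protocol": "TLS", "encrypted": True,
                "detail": "handshake precedes any application data"}
    if payload.startswith(b"SSH-"):
        banner = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"protocol": "SSH", "encrypted": True,
                "detail": f"{banner}; key exchange follows, password prompt is encrypted"}
    triples = telnet_negotiation(payload)
    if triples:
        proto = "TN3270" if {opt for _, opt in triples} & TN3270_MARKERS else "Telnet"
        desc = ", ".join(f"{TELNET_CMDS[c]} {TELNET_OPTS.get(o, hex(o))}" for c, o in triples)
        return {"protocol": proto, "encrypted": False, "detail": f"cleartext negotiation: {desc}"}
    if payload[:5].upper() in (b"USER ", b"PASS "):
        return {"protocol": "FTP", "encrypted": False,
                "detail": "user ID or password on the control connection in the clear"}
    return {"protocol": "unknown", "encrypted": False, "detail": "no recognised handshake"}


def audit(flows: list[tuple[str, int, bytes]]) -> list[dict]:
    """Run classify() over (source, destination port, first payload) records.
    A flow is compliant only when its login traffic is encrypted."""
    findings = []
    for src, dport, payload in flows:
        result = classify(payload)
        findings.append({"src": src, "dport": dport, **result,
                         "compliant": result["encrypted"]})
    return findings


# Constructed first-packet payloads (not captured traffic).
SAMPLE_FLOWS = [
    # TN3270 client on the cleartext Telnet port: WILL TERMINAL-TYPE, WILL EOR, WILL BINARY
    ("10.0.0.7", 23, b"\xff\xfb\x18\xff\xfb\x19\xff\xfb\x00"),
    # TN3270 over TLS on port 992: a TLS record carrying a ClientHello
    ("10.0.0.7", 992, b"\x16\x03\x01\x00\x95\x01\x00\x00\x91\x03\x03" + b"\x00" * 32),
    # SSH client banner (version string is made up); the password prompt comes after key exchange
    ("10.0.0.9", 22, b"SSH-2.0-ExampleClient_1.0\r\n"),
    # Batch FTP job sending a RACF user ID in the clear
    ("10.0.0.12", 21, b"USER RACFID\r\n"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        status = "OK  " if f["compliant"] else "FAIL"
        print(f"{status} {f['src']}:{f['dport']:<4} {f['protocol']:<7} {f['detail']}")
```

Feed it the first payload of each flow from a capture of the host's listening ports; the two FAIL rows are the TN3270-on-23 and batch-FTP paths the thread is about.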




Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread Hal Merritt
I am probably not understanding how SSH works. I was under the
impression that you must first gain access via RACF and VTAM
(TCP/IP) before you can get to somewhere you can invoke SSH.

Traffic via SSH is encrypted.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Mark Jacobs
Sent: Tuesday, July 31, 2007 1:35 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PCI Compliance - Encryption of all non-console
administrative access.

Hal Merritt wrote:
> I believe it is on z/os.

I just performed an ssh to my workstation from a z/OS system and the 
packet trace (wireshark) shows encrypted packets from my lpars IP 
address to my workstation.

I can't believe that IBM would port ssh to zOS and take the encryption
out.

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of David Andrews
> Sent: Tuesday, July 31, 2007 10:57 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: PCI Compliance - Encryption of all non-console
> administrative access.
>
> On Tue, 2007-07-31 at 09:56 -0500, Hal Merritt wrote:
>   
>> Note that SSH (secure shell) does not seem to qualify as ID's and
>> passwords flow in the open.
>> 
>
> Ohno!  This is never the case!
>
>   


-- 
Mark Jacobs
Technical Services
Time Customer Service - Tampa, FL



Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread Mark Jacobs

Hal Merritt wrote:
> I believe it is on z/os.

I just performed an ssh to my workstation from a z/OS system and the
packet trace (wireshark) shows encrypted packets from my LPAR's IP
address to my workstation.

I can't believe that IBM would port ssh to zOS and take the encryption out.

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of David Andrews
> Sent: Tuesday, July 31, 2007 10:57 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: PCI Compliance - Encryption of all non-console
> administrative access.
>
> On Tue, 2007-07-31 at 09:56 -0500, Hal Merritt wrote:
> > Note that SSH (secure shell) does not seem to qualify as ID's and
> > passwords flow in the open.
>
> Ohno!  This is never the case!




--
Mark Jacobs
Technical Services
Time Customer Service - Tampa, FL
--

"The secret of life is honesty and fair dealing. 
If you can fake that, you've got it made."


--  Julius (Groucho) Henry Marx



Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread Hal Merritt
I believe it is on z/os. 


-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of David Andrews
Sent: Tuesday, July 31, 2007 10:57 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PCI Compliance - Encryption of all non-console
administrative access.

On Tue, 2007-07-31 at 09:56 -0500, Hal Merritt wrote:
> Note that SSH (secure shell) does not seem to qualify as ID's and
> passwords flow in the open.

Ohno!  This is never the case!

-- 
David Andrews
A. Duda and Sons, Inc.
[EMAIL PROTECTED]
 



Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread Van Dalsen, Herbie
R.S. wrote...
>> Excuse me, what company encrypts "anything on disk" ???
>> IMHO "encrypt everything" is kind of euphemism (fiction if you want).
>> It is simply impossible.
I must tell you, it is not. We have 2 types of encryption criteria
coming from PCI...
1. Admin user-IDs, which we are encrypting using an emulator called
TTWIN that can successfully handle RACF-created certificates that are
specified in the TCP Profile for the secure port.
2. Data containing names, addresses, ... of our customers. We were hoping
that the ESS/800 had HW encryption built in, but ... we put the
mainframe behind a special firewall with absolutely no unencrypted
access, and then we bought middleware of some sort that
encrypts/decrypts the data on the Win/UNIX environment so that it ends up
encrypted on the disk. We had one or two instances where the middleware had
a few glitches, and I am sure no abbreviation is needed on the chaotic
results, but overall everyone is happy with the peace of mind it seems
to create...

Regards

Herbie



Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread R.S.

Timothy Sipples wrote:
> "Encrypt everything," basically. That's anything "sensitive" flowing over a
> network wire (even inside your data center), anything on tape, and
> (usually) anything on disk.

Excuse me, what company encrypts "anything on disk" ???
IMHO "encrypt everything" is a kind of euphemism (fiction if you want).
It is simply impossible.
It is also too expensive and not needed, but this is another story.

> Companies are dealing with compliance by turning encryption on (and beefing
> up authorization and authentication). This tends to be comparatively easy
> on the mainframe, and there's been a lot of discussion here about various
> aspects (e.g. tape encryption). It's not free, but it's not bad either, and
> the cost tends to be vastly dwarfed by the losses in the alternative. (See:
> CardSystems.)

Sounds like FUD. "Do you remember CardSystems ? Buy my new shining
encryption solution". For example tape encryption seems to be the same
on open systems (assuming usage of IBM TS1120 or STK T1).

BTW: I would say *almost* all data on media or on the wire *outside*
secured company premises should be encrypted. That means remote links
(except DWDM in the majority of cases), tapes, CDs, etc.
Encryption of network links can be done at protocol level (SSH instead
of telnet) or "at router level" (all the traffic is encrypted). Usually
there is no reason to use an encrypted protocol when the whole link is
already encrypted.

Last but not least: each case requires thorough analysis.


--
Radoslaw Skorupka
Lodz, Poland





Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread David Andrews
On Tue, 2007-07-31 at 09:56 -0500, Hal Merritt wrote:
> Note that SSH (secure shell) does not seem to qualify as ID's and
> passwords flow in the open.

Ohno!  This is never the case!

-- 
David Andrews
A. Duda and Sons, Inc.
[EMAIL PROTECTED]



Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread Mark Jacobs

Hal Merritt wrote:
> We use a layered approach to include TLS, physically isolated LAN's, and
> other measures.
>
> Note that SSH (secure shell) does not seem to qualify as ID's and
> passwords flow in the open. As far as I can tell, only certificate based
> protocols are acceptable for those under a PCI gun. Some PC types might
> state that only SSH is available on tinker toy boxes, but that is not
> completely true. It is true that many (most?) distributions do not come
> with TLS software installed and it has to be added.

AFAIK ssh userids and passwords do NOT flow in the clear. The first
thing ssh does after host key validation is create a unique one-time-use
encryption key, and then the userid/password is sent to the ssh server
encrypted with this key.




--
Mark Jacobs
Technical Services
Time Customer Service - Tampa, FL
--

"The secret of life is honesty and fair dealing. 
If you can fake that, you've got it made."


--  Julius (Groucho) Henry Marx

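The claim above about the one-time session key can be checked against what actually crosses the wire. What follows is an added example, not code from this thread or from IBM's ssh port: it parses the SSH_MSG_KEXINIT packet a server sends in the clear right after the version banner (RFC 4253 section 7.1) and flags legacy algorithm offers. The packet builder exists only to construct sample input (the all-zero cookie is a placeholder, a real one is random), and the list of "weak" algorithms is an illustrative policy of my own, not a PCI DSS list.

```python
"""Added example: parse an SSH_MSG_KEXINIT packet and flag weak algorithm offers.

In SSH-2 only the version banners and the key-exchange messages travel in
the clear; after SSH_MSG_NEWKEYS every packet, including the userauth
request that carries the password, is encrypted and MAC-protected under
the freshly negotiated session keys.
"""
import struct

SSH_MSG_KEXINIT = 20

# Name-list fields of KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = (
    "kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)

# Illustrative policy (an assumption for this example, not a PCI DSS list):
# substrings identifying algorithms a reviewer would not want offered.
WEAK = {
    "kex": ("diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"),
    "hostkey": ("ssh-dss",),
    "cipher": ("arcfour", "-cbc", "none"),
    "mac": ("hmac-md5", "hmac-sha1-96", "umac-64", "none"),
}


def build_kexinit_packet(fields, cookie=b"\x00" * 16):
    """Serialize a KEXINIT payload as an unencrypted SSH binary packet.

    Used here only to construct sample input; a real client reads this
    packet off the socket right after the version banners are exchanged.
    """
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        names = ",".join(fields.get(field, ())).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    # Padding: at least 4 bytes, and the whole packet a multiple of 8 bytes
    # (the block size that applies before any cipher is negotiated).
    pad = (8 - (len(payload) + 5) % 8) % 8
    if pad < 4:
        pad += 8
    packet_length = 1 + len(payload) + pad
    return struct.pack(">IB", packet_length, pad) + payload + b"\x00" * pad


def _name_list(buf, off):
    """Decode one SSH name-list (uint32 length + comma-separated ASCII)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if n else []), off + n


def parse_kexinit_packet(pkt):
    """Return the KEXINIT name-lists as a dict of lists."""
    packet_length, pad = struct.unpack_from(">IB", pkt, 0)
    payload = pkt[5:5 + packet_length - pad - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet")
    off = 1 + 16  # message type byte + 16-byte random cookie
    fields = {}
    for field in NAME_LIST_FIELDS:
        fields[field], off = _name_list(payload, off)
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def weak_offers(fields):
    """List (field, algorithm) pairs that match the WEAK policy."""
    checks = (("kex", "kex"), ("hostkey", "hostkey"),
              ("cipher_c2s", "cipher"), ("cipher_s2c", "cipher"),
              ("mac_c2s", "mac"), ("mac_s2c", "mac"))
    return [(field, name) for field, cat in checks
            for name in fields[field]
            if any(w in name for w in WEAK[cat])]


# Constructed sample: a server KEXINIT that still offers legacy algorithms.
SAMPLE_SERVER_KEXINIT = build_kexinit_packet({
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256",
            "diffie-hellman-group1-sha1"],
    "hostkey": ["rsa-sha2-256", "ssh-rsa", "ssh-dss"],
    "cipher_c2s": ["aes128-ctr", "3des-cbc", "arcfour"],
    "cipher_s2c": ["aes128-ctr", "3des-cbc", "arcfour"],
    "mac_c2s": ["hmac-sha2-256", "hmac-md5"],
    "mac_s2c": ["hmac-sha2-256", "hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    for field, name in weak_offers(parse_kexinit_packet(SAMPLE_SERVER_KEXINIT)):
        print(f"weak offer in {field}: {name}")
```

Everything up to SSH_MSG_NEWKEYS is plaintext, which is why a Wireshark trace of an ssh session shows these algorithm lists but never the userauth request; the password travels only inside packets protected by the negotiated cipher. For a PCI review the useful output is therefore which key exchanges, host key types, ciphers and MACs the daemon is willing to negotiate, since a session that settles on 3DES-CBC or arcfour still looks "encrypted" in a packet trace.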


Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread Hal Merritt
We use a layered approach to include TLS, physically isolated LAN's, and
other measures.

Note that SSH (secure shell) does not seem to qualify as ID's and
passwords flow in the open. As far as I can tell, only certificate based
protocols are acceptable for those under a PCI gun. Some PC types might
state that only SSH is available on tinker toy boxes, but that is not
completely true. It is true that many (most?) distributions do not come
with TLS software installed and it has to be added.

Your last sentence about internal availability is confusing.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ray Prevott
Sent: Monday, July 30, 2007 10:43 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: PCI Compliance - Encryption of all non-console administrative
access.

How is everybody dealing with this anyhow?  Testing procedures include a
determination that TELNET and other remote log-in commands are not
available for use internally.

 



Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread Schramm, Rob
If you want to contact me offline, I would be willing to discuss the
issue.

-Rob Schramm

rob dot schramm at 53 dot com

dot = .
at = @




Re: PCI Compliance - Encryption of all non-console administrative access.

2007-07-31 Thread Timothy Sipples
"Encrypt everything," basically. That's anything "sensitive" flowing over a
network wire (even inside your data center), anything on tape, and
(usually) anything on disk.

Companies are dealing with compliance by turning encryption on (and beefing
up authorization and authentication). This tends to be comparatively easy
on the mainframe, and there's been a lot of discussion here about various
aspects (e.g. tape encryption). It's not free, but it's not bad either, and
the cost tends to be vastly dwarfed by the losses in the alternative. (See:
CardSystems.)

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Specializing in Software Architectures Related to System z
Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
E-Mail: [EMAIL PROTECTED]


PCI Compliance - Encryption of all non-console administrative access.

2007-07-30 Thread Ray Prevott
How is everybody dealing with this anyhow?  Testing procedures include a
determination that TELNET and other remote log-in commands are not
available for use internally.

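The testing procedure in the question above (showing that TELNET and other remote log-in commands are not available) is something that can be verified from the network side rather than by reading configuration. The following is an added example, not code from this thread: it connects to a port, reads the server's opening bytes and classifies them as SSH, plain telnet, classic TN3270 or TN3270E negotiation, and, when the server stays silent, attempts a TLS handshake. Host names, ports and the sample banners are constructed for illustration; the telnet option numbers are the standard ones (BINARY 0, TERMINAL-TYPE 24, END-OF-RECORD 25, TN3270E 40).

```python
"""Added example: classify what a TCP listener speaks from its first bytes.

SSH and telnet servers talk first, so their opening bytes identify them;
a TLS listener (for example a TN3270 secure port) waits for a ClientHello,
so it is only recognised by attempting a handshake.
"""
import socket
import ssl

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
OPT_BINARY, OPT_TERMINAL_TYPE, OPT_EOR, OPT_TN3270E = 0, 24, 25, 40
CLEARTEXT_LOGIN = {"telnet", "tn3270", "tn3270e"}

# Constructed sample opening bytes (not captures from any real host).
SAMPLES = {
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "tn3270e": b"\xff\xfd\x28",                         # IAC DO TN3270E
    "tn3270": b"\xff\xfd\x18\xff\xfd\x19\xff\xfd\x00",  # DO TERMINAL-TYPE, EOR, BINARY
    "telnet": b"\xff\xfd\x18\xff\xfb\x01",              # DO TERMINAL-TYPE, WILL ECHO
    "silent": b"",
}


def telnet_options(data):
    """Return the option numbers a telnet server negotiates in its first bytes."""
    opts, i = set(), 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data) and data[i + 1] in NEGOTIATE:
            opts.add(data[i + 2])
            i += 3
        elif data[i] == IAC and i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)  # skip a subnegotiation
            i = len(data) if end < 0 else end + 2
        else:
            i += 1
    return opts


def classify_first_bytes(data):
    """Return (kind, detail) for the bytes a server sent without prompting."""
    if not data:
        return "silent", "server sent nothing; it may be waiting for a client hello"
    if data.startswith(b"SSH-"):
        banner = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
        return "ssh", banner
    if data[0] == IAC:
        opts = telnet_options(data)
        if OPT_TN3270E in opts:
            return "tn3270e", "TN3270E option negotiated"
        if {OPT_TERMINAL_TYPE, OPT_EOR, OPT_BINARY} <= opts:
            return "tn3270", "TERMINAL-TYPE + EOR + BINARY negotiated"
        return "telnet", "telnet options " + ",".join(map(str, sorted(opts)))
    return "unknown", data[:16].hex()


def probe(host, port, timeout=3.0):
    """Connect, read the server's opening bytes, fall back to a TLS handshake."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            first = s.recv(256)
        except socket.timeout:
            first = b""
    kind, detail = classify_first_bytes(first)
    if kind != "silent":
        return kind, detail
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # identification only, not a trust decision
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls", f"{tls.version()} {tls.cipher()[0]}"
    except (ssl.SSLError, OSError):
        return kind, detail


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        kind, detail = probe(sys.argv[1], int(sys.argv[2]))
        verdict = "FAIL cleartext login service" if kind in CLEARTEXT_LOGIN else "ok"
        print(f"{sys.argv[1]}:{sys.argv[2]} {kind} ({detail}) -> {verdict}")
    else:
        for label, data in SAMPLES.items():
            print(label, classify_first_bytes(data))
```

Run it as `python probe.py zos.ip.address 23` for each listener in scope; any result in CLEARTEXT_LOGIN is a port on which the RACF userid and password would cross the network unprotected. A TN3270 port wrapped in TLS, like the secure port with RACF-created certificates described earlier in the thread, comes back as "tls" because the server says nothing until it sees a ClientHello; the classifier does not judge the negotiated cipher, so a weak TLS cipher suite still needs a separate check.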