Re: PCI Compliance - Encryption of all non-console administrative access.
John Mattson wrote:
> Ray !!! Just getting back from SHARE. There was a presentation on PCI at Share, and folks are just starting to really take it seriously. I will send you a copy of the presentation if you like. My shop is just starting in on this, and I would be glad to compare notes with you. [EMAIL PROTECTED]

We are very heavily into PCI here. We have been certified as PCI compliant and keep working hard to maintain that status. We just required all TN3270 traffic to use SSL/TLS. All customer data is encrypted with 3DES when it is at rest, and we are just starting to implement the TS1120 tape drives to encrypt our full volume backup tapes and eventually all our application-specific backups. I would like to see the presentation to see if we can improve our procedures.

--
Pound pastrami, can kraut, six bagels -- bring home for Emma.
Isaac Edward Leibowitz (Saint Leibowitz), A Canticle for Leibowitz

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: PCI Compliance - Encryption of all non-console administrative access.
Ray !!! Just getting back from SHARE. There was a presentation on PCI at Share, and folks are just starting to really take it seriously. I will send you a copy of the presentation if you like. My shop is just starting in on this, and I would be glad to compare notes with you. [EMAIL PROTECTED]

>--
>Date: Mon, 30 Jul 2007 10:43:07 -0500
>From: Ray Prevott <[EMAIL PROTECTED]>
>Subject: PCI Compliance - Encryption of all non-console administrative access.
>
>How is everybody dealing with this anyhow? Testing procedures include a
>determination that TELNET and other remote log-in commands are not
>available for use internally.
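The PCI test procedure Ray quotes asks the assessor to determine that Telnet and similar cleartext log-in commands are not available. The following is an added example, not code from this thread or from any of the posters, of how to check that on the TN3270 side: it reads a server's opening Telnet option negotiation and reports whether the port goes straight to TERMINAL-TYPE / TN3270E negotiation (cleartext) or first asks for START-TLS (Telnet option 46, the option the z/OS TN3270 server uses for negotiated TLS). The host names and ports in the scan list are placeholders, and the SAMPLE_* byte strings are constructed rather than captured.

```python
# Added example, not code from the IBM-MAIN thread. Reads a Telnet/TN3270
# server's opening option negotiation and reports whether it will talk in
# the clear or insists on TLS first. Option numbers are from the Telnet
# option registry: TERMINAL-TYPE 24, TN3270E 40, START-TLS 46 (the option
# the z/OS TN3270 server uses for negotiated TLS). The host/port list and
# the SAMPLE_* byte strings are constructed for illustration.

import socket
from typing import List, Tuple

IAC, DONT, DO, WONT, WILL, SB, SE = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF0
OPT_TERMINAL_TYPE, OPT_TN3270E, OPT_START_TLS = 24, 40, 46
_VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}


def parse_negotiation(data: bytes) -> List[Tuple[str, int]]:
    """Return the (verb, option) pairs in a raw negotiation stream.
    Subnegotiations (IAC SB ... IAC SE) are skipped, an escaped 0xFF
    (IAC IAC) is data, and anything that is not an IAC sequence is ignored."""
    pairs, i = [], 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            i += 1
            continue
        cmd = data[i + 1]
        if cmd in _VERBS and i + 2 < len(data):
            pairs.append((_VERBS[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2
    return pairs


def classify(data: bytes) -> str:
    """Classify what a server sent right after connect.
    'tls-offered' - it asked for START-TLS, so credentials would flow under TLS
    'cleartext'   - it went straight to terminal/TN3270E negotiation
    'unknown'     - nothing recognisable; an implicit-TLS port waits for a
                    ClientHello and sends nothing, so probe those with a TLS
                    client rather than this parser"""
    offered = {opt for verb, opt in parse_negotiation(data) if verb in ("DO", "WILL")}
    if OPT_START_TLS in offered:
        return "tls-offered"
    if offered & {OPT_TERMINAL_TYPE, OPT_TN3270E}:
        return "cleartext"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect and classify the live negotiation. If TLS is offered, refuse it
    (IAC WONT START-TLS) and see whether the server carries on with a cleartext
    session anyway: 'tls-optional' is a finding, 'tls-required' is not."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            first = s.recv(256)
        except socket.timeout:
            return "unknown"
        verdict = classify(first)
        if verdict != "tls-offered":
            return verdict
        s.sendall(bytes([IAC, WONT, OPT_START_TLS]))
        try:
            follow = s.recv(256)
        except socket.timeout:
            return "tls-required"
        return "tls-optional" if follow and classify(follow) == "cleartext" else "tls-required"


# Constructed samples (not captures from a real host).
SAMPLE_NEGOTIATED_TLS = bytes([IAC, DO, OPT_START_TLS])
SAMPLE_CLEARTEXT_TN3270 = bytes([IAC, DO, OPT_TN3270E, IAC, DO, OPT_TERMINAL_TYPE])
SAMPLE_CLEARTEXT_TELNET = bytes([IAC, DO, OPT_TERMINAL_TYPE, IAC, WILL, 1, IAC, WILL, 3])  # ECHO, SGA
SAMPLE_SILENT = b""

if __name__ == "__main__":
    # Placeholder targets; replace with the internal ports that are in PCI scope.
    for host, port in [("zos.example.internal", 23), ("zos.example.internal", 992)]:
        try:
            print(host, port, probe(host, port))
        except OSError as exc:
            print(host, port, "error:", exc)
```

Two caveats when using this against real hosts. "Offered" is not "required": a port configured to accept both secure and cleartext sessions will ask for START-TLS and then happily continue when the client declines, which is why probe() refuses the option and watches what happens next. And a port that does implicit TLS (the server expects a TLS handshake before any Telnet bytes) looks silent here; check those with a TLS client, and treat the SSH daemon on port 22, whose banner contains no IAC bytes, the same way.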
Re: FW: [IBM-MAIN] Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
On 5 Aug 2007 03:34:04 -0700, in bit.listserv.ibm-main you wrote:
>Clark,
>
>I found this quote at
>http://findarticles.com/p/articles/mi_zdbln/is_200303/ai_ziff38166/pg_2.
>
>"ISM spokeswoman Anne Mowat confirmed that the hard drive was taken from a
>standard PC workstation and was a backup to information stored elsewhere."

Given the data described and the number of different companies, I wonder what was going on at ISM. It SEEMED like data that would not be in the same application and that would not be run for multiple companies.

>Ron
>
>> -Original Message-
>> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Clark Morris
>> Sent: Saturday, August 04, 2007 3:49 PM
>> To: IBM-MAIN@BAMA.UA.EDU
>> Subject: Re: [IBM-MAIN] Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
>>
>> On 1 Aug 2007 23:33:41 -0700, in bit.listserv.ibm-main you wrote:
>>
>> The drives were stolen in February of 2003 from ISM, an IBM subsidiary and the implication was that at least some of them were mainframe related. This story http://www.cbc.ca/money/story/2003/02/03/ism_030203.html from the Canadian Broadcasting Corporation didn't have those implications but other stories at the time did. For example, while the subsequent links don't work this gives more of the flavor http://www.priva-c.com/privacyhorizon/lessonslearned_ism.asp . I suspect that this was a swapped out drive. Given that more than one company was involved, it looks like it was a drive in some kind of RAID configuration that had parts of logical drives on the physical drive.
Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Kern
> Sent: Monday, August 06, 2007 10:12 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
>
> While the corporate/government espionage agent may not be as technically savvy as the local sysprog or CE, when they get the stolen media back to their headquarters, it would get turned over to real experts. Just because the incidents to date have been fairly benign doesn't mean that professional thieves have not stolen data; they just haven't been discovered yet. That is the sign of a good thief, that you haven't noticed the theft yet.
>
> /Tom Kern

Reminds me of the famous quote from a CEO of a large corporation, "We have never had an undetected security breach."

Jeffrey D. Smith
Principal Product Architect
Farsight Systems Corporation
700 KEN PRATT BLVD. #204-159
LONGMONT, CO 80501-6452
303-774-9381 direct
303-484-6170 FAX
http://www.farsight-systems.com/
Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
While the corporate/government espionage agent may not be as technically savvy as the local sysprog or CE, when they get the stolen media back to their headquarters, it would get turned over to real experts. Just because the incidents to date have been fairly benign doesn't mean that professional thieves have not stolen data; they just haven't been discovered yet. That is the sign of a good thief, that you haven't noticed the theft yet.

/Tom Kern
/301-903-2211

On Sat, 4 Aug 2007 19:50:52 -0300, Clark F Morris <[EMAIL PROTECTED]> wrote:
>SPOOL can have a lot of sensitive information in readable format.
>Reading it is not for the technically ignorant.
Re: PCI Compliance - Encryption of all non-console administrative access.
Lynn Wheeler <[EMAIL PROTECTED]> writes:

for some topic drift ... part of the issue is that the majority of such compromises have involved data-at-rest ... not data-in-transit ... and lots of implementations don't provide the access control that may be found in mainframe installations ... so encrypting the data at risk might be viewed as a compensating process for inadequate access control. the other part of it is that studies have found something like 70 percent of such compromises have involved insiders (who already may have some level of access).

re:
http://www.garlic.com/~lynn/2007n.html#85 PCI Compliance - Encryption of all non-console administrative access.

... above post may have only made it to the newsgroup, not the mailing list

for some additional drift, a recent post in an ongoing financial crypto blog thread on (effectively) the decline in security and assurance over the past several decades:
http://www.garlic.com/~lynn/aadsm27.htm#53 Doom and Gloom spreads, security revisionism suggests "H6.5: Be an adept!"
FW: [IBM-MAIN] Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
Clark,

I found this quote at http://findarticles.com/p/articles/mi_zdbln/is_200303/ai_ziff38166/pg_2.

"ISM spokeswoman Anne Mowat confirmed that the hard drive was taken from a standard PC workstation and was a backup to information stored elsewhere."

Ron

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Clark Morris
> Sent: Saturday, August 04, 2007 3:49 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: [IBM-MAIN] Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
>
> On 1 Aug 2007 23:33:41 -0700, in bit.listserv.ibm-main you wrote:
>
> The drives were stolen in February of 2003 from ISM, an IBM subsidiary and the implication was that at least some of them were mainframe related. This story http://www.cbc.ca/money/story/2003/02/03/ism_030203.html from the Canadian Broadcasting Corporation didn't have those implications but other stories at the time did. For example, while the subsequent links don't work this gives more of the flavor http://www.priva-c.com/privacyhorizon/lessonslearned_ism.asp . I suspect that this was a swapped out drive. Given that more than one company was involved, it looks like it was a drive in some kind of RAID configuration that had parts of logical drives on the physical drive.
Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
Clark,

It is especially not for the technically ignorant because the CKD EBCDIC data has been encapsulated into an FBA block. You would have to strip out the padding and CRC and read the text data as ASCII rather than EBCDIC. And SPOOL is going to be splattered around in track groups, and in a 7D+P array group they will only have one eighth of the actual volume(s). Not an easy way to try and get some useful information. There would certainly be some bits and pieces that would be in the clear, but it would not be an easy task to figure out what they actually had got their hands on.

Ron

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Clark F Morris
> Sent: Saturday, August 04, 2007 3:51 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: [IBM-MAIN] Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
>
> On 2 Aug 2007 02:24:21 -0700, in bit.listserv.ibm-main you wrote:
>
> SPOOL can have a lot of sensitive information in readable format.
> Reading it is not for the technically ignorant.
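Ron's point that SPOOL remnants on a pulled spindle are EBCDIC text inside FBA-encapsulated blocks, striped across a 7D+P group, is easy to see with a small carving tool. The following is an added example, not code from the thread or from any poster: it decodes runs of printable EBCDIC (code page cp037) out of a constructed block, shows that an ASCII-oriented carve finds nothing in the same bytes, and models what one member of an eight-drive group would hold under a simple round-robin striping assumption. The records, the block layout and the striping model are all made up for illustration; real arrays use much larger stripes and rotate parity.

```python
# Added example, not code from the IBM-MAIN thread. Carves readable EBCDIC
# text out of a raw block dump such as a drive pulled from a mainframe-attached
# array would yield: the CKD payload is FBA-encapsulated, so count fields,
# padding and check bytes sit between runs of EBCDIC text, and a plain ASCII
# `strings` pass shows nothing useful. cp037 is Python's name for the
# US/Canada EBCDIC code page. The sample block and the round-robin striping
# model are constructed for illustration.

import re
from typing import List, Tuple

EBCDIC = "cp037"

# Bytes whose cp037 decoding is a printable ASCII character (space .. ~).
_PRINTABLE_EBCDIC = bytes(
    b for b in range(256) if 0x20 <= ord(bytes([b]).decode(EBCDIC)) < 0x7F
)


def carve_ebcdic(blob: bytes, min_len: int = 6) -> List[Tuple[int, str]]:
    """(offset, text) for every run of at least min_len printable EBCDIC bytes."""
    pattern = re.compile(b"[" + re.escape(_PRINTABLE_EBCDIC) + b"]{%d,}" % min_len)
    return [(m.start(), m.group().decode(EBCDIC)) for m in pattern.finditer(blob)]


def carve_ascii(blob: bytes, min_len: int = 6) -> List[Tuple[int, str]]:
    """The same carve assuming ASCII, i.e. what a plain `strings` run shows."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def spindle_chunks(blob: bytes, stripe: int, drive: int, n_drives: int) -> List[bytes]:
    """Assumed simple round-robin striping: the slices of blob that land on
    one member of an n_drives group (a 7D+P group has eight members)."""
    return [blob[i:i + stripe] for i in range(drive * stripe, len(blob), stripe * n_drives)]


# Constructed SPOOL-like lines; the card number is a well-known test PAN.
SAMPLE_RECORDS = [
    "//PAYJOB1  JOB (ACCT),'NIGHTLY RUN',CLASS=A",
    "IEF236I ALLOC. FOR PAYJOB1 STEP1",
    "ACCT 4111111111111111 EXP 12/09 SMITH J",
]


def build_sample_block() -> bytes:
    """Wrap each record the way an FBA-encapsulated track might: an 8-byte
    binary count field, the EBCDIC data, 7 bytes of padding and 2 filler
    check bytes. Every non-text byte here is a control character in cp037."""
    blob = bytearray()
    for n, rec in enumerate(SAMPLE_RECORDS, 1):
        blob += bytes([0, 0, 0, 0x17, 0, 0, n, 0x3F])   # fake count field
        blob += rec.encode(EBCDIC)                       # the data as written by z/OS
        blob += b"\x00" * 7                              # padding
        blob += b"\x1c\x1d"                              # filler check bytes
    return bytes(blob)


if __name__ == "__main__":
    blob = build_sample_block()
    print("ASCII view :", carve_ascii(blob))
    print("EBCDIC view:", carve_ebcdic(blob))
    for k, chunk in enumerate(spindle_chunks(blob, 16, 0, 8)):
        print("spindle 0, stripe", k, carve_ebcdic(chunk))
```

Run stand-alone, the ASCII view is empty and the EBCDIC view returns the three constructed lines; the single-spindle view returns fragments such as a partial card number, which are Ron's "bits and pieces in the clear". The caveat for the defender is that the encapsulation is an encoding, not encryption: a few dozen lines of code get past it, so, as the thread goes on to say, what protects a stolen spindle is encryption of the data at rest.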
Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
On 2 Aug 2007 02:24:21 -0700, in bit.listserv.ibm-main you wrote:
>Ron Hawkins wrote:
>> Clark,
>>
>> Could this really be a true story? The few boxes that attach to mainframes would have triggered a SIM the moment someone unlatched and pulled the drive - a highlighted, non-scrolling error message on the console.
>>
>> And of course the box would have called home to report the failed drive, and within an hour or two the CE/FE would have been asking where the missing drive canister had gone.
>>
>> Any computer room worth its salt would have a log of who had gone in and out and the culprit would have been nabbed before you could say rumplestiltskin.
>>
>> A box of spares next to a MF perhaps... Sounds like an urban myth to me.
>>
>> Ron
>>
>> PS That would be a hell of a PC running SSA or FCP HBAs.
>
>No, we used to run HDS dual-SCSI-port drives, as the interface so common in PCs.
>
>But seriously: I think it is *much easier* to copy the information than to steal physical drive modules. If one's datacenter is well protected, strict RACF and other security rules are enforced, then usually the server room is also well protected.
>
>Regarding Timothy's message about encryption - now I understand your point. "Encrypt everything" doesn't mean i.e. SYSRES and SPOOL. Timothy, you mean all sensitive data, don't you?

SPOOL can have a lot of sensitive information in readable format. Reading it is not for the technically ignorant.

>
>Regards
>--
>Radoslaw Skorupka
>Lodz, Poland
Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
On 1 Aug 2007 23:33:41 -0700, in bit.listserv.ibm-main you wrote:
>Clark,
>
>Could this really be a true story? The few boxes that attach to mainframes would have triggered a SIM the moment someone unlatched and pulled the drive - a highlighted, non-scrolling error message on the console.

The drives were stolen in February of 2003 from ISM, an IBM subsidiary and the implication was that at least some of them were mainframe related. This story http://www.cbc.ca/money/story/2003/02/03/ism_030203.html from the Canadian Broadcasting Corporation didn't have those implications but other stories at the time did. For example, while the subsequent links don't work this gives more of the flavor http://www.priva-c.com/privacyhorizon/lessonslearned_ism.asp . I suspect that this was a swapped out drive. Given that more than one company was involved, it looks like it was a drive in some kind of RAID configuration that had parts of logical drives on the physical drive.

>
>And of course the box would have called home to report the failed drive, and within an hour or two the CE/FE would have been asking where the missing drive canister had gone.
>
>Any computer room worth its salt would have a log of who had gone in and out and the culprit would have been nabbed before you could say rumplestiltskin.
>
>A box of spares next to a MF perhaps... Sounds like an urban myth to me.
>
>Ron
>
>PS That would be a hell of a PC running SSA or FCP HBAs.
>
>> A couple of years ago, disk drives were stolen from an IBM outsourcing centre here in Canada. I believe they were from a box attached to a mainframe. With the advent of the actual disk drives for a mainframe being the same size as those for a PC, it becomes a lot easier. There was speculation that the drive(s?) was/were taken for use in a PC.
Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
Ron Hawkins wrote:
> Clark,
>
> Could this really be a true story? The few boxes that attach to mainframes would have triggered a SIM the moment someone unlatched and pulled the drive - a highlighted, non-scrolling error message on the console.
>
> And of course the box would have called home to report the failed drive, and within an hour or two the CE/FE would have been asking where the missing drive canister had gone.
>
> Any computer room worth its salt would have a log of who had gone in and out and the culprit would have been nabbed before you could say rumplestiltskin.
>
> A box of spares next to a MF perhaps... Sounds like an urban myth to me.
>
> Ron
>
> PS That would be a hell of a PC running SSA or FCP HBAs.

No, we used to run HDS dual-SCSI-port drives, as the interface so common in PCs.

But seriously: I think it is *much easier* to copy the information than to steal physical drive modules. If one's datacenter is well protected, strict RACF and other security rules are enforced, then usually the server room is also well protected.

Regarding Timothy's message about encryption - now I understand your point. "Encrypt everything" doesn't mean i.e. SYSRES and SPOOL. Timothy, you mean all sensitive data, don't you?

Regards
--
Radoslaw Skorupka
Lodz, Poland

--
BRE Bank SA, ul. Senatorska 18, 00-950 Warszawa, www.brebank.pl
District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, entrepreneurs' register no. KRS 025237, NIP: 526-021-50-88. As of 01.01.2007 the share capital of BRE Bank SA (fully paid up) is PLN 118,064,140. In connection with the conditional increase of share capital under the resolutions of the XVI General Meeting of 21.05.2003, the share capital of BRE Bank SA may be increased to PLN 118,760,528. Shares in the increased share capital will be fully paid up.
Re: Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
Clark,

Could this really be a true story? The few boxes that attach to mainframes would have triggered a SIM the moment someone unlatched and pulled the drive - a highlighted, non-scrolling error message on the console.

And of course the box would have called home to report the failed drive, and within an hour or two the CE/FE would have been asking where the missing drive canister had gone.

Any computer room worth its salt would have a log of who had gone in and out and the culprit would have been nabbed before you could say rumplestiltskin.

A box of spares next to a MF perhaps... Sounds like an urban myth to me.

Ron

PS That would be a hell of a PC running SSA or FCP HBAs.

> A couple of years ago, disk drives were stolen from an IBM outsourcing centre here in Canada. I believe they were from a box attached to a mainframe. With the advent of the actual disk drives for a mainframe being the same size as those for a PC, it becomes a lot easier. There was speculation that the drive(s?) was/were taken for use in a PC.
Theft of spindles was Re: PCI Compliance - Encryption of all non-console administrative access.
On 31 Jul 2007 22:07:06 -0700, in bit.listserv.ibm-main Timothy Sipples wrote:
>
>> much snipped
>
>While I might agree with your logic -- the chance of a spindle theft is relatively remote though nonzero -- it really doesn't matter what you or I say here. There are certain minimum security requirements for processing Visa, MasterCard, and other credit cards. The PCI auditors dictate whether you meet those standards or not, and what you're supposed to do to remedy any shortcomings. This is certainly true in the United States and increasingly true in other countries. PCI became re-energized in the wake of the CardSystems debacle, and subsequent breaches haven't made them any less forgiving.

A couple of years ago, disk drives were stolen from an IBM outsourcing centre here in Canada. I believe they were from a box attached to a mainframe. With the advent of the actual disk drives for a mainframe being the same size as those for a PC, it becomes a lot easier. There was speculation that the drive(s?) was/were taken for use in a PC.

>
>By the way, the same company was ordered to encrypt every network connection, including network connections within their data center. To my knowledge they're complying.
>
>- - - - -
>Timothy Sipples
>IBM Consulting Enterprise Software Architect
>Specializing in Software Architectures Related to System z
>Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
>E-Mail: [EMAIL PROTECTED]
Re: PCI Compliance - Encryption of all non-console administrative access.
On Tue, 31 Jul 2007 16:40:14 -0500, Hal Merritt <[EMAIL PROTECTED]> wrote:
>...snipped...
> But we need secure 'green screen' TN3270 TSO

The TN3270 server supports SSL or TLS, and so do a number of TN3270 clients. SSL/TLS will provide your secure connection.

Walt Farrell, CISSP
IBM STSM, z/OS Security Design
Re: PCI Compliance - Encryption of all non-console administrative access.
Tim wrote:
>>I worked with a credit card processor that was told by its PCI auditors that it must encrypt any sensitive information on disk, including credit card numbers, expiration dates, etc. This is typical and reality. Maybe your country's situation is different, although that might not persist.

That is exactly the industry I am currently in, that is until USBANK takes our mainframe away and does the processing in the US. But as I understand it, PCI compliance can be negotiated with the auditors, who then need to build a good case for the company with MasterCard / VISA / AMEX. We were able to complete most of the requirements over a 3 year period, but I am convinced that if we stayed online beyond our current end date, we might have been forced to buy some EMC disks and move our customer data behind the middleware.

I do not think it is a country / region that determines the rules; it is internationally determined by MasterCard / VISA / AMEX / PCI.

Regards
Herbie

*
This email and any attachments are confidential and intended for the sole use of the intended recipient(s). If you receive this email in error please notify [EMAIL PROTECTED] and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses.
*
Re: PCI Compliance - Encryption of all non-console administrative access.
Herbie Van Dalsen already replied with much of what I would say, but I do have a couple of comments.

R.S. writes:
>Excuse me, what company encrypts "anything on disk" ???

Some. Numbers are increasing. IBM doesn't add features like ENCRYPT (SQL keyword) to DB2 or ship products like IBM Data Encryption for IMS and DB2 Databases in the face of zero demand. Presumably the same is true with other vendors.

>IMHO "encrypt everything" is a kind of euphemism (fiction if you want).
>It is simply impossible.

That's why I put it in quotes. We're agreed. However, as an encapsulation of what the auditors require, it's a good, succinct summary.

>It is also too expensive and not needed, but this is another story.

The topic here is PCI compliance. Take up budget complaints with the PCI auditors. Good luck. :-)

I worked with a credit card processor that was told by its PCI auditors that it must encrypt any sensitive information on disk, including credit card numbers, expiration dates, etc. This is typical and reality. Maybe your country's situation is different, although that might not persist.

>BTW: I would say *almost* all data on a medium or on the wire *outside* secured company premises should be encrypted. That means remote links (except DWDM in the majority of cases), tapes, CDs, etc.
>Encryption of network links can be done at protocol level (SSH instead of telnet) or "at router level" (all the traffic is encrypted). Usually there is no reason to use an encrypted protocol when the whole link is already encrypted.
>Last but not least: each case requires thorough analysis.

While I might agree with your logic -- the chance of a spindle theft is relatively remote though nonzero -- it really doesn't matter what you or I say here. There are certain minimum security requirements for processing Visa, MasterCard, and other credit cards. The PCI auditors dictate whether you meet those standards or not, and what you're supposed to do to remedy any shortcomings. This is certainly true in the United States and increasingly true in other countries. PCI became re-energized in the wake of the CardSystems debacle, and subsequent breaches haven't made them any less forgiving.

By the way, the same company was ordered to encrypt every network connection, including network connections within their data center. To my knowledge they're complying.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Specializing in Software Architectures Related to System z
Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
E-Mail: [EMAIL PROTECTED]
Re: PCI Compliance - Encryption of all non-console administrative access.
By default where I work, all TN3270 is encrypted with SSL (no matter if administrator or not). We use Passport PC to Host and Web to Host as the emulators. For secure FTP we use WS FTP Pro. Not sure if this helps you, but that's how we secured terminal data streams at our shop.

Darren

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
Sent: Tuesday, July 31, 2007 2:40 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PCI Compliance - Encryption of all non-console administrative access.

I guess that makes me half right, half wrong, a half wit, or some combination thereof :-))

I'll admit that I tend to think in binary (albeit mostly zeros) and I consider an administrator's ID to be somewhat sensitive traffic. Of course, many (most?) might disagree. I don't think PCI is that granular.

I'll also freely admit that SSH seems to be an excellent solution for interactive *nix sessions. But we need secure 'green screen' TN3270 TSO and automated batch FTP.
Re: PCI Compliance - Encryption of all non-console administrative access.
I guess that makes me half right, half wrong, a half wit, or some combination thereof :-))

I'll admit that I tend to think in binary (albeit mostly zeros) and I consider an administrator's ID to be somewhat sensitive traffic. Of course, many (most?) might disagree. I don't think PCI is that granular.

I'll also freely admit that SSH seems to be an excellent solution for interactive *nix sessions. But we need secure 'green screen' TN3270 TSO and automated batch FTP.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of McKown, John
Sent: Tuesday, July 31, 2007 2:06 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PCI Compliance - Encryption of all non-console administrative access.

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
> Sent: Tuesday, July 31, 2007 1:57 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: PCI Compliance - Encryption of all non-console administrative access.
>
> I am probably not understanding how SSH works. I was under the impression that you must first gain access via RACF and VTAM (TCP/IP) before you can get to somewhere you can invoke SSH.
>
> Traffic via SSH is encrypted.

Depends. I can use ssh on my desktop to connect to a UNIX shell on my z/OS system. This entire traffic is encrypted. This does depend on TCPIP, of course, but TCPIP does not require RACF validation in order to connect to an application (such as the SSH daemon). On my desktop, I enter:

ssh zos.ip.address -l RACFID

I then get prompted to enter the password for RACFID. This traffic is all encrypted.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology

NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies.
Re: PCI Compliance - Encryption of all non-console administrative access.
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
> Sent: Tuesday, July 31, 2007 1:57 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: PCI Compliance - Encryption of all non-console administrative access.
>
> I am probably not understanding how SSH works. I was under the impression that you must first gain access via RACF and VTAM (TCP/IP) before you can get to somewhere you can invoke SSH.
>
> Traffic via SSH is encrypted.

Depends. I can use ssh on my desktop to connect to a UNIX shell on my z/OS system. This entire traffic is encrypted. This does depend on TCPIP, of course, but TCPIP does not require RACF validation in order to connect to an application (such as the SSH daemon). On my desktop, I enter:

ssh zos.ip.address -l RACFID

I then get prompted to enter the password for RACFID. This traffic is all encrypted.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology

The information contained in this e-mail message may be privileged and/or confidential. It is for intended addressee(s) only. If you are not the intended recipient, you are hereby notified that any disclosure, reproduction, distribution or other use of this communication is strictly prohibited and could, in certain circumstances, be a criminal offense. If you have received this e-mail in error, please notify the sender by reply and delete this message without copying or disclosing it.
Re: PCI Compliance - Encryption of all non-console administrative access.
I am probably not understanding how SSH works. I was under the impression that you must first gain access via RACF and VTAM (TCP/IP) before you can get to somewhere you can invoke SSH.

Traffic via SSH is encrypted.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Mark Jacobs
Sent: Tuesday, July 31, 2007 1:35 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PCI Compliance - Encryption of all non-console administrative access.

Hal Merritt wrote:
> I believe it is on z/os.
>

I just performed an ssh to my workstation from a z/OS system and the packet trace (wireshark) shows encrypted packets from my lpar's IP address to my workstation. I can't believe that IBM would port ssh to zOS and take the encryption out.

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of David Andrews
> Sent: Tuesday, July 31, 2007 10:57 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: PCI Compliance - Encryption of all non-console administrative access.
>
> On Tue, 2007-07-31 at 09:56 -0500, Hal Merritt wrote:
>
>> Note that SSH (secure shell) does not seem to qualify as ID's and
>> passwords flow in the open.
>>
>
> Oh no! This is never the case!
>

--
Mark Jacobs
Technical Services
Time Customer Service - Tampa, FL
Re: PCI Compliance - Encryption of all non-console administrative access.
Hal Merritt wrote:
> I believe it is on z/OS.
>
> I just performed an ssh to my workstation from a z/OS system and the packet trace (Wireshark) shows encrypted packets from my LPAR's IP address to my workstation. I can't believe that IBM would port ssh to z/OS and take the encryption out.
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On Behalf Of David Andrews
> Sent: Tuesday, July 31, 2007 10:57 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: PCI Compliance - Encryption of all non-console administrative access.
>
> On Tue, 2007-07-31 at 09:56 -0500, Hal Merritt wrote:
>> Note that SSH (secure shell) does not seem to qualify as IDs and passwords flow in the open.
>
> Oh no! This is never the case!

--
Mark Jacobs
Technical Services
Time Customer Service - Tampa, FL

--
"The secret of life is honesty and fair dealing. If you can fake that, you've got it made."
-- Julius (Groucho) Henry Marx
Re: PCI Compliance - Encryption of all non-console administrative access.
I believe it is on z/OS.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On Behalf Of David Andrews
Sent: Tuesday, July 31, 2007 10:57 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PCI Compliance - Encryption of all non-console administrative access.

> On Tue, 2007-07-31 at 09:56 -0500, Hal Merritt wrote:
>> Note that SSH (secure shell) does not seem to qualify as IDs and passwords flow in the open.
>
> Oh no! This is never the case!
>
> --
> David Andrews
> A. Duda and Sons, Inc.
> [EMAIL PROTECTED]
Re: PCI Compliance - Encryption of all non-console administrative access.
R.S. wrote:
> Excuse me, what company encrypts "anything on disk"???
> IMHO "encrypt everything" is kind of a euphemism (fiction if you want).
> It is simply impossible.

I must tell you, it is not. We have 2 types of encryption criteria coming from PCI:

1. Admin user IDs, which we are encrypting using an emulator called TTWIN that can successfully handle RACF-created certificates that are specified in the TCP profile for the secure port.

2. Data containing names, addresses, ... of our customers. Was hoping that the ESS/800 had HW encryption built in, but ... we put the mainframe behind a special firewall with absolutely no unencrypted access, and then we bought middleware of some sort that encrypts/decrypts the data on Win/UNIX environments so that it ends up encrypted on the disk. Had 1 or two instances where the middleware had a few glitches, and I am sure no abbreviation is needed on the chaotic results, but overall everyone is happy with the peace of mind it seems to create...

Regards
Herbie

* This email and any attachments are confidential and intended for the sole use of the intended recipient(s). If you receive this email in error please notify [EMAIL PROTECTED] and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses. *
Re: PCI Compliance - Encryption of all non-console administrative access.
Timothy Sipples wrote:
> "Encrypt everything," basically. That's anything "sensitive" flowing over a network wire (even inside your data center), anything on tape, and (usually) anything on disk.

Excuse me, what company encrypts "anything on disk"??? IMHO "encrypt everything" is kind of a euphemism (fiction if you want). It is simply impossible. It is also too expensive and not needed, but this is another story.

> Companies are dealing with compliance by turning encryption on (and beefing up authorization and authentication). This tends to be comparatively easy on the mainframe, and there's been a lot of discussion here about various aspects (e.g. tape encryption). It's not free, but it's not bad either, and the cost tends to be vastly dwarfed by the losses in the alternative. (See: CardSystems.)

Sounds like FUD. "Do you remember CardSystems? Buy my new shining encryption solution." For example tape encryption seems to be the same on open systems (assuming usage of IBM TS1120 or STK T1).

BTW: I would say *almost* all data on media or on the wire *outside* secured company premises should be encrypted. That means remote links (except DWDM in the majority of cases), tapes, CDs, etc. Encryption of network links can be done at protocol level (SSH instead of telnet) or "at router level" (all the traffic is encrypted). Usually there is no reason to use an encrypted protocol when the whole link is already encrypted. Last but not least: each case requires thorough analysis.

--
Radoslaw Skorupka
Lodz, Poland

--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl
District Court for the Capital City of Warsaw, 12th Commercial Division of the National Court Register, business register no. KRS 025237, NIP: 526-021-50-88. As of 01.01.2007 the share capital of BRE Bank SA (fully paid up) amounts to PLN 118,064,140.
In connection with the conditional increase of the share capital, pursuant to the resolutions of the 16th General Meeting of 21.05.2003, the share capital of BRE Bank SA may be increased up to PLN 118,760,528. Shares in the increased share capital will be fully paid up.
Re: PCI Compliance - Encryption of all non-console administrative access.
On Tue, 2007-07-31 at 09:56 -0500, Hal Merritt wrote:
> Note that SSH (secure shell) does not seem to qualify as IDs and passwords flow in the open.

Oh no! This is never the case!

--
David Andrews
A. Duda and Sons, Inc.
[EMAIL PROTECTED]
Re: PCI Compliance - Encryption of all non-console administrative access.
Hal Merritt wrote:
> We use a layered approach to include TLS, physically isolated LANs, and other measures. Note that SSH (secure shell) does not seem to qualify as IDs and passwords flow in the open. As far as I can tell, only certificate-based protocols are acceptable for those under a PCI gun.
>
> Some PC types might state that only SSH is available on tinker toy boxes, but that is not completely true. It is true that many (most?) distributions do not come with TLS software installed and it has to be added.

AFAIK ssh user IDs and passwords do NOT flow in the clear. The first thing ssh does after host key validation is create a unique one-time-use encryption key, and then the userid/password is sent to the ssh server encrypted with this key.

--
Mark Jacobs
Technical Services
Time Customer Service - Tampa, FL

--
"The secret of life is honesty and fair dealing. If you can fake that, you've got it made."
-- Julius (Groucho) Henry Marx
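Hal's Wireshark check and Mark's description of the SSH login sequence both come down to a question an assessor can answer from a packet trace: does a user ID or password ever appear as readable TCP payload? The script below is an added example written for this page, not code from the list, from IBM or from any of the posters. It parses a libpcap file (Ethernet/IPv4/TCP only), follows Telnet-style prompt/answer pairs on the classic cleartext login ports, and separately records SSH sessions, where the version banner is the only readable text a login ever produces. The port list, the prompt strings, the "lower port is the server" heuristic and the sample capture are all assumptions made for the example; the capture is constructed inline so the script runs offline.

```python
"""Audit a packet capture for remote-login credentials sent in the clear.

Added example for this thread (not list, IBM or poster code). Parses a
libpcap file (Ethernet/IPv4/TCP), pairs Telnet-style prompts with the
client's answers on cleartext login ports, and notes SSH banners.
The sample capture at the bottom is constructed, not a real trace.
"""
import struct

# Assumption: the cleartext remote-login services an assessor looks for.
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 23: "telnet", 513: "rlogin", 514: "rsh"}
# Assumption: server prompt fragments and the field the next client packet answers.
PROMPTS = ((b"password:", "password"), (b"login:", "userid"), (b"username:", "userid"))


def iter_tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) for every Ethernet/IPv4/TCP frame."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are supported")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue  # not TCP
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue  # truncated segment
        src, dst = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, tcp[data_off:]


def find_cleartext_credentials(pcap):
    """Return [(service, field, value)] for prompts answered in the clear.

    State is kept per (client_port, server_port) flow: a server packet that
    carries a prompt marks the flow, and the next client packet is its answer.
    """
    awaiting, hits = {}, []
    for src, dst, payload in iter_tcp_payloads(pcap):
        if dst in CLEARTEXT_LOGIN_PORTS:          # client -> server
            field = awaiting.pop((src, dst), None)
            if field is not None:
                value = payload.strip().decode("ascii", "replace")
                hits.append((CLEARTEXT_LOGIN_PORTS[dst], field, value))
        elif src in CLEARTEXT_LOGIN_PORTS:        # server -> client
            low = payload.lower()
            for marker, field in PROMPTS:
                if marker in low:
                    awaiting[(dst, src)] = field
                    break
    return hits


def ssh_server_ports(pcap):
    """Server ports where an SSH version banner was seen (heuristic: lower port)."""
    return {min(src, dst) for src, dst, payload in iter_tcp_payloads(pcap)
            if payload.startswith(b"SSH-")}


# --- constructed sample capture ---------------------------------------------
def _frame(src_port, dst_port, payload):
    """Ethernet + IPv4 + TCP around payload; checksums left zero (never verified)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_sample_capture():
    """A Telnet login (userid and password readable) beside an SSH session."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [
        _frame(23, 40001, b"\r\nlogin: "),
        _frame(40001, 23, b"hal\r\n"),
        _frame(23, 40001, b"Password: "),
        _frame(40001, 23, b"s3cret\r\n"),
        _frame(22, 40002, b"SSH-2.0-OpenSSH_4.7\r\n"),
        _frame(40002, 22, b"SSH-2.0-OpenSSH_4.7\r\n"),
        _frame(40002, 22, bytes(range(0x40, 0x80))),  # opaque post-KEX bytes
    ]
    records = (struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + b"".join(records)


if __name__ == "__main__":
    cap = build_sample_capture()
    for service, field, value in find_cleartext_credentials(cap):
        print(f"CLEARTEXT {service}: {field} = {value!r}")
    for port in sorted(ssh_server_ports(cap)):
        print(f"ssh on port {port}: only the version banner is readable")
```

Run against a real trace by replacing `build_sample_capture()` with the bytes of a saved `.pcap`. The Telnet flow yields the user ID and password verbatim; the SSH flow yields only the banner, because, as Mark describes, the password is sent after key exchange under the session key. Absence of hits is evidence about that trace only, not proof that no cleartext login path exists.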
Re: PCI Compliance - Encryption of all non-console administrative access.
We use a layered approach to include TLS, physically isolated LANs, and other measures. Note that SSH (secure shell) does not seem to qualify as IDs and passwords flow in the open. As far as I can tell, only certificate-based protocols are acceptable for those under a PCI gun.

Some PC types might state that only SSH is available on tinker toy boxes, but that is not completely true. It is true that many (most?) distributions do not come with TLS software installed and it has to be added.

Your last sentence about internal availability is confusing.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On Behalf Of Ray Prevott
Sent: Monday, July 30, 2007 10:43 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: PCI Compliance - Encryption of all non-console administrative access.

> How is everybody dealing with this anyhow? Testing procedures include a determination that TELNET and other remote log-in commands are not available for use internally.
Re: PCI Compliance - Encryption of all non-console administrative access.
If you want to contact me offline, I would be willing to discuss the issue.

-Rob Schramm
rob dot schramm at 53 dot com
dot = . at = @

This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
Re: PCI Compliance - Encryption of all non-console administrative access.
"Encrypt everything," basically. That's anything "sensitive" flowing over a network wire (even inside your data center), anything on tape, and (usually) anything on disk. Companies are dealing with compliance by turning encryption on (and beefing up authorization and authentication). This tends to be comparatively easy on the mainframe, and there's been a lot of discussion here about various aspects (e.g. tape encryption). It's not free, but it's not bad either, and the cost tends to be vastly dwarfed by the losses in the alternative. (See: CardSystems.) - - - - - Timothy Sipples IBM Consulting Enterprise Software Architect Specializing in Software Architectures Related to System z Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific E-Mail: [EMAIL PROTECTED] -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
PCI Compliance - Encryption of all non-console administrative access.
How is everybody dealing with this anyhow? Testing procedures include a determination that TELNET and other remote log-in commands are not available for use internally.