Re: Mainframes open to internet attacks?
I can't say I've tried it but this simple python script looks like it could do some damage https://github.com/mainframed/MFDoS.

On 29/08/2015 2:05 PM, Rob Schramm wrote:
> Not necessarily. Assumptions are definitely being made.
>
> Rob Schramm
>
> On Fri, Aug 28, 2015, 9:59 PM David Crayford dcrayf...@gmail.com wrote:
> On 29/08/2015 5:56 AM, Charles Mills wrote:
> http://mainframesproject.tumblr.com/
>
> That really is a hall of shame! If you can access telnet then you can disrupt the system with a DDoS attack.
>
> Charles
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Scott Ford
> Sent: Friday, August 28, 2015 1:42 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframes open to internet attacks?
>
> I think the dude who wrote the article was looking for money or being a name in the industry. Every Z system I have been on you could not get to a login screen that easy. That's about 20+ shops, so dude give us details no fluff
>
> Scott

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Mainframes open to internet attacks?
Not necessarily. Assumptions are definitely being made.

Rob Schramm

On Fri, Aug 28, 2015, 9:59 PM David Crayford dcrayf...@gmail.com wrote:
> On 29/08/2015 5:56 AM, Charles Mills wrote:
> http://mainframesproject.tumblr.com/
>
> That really is a hall of shame! If you can access telnet then you can disrupt the system with a DDoS attack.
>
> Charles
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Scott Ford
> Sent: Friday, August 28, 2015 1:42 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframes open to internet attacks?
>
> I think the dude who wrote the article was looking for money or being a name in the industry. Every Z system I have been on you could not get to a login screen that easy. That's about 20+ shops, so dude give us details no fluff
>
> Scott
Re: Mainframes open to internet attacks?
On 2015-08-29 at 03:59, David Crayford wrote:
> On 29/08/2015 5:56 AM, Charles Mills wrote:
> http://mainframesproject.tumblr.com/
>
> That really is a hall of shame! If you can access telnet then you can disrupt the system with a DDoS attack.

Not every system is production system. Not every production system is really important for its owner. I repeat: I know a system where you can obtain TSO account for free.

--
Radoslaw Skorupka
Lodz, Poland

--
This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorized to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive.

mBank S.A., with its registered office in Warsaw, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital City of Warsaw, 12th Commercial Division of the National Court Register, entrepreneur register no. KRS 025237, NIP: 526-021-50-88. As of 01.01.2015 the share capital of mBank S.A. (fully paid up) amounts to 168.840.228 zlotys.
Re: Mainframes open to internet attacks?
Hi All

I completely agree with Phil - the issue is not whether the Mainframe is open to the Internet - it’s an issue of complacency vs. correct configuration. Too many C*O types are so focused on the availability aspect of CIA that they downplay the risks to the other aspects of that triad - particularly on Z. Assuming z/OS is safe - does not make it so - and ignoring the various vulnerabilities (misconfiguration, under or mis-staffing, lack of controls, lack of SLCM/DLCM, lack of anything else that's required) - does not make them go away.

This is not true in every case, but I too have seen TSO users with minimal capabilities owning the system - in under two hours. If you have security assessments regularly - you'll always find something. Your goal should be to make your external auditor work really hard to find what you've forgotten :-)

MZ

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Phil
> Sent: Friday, August 28, 2015 8:26 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframes open to internet attacks?
>
> Hi All,
>
> I’m actually the person interviewed in this (frankly overblown) article. Thankfully I had a chance to talk again about this project here: https://www.bostonglobe.com/ideas/2015/08/13/remote-corner-internet-art-sprouts/joPVVFqBnctHanbtUBLhzL/story.html
>
> Radoslaw, I’m so glad you were able to attend one of my talks (was it the Skytalks or BSidesLV?). However, I think you misunderstood the point I was trying to make. I’ve constantly touted how stupid the information security industry has been in thinking mainframes were old and obsolete. See this article about one of my first talks from two years ago: http://www.darkreading.com/attacks-breaches/cutting-through-the-mystique-of-testing-the-mainframe/d/d-id/1140239 my story hasn’t really changed since. My toolset has, and participation is slowly increasing, but not fast enough. In fact, my co-speaker and I, at the most recent DEFCON, were making fun of the audience for not knowing what CICS was despite how important it likely was to their daily lives.
>
> On the topic of whether they are secure or not, that’s up to the implementation. I know of someone who claims ‘give me an account and I can own your mainframe’. He doesn’t do it through magical 0-days, he’s using misconfigurations and easy to access tools (for example, in one instance he found a surrogate profile for an account with system special open to everyone because it was an ‘emergency id’). But this is true of any platform. zLinux is just as secure as z/OS, if both are configured correctly.
>
> Finally, on to the ‘art project’ as I like to call it. Back, long ago, when I was on x.25 networks looking for things to play with I might encounter a screen like these. I just find them amazing and beautiful (and a little nostalgic to be honest). Having them be on the internet doesn’t really matter, if they are configured correctly. My assumption is that they are on the internet on purpose and are no different than a staff landing page (for example: https://fs.aircanada.ca/idp/SSO.saml2, I found this through literally 1 second on google). If you want to see other interesting ‘things’ on the internet check out SHODAN’s twitter feed for devices like ‘Lake Pumping Stations’ and ‘Skilift in France’: https://twitter.com/shodanhq
>
> I realize this is likely way off-topic for this discussion list but feel free to email me if you have questions or concerns (or are interested in how I did it).
>
> Phil
>
> On Aug 27, 2015, at 9:00 PM, IBM-MAIN automatic digest system lists...@listserv.ua.edu wrote:
> Date: Thu, 27 Aug 2015 17:38:05 +0200
> From: R.S. r.skoru...@bremultibank.com.pl
> Subject: Re: Mainframes open to internet attacks?
>
> On 2015-08-19 at 00:26, Robert Harrison wrote:
> From technologyreview.com: http://www.technologyreview.com/news/540011/mainframe-computers-that-handle-our-most-sensitive-data-are-open-to-internet-attacks/
>
> Really? What I understood from the lecture:
> a) mainframes are old, obsolete, but unfortunately sometimes still in use - which is a sin.
> b) mainframes are insecure
> c) some mainframes are directly accessible from Internet, by mistake of course.
>
> What I mean:
> a) b) - IMHO obvious ;-)
> c) IMHO it is bad idea to make any system directly accessible from Internet. Mainframe, any kind of Unix, Linux, Windows... Some exceptions do apply but it's still
Re: Mainframes open to internet attacks?
On 2015-08-28 at 06:19, Timothy Sipples wrote:
> Radoslaw Skorupka wrote:
> c) IMHO it is bad idea to make any system directly accessible from Internet. Mainframe, any kind of Unix, Linux, Windows...
>
> Which leaves...what? Is Wang still selling machines? (But those were systems, too...)

Well...
OS/2 and its successor eComStation
VMS aka OpenVMS
OS/400
(now more funny answers)
iOS
Android
PC DOS (it's hard to find server working under DOS, but...)
BeOS
NetWare
FreeBSD
QNX

--
Radoslaw Skorupka
Lodz, Poland
Re: Mainframes open to internet attacks?
Compared to what? compared to a mainframe locked in a vault.

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Shmuel Metz (Seymour J.)
> Sent: Thursday, August 27, 2015 7:23 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframes open to internet attacks?
>
> In 55df2edd.5090...@bremultibank.com.pl, on 08/27/2015 at 05:38 PM, R.S. r.skoru...@bremultibank.com.pl said:
> What I understood from the lecture: a) mainframes are old, obsolete, but unfortunately sometimes still in use - which is a sin.
>
> If they do the job as well as or better than available alternatives then they're not obsolete.
>
> b) mainframes are insecure
>
> Compared to what?
>
> --
> Shmuel (Seymour J.) Metz, SysProg and JOAT
> ISO position; see http://patriot.net/~shmuel/resume/brief.html
> We don't care. We don't have to care, we're Congress. (S877: The Shut up and Eat Your spam act of 2003)
Re: Mainframes open to internet attacks?
On 2015-08-28 at 14:12, John McKown wrote:
> The die hard AmigaDOS people will be wanting an apology for being ignored -- yet again. The CP/M people have all died, so no worries from them. [grin].

Well, I still have working CP/M machine and feel quite alive. However I never tried to connect it to Internet.

(yes, it's Friday...)

--
Radoslaw Skorupka
Lodz, Poland
Re: Mainframes open to internet attacks?
On Fri, Aug 28, 2015 at 3:02 AM, R.S. r.skoru...@bremultibank.com.pl wrote:
> On 2015-08-28 at 06:19, Timothy Sipples wrote:
> Radoslaw Skorupka wrote:
> c) IMHO it is bad idea to make any system directly accessible from Internet. Mainframe, any kind of Unix, Linux, Windows...
>
> Which leaves...what? Is Wang still selling machines? (But those were systems, too...)
>
> Well...
> OS/2 and its successor eComStation
> VMS aka OpenVMS
> OS/400
> (now more funny answers)
> iOS
> Android
> PC DOS (it's hard to find server working under DOS, but...)
> BeOS
> NetWare
> FreeBSD

The NetBSD and OpenBSD projects will have their seconds call on you for ignoring them.

> QNX

The die hard AmigaDOS people will be wanting an apology for being ignored -- yet again. The CP/M people have all died, so no worries from them. [grin]. But the real danger from omitting someone is from the Mac OSX people. They tend to be fanatics.

> --
> Radoslaw Skorupka
> Lodz, Poland

--
Schrodinger's backup: The condition of any backup is unknown until a restore is attempted.
Yoda of Borg, we are. Futile, resistance is, yes. Assimilated, you will be.
He's about as useful as a wax frying pan.
10 to the 12th power microphones = 1 Megaphone
Maranatha!
John McKown
Re: Mainframes open to internet attacks?
On 29/08/2015 5:56 AM, Charles Mills wrote:
> http://mainframesproject.tumblr.com/

That really is a hall of shame! If you can access telnet then you can disrupt the system with a DDoS attack.

> Charles
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Scott Ford
> Sent: Friday, August 28, 2015 1:42 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframes open to internet attacks?
>
> I think the dude who wrote the article was looking for money or being a name in the industry. Every Z system I have been on you could not get to a login screen that easy. That's about 20+ shops, so dude give us details no fluff
>
> Scott
Re: Mainframes open to internet attacks?
http://mainframesproject.tumblr.com/

Charles

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Scott Ford
> Sent: Friday, August 28, 2015 1:42 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframes open to internet attacks?
>
> I think the dude who wrote the article was looking for money or being a name in the industry. Every Z system I have been on you could not get to a login screen that easy. That's about 20+ shops, so dude give us details no fluff
>
> Scott
Re: Mainframes open to internet attacks?
I think the dude who wrote the article was looking for money or being a name in the industry. Every Z system I have been on you could not get to a login screen that easy. That's about 20+ shops, so dude give us details no fluff

Scott

On Friday, August 28, 2015, R.S. r.skoru...@bremultibank.com.pl wrote:
> On 2015-08-28 at 14:12, John McKown wrote:
> The die hard AmigaDOS people will be wanting an apology for being ignored -- yet again. The CP/M people have all died, so no worries from them. [grin].
>
> Well, I still have working CP/M machine and feel quite alive. However I never tried to connect it to Internet.
>
> (yes, it's Friday...)
>
> --
> Radoslaw Skorupka
> Lodz, Poland
Re: Mainframes open to internet attacks?
On 2015-08-19 at 00:26, Robert Harrison wrote:
> From technologyreview.com: http://www.technologyreview.com/news/540011/mainframe-computers-that-handle-our-most-sensitive-data-are-open-to-internet-attacks/

Really? What I understood from the lecture:
a) mainframes are old, obsolete, but unfortunately sometimes still in use - which is a sin.
b) mainframes are insecure
c) some mainframes are directly accessible from Internet, by mistake of course.

What I mean:
a) b) - IMHO obvious ;-)
c) IMHO it is bad idea to make any system directly accessible from Internet. Mainframe, any kind of Unix, Linux, Windows... Some exceptions do apply but it's still platform-irrelevant. What is relevant it's protocol. TN3270 over TLS/SSL is better than any kind of telnet, etc.

I'm aware of mainframe z/OS installation which offer free TSO account to anyone.

BTW: There are plenty other open stuff on the Net, for example internet cameras. I mean CCTV installed in shops, lifts, etc. I saw webpage which collected such cameras, i.e. I saw shoe shop in my city. ;-)

--
Radoslaw Skorupka
Lodz, Poland
Re: Mainframes open to internet attacks?
In 55df2edd.5090...@bremultibank.com.pl, on 08/27/2015 at 05:38 PM, R.S. r.skoru...@bremultibank.com.pl said:

> What I understood from the lecture: a) mainframes are old, obsolete, but unfortunately sometimes still in use - which is a sin.

If they do the job as well as or better than available alternatives then they're not obsolete.

> b) mainframes are insecure

Compared to what?

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress. (S877: The Shut up and Eat Your spam act of 2003)
Re: Mainframes open to internet attacks?
Radoslaw Skorupka wrote:
> c) IMHO it is bad idea to make any system directly accessible from Internet. Mainframe, any kind of Unix, Linux, Windows...

Which leaves...what? Is Wang still selling machines? (But those were systems, too...)

Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com
Re: Mainframes open to internet attacks?
mike.a.sch...@gmail.com (Mike Schwab) writes:
> How about Multics? Designed from the start to be multi-user and highly secure.

some of the CTSS people went to the 5th flr and did Multics. Other of the CTSS people went to the IBM science center on the 4th flr and did cp67/cms, the internal network, online services, etc. Being in the same bldg. separated by one flr, there was some rivalry.

One of the early tests was when science center ported apl\360 to cms for cms\apl ... it allowed typical apl\360 16kbyte workspaces to be increased to virtual memory size ... and also added API that allowed access of system services (like file read/write). Opening APL to real-world applications attracted a lot of internal locations to start using the cambridge system remotely. A group of business planners in Armonk loaded the most valuable corporate asset (customer details) on cambridge system to do business modeling applications in cms\apl. we had some interesting issues since non-employees (cambridge area univ students, instructors, professors) also had online access to the cambridge system.

some posts mentioning science center
http://www.garlic.com/~lynn/subtopic.html#545tech

some multics installations:
http://www.multicians.org/site-afdsc.html
http://www.multicians.org/mgd.html#DOCKMASTER

other old reference to DOCKMASTER org. (gone 404 but lives on at wayback machine):
http://web.archive.org/web/20090117083033/http://www.nsa.gov/research/selinux/list-archive/0409/8362.shtml

and old reference to afds coming by to talk about 20 vm/4341 systems ... but then that was increased to 220 (posted in multics discussion group)
http://www.garlic.com/~lynn/2001m.html#email790404

Recently a european that worked in NATO claimed that they got 6000 vm/4341 systems.

Note that Multics was implemented in PLI. Up through the 90s, the major tcp/ip bugs/exploits were because of buffer length related bugs epidemic in c-language implementations (and still continues to be a frequent source of exploits). The original ibm mainframe tcp/ip product was implemented in vs/pascal and had *none* of these epidemic bugs found in c-language implementations.

As an aside, for various reasons this implementation had some significant performance issues, getting 44kbytes/sec aggregate using 3090 processor. I did the rfc1044 enhancements and some tuning tests at cray research got sustained channel speed throughput between cray and 4341, using only modest amount of 4341 (possibly 500 times improvement in bytes moved per instruction executed). The (non-rfc1044) version was also made available on MVS by simulating the required VM functions.

Much later the communication group contracted for TCP/IP support through VTAM. After the initial demonstration, the communication group told the contractor that everybody *knows* that a *correct* version of TCP/IP runs slower than LU6.2 and they will only be paying for a *correct* version.

I also had other rivalry with the 5th flr. One of my hobbies was providing enhanced operating systems to internal locations ... some old email regarding CSC/VM (later it was SJR/VM, after I transferred to san jose research):
http://www.garlic.com/~lynn/2006w.html#email750102
http://www.garlic.com/~lynn/2006w.html#email750430

It wasn't fair to compare the total number of Multics systems that had ever existed with the total number of vm370 customer systems or even the total number of internal vm370 systems. However, for a time, I had a few more internal csc/vm systems than the total number of Multics systems.

--
virtualization experience starting Jan1968, online at home since Mar1970
Re: Mainframes open to internet attacks?
Hi All, I’m actually the person interviewed in this (frankly overblown) article. Thankfully I had a chance to talk again about this project here: https://www.bostonglobe.com/ideas/2015/08/13/remote-corner-internet-art-sprouts/joPVVFqBnctHanbtUBLhzL/story.html https://www.bostonglobe.com/ideas/2015/08/13/remote-corner-internet-art-sprouts/joPVVFqBnctHanbtUBLhzL/story.html Radoslaw, I’m so glad you were able to attend one of my talks (was it the Skytalks or BSidesLV?). However, I think you misunderstood the point I was trying to make. I’ve constantly touted how stupid the information security industry has been in thinking mainframes were old and obsolete. See this article about one of my first talks from two years ago: http://www.darkreading.com/attacks-breaches/cutting-through-the-mystique-of-testing-the-mainframe/d/d-id/1140239 http://www.darkreading.com/attacks-breaches/cutting-through-the-mystique-of-testing-the-mainframe/d/d-id/1140239 my story hasn’t really changed since. My toolset has, and participation is slowly increasing, but not fast enough. In fact, my co-speaker and I, at the most recent DEFCON, were making fun of the audience for not knowing what CICS was despite how important it likely was to their daily lives. On the topic on whether they are secure or not, thats up to the implementation. I know of someone who claims ‘give me an account and I can own your mainframe’. He doesn’t do it through magical 0-days, he’s using misconfigurations and easy to access tools (for example, in one instance he found a surrogate profile for an account with system special open to everyone because it was an ‘emergency id’). But this is true of any platform. zLinux is just as secure as z/OS, if both are configured correctly. Finally, on to the ‘art project’ as I like to call it. Back, long ago, when I was on x.25 networks looking for things to play with I might encounter a screen like these. I just find them amazing and beautiful (and a little nostalgic to be honest). 
Having them be on the internet doesn’t really matter, if they are configured correctly. My assumption is that they are on the internet on purpose and are no different than a staff landing page (for example: https://fs.aircanada.ca/idp/SSO.saml2 https://fs.aircanada.ca/idp/SSO.saml2, i found this through literally 1 second on google). If you want to see other interesting ’things' on the internet check out SHODANs twitter feed for devices like ‘Lake Pumping Stations’ and ‘Skilift in France’: https://twitter.com/shodanhq https://twitter.com/shodanhq I realize this is likely way off-topic for this discussion list but feel free to email me if you have questions or concerns (or are interested in how I did it). Phil On Aug 27, 2015, at 9:00 PM, IBM-MAIN automatic digest system lists...@listserv.ua.edu wrote: Date:Thu, 27 Aug 2015 17:38:05 +0200 From:R.S. r.skoru...@bremultibank.com.pl mailto:r.skoru...@bremultibank.com.pl Subject: Re: Mainframes open to internet attacks? W dniu 2015-08-19 o 00:26, Robert Harrison pisze: From technologyreview.com http://technologyreview.com/: http://www.technologyreview.com/news/540011/mainframe-computers-that-handle-our-most-sensitive-data-are-open-to-internet-attacks/ http://www.technologyreview.com/news/540011/mainframe-computers-that-handle-our-most-sensitive-data-are-open-to-internet-attacks/ Really? What I understod from the lecture: a) mainframes are old, obsolete, but unfotunately sometimes still in use - which is a sin. b) mainframes are insecure c) some mainframe are directly accessible from Internet, by mistake of course. What I mean: a) b) - IMHO obvious ;-) c) IMHO it is bad idea to make any system directly accessible from Internet. Mainframe, any kind of Unix, Linux, Windows... Some exceptions do apply but it's still platform-irrelevant. What is relevant it's protocol. TN3270 over TLS/SSL is better than any kind of telnet, etc. I'm aware of mainframe z/OS installation which offer free TSO account to anyone. 
BTW: There are plenty other open stuff on the Net, for example internet cameras. I mean CCTV installed in shops, lifts, etc. I saw webpage which collected such cameras, i.e. I saw shoe shop in my city. ;-) -- Radoslaw Skorupka Lodz, Poland
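The misconfiguration Phil mentions above (a surrogate profile for a system-SPECIAL "emergency id" open to everyone) is something a site can look for in its own RACF data. The following is an added example, not code from any poster in this thread; it assumes a simplified, hypothetical CSV export of users, SURROGAT profiles and access-list entries (not the real IRRDBU00 unload layout), and all sample rows are constructed.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample rows in a simplified, hypothetical CSV layout
# (an assumption: NOT the real IRRDBU00 unload format).
USERS = """userid,special
IBMUSER,YES
EMERG01,YES
OPSBATCH,NO
"""
PROFILES = """class,profile,uacc
SURROGAT,EMERG01.SUBMIT,NONE
SURROGAT,IBMUSER.SUBMIT,NONE
SURROGAT,OPSBATCH.SUBMIT,READ
"""
PERMITS = """class,profile,id,access
SURROGAT,EMERG01.SUBMIT,*,READ
SURROGAT,IBMUSER.SUBMIT,SYSPROG1,READ
"""

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def grants(access):
    """READ or higher on userid.SUBMIT lets the holder submit jobs as userid."""
    return LEVELS.index(access) >= LEVELS.index("READ")


def covering_profile(resource, names):
    """Simplified lookup: a discrete profile wins, else the first matching generic."""
    if resource in names:
        return resource
    for name in names:
        if "*" in name and fnmatchcase(resource, name):
            return name
    return None


def open_surrogates(users_csv, profiles_csv, permits_csv):
    """Return (userid, profile, reasons) for SPECIAL users anyone can act as."""
    profiles = {p["profile"]: p for p in rows(profiles_csv) if p["class"] == "SURROGAT"}
    permits = [p for p in rows(permits_csv) if p["class"] == "SURROGAT"]
    findings = []
    for user in rows(users_csv):
        if user["special"] != "YES":
            continue
        name = covering_profile(user["userid"] + ".SUBMIT", profiles)
        if name is None:
            continue  # no covering SURROGAT profile in this extract
        reasons = []
        if grants(profiles[name]["uacc"]):
            reasons.append("UACC(%s)" % profiles[name]["uacc"])
        for p in permits:
            if p["profile"] == name and p["id"] == "*" and grants(p["access"]):
                reasons.append("ID(*) ACCESS(%s)" % p["access"])
        if reasons:
            findings.append((user["userid"], name, reasons))
    return findings


if __name__ == "__main__":
    for userid, profile, reasons in open_surrogates(USERS, PROFILES, PERMITS):
        print("%s: %s open to everyone via %s" % (userid, profile, ", ".join(reasons)))
```

OPSBATCH.SUBMIT is also open in the sample data but is not reported, because the check is scoped to SPECIAL users; widening it to other privileged attributes is a matter of changing the user filter.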
Re: Mainframes open to internet attacks?
How about Multics? Designed from the start to be multi-user and highly secure. On Thu, Aug 27, 2015 at 11:19 PM, Timothy Sipples sipp...@sg.ibm.com wrote: Radoslaw Skorupka wrote: c) IMHO it is bad idea to make any system directly accessible from Internet. Mainframe, any kind of Unix, Linux, Windows... Which leaves...what? Is Wang still selling machines? (But those were systems, too...) Timothy Sipples IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- Mike A Schwab, Springfield IL USA Where do Forest Rangers go to get away from it all?
Re: Mainframes open to internet attacks?
On Wed, Aug 19, 2015 at 8:22 AM, Vince Coen vbc...@gmail.com wrote:

> Err you have to read this a little closer : leaders of the U.S. office of personal management .. explain So these people experienced it, what exactly ? Knowledge of any form of IT !! ? There again could have done a simple search on Google and believed what they read on the internet and even worse via Google. There again when I see the date on Google I double check :) This shortly is a case of the blind leading the blind, no ? As for the case of mainframes being open to hacking - well any system can if the user name/password system is not maintained and likewise the front end concentrator not have its own security fully in place. High secure systems only accept user logins from known IP and MAC addresses that are pre-stored. As a remote worker these days I have to declare all computer kit I use to access client system with:
>
> My IP addresses

Good, but can be gotten around (with difficulty) if you can mess with the host's ARP cache.

> The MAC code for each box

Easy to spoof a MAC address using a Linux machine.

> My encrypted password if their system can handle it - in my case I use 1024 byte folded coding .

This is the best. I've not looked at this much, but it may be possible to circumvent by a determined person with an MITM attack. What I use for things such as GMail, GitHub, and Twitter is Two Factor authentication. For GMail and GitHub, there is a Google app which is a secure keyed time token generator. For Twitter, they SMS text a 6 digit code to my phone. So for any of those sites, I must have my phone on me. The place where I work _used_ to have a VPN with a dedicated secure token key issued to you. Everybody had their own token key. You could use it only to log on using your assigned id. Your key + other id == no connection. But it was too expensive. And not a Microsoft solution. So bye-bye.

> Can't say I have found any one getting through those (so far). Vince IT since 1961.
-- Schrodinger's backup: The condition of any backup is unknown until a restore is attempted. Yoda of Borg, we are. Futile, resistance is, yes. Assimilated, you will be. He's about as useful as a wax frying pan. 10 to the 12th power microphones = 1 Megaphone Maranatha! John McKown
Re: Mainframes open to internet attacks?
personal or personnel? Which makes the article writer or whoever was quoted another weak link in the chain. :-) Cheers, Martin Martin Packer, zChampion, Principal Systems Investigator, Worldwide Banking Center of Excellence, IBM +44-7802-245-584 email: martin_pac...@uk.ibm.com Twitter / Facebook IDs: MartinPacker Blog: https://www.ibm.com/developerworks/mydeveloperworks/blogs/MartinPacker From: Vince Coen vbc...@gmail.com To: IBM-MAIN@LISTSERV.UA.EDU Date: 19/08/2015 14:22 Subject: Re: Mainframes open to internet attacks? Sent by: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU Err you have to read this a little closer : leaders of the U.S. office of personal management .. explain So these people experienced it, what exactly ? Knowledge of any form of IT !! ? There again could have done a simple search on Google and believed what they read on the internet and even worse via Google. There again when I see the date on Google I double check :) This shortly is a case of the blind leading the blind, no ? As for the case of mainframes being open to hacking - well any system can if the user name/password system is not maintained and likewise the front end concentrator not have its own security fully in place. High secure systems only accept user logins from known IP and MAC addresses that are pre-stored. As a remote worker these days I have to declare all computer kit I use to access client system with: My IP addresses The MAC code for each box My encrypted password if their system can handle it - in my case I use 1024 byte folded coding . Can't say I have found any one getting through those (so far). Vince IT since 1961. On 19/08/15 13:59, Greg Shirey wrote: I'm still trying to figure this out: More recently, when leaders of the U.S. office of personal management appeared before Congress to explain how sensitive data on millions of federal employees was accessed by hackers, they pointed to decades-old code written in a programming language called COBOL.
Any ideas how COBOL facilitated a hack on sensitive data? Regards, Greg Shirey Ben E. Keith Company -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Meir Zohar Sent: Tuesday, August 18, 2015 11:08 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Mainframes open to internet attacks? Phil Young has been doing these talks for several years and some of the tools are posted on his Soldier of Fortran site. He is absolutely correct in that some sites are complacent in their "the mainframe is secure" attitude and that, like every other platform, z/OS requires a continuous evaluate-correct-test-rollout-rinse-repeat security cycle ... Since security implementation on z/OS, independent of the tool, is the realm of either the sysprog (with little time to deal with it on a daily basis) or the security staff (where dedicated z/OS specialists are few and far between) - this can and does lead to potential gaps in coverage. Ignoring the problem doesn't make it go away (however, Ashley Madison users' most sensitive information was never on z/OS).
Re: Mainframes open to internet attacks?
Err you have to read this a little closer : leaders of the U.S. office of personal management .. explain So these people experienced it, what exactly ? Knowledge of any form of IT !! ? There again could have done a simple search on Google and believed what they read on the internet and even worse via Google. There again when I see the date on Google I double check :) This shortly is a case of the blind leading the blind, no ? As for the case of mainframes being open to hacking - well any system can if the user name/password system is not maintained and likewise the front end concentrator not have its own security fully in place. High secure systems only accept user logins from known IP and MAC addresses that are pre-stored. As a remote worker these days I have to declare all computer kit I use to access client system with: My IP addresses The MAC code for each box My encrypted password if their system can handle it - in my case I use 1024 byte folded coding . Can't say I have found any one getting through those (so far). Vince IT since 1961. On 19/08/15 13:59, Greg Shirey wrote: I'm still trying to figure this out: More recently, when leaders of the U.S. office of personal management appeared before Congress to explain how sensitive data on millions of federal employees was accessed by hackers, they pointed to decades-old code written in a programming language called COBOL. Any ideas how COBOL facilitated a hack on sensitive data? Regards, Greg Shirey Ben E. Keith Company -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Meir Zohar Sent: Tuesday, August 18, 2015 11:08 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Mainframes open to internet attacks? Phil Young has been doing these talks for several years and some of the tools are posted on his Soldier of Fortran site.
He is absolutely correct in that some sites are complacent in their "the mainframe is secure" attitude and that, like every other platform, z/OS requires a continuous evaluate-correct-test-rollout-rinse-repeat security cycle ... Since security implementation on z/OS, independent of the tool, is the realm of either the sysprog (with little time to deal with it on a daily basis) or the security staff (where dedicated z/OS specialists are few and far between) - this can and does lead to potential gaps in coverage. Ignoring the problem doesn't make it go away (however, Ashley Madison users' most sensitive information was never on z/OS).
Re: Mainframes open to internet attacks?
I'm still trying to figure this out: More recently, when leaders of the U.S. office of personal management appeared before Congress to explain how sensitive data on millions of federal employees was accessed by hackers, they pointed to decades-old code written in a programming language called COBOL. Any ideas how COBOL facilitated a hack on sensitive data? Regards, Greg Shirey Ben E. Keith Company -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Meir Zohar Sent: Tuesday, August 18, 2015 11:08 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Mainframes open to internet attacks? Phil Young has been doing these talks for several years and some of the tools are posted on his Soldier of Fortran site. He is absolutely correct in that some sites are complacent in their "the mainframe is secure" attitude and that, like every other platform, z/OS requires a continuous evaluate-correct-test-rollout-rinse-repeat security cycle ... Since security implementation on z/OS, independent of the tool, is the realm of either the sysprog (with little time to deal with it on a daily basis) or the security staff (where dedicated z/OS specialists are few and far between) - this can and does lead to potential gaps in coverage. Ignoring the problem doesn't make it go away (however, Ashley Madison users' most sensitive information was never on z/OS).
Re: Mainframes open to internet attacks?
Soldier of Fortran site had links to all this. I don't think any of the information is new. Rob Schramm On Tue, Aug 18, 2015, 7:15 PM Charles Mills charl...@mcn.org wrote: Really. In 2012 Logica, a mainframe service bureau in Sweden, suffered a disastrous hack that involved government agency files, credit cards, and social security numbers. The entry was via an online legal database that was accessible via browser from the Internet, and which turned out to be vulnerable to the CGI remote command execution vulnerability. The hack was a crisis for Logica that ultimately required international diplomacy to stop as the hacker had so many privileged RACF userids that if they revoked one, he simply used another and created ten more. Per Gottfrid Svartholm Warg, alias anakata, co-founder of The Pirate Bay, a media sharing site, was convicted of the breach, and also of breaching a CSC mainframe in Denmark, in which EU international police records among others were exfiltrated. (Referenced in the article you cite.) Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Robert Harrison Sent: Tuesday, August 18, 2015 3:27 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Mainframes open to internet attacks? From technologyreview.com: http://www.technologyreview.com/news/540011/mainframe-computers-that-handle-our-most-sensitive-data-are-open-to-internet-attacks/ Really?
Re: Mainframes open to internet attacks?
Phil Young has been doing these talks for several years and some of the tools are posted on his Soldier of Fortran site. He is absolutely correct in that some sites are complacent in their "the mainframe is secure" attitude and that, like every other platform, z/OS requires a continuous evaluate-correct-test-rollout-rinse-repeat security cycle ... Since security implementation on z/OS, independent of the tool, is the realm of either the sysprog (with little time to deal with it on a daily basis) or the security staff (where dedicated z/OS specialists are few and far between) - this can and does lead to potential gaps in coverage. Ignoring the problem doesn't make it go away (however, Ashley Madison users' most sensitive information was never on z/OS). MZ -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Robert Harrison Sent: Wednesday, August 19, 2015 1:27 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Mainframes open to internet attacks? From technologyreview.com: http://www.technologyreview.com/news/540011/mainframe-computers-that-handle-our-most-sensitive-data-are-open-to-internet-attacks/ Really? Robert Harrison
Re: Mainframes open to internet attacks?
On 8/18/2015 at 06:26 PM, Robert Harrison robert.harri...@omes.ok.gov wrote: From technologyreview.com: http://www.technologyreview.com/news/540011/mainframe-computers-that-handle-our-most-sensitive-data-are-open-to-internet-attacks/ Really? Yes, really. Phil Young isn't the only one that talks about this. Mark Wilson at SHARE in Orlando had a good session about (the lack of) good mainframe security at a lot of shops he consults with. Mark Post
Re: Mainframes open to internet attacks?
On 8/18/2015 at 06:26 PM, Robert Harrison robert.harri...@omes.ok.gov wrote: From technologyreview.com: http://www.technologyreview.com/news/540011/mainframe-computers-that-handle-our-most-sensitive-data-are-open-to-internet-attacks/

It's fun to read the comments on that article, denying that there's any sort of real security problem. They're just:
- Site configuration issues.
- Taken care of by the hardware
- Not a problem, I've never had a breach on my system.

That's a small subset of the litany Mark Wilson receives from just about every customer right before he breaches their z/OS system. To be fair, the first bullet configuration issue is pretty accurate. A lot of the things talked about were the result of things not being set up 100% tight. The problem is that the environments are so complex, and involve so many different people or groups, it's nearly impossible to nail down everything correctly. His, and Phil Young's, main message is simply denying a problem exists won't protect you. You have to check, and re-check, and re-check, and ... Mark Post
Re: Mainframes open to internet attacks?
Really. In 2012 Logica, a mainframe service bureau in Sweden, suffered a disastrous hack that involved government agency files, credit cards, and social security numbers. The entry was via an online legal database that was accessible via browser from the Internet, and which turned out to be vulnerable to the CGI remote command execution vulnerability. The hack was a crisis for Logica that ultimately required international diplomacy to stop as the hacker had so many privileged RACF userids that if they revoked one, he simply used another and created ten more. Per Gottfrid Svartholm Warg, alias anakata, co-founder of The Pirate Bay, a media sharing site, was convicted of the breach, and also of breaching a CSC mainframe in Denmark, in which EU international police records among others were exfiltrated. (Referenced in the article you cite.) Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Robert Harrison Sent: Tuesday, August 18, 2015 3:27 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Mainframes open to internet attacks? From technologyreview.com: http://www.technologyreview.com/news/540011/mainframe-computers-that-handle-our-most-sensitive-data-are-open-to-internet-attacks/ Really?