Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-11-02 Thread Eric Verwijs
Thanks for all the responses. I wasn't aware of any vulnerabilities, patched or 
otherwise. I don't handle our mainframe's security, another department does 
that.
Frightening.


   Regards, 
        Eric Verwijs 

Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation, Information 
and Technology Branch
Employment and Social Development Canada / Government of Canada
frederick.verw...@hrsdc-rhdcc.gc.ca 
Telephone 819-654-0934 
Facsimile 819-654-1009

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Ray Overby
Sent: November-01-18 2:35 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: eWEEK Article highlights weaknesses in Mainframe Security

Disclaimer: Don't shoot the messenger (I am very passionate on this 
topic). The fact is unpatched zero day vulnerabilities exist on all z/OS 
mainframes. Don't take my word for this. Ask KRI's clients what their 
experience is with z/Assure VAP finding (probable) zero day integrity 
based code vulnerabilities. I say probable because the ISVs don't 
appear to share the integrity vulnerability details with anyone outside 
their respective organizations. They certainly do not share this 
information with Key Resources. So if the ISV takes longer than a couple 
of days to provide a patch it's likely they did not have one before the 
vulnerability was reported. Thus you can conclude that the vulnerability 
was a zero day.

Comment: If there were no unpatched security holes then IBM wouldn't 
need to release security PTFs to fix them.
Response: Correct. You only need to look at the patches provided by your 
ISVs (IBM, CA, BMC, Rocket. Sorry if I missed anyone!) and you will 
find security and/or integrity patches.

Comment: I would hope that it's a lot harder to find one than it used to be.
A: No, actually it is not. I started doing this in 2009. Key Resources' 
z/Assure VAP product regularly finds integrity based-code 
vulnerabilities. Most of these vulnerabilities appear to be zero day. As 
some people would consider my comments biased, don't take my word for 
it. Ask our clients if what I am saying is accurate.

Question: What zero-day vulnerabilities would there be? I’ve not heard 
of unpatched security holes in z/OS before.
Short answer: Conspiracy of Silence. Unless you are with the companies 
that find the vulnerability, work for the ISV support group, or are part 
of the ISV management or development teams you would never know about 
the vulnerability UNTIL you saw the patch on their patch portals. 
Patches normally contain no details about the vulnerability. This is how 
mainframe integrity based-code vulnerability management is done.  These 
vulnerabilities are NOT reported on the National Vulnerability Database.

Comment: Aside from of course, phishing and other attacks aimed at the users 
and not the machine itself.
Answer: Nothing to do with phishing and other attacks. I am referring to 
integrity based-code vulnerabilities. These vulnerabilities are in SVCs, PC 
routines, or APF. However, a good hacker will combine vulnerabilities to 
achieve their goal. The hacker wants to establish a beachhead in your network. 
From there they can traverse the network compromising systems until they get 
access to z/OS. With these integrity based-code vulnerabilities, once they are 
established and able to run work on z/OS they can elevate their credentials 
with an integrity based-code vulnerability and turn off logging. "Run work" 
would roughly translate to: a) FTP JCL to z/OS b) Logon to TSO or something 
similar c) Submit JCL through RJE or NJE (google metasploit NJE for attack 
vectors); there are documented attacks using this technique.

Feel free to contact me offline to continue this discussion.

Ray Overby

On 10/30/2018 7:43 PM, Seymour J Metz wrote:
> If there were no unpatched security holes then IBM wouldn't need to release 
> security PTFs to fix them. I would hope that it's a lot harder to find one 
> than it used to be.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> 
> From: IBM Mainframe Discussion List  on behalf of 
> Eric Verwijs 
> Sent: Tuesday, October 30, 2018 10:59 AM
> To: IBM-MAIN@listserv.ua.edu
> Subject: eWEEK Article highlights weaknesses in Mainframe Security
>
> http://secure-web.cisco.com/1cEGuBe_ZRQESR4kUXS7ShVfhPRr6RLxpO47vTAIYiTpY0Px4GzQAVFwbRnVRDSO88yQdYgZwS9NG2LhzWNCaA7jKdLghofcDczS2pS3jXM7QWTltrwO_G_rwXUyVhX6ZWsuHZY6BnoUE_A8HOWKsXNFwYvaiJjxToXSq6pYcfH4L-krJSWFPD-gLTdPf1R9xE7aoeN-_Hy7BnmgO9LtgBCAavC3aAT3sRoaplXe4Jxk4KcS3OamjQqK37n

Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-11-01 Thread Ray Overby
Disclaimer: Don't shoot the messenger (I am very passionate on this 
topic). The fact is unpatched zero day vulnerabilities exist on all z/OS 
mainframes. Don't take my word for this. Ask KRI's clients what their 
experience is with z/Assure VAP finding (probable) zero day integrity 
based code vulnerabilities. I say probable because the ISVs don't 
appear to share the integrity vulnerability details with anyone outside 
their respective organizations. They certainly do not share this 
information with Key Resources. So if the ISV takes longer than a couple 
of days to provide a patch it's likely they did not have one before the 
vulnerability was reported. Thus you can conclude that the vulnerability 
was a zero day.


Comment: If there were no unpatched security holes then IBM wouldn't 
need to release security PTFs to fix them.
Response: Correct. You only need to look at the patches provided by your 
ISVs (IBM, CA, BMC, Rocket. Sorry if I missed anyone!) and you will 
find security and/or integrity patches.


Comment: I would hope that it's a lot harder to find one than it used to be.
A: No, actually it is not. I started doing this in 2009. Key Resources' 
z/Assure VAP product regularly finds integrity based-code 
vulnerabilities. Most of these vulnerabilities appear to be zero day. As 
some people would consider my comments biased, don't take my word for 
it. Ask our clients if what I am saying is accurate.


Question: What zero-day vulnerabilities would there be? I’ve not heard 
of unpatched security holes in z/OS before.
Short answer: Conspiracy of Silence. Unless you are with the companies 
that find the vulnerability, work for the ISV support group, or are part 
of the ISV management or development teams you would never know about 
the vulnerability UNTIL you saw the patch on their patch portals. 
Patches normally contain no details about the vulnerability. This is how 
mainframe integrity based-code vulnerability management is done.  These 
vulnerabilities are NOT reported on the National Vulnerability Database.


Comment: Aside from of course, phishing and other attacks aimed at the users 
and not the machine itself.
Answer: Nothing to do with phishing and other attacks. I am referring to integrity 
based-code vulnerabilities. These vulnerabilities are in SVCs, PC routines, or APF. 
However, a good hacker will combine vulnerabilities to achieve their goal. The hacker 
wants to establish a beachhead in your network. From there they can traverse the network 
compromising systems until they get access to z/OS. With these integrity based-code 
vulnerabilities, once they are established and able to run work on z/OS they can elevate 
their credentials with an integrity based-code vulnerability and turn off logging. 
"Run work" would roughly translate to: a) FTP JCL to z/OS b) Logon to TSO or 
something similar c) Submit JCL through RJE or NJE (google metasploit NJE for attack 
vectors); there are documented attacks using this technique.

Feel free to contact me offline to continue this discussion.

Ray Overby

On 10/30/2018 7:43 PM, Seymour J Metz wrote:

If there were no unpatched security holes then IBM wouldn't need to release 
security PTFs to fix them. I would hope that it's a lot harder to find one than 
it used to be.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List  on behalf of Eric 
Verwijs 
Sent: Tuesday, October 30, 2018 10:59 AM
To: IBM-MAIN@listserv.ua.edu
Subject: eWEEK Article highlights weaknesses in Mainframe Security

http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security

What zero-day vulnerabilities would there be? I’ve not heard of unpatched 
security holes in Z/OS before.

Unless you are not properly managing your data, that is, limit access to 
confidential information, how would someone get it? Aside from of course, 
phishing and other attacks aimed at the users and not the machine itself.



 Regards,
 Eric Verwijs

Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation, Information 
and Technology Branch
Employment and Social Development Canada / Government

Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-31 Thread Seymour J Metz
Do you mean open systems or "open" systems? z/OS may be as vulnerable as a well 
secured Linux system, but I doubt that it is as vulnerable as a Windows system.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List  on behalf of 
Robyn Gilchrist 
Sent: Wednesday, October 31, 2018 8:56 AM
To: IBM-MAIN@listserv.ua.edu
Subject: Re: eWEEK Article highlights weaknesses in Mainframe Security

CNMEUNIX is the NetView Unix Command processor that allowed unauthorized access 
to UID(0), patched in 2012.  IBM HTTP Server (DGW Base) had a security red 
alert back in early 2013 but, as is IBM’s prerogative, they didn’t divulge the 
particulars of the exposure.

Ray opened my eyes to exactly how z vulnerabilities and exploits occur.  Not 
alleged vulnerabilities, numbers don’t lie.  This is computer science, after 
all.  Since our conversation, I haven’t viewed the z the same way.  I haven’t 
viewed IBM-MAIN the same way.

z is just as vulnerable as open systems, maybe more so with our … er … aging 
labor staff, years of neglect in admin practices, and the false sense of 
security we’ve enjoyed behind our firewalls, green screens and 370/390/z 
architecture.
I have a presentation about the Logica hack that I’ve done at a few RUGs (RACF 
User Groups).  The hack was technically impressive and a zero-day exploit was 
just one of many attack vectors.

https://www.rshconsulting.com/RSHpres/RSH_Consulting__Examining_Mainframe_Internet_Hack__October_2018.pdf

Robyn

Robyn E Gilchrist
Senior RACF and z/OS Technical Specialist
RSH Consulting, Inc.
617-977-9090
http://www.linkedin.com/in/robyn-e-gilchrist
http://www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAR 11-15, 2019
- RACF Level I Administration - DEC 4-7, 2018
- RACF Level II Administration - APR 1-5, 2019
- RACF Level III Admin, Audit, & Compliance - FEB 25 - MAR 1, 2019
- RACF - Securing z/OS UNIX  - FEB 11-15, 2019


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-31 Thread R.S.

On 2018-10-31 at 13:56, Robyn Gilchrist wrote:
[...]

z is just as vulnerable as open systems,

[...]
No, not *as open systems*.
BTW: z/OS is an open system, while Windows is not really open. So... ;-)))

--
Radoslaw Skorupka
Lodz, Poland




==

If you are not the addressee of this message:

- let us know by replying to this e-mail (thank you!),
- delete this message permanently (including all the copies which you have 
printed out or saved).
This message may contain legally protected information, which may be used 
exclusively by the addressee. Please be reminded that anyone who disseminates 
(copies, distributes) this message or takes any similar action, violates the 
law and may be penalised.

mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 
Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital 
City of Warsaw, 12th Commercial Division of the National Court Register, KRS 
025237, NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN 
169,248,488 as at 1 January 2018.


Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-31 Thread zMan
Any article that starts with:
 Big-hunk heavy-metal equipment made by IBM (Z Series) ...
is hard to take seriously.

On Wed, Oct 31, 2018 at 9:33 AM Allan Staller  wrote:

> Agreed!
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Arthur
> Sent: Tuesday, October 30, 2018 6:07 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: eWEEK Article highlights weaknesses in Mainframe Security
>
> On 30 Oct 2018 07:59:23 -0700, in bit.listserv.ibm-main
> (Message-ID:<
> 22f77f8ce1e2084ab5fdb5843a0ba2a191038...@mlem1865.hrdc-drhc.net>)
> frederick.verw...@hrsdc-rhdcc.gc.ca (Eric Verwijs) wrote:
>
> >http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security
> >
> >What zero-day vulnerabilities would there be? I've not heard of
> >unpatched security holes in Z/OS before.
>
> Note that near the top of the article it says: "In this eWEEK Data Point
> article, using industry information from Ray Overby, President and CEO of
> Key Resources, Inc." It was KRI that supposedly found the zero-day vulns.
>
> I think this is not so much an article as an ad for KRI.
>
> ::DISCLAIMER::
>
> --
> The contents of this e-mail and any attachment(s) are confidential and
> intended for the named recipient(s) only. E-mail transmission is not
> guaranteed to be secure or error-free as information could be intercepted,
> corrupted, lost, destroyed, arrive late or incomplete, or may contain
> viruses in transmission. The e mail and its contents (with or without
> referred errors) shall therefore not attach any liability on the originator
> or HCL or its affiliates. Views or opinions, if any, presented in this
> email are solely those of the author and may not necessarily reflect the
> views or opinions of HCL or its affiliates. Any form of reproduction,
> dissemination, copying, disclosure, modification, distribution and / or
> publication of this message without the prior written consent of authorized
> representative of HCL is strictly prohibited. If you have received this
> email in error please delete it and notify the sender immediately. Before
> opening any email and/or attachments, please check them for viruses and
> other defects.


-- 
zMan -- "I've got a mainframe and I'm not afraid to use it"


Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-31 Thread Allan Staller
Agreed!

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Arthur
Sent: Tuesday, October 30, 2018 6:07 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: eWEEK Article highlights weaknesses in Mainframe Security

On 30 Oct 2018 07:59:23 -0700, in bit.listserv.ibm-main
(Message-ID:<22f77f8ce1e2084ab5fdb5843a0ba2a191038...@mlem1865.hrdc-drhc.net>)
frederick.verw...@hrsdc-rhdcc.gc.ca (Eric Verwijs) wrote:

>http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security
>
>What zero-day vulnerabilities would there be? I've not heard of
>unpatched security holes in Z/OS before.

Note that near the top of the article it says: "In this eWEEK Data Point 
article, using industry information from Ray Overby, President and CEO of Key 
Resources, Inc." It was KRI that supposedly found the zero-day vulns.

I think this is not so much an article as an ad for KRI.


Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-31 Thread Robyn Gilchrist
CNMEUNIX is the NetView Unix Command processor that allowed unauthorized access 
to UID(0), patched in 2012.  IBM HTTP Server (DGW Base) had a security red 
alert back in early 2013 but, as is IBM’s prerogative, they didn’t divulge the 
particulars of the exposure.

Ray opened my eyes to exactly how z vulnerabilities and exploits occur.  Not 
alleged vulnerabilities, numbers don’t lie.  This is computer science, after 
all.  Since our conversation, I haven’t viewed the z the same way.  I haven’t 
viewed IBM-MAIN the same way.

z is just as vulnerable as open systems, maybe more so with our … er … aging 
labor staff, years of neglect in admin practices, and the false sense of 
security we’ve enjoyed behind our firewalls, green screens and 370/390/z 
architecture. 
I have a presentation about the Logica hack that I’ve done at a few RUGs (RACF 
User Groups).  The hack was technically impressive and a zero-day exploit was 
just one of many attack vectors.

https://www.rshconsulting.com/RSHpres/RSH_Consulting__Examining_Mainframe_Internet_Hack__October_2018.pdf

Robyn

Robyn E Gilchrist
Senior RACF and z/OS Technical Specialist
RSH Consulting, Inc.
617-977-9090
www.linkedin.com/in/robyn-e-gilchrist
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAR 11-15, 2019
- RACF Level I Administration - DEC 4-7, 2018
- RACF Level II Administration - APR 1-5, 2019
- RACF Level III Admin, Audit, & Compliance - FEB 25 - MAR 1, 2019
- RACF - Securing z/OS UNIX  - FEB 11-15, 2019



Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-31 Thread R.S.

On 2018-10-30 at 21:55, Charles Mills wrote:

+1 on the other replies so far.

The nature of zero-day vulnerabilities is that you have not heard of them 
before.

Is z/OS inherently perfect and immune to all possible vulnerabilities, 
including those resulting from customer error? Of course not!


True, but... What?
We already know there are security patches for z/OS (let's focus on one 
system), don't we?
It's also obvious that before a PTF is released the hole was not fixed, and 
there has to be some period of time between when the hole is found and when 
the PTF is ready and, even later, applied.

So... what?
What is the conclusion of the article?
Is z/OS less secure than, let's say, Windows or Linux?
Is z/OS as insecure as Windows?

Should one order some services from KRI immediately?
Is the article a form of KRI advertisement?
Is it advertisement based on FUD?
Is frightening people (who may or may not have technical knowledge) 
ethical?



My €0.02

--
Radoslaw Skorupka
Lodz, Poland





Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-31 Thread ITschak Mugzach
The risk landscape has changed. If you look at CVE for IBM products that
are based on GPL code, you will see many vulnerabilities. That's to say that
the mainframe is not immune against zero day attacks. Generally speaking,
many of the successful mainframe penetration stories are based on
mis-configured software. What makes it interesting is the fact that vendors
are shipping products with dangerous defaults.

ITschak

On Tue, Oct 30, 2018 at 10:56 PM Charles Mills  wrote:

> +1 on the other replies so far.
>
> The nature of zero-day vulnerabilities is that you have not heard of them
> before.
>
> Is z/OS inherently perfect and immune to all possible vulnerabilities,
> including those resulting from customer error? Of course not!
>
> Come to SHARE! Listen to the security presentations! Listen to Mark Wilson
> talk about pen testing assignments, and how he has never failed to get in
> within a few hours.
>
> Charles
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Eric Verwijs
> Sent: Tuesday, October 30, 2018 7:59 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: eWEEK Article highlights weaknesses in Mainframe Security
>
> http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security
>
> What zero-day vulnerabilities would there be? I’ve not heard of unpatched
> security holes in Z/OS before.
>
> Unless you are not properly managing your data, that is, limit access to
> confidential information, how would someone get it? Aside from of course,
> phishing and other attacks aimed at the users and not the machine itself.
>
>
>
> Regards,
> Eric Verwijs
>
> Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation,
> Information and Technology Branch
> Employment and Social Development Canada / Government of Canada
> frederick.verw...@hrsdc-rhdcc.gc.ca
> Telephone 819-654-0934
> Facsimile 819-654-1009
>


-- 
ITschak Mugzach
| IronSphere Platform | Information Security Contiguous Monitoring for Legacy |


Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-30 Thread Clark Morris
[Default] On 30 Oct 2018 16:19:45 -0700, in bit.listserv.ibm-main
ibmmain.10.ats...@xoxy.net (Arthur) wrote:

>On 30 Oct 2018 07:59:23 -0700, in bit.listserv.ibm-main 
>(Message-ID:<22f77f8ce1e2084ab5fdb5843a0ba2a191038...@mlem1865.hrdc-drhc.net>) 
>frederick.verw...@hrsdc-rhdcc.gc.ca (Eric Verwijs) wrote:
>
>>http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security
>>
>>What zero-day vulnerabilities would there be? I've not 
>>heard of unpatched security holes in Z/OS before.
>
>Note that near the top of the article it says: "In this 
>eWEEK Data Point article, using industry information from 
>Ray Overby, President and CEO of Key Resources, Inc." It 
>was KRI that supposedly found the zero-day vulns.
>
>I think this is not so much an article as an ad for KRI. 

As a former MVS systems programmer, I have always been somewhat
skeptical about the invulnerability of MVS and its successors.  I
don't know enough about VM to comment on it.  Is there a statement of
integrity for VSE, for TPF?  What are the ways someone can access the
z series if it is connected to the Internet?  What are the
vulnerabilities posed by trusted users?  Given that there are 256
gigabyte USB keys how much information can be stolen by people allowed
to log in?  Are test systems protected as well as production systems
and how many have some version of production data.  Building good sets
of coordinated test data is an expense that many organizations have
been unwilling to incur.  I know virtually nothing about KRI but that
isn't the only organization that has claimed to successfully penetrate
the mainframe.  Good security means that people have access only to
that which they need to do their jobs and for only as long as is
needed.  It means that usage is monitored.  Security is not simple and
authorized people have the ability to cause much harm.

Clark Morris

Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-30 Thread Arthur
On 30 Oct 2018 07:59:23 -0700, in bit.listserv.ibm-main 
(Message-ID:<22f77f8ce1e2084ab5fdb5843a0ba2a191038...@mlem1865.hrdc-drhc.net>) 
frederick.verw...@hrsdc-rhdcc.gc.ca (Eric Verwijs) wrote:



http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security

What zero-day vulnerabilities would there be? I've not 
heard of unpatched security holes in Z/OS before.


Note that near the top of the article it says: "In this 
eWEEK Data Point article, using industry information from 
Ray Overby, President and CEO of Key Resources, Inc." It 
was KRI that supposedly found the zero-day vulns.


I think this is not so much an article as an ad for KRI. 



Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-30 Thread Charles Mills
+1 on the other replies so far.

The nature of zero-day vulnerabilities is that you have not heard of them 
before.

Is z/OS inherently perfect and immune to all possible vulnerabilities, 
including those resulting from customer error? Of course not!

Come to SHARE! Listen to the security presentations! Listen to Mark Wilson talk 
about pen testing assignments, and how he has never failed to get in within a 
few hours.

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Eric Verwijs
Sent: Tuesday, October 30, 2018 7:59 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: eWEEK Article highlights weaknesses in Mainframe Security

http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security

What zero-day vulnerabilities would there be? I’ve not heard of unpatched 
security holes in z/OS before.

Unless you are not properly managing your data, that is, limiting access to 
confidential information, how would someone get it? Aside from, of course, 
phishing and other attacks aimed at the users and not the machine itself.



Regards,
Eric Verwijs

Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation, Information 
and Technology Branch
Employment and Social Development Canada / Government of Canada
frederick.verw...@hrsdc-rhdcc.gc.ca
Telephone 819-654-0934
Facsimile 819-654-1009




Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-30 Thread Lou Losee
Not just IBM, but any vendor that has a product that includes system level
code (APF authorized, Key 0 or supervisor state).

Lou
--
Artificial Intelligence is no match for Natural Stupidity
  - Unknown


On Tue, Oct 30, 2018 at 1:43 PM Seymour J Metz  wrote:

> If there were no unpatched security holes then IBM wouldn't need to
> release security PTFs to fix them. I would hope that it's a lot harder to
> find one than it used to be.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> 
> From: IBM Mainframe Discussion List  on behalf
> of Eric Verwijs 
> Sent: Tuesday, October 30, 2018 10:59 AM
> To: IBM-MAIN@listserv.ua.edu
> Subject: eWEEK Article highlights weaknesses in Mainframe Security
>
>
> http://secure-web.cisco.com/1cEGuBe_ZRQESR4kUXS7ShVfhPRr6RLxpO47vTAIYiTpY0Px4GzQAVFwbRnVRDSO88yQdYgZwS9NG2LhzWNCaA7jKdLghofcDczS2pS3jXM7QWTltrwO_G_rwXUyVhX6ZWsuHZY6BnoUE_A8HOWKsXNFwYvaiJjxToXSq6pYcfH4L-krJSWFPD-gLTdPf1R9xE7aoeN-_Hy7BnmgO9LtgBCAavC3aAT3sRoaplXe4Jxk4KcS3OamjQqK37nR0H3AW9MKFVQZaESyzWDzyrh9-zAveMhyg7Pwrf2PVRC_NVB9who4DKiu2x4w-qS9h0_TRcIsa8i7taFLNn3uRnvBXcyZED7CuE3hWLOKJRvH8PRslj5ZwVqdfDbfEYzbAKO_Abcu0TGiSQOS6nMco7sLYZ0Sl5rfVpSCkNmPODHPZmAoBPzLFjdZM7XhMXYE4faKg/http%3A%2F%2Fwww.eweek.com%2Fsecurity%2Ftaking-a-closer-look-at-mainframe-security
>
> What zero-day vulnerabilities would there be? I’ve not heard of unpatched
> security holes in z/OS before.
>
> Unless you are not properly managing your data, that is, limiting access to
> confidential information, how would someone get it? Aside from, of course,
> phishing and other attacks aimed at the users and not the machine itself.
>
>
>
> Regards,
> Eric Verwijs
>
> Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation,
> Information and Technology Branch
> Employment and Social Development Canada / Government of Canada
> frederick.verw...@hrsdc-rhdcc.gc.ca
> Telephone 819-654-0934
> Facsimile 819-654-1009
>
>


Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-30 Thread Seymour J Metz
If there were no unpatched security holes then IBM wouldn't need to release 
security PTFs to fix them. I would hope that it's a lot harder to find one than 
it used to be.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List  on behalf of 
Eric Verwijs 
Sent: Tuesday, October 30, 2018 10:59 AM
To: IBM-MAIN@listserv.ua.edu
Subject: eWEEK Article highlights weaknesses in Mainframe Security

http://secure-web.cisco.com/1cEGuBe_ZRQESR4kUXS7ShVfhPRr6RLxpO47vTAIYiTpY0Px4GzQAVFwbRnVRDSO88yQdYgZwS9NG2LhzWNCaA7jKdLghofcDczS2pS3jXM7QWTltrwO_G_rwXUyVhX6ZWsuHZY6BnoUE_A8HOWKsXNFwYvaiJjxToXSq6pYcfH4L-krJSWFPD-gLTdPf1R9xE7aoeN-_Hy7BnmgO9LtgBCAavC3aAT3sRoaplXe4Jxk4KcS3OamjQqK37nR0H3AW9MKFVQZaESyzWDzyrh9-zAveMhyg7Pwrf2PVRC_NVB9who4DKiu2x4w-qS9h0_TRcIsa8i7taFLNn3uRnvBXcyZED7CuE3hWLOKJRvH8PRslj5ZwVqdfDbfEYzbAKO_Abcu0TGiSQOS6nMco7sLYZ0Sl5rfVpSCkNmPODHPZmAoBPzLFjdZM7XhMXYE4faKg/http%3A%2F%2Fwww.eweek.com%2Fsecurity%2Ftaking-a-closer-look-at-mainframe-security

What zero-day vulnerabilities would there be? I’ve not heard of unpatched 
security holes in z/OS before.

Unless you are not properly managing your data, that is, limiting access to 
confidential information, how would someone get it? Aside from, of course, 
phishing and other attacks aimed at the users and not the machine itself.



Regards,
Eric Verwijs

Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation, Information 
and Technology Branch
Employment and Social Development Canada / Government of Canada
frederick.verw...@hrsdc-rhdcc.gc.ca
Telephone 819-654-0934
Facsimile 819-654-1009




Re: eWEEK Article highlights weaknesses in Mainframe Security

2018-10-30 Thread Lou Losee
Hi Eric,
The article is not talking about zero-day vulnerabilities with respect to
RACF or the other ESMs.  A prime example of the type of vulnerability the
article is referring to would be the recent discussion of the SVC that put
the caller into key-zero supervisor state.  A vulnerability like that can
occur also with SVCs or PCs that do not properly handle their parameters
and write to storage in key zero instead of in the caller's key.  There are
multiple examples but these are just two.

Lou
--
Artificial Intelligence is no match for Natural Stupidity
  - Unknown


On Tue, Oct 30, 2018 at 9:59 AM Eric Verwijs <
frederick.verw...@hrsdc-rhdcc.gc.ca> wrote:

> http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security
>
> What zero-day vulnerabilities would there be? I’ve not heard of unpatched
> security holes in z/OS before.
>
> Unless you are not properly managing your data, that is, limiting access to
> confidential information, how would someone get it? Aside from, of course,
> phishing and other attacks aimed at the users and not the machine itself.
>
>
>
> Regards,
> Eric Verwijs
>
> Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation,
> Information and Technology Branch
> Employment and Social Development Canada / Government of Canada
> frederick.verw...@hrsdc-rhdcc.gc.ca
> Telephone 819-654-0934
> Facsimile 819-654-1009
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
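
The parameter-handling flaw described in the message above, as a small C model added here (not code from the thread or from any vendor): a key-0 service stores through a caller-supplied address, first in its own key and then, hardened, under the caller's key. The frame layout, key values and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define NPAGES    4u

/* Constructed model: one storage key per 4K frame. Frames 0-1 hold
   system data (key 0); frames 2-3 belong to a key-8 caller. */
static const uint8_t frame_key[NPAGES] = { 0, 0, 8, 8 };
static uint8_t storage[NPAGES * PAGE_SIZE];

/* Key-controlled store: access key 0 matches every frame, any other key
   must equal the frame's key. Returns 0, or -1 for a protection exception. */
static int store_with_key(uint8_t access_key, uint32_t addr, uint8_t value)
{
    if (addr >= NPAGES * PAGE_SIZE) return -1;
    if (access_key != 0 && access_key != frame_key[addr / PAGE_SIZE]) return -1;
    storage[addr] = value;
    return 0;
}

/* Hypothetical key-0 service that writes a status byte to an address taken
   from the caller's parameter list. Flaw: the store runs in key 0, so the
   key check never sees the caller's authority. */
int svc_vulnerable(uint8_t caller_key, uint32_t out_addr)
{
    (void)caller_key;
    return store_with_key(0, out_addr, 0xFF);
}

/* Hardened form: the store is made under the caller's key, so an address
   the caller could not have written itself is rejected. */
int svc_hardened(uint8_t caller_key, uint32_t out_addr)
{
    return store_with_key(caller_key, out_addr, 0xFF);
}

uint8_t peek(uint32_t addr) { return storage[addr]; }

int main(void)
{
    uint32_t user_buf = 2 * PAGE_SIZE + 16, sys_area = 16; /* key-8 / key-0 frames */
    int ok = svc_hardened(8, user_buf);
    int blocked = svc_hardened(8, sys_area);
    int overwrote = svc_vulnerable(8, sys_area);
    printf("hardened:   own buffer rc=%d, system area rc=%d\n", ok, blocked);
    printf("vulnerable: system area rc=%d, byte now %02X\n", overwrote, (unsigned)peek(sys_area));
    return 0;
}
```

On z/Architecture the hardened pattern corresponds to making the move under the caller's key, for example with MVCDK, rather than in the service's own key 0.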


eWEEK Article highlights weaknesses in Mainframe Security

2018-10-30 Thread Eric Verwijs
http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security

What zero-day vulnerabilities would there be? I’ve not heard of unpatched 
security holes in z/OS before.

Unless you are not properly managing your data, that is, limiting access to 
confidential information, how would someone get it? Aside from, of course, 
phishing and other attacks aimed at the users and not the machine itself.



Regards,
Eric Verwijs

Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation, Information 
and Technology Branch
Employment and Social Development Canada / Government of Canada
frederick.verw...@hrsdc-rhdcc.gc.ca
Telephone 819-654-0934
Facsimile 819-654-1009

