Re: Mainframe ransomware solution

Fri, 08 Oct 2021 08:18:37 -0700 

Hi Bob,
From what I recall, the bad guys had "READ" to the RACF Database. (It helps to have incompetent SecAdmin staff and auditors.) They downloaded it and then dictionary-attacked it easily, because there was no password limitation and there was no trivial-password-exclusion list. Also, NVAS had no security. That is, once in, the hackers could logon to any 3270 application from the main panel. 

Regards,
David

On 2021-10-08 10:54, Bob Bridges wrote:

The way I read in the long Polish article about the Logica hack, when I researched it back 
in 2013, is that there was speculation about USS and about an HTTP flaw, but the forensics 
folks in the end thought they probably got hold of a password in the good old-fashioned way 
and went from there.  They did indeed find and exploit USS configuration goofs.  And the 
HTTP flaw is real 
(https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2012-5955&data=04%7C01%7C%7Ccd9662019d7c471e41b208d98a6b83b3%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637693016700068298%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=URXCTpLeeXlb7WraJx2DMcyoy1AfPLKyhn3Nc1jECxQ%3D&reserved=0),
 but Logica's post-hack report doesn't mention it; so they, at least, didn't think it 
figured into the original break-in or in the culprits' activities afterward.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* I've never hated a man enough to give him his diamonds back.  -Zsa-Zsa Gabor 
*/

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Charles Mills
Sent: Thursday, October 7, 2021 18:49

Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came 
in through USS.")

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Bill Johnson
Sent: Thursday, October 7, 2021 3:21 PM

You’d have to be a poorly run shop to permit any of those to occur. Maybe 
that’s why mainframe hacks have actually never happened....

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


























					Reply via email to