Hi All 

I completely agree with Phil - the issue is not whether the Mainframe is open 
to the Internet - it’s an issue of complacency vs. correct configuration. 
Too many C*O types are so focused on the availability aspect of CIA that they 
downplay the risks to the other aspects of that triad - particularly on Z.
Assuming z/OS is safe - does not make it so - and ignoring the various 
vulnerabilities (misconfiguration, under or mis-staffing, lack of controls, 
lack of SLCM/DLCM, lack of anything else that's required) - does not make 
them go away. 
This is not true in every case, but I too have seen TSO users with minimal 
capabilities "owning the system" - in under two hours. 
If you have security assessments regularly - you'll always find something. Your 
goal should be to make your external auditor work really hard to find what 
you've forgotten :-) 

MZ



-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Phil
Sent: Friday, August 28, 2015 8:26 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframes open to internet attacks?

Hi All, 

I’m actually the person interviewed in this (frankly overblown) article. 
Thankfully I had a chance to talk again about this project here: 
https://www.bostonglobe.com/ideas/2015/08/13/remote-corner-internet-art-sprouts/joPVVFqBnctHanbtUBLhzL/story.html

Radoslaw, I’m so glad you were able to attend one of my talks (was it the 
Skytalks or BSidesLV?). However, I think you misunderstood the point I was 
trying to make. I’ve constantly touted how stupid the information security 
industry has been in thinking mainframes were old and obsolete. See this 
article about one of my first talks from two years ago: 
http://www.darkreading.com/attacks-breaches/cutting-through-the-mystique-of-testing-the-mainframe/d/d-id/1140239
My story hasn’t really changed since. My toolset has, and participation is 
slowly increasing, but not fast enough. In fact, my co-speaker and I, at the 
most recent DEFCON, were making fun of the audience for not knowing what CICS 
was despite how important it likely was to their daily lives. 

On the topic of whether they are secure or not, that’s up to the implementation. 
I know of someone who claims ‘give me an account and I can own your mainframe’. 
He doesn’t do it through magical 0-days, he’s using misconfigurations and easy 
to access tools (for example, in one instance he found a surrogate profile for 
an account with system special open to everyone because it was an ‘emergency 
id’). But this is true of any platform. zLinux is just as secure as z/OS, if 
both are configured correctly. 

Finally, on to the ‘art project’ as I like to call it. Back, long ago, when I 
was on x.25 networks looking for things to play with I might encounter a screen 
like these. I just find them amazing and beautiful (and a little nostalgic to 
be honest). Having them be on the internet doesn’t really matter, if they are 
configured correctly. My assumption is that they are on the internet on purpose 
and are no different than a staff landing page (for example: 
https://fs.aircanada.ca/idp/SSO.saml2, 
I found this through literally 1 second on Google). 

If you want to see other interesting ‘things’ on the internet check out SHODAN’s 
Twitter feed for devices like ‘Lake Pumping Stations’ and ‘Skilift in France’: 
https://twitter.com/shodanhq

I realize this is likely way off-topic for this discussion list but feel free 
to email me if you have questions or concerns (or are interested in how I did 
it).

Phil


> On Aug 27, 2015, at 9:00 PM, IBM-MAIN automatic digest system 
> <lists...@listserv.ua.edu> wrote:
> 
> Date:    Thu, 27 Aug 2015 17:38:05 +0200
> From:    "R.S." <r.skoru...@bremultibank.com.pl 
> <mailto:r.skoru...@bremultibank.com.pl>>
> Subject: Re: Mainframes open to internet attacks?
> 
> On 2015-08-19 at 00:26, Robert Harrison wrote:
>>> From technologyreview.com:
>> 
>> http://www.technologyreview.com/news/540011/mainframe-computers-that-handle-our-most-sensitive-data-are-open-to-internet-attacks/
>> 
>> Really?
>> 
> What I understood from the lecture:
> a) mainframes are old, obsolete, but unfortunately sometimes still in 
> use - which is a sin.
> b) mainframes are insecure
> c) some mainframes are directly accessible from the Internet, by mistake of 
> course.
> 
> What I mean:
> a) & b) - IMHO obvious ;-)
> 
> c) IMHO it is a bad idea to make any system directly accessible from the 
> Internet. Mainframe, any kind of Unix, Linux, Windows...
> Some exceptions do apply but it's still platform-irrelevant. What is 
> relevant is the protocol. TN3270 over TLS/SSL is better than any kind of 
> telnet, etc.
> I'm aware of a mainframe z/OS installation which offers a free TSO account 
> to anyone.
> 
> BTW: There is plenty of other "open" stuff on the Net, for example 
> internet cameras. I mean CCTV installed in shops, lifts, etc. I saw a 
> webpage which collected such cameras, i.e. I saw a shoe shop in my city. 
> ;-)
> 
> --
> Radoslaw Skorupka
> Lodz, Poland
> 
> --
> This e-mail may contain legally privileged information of the Bank and is 
> intended solely for business use of the addressee. This e-mail may only be 
> received by the addressee and may not be disclosed to any third parties. If 
> you are not the intended addressee of this e-mail or the employee authorized 
> to forward it to the addressee, be advised that any dissemination, copying, 
> distribution or any other similar activity is legally prohibited and may be 
> punishable. If you received this e-mail by mistake please advise the sender 
> immediately by using the reply facility in your e-mail software and delete 
> permanently this e-mail including any copies of it either printed or saved to 
> hard drive.
> 
> mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 Warszawa, 
> www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital City of Warsaw, 
> XII Commercial Division of the National Court Register, entrepreneurs' register 
> number KRS 0000025237, NIP: 526-021-50-88. As of 01.01.2015 the share capital of 
> mBank S.A. (fully paid up) amounts to 168,840,228 zloty.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
