Thanks for all the responses. I wasn't aware of any vulnerabilities, patched or otherwise. I don't handle our mainframe's security, another department does that. Frightening.
Regards, Eric Verwijs Programmeur-analyste, RPC, SV et solutions de paiement - Direction générale de l'innovation, information et technologie Emploi et Développement social Canada / Gouvernement du Canada frederick.verw...@hrsdc-rhdcc.gc.ca Téléphone 819-654-0934 Télécopieur 819-654-1009 Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation, Information and Technology Branch Employment and Social Development Canada / Government of Canada frederick.verw...@hrsdc-rhdcc.gc.ca Telephone 819-654-0934 Facsimile 819-654-1009 -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Ray Overby Sent: November-01-18 2:35 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: eWEEK Article highlights weaknesses in Mainframe Security Disclamer: Don't shoot the messenger (I am very passionate on this topic). The fact is unpatched zero day vulnerabilities exist on all z/OS mainframe's. Don't take my word for this. Ask KRI's clients what their experience is with z/Assure VAP finding (probable) zero day integrity based code vulnerabilities. I say probable because the ISV's don't appear to share the integrity vulnerability details with anyone outside their respective organizations. They certainly do not share this information with Key Resources. So if the ISV takes longer than a couple of days to provide a patch its likely they did not have one before the vulnerability was reported. Thus you can conclude that the vulnerability was a zero day. Comment: If there were no unpatched security holes then IBM wouldn't need to release security PTFs to fix them. Response: Correct. You only need to look at the patches provided by your ISV's (IBM, CA, BMC, Rocket.... Sorry if I missed any one!) and you will find security and/or integrity patches. Comment: I would hope that it's a lot harder to find one than it used to be. A: No actually it is not. I started doing this in 2009. Key Resource's z/Assure VAP product regularly finds integrity based-code vulnerabilities. Most of these vulnerabilities appear to be zero day. As some people would consider my comments biased, don't take my word for it. Ask our clients if what I am saying is accurate. Question: What zero-day vulnerabilities would there be? I’ve not heard of unpatched security holes in z/OS before. Short answer: Conspiracy of Silence. Unless you are with the companies that find the vulnerability, work for the ISV support group, or are part of the ISV management or development teams you would never know about the vulnerability UNTIL you saw the patch on their patch portals. Patches normally contain no details about the vulnerability. This is how mainframe integrity based-code vulnerability management is done. These vulnerabilities are NOT reported on the National Vulnerability Database. Comment: Aside from of course, phishing and other attacks aimed at the users and not the machine itself. Answer: Nothing to do with phishing and other attacks. I am referring to integrity based-code vulnerabilities. These vulnerabilities are in SVC's, PC routines, or APF). However, a good hacker will combine vulnerabilities to achieve their goal. The hacker wants to establish a beach head in your network. From there they can traverse the network compromising system's until they get access to z/OS. With these integrity based-code vulnerabilities once they are established and able to run work on z/OS they can elevate their credentials with an integrity based-code vulnerabilities and turn off logging. "Run work" would roughly translate to: a) FTP JCL to z/OS b) Logon to TSO or something similar c) Submit JCL through RJE or NJE (google metasploit NJE for attach vectors)........there are documented attacks using this technique. Feel free to contact me offline to continue this discussion. Ray Overby On 10/30/2018 7:43 PM, Seymour J Metz wrote: > If there were no unpatched security holes then IBM wouldn't need to release > security PTFs to fix them. I would hope that it's a lot harder to find one > than it used to be. > > > -- > Shmuel (Seymour J.) Metz > http://mason.gmu.edu/~smetz3 > > ________________________________________ > From: IBM Mainframe Discussion List <IBM-MAIN@listserv.ua.edu> on behalf of > Eric Verwijs <frederick.verw...@hrsdc-rhdcc.gc.ca> > Sent: Tuesday, October 30, 2018 10:59 AM > To: IBM-MAIN@listserv.ua.edu > Subject: eWEEK Article highlights weaknesses in Mainframe Security > > http://secure-web.cisco.com/1cEGuBe_ZRQESR4kUXS7ShVfhPRr6RLxpO47vTAIYiTpY0Px4GzQAVFwbRnVRDSO88yQdYgZwS9NG2LhzWNCaA7jKdLghofcDczS2pS3jXM7QWTltrwO_G_rwXUyVhX6ZWsuHZY6BnoUE_A8HOWKsXNFwYvaiJjxToXSq6pYcfH4L-krJSWFPD-gLTdPf1R9xE7aoeN-_Hy7BnmgO9LtgBCAavC3aAT3sRoaplXe4Jxk4KcS3OamjQqK37nR0H3AW9MKFVQZaESyzWDzyrh9-zAveMhyg7Pwrf2PVRC_NVB9who4DKiu2x4w-qS9h0_TRcIsa8i7taFLNn3uRnvBXcyZED7CuE3hWLOKJRvH8PRslj5ZwVqdfDbfEYzbAKO_Abcu0TGiSQOS6nMco7sLYZ0Sl5rfVpSCkNmPODHPZmAoBPzLFjdZM7XhMXYE4faKg/http%3A%2F%2Fwww.eweek.com%2Fsecurity%2Ftaking-a-closer-look-at-mainframe-security > > What zero-day vulnerabilities would there be? I’ve not heard of unpatched > security holes in Z/OS before. > > Unless you are not properly managing your data, that is, limit access to > confidential information, how would someone get it? Aside from of course, > phishing and other attacks aimed at the users and not the machine itself. > > > > Regards, > Eric Verwijs > > Programmer-analyste, RPC, SV et solutions de paiement - Direction générale de > l'innovation, information et technologie > Emploi et Développement social Canada / Gouvernement du Canada > frederick.verw...@hrsdc-rhdcc.gc.ca > Téléphone 819-654-0934 > Télécopieur 819-654-1009 > > Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation, Information > and Technology Branch > Employment and Social Development Canada / Government of Canada > frederick.verw...@hrsdc-rhdcc.gc.ca > Telephone 819-654-0934 > Facsimile 819-654-1009 > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
