It may be a more common exposure than I would have predicted.  I've run into
clients who have general read access to a high-level qualifier, let's say
SYS2.**, which sounds reasonable because SYS2 has lots of CLIST, load and
proc libs that all users need.  But then they drop a lot of other things in
there too; maybe SYS2.CA.ACF.** has the ACF2 database, or there's a SYS2
library where they store certificate keys.  No one stopped to think,
apparently, about what could go wrong with this.

No one needs read access to the security database.  In Top Secret, for
example, if I issue a command to list a user or permit access to a dataset,
the TSS started task looks at my authority to take that action and then does
it on its own authority.  During an installation or migration I can create
temporary access for the guy who's doing the work, set to expire
automatically after an agreed period of time (a fortnight, a month,
whatever), but that's it.  You could make an exception for the storage
manager if you really want to, but the security products even have their own
backup facilities so there just isn't much need for anyone to have read
access to the security database.

In the Swedish hack, the original stolen ID had read access to the RACF
database.  The hackers downloaded the database, then applied a dictionary
attack to it at their leisure, thus getting thousands of passwords not only
in that LPAR but in another one visited by the same users.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Ye knowe ek that in forme of speche is chaunge
Withinne a thousand yere, and wordes tho
That hadden pris, now wonder nyce and straunge
Us thinketh hem, and yit they spake hem so.
  -Geoffrey Chaucer, Troilus and Criseyde, Book 2, 22-25 */
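The SYS2.** situation above comes down to one question: for a given sensitive dataset, which profile does the security product actually pick, and what does that profile hand out to everybody? The following is an added example, not code from this thread or from any vendor. It models a simplified subset of RACF generic dataset-profile matching (assuming enhanced generic naming: `**` as a whole qualifier matches zero or more qualifiers, `*` as a whole qualifier matches exactly one, `*` inside a qualifier matches the rest of it, `%` matches one character), picks the most specific covering profile, and flags any sensitive dataset whose covering profile grants READ or better to every defined user through UACC or an ID(*) entry. All profile names, dataset names and access lists are constructed sample data.

```python
"""Find the covering dataset profile for each sensitive dataset and flag broad READ.

Added example (not from the IBM-MAIN thread). Simplified RACF generic naming:
'**' whole qualifier = zero or more qualifiers; '*' whole qualifier = one
qualifier; '*' inside a qualifier = rest of it; '%' = one character. When
several profiles match, the most specific wins: at the first differing position
a literal beats '%', which beats '*', which beats '**'. Sample data is constructed.
"""
from typing import Dict, List, Optional, Tuple

ACCESS_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

Profile = Tuple[str, str, Dict[str, str]]  # (name, UACC, access list: ID -> level)

# Constructed profile table: SYS2.** is open for READ, as in the post;
# SYS2.CA.ACF.** shadows it with UACC(NONE); SYS2.CERTS.** has UACC(NONE) but
# an ID(*) entry that quietly gives every defined user READ anyway.
PROFILES: List[Profile] = [
    ("SYS2.**", "READ", {"SYSPROG": "ALTER"}),
    ("SYS2.CA.ACF.**", "NONE", {"ACF2STC": "UPDATE", "SYSPROG": "ALTER"}),
    ("SYS2.CERTS.**", "NONE", {"*": "READ", "SYSPROG": "ALTER"}),
    ("SYS1.**", "READ", {"SYSPROG": "ALTER"}),
]

# Constructed list of datasets nobody should be able to read in general.
SENSITIVE = ["SYS2.CA.ACF.PRIMARY", "SYS2.CERTS.KEYRING", "SYS1.RACFDB.PRIMARY"]


def _qualifier_matches(pattern: str, qual: str) -> bool:
    """Match one dataset qualifier against one profile qualifier."""
    i = 0
    for pc in pattern:
        if pc == "*":
            return True          # '*' inside a qualifier eats the rest of it
        if i >= len(qual):
            return False
        if pc != "%" and pc != qual[i]:
            return False
        i += 1
    return i == len(qual)


def _match(pq: List[str], dq: List[str]) -> bool:
    if not pq:
        return not dq
    if pq[0] == "**":            # zero or more qualifiers
        return any(_match(pq[1:], dq[k:]) for k in range(len(dq) + 1))
    if not dq:
        return False
    return _qualifier_matches(pq[0], dq[0]) and _match(pq[1:], dq[1:])


def profile_matches(profile: str, dsn: str) -> bool:
    """True if the (generic or discrete) profile covers this dataset name."""
    return _match(profile.split("."), dsn.split("."))


def specificity_key(profile: str) -> List[tuple]:
    """Sort key: lexicographically smaller means more specific."""
    key: List[tuple] = []
    for qual in profile.split("."):
        if qual == "**":
            key.extend([(3,), (3,)])
        else:
            for ch in qual:
                key.append((1,) if ch == "%" else (2,) if ch == "*" else (0, ch))
        key.append((0, "."))
    return key


def best_profile(dsn: str, profiles: List[Profile]) -> Optional[Profile]:
    """The profile that would be used for this dataset, or None if none covers it."""
    matches = [p for p in profiles if profile_matches(p[0], dsn)]
    return min(matches, key=lambda p: specificity_key(p[0])) if matches else None


def effective_access(dsn: str, userid: str, groups: List[str],
                     profiles: List[Profile]) -> Tuple[Optional[str], str]:
    """(covering profile, level): highest of the user's and groups' own entries,
    else the ID(*) entry, else UACC. No covering profile is reported as NONE
    (assumes the system fails access to unprotected datasets)."""
    prof = best_profile(dsn, profiles)
    if prof is None:
        return None, "NONE"
    name, uacc, acl = prof
    named = [acl[who] for who in [userid, *groups] if who in acl]
    if named:
        return name, max(named, key=ACCESS_LEVELS.index)
    return name, acl.get("*", uacc)


def audit(sensitive: List[str], profiles: List[Profile],
          minimum: str = "READ") -> List[Tuple[str, Optional[str], str, str]]:
    """Flag sensitive datasets whose covering profile gives every defined user
    at least `minimum`, whether through UACC or an ID(*) entry."""
    findings = []
    for dsn in sensitive:
        prof = best_profile(dsn, profiles)
        if prof is None:
            findings.append((dsn, None, "NONE", "no covering profile"))
            continue
        name, uacc, acl = prof
        level, source = (acl["*"], "ID(*)") if "*" in acl else (uacc, "UACC")
        if ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index(minimum):
            findings.append((dsn, name, level, source))
    return findings


if __name__ == "__main__":
    for dsn, prof, level, source in audit(SENSITIVE, PROFILES):
        print(f"{dsn:24} covered by {prof!s:16} grants {level} to all via {source}")
```

Run against the constructed table, the ACF2 dataset is safe only because the more specific SYS2.CA.ACF.** profile shadows SYS2.**; drop that profile and it falls straight back to the READ everybody has on SYS2.**. The ID(*) case is the one audits most often miss: UACC(NONE) looks fine in a listing, yet the access list still hands READ to every defined user. A real review would feed this from an unload of the actual profiles rather than a hand-typed table, and would compare the result against the product's own authorization check rather than trusting the simplified matcher.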


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Tuesday, May 7, 2019 16:54
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: mainframe hacking "success stories"?

RACF database unprotected? That's not a properly secured system, any more
than one with default passwords is.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of
Knutson, Samuel <samuel.knut...@compuware.com>
Sent: Monday, May 6, 2019 3:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: mainframe hacking "success stories"?

The attacker created zero day exploits against z/OS in the wild allowing
escalation of privilege and proved difficult to dislodge even once
discovered.
Information available to the public supports this.  Phil Young has done a
good job of dissecting the hack.

Philip Young - Smashing the Mainframe for Fun and Prison Time
https://youtu.be/SjtyifWTqmc

And

How Hackers Breached a Government (and a Bank)
https://share.confex.com/share/124/webprogram/Handout/Session16982/How%20Hackers%20Breached%20a%20Government%20%28and%20a%20Bank%29.pdf

z/OS on IBM Z hardware is the most securable environment in the world but, as
public evidence supports, it was compromised.
It would seem fair to say the mainframe was hacked.

Best Regards,
Sam Knutson

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of
Bill Johnson
Sent: Monday, May 6, 2019 2:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: mainframe hacking "success stories"?

Exactly.


Sent from Yahoo Mail for iPhone


On Monday, May 6, 2019, 2:43 PM, ITschak Mugzach <imugz...@gmail.com> wrote:

Yes. Just logged on... And had access to all databases. This is how they were
caught. Too many queries per second.

On Mon, May 6, 2019, 21:17, Bill Johnson <
00000047540adefe-dmarc-requ...@listserv.ua.edu> wrote:

> The Pirate Bay hack acquired a valid mainframe userid and password off
> of a Microsoft laptop. In effect, not really a mainframe hack. He just
> logged on.
> https://badcyber.com/a-history-of-a-hacking/
>
> Sent from Yahoo Mail for iPhone
>
>
> On Monday, May 6, 2019, 1:21 PM, Charles Mills <charl...@mcn.org> wrote:
>
> #1: Noooooo. It was a legitimate mainframe hack (assuming you consider
> USS a legitimate part of the mainframe, which it has been for 20 years or
> so).
> It was an exploit of CGI buffer overrun.
>
> #2: It drives me nuts to hear mainframers explain away mainframe breaches.
> "It wasn't really a mainframe hack, they got in through USS." "It
> wasn't really a mainframe hack, they re-used a Windows password." "It
> wasn't really a mainframe hack ... whatever." If your CEO was standing
> in front of the press explaining how your company let x million credit
> card numbers go astray, would it matter HOW they got into your
> mainframe, or only that they DID?" If your mainframe is vulnerable to
> a USS hack, or a shared Windows password, or whatever, you need to fix
> THAT, or risk having to explain to your CEO why he got fired (like
> Target's) for letting all those credit card numbers go astray.
>
> Charles
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Bill Johnson
> Sent: Sunday, May 5, 2019 10:00 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: mainframe hacking "success stories"?
>
> Wasn’t really a mainframe hack. It was a laptop hack that acquired
> legitimate mainframe credentials.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>




