Re: Mainframe ransomware solution
Sorry, Gil -- sorry that I was the one who derailed that thread into "war stories", and also because I'm with Phil: I enjoy them.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* While mathematicians often do not have much humility, we all have lots of experience with humiliation. -Dan Goldston, in his acceptance speech for the prestigious Cole Prize */

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Paul Gilmartin
Sent: Friday, October 15, 2021 13:08

I remember, wistfully, when there were fewer nostalgia threads.

--- On Mon, 11 Oct 2021 11:26:09 -0400, Phil Smith III wrote:
>Well, now that this thread has devolved into war stories (often the
>best part of a day's digest):

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Mainframe ransomware solution
LOL - A nostalgia post about nostalgia posts.

On 10/15/2021 10:08 AM, Paul Gilmartin wrote:
> I remember, wistfully, when there were fewer nostalgia threads.
Re: Mainframe ransomware solution
On Mon, 11 Oct 2021 11:26:09 -0400, Phil Smith III wrote:
>Well, now that this thread has devolved into war stories (often the best
>part of a day's digest):

I remember, wistfully, when there were fewer nostalgia threads.

-- gil
Re: Mainframe ransomware solution
Newfoundland? Ok, now for something ~completely~ off-topic: Back during 09-11, a lot of commercial flights were grounded for some days -- all over the world maybe, in Europe and the US for sure. A lot of transatlantic flights went to earth in Newfoundland, and hundreds or maybe thousands of passengers glutted all the hotels; there was no place to put them. Newfoundlanders took the overflow into their homes, fed them, sometimes entertained them. It was all the news at the time, here. I swore if I ever met a Newfie, I'd buy him dinner, as a ~very~ slight return on the karma earned. I have yet to pay off on that debt; it's accumulating interest. If you or your coworker ever happen by North Carolina...

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* While mathematicians often do not have much humility, we all have lots of experience with humiliation. -Dan Goldston, in his acceptance speech for the prestigious Cole Prize */

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of David Spiegel
Sent: Monday, October 11, 2021 10:44

This reminds me of a story from the early '90s, when I worked for a multi-national food company. (I actually worked for more than one.) One of the Help Desk guys decided to customize "his own" TPX screen. He made it say "Welcome to Hell". When I got in, I booted DOS (IBM PS/2 Model 70), started Windows 3.1 and then started PCOMM. As soon as I noticed the "greeting", I walked over to the Help Desk and nonchalantly asked Billy if he had customized anything since 17:00 the day before. He admitted to changing the greeting, but had no clue that he would be affecting 2,000 users coast to coast. After a string of blue words including "Lard Tunderin' Jeezus" (that's Newfoundland-speak for what we now call Whiskey Tango Foxtrot), he removed it. I pointed out to him that he was fortunate that I arrived before the president. He would've bought me a coffee, but we had free coffee at work, one of the perqs (a bad pun).
Re: Mainframe ransomware solution
I thought this was a mainframe mailing list...

About ten years ago, during security consultancy work I performed at a client shop, I noticed that CICS was not properly protected. I told the sysprog and the CIO what changes needed to be done, but the sysprog insisted that the system was secure. I got permission to teach him a lesson. I noticed that the connection to a partner company was not secure, so I called their sysprog and asked him to use the CRTE tran over this connection and disable a specific transaction. The local sysprog started getting calls from branch offices telling him that the function was not working. It took him some time to find that the transaction was disabled and to enable it. Immediately after, we asked the other sysprog to disable it again... We did this for a few cycles until we told him that his system had been penetrated from outside the organization and that his system was not secure.

ITschak

ITschak Mugzach | IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM I | z/VM coming soon

On Mon, Oct 11, 2021 at 5:23 PM Bob Bridges wrote:
> Managers have no sense of humour where it doesn't matter. Well, some managers.
>
> I still remember fondly my messing with a coworker's PC menu. I don't remember which menu system we were using at the time, but Roberto had found some little gag app that would display a blimp for a few seconds with your selected message scrolling across it. So while he was out I fixed up his menu so that when he fired up Word, it would 1) display the blimp ("Roberto is a doofus!"), 2) erase the blimp call from the Word menu option so it would look normal, and 3) start Word. The Harvard Graphics option would put the blimp back in his Word option. So until he figured out the pattern, it would display the blimp at seemingly random intervals, but whenever he looked at the Word option under the covers there was nothing there.
>
> I was also charmed by a (different) coworker who modified his copy of PC DOS; instead of "Bad command or file name", it said "Say what, hippo fingers?". I never bothered until just now to verify that those two messages are exactly the same length; I just assumed that his replacement was no longer than the official text.
>
> All very harmless. I guess I'm just not a serious hacker.
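The link ITschak describes is the kind of thing a CSD review catches before a partner does. As an added example (not ITschak's code and not from any post in this thread), the Python below reads DFHCSDUP-style DEFINE CONNECTION and DEFINE IPCONN text and flags links on which work routed in from the partner region (a CRTE session included) runs without the remote operator ever being authenticated. The sample definitions, link names, partner APPLIDs, host and port values are constructed; the rule it applies is that ATTACHSEC and USERAUTH default to LOCAL and SSL and BINDSECURITY default to NO when omitted, so a missing attribute counts as the weak value.

```python
import re

# Constructed DFHCSDUP-style definitions for illustration only; the link names,
# partner APPLIDs, hosts and ports are made up and do not come from the post.
# PRTA and PRTC are the weak links, PRTB and PRTD the hardened versions.
SAMPLE_CSD = """\
DEFINE CONNECTION(PRTA) GROUP(ISCGRP)
       NETNAME(PARTAPPL) ACCESSMETHOD(VTAM) PROTOCOL(APPC)
       ATTACHSEC(LOCAL) SECURITYNAME(PRTALINK)
DEFINE CONNECTION(PRTB) GROUP(ISCGRP)
       NETNAME(PARTBPPL) ACCESSMETHOD(VTAM) PROTOCOL(APPC)
       ATTACHSEC(VERIFY) BINDSECURITY(YES)
DEFINE IPCONN(PRTC) GROUP(ISCGRP)
       HOST(partner.example.com) PORT(1435)
       USERAUTH(LOCAL) SSL(NO)
DEFINE IPCONN(PRTD) GROUP(ISCGRP)
       HOST(partner.example.com) PORT(1436)
       USERAUTH(VERIFY) SSL(YES) LINKAUTH(CERTUSER)
"""

DEFINE_RE = re.compile(r"^\s*DEFINE\s+(CONNECTION|IPCONN)\((\w+)\)", re.M | re.I)
ATTR_RE = re.compile(r"(\w+)\(([^)]*)\)")


def parse_definitions(text):
    """Return one dict per CONNECTION/IPCONN definition: type, name, attrs.
    Attribute names and values are upper-cased so comparisons are case-free
    (HOST values lose their case too, which does not matter for this audit)."""
    defs = []
    heads = list(DEFINE_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        attrs = {k.upper(): v.strip().upper() for k, v in ATTR_RE.findall(body)}
        defs.append({"type": head.group(1).upper(),
                     "name": head.group(2).upper(),
                     "attrs": attrs})
    return defs


def audit_links(defs):
    """Flag links on which an attach request is not tied to an authenticated
    remote user. Missing attributes are treated as their CICS defaults, which
    are the weak values (ATTACHSEC, USERAUTH -> LOCAL; SSL, BINDSECURITY -> NO)."""
    findings = []
    for d in defs:
        a = d["attrs"]
        if d["type"] == "CONNECTION":
            if a.get("ATTACHSEC", "LOCAL") == "LOCAL":
                findings.append((d["name"], "ATTACHSEC(LOCAL): routed work runs under the "
                                 "link userid; the remote operator is never authenticated"))
            if a.get("BINDSECURITY", "NO") == "NO":
                findings.append((d["name"], "BINDSECURITY(NO): the partner's session bind "
                                 "is not authenticated"))
        else:  # IPCONN
            if a.get("USERAUTH", "LOCAL") == "LOCAL":
                findings.append((d["name"], "USERAUTH(LOCAL): routed work runs under the "
                                 "link userid; the remote operator is never authenticated"))
            if a.get("SSL", "NO") == "NO":
                findings.append((d["name"], "SSL(NO): link is in the clear and the partner "
                                 "is not authenticated by certificate"))
    return findings


def weak_links(text):
    """Sorted names of the links with at least one finding."""
    return sorted({name for name, _ in audit_links(parse_definitions(text))})


if __name__ == "__main__":
    for name, why in audit_links(parse_definitions(SAMPLE_CSD)):
        print(f"{name}: {why}")
```

Feed it the output of a DFHCSDUP LIST or EXTRACT of the groups that define your intersystem links. Fixing the link definition is only half of the job: with ATTACHSEC(LOCAL) everything arriving over the link runs as the link userid (SECURITYNAME, or the region's default user if none is given), so that userid's own RACF permissions decide what a partner can do. If it is permitted to CEMT in TCICSTRN and to SET TRANSACTION under command security in CCICSCMD, a LOCAL link is all a partner needs to disable a transaction the way the story describes.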
Re: Mainframe ransomware solution
Well, now that this thread has devolved into war stories (often the best part of a day's digest):

A friend working helpdesk once hacked an end-user's PROFILE EXEC on CMS so that every OTHER time he logged on, it would do something odd, forget what. User made SEVERAL trips between her* office and the helpdesk office before he finally let her in on the joke.

(Several things in that story that couldn't happen today: having a help desk, having it local, end-users on CMS, etc.)

*Prankster wasn't sexist; I believe both were men. I chose genders to make it clear which person was which.
Re: Mainframe ransomware solution
Hi Bob,

This reminds me of a story from the early '90s, when I worked for a multi-national food company. (I actually worked for more than one.) One of the Help Desk guys decided to customize "his own" TPX screen. He made it say "Welcome to Hell". When I got in, I booted DOS (IBM PS/2 Model 70), started Windows 3.1 and then started PCOMM. As soon as I noticed the "greeting", I walked over to the Help Desk and nonchalantly asked Billy if he had customized anything since 17:00 the day before. He admitted to changing the greeting, but had no clue that he would be affecting 2,000 users coast to coast. After a string of blue words including "Lard Tunderin' Jeezus" (that's Newfoundland-speak for what we now call Whiskey Tango Foxtrot), he removed it. I pointed out to him that he was fortunate that I arrived before the president. He would've bought me a coffee, but we had free coffee at work, one of the perqs (a bad pun).

Regards,
David

On 2021-10-11 10:22, Bob Bridges wrote:
> Managers have no sense of humour where it doesn't matter. Well, some managers.
>
> I still remember fondly my messing with a coworker's PC menu. I don't remember which menu system we were using at the time, but Roberto had found some little gag app that would display a blimp for a few seconds with your selected message scrolling across it. So while he was out I fixed up his menu so that when he fired up Word, it would 1) display the blimp ("Roberto is a doofus!"), 2) erase the blimp call from the Word menu option so it would look normal, and 3) start Word. The Harvard Graphics option would put the blimp back in his Word option. So until he figured out the pattern, it would display the blimp at seemingly random intervals, but whenever he looked at the Word option under the covers there was nothing there.
>
> I was also charmed by a (different) coworker who modified his copy of PC DOS; instead of "Bad command or file name", it said "Say what, hippo fingers?". I never bothered until just now to verify that those two messages are exactly the same length; I just assumed that his replacement was no longer than the official text.
>
> All very harmless. I guess I'm just not a serious hacker.
Re: Mainframe ransomware solution
Managers have no sense of humour where it doesn't matter. Well, some managers.

I still remember fondly my messing with a coworker's PC menu. I don't remember which menu system we were using at the time, but Roberto had found some little gag app that would display a blimp for a few seconds with your selected message scrolling across it. So while he was out I fixed up his menu so that when he fired up Word, it would 1) display the blimp ("Roberto is a doofus!"), 2) erase the blimp call from the Word menu option so it would look normal, and 3) start Word. The Harvard Graphics option would put the blimp back in his Word option. So until he figured out the pattern, it would display the blimp at seemingly random intervals, but whenever he looked at the Word option under the covers there was nothing there.

I was also charmed by a (different) coworker who modified his copy of PC DOS; instead of "Bad command or file name", it said "Say what, hippo fingers?". I never bothered until just now to verify that those two messages are exactly the same length; I just assumed that his replacement was no longer than the official text.

All very harmless. I guess I'm just not a serious hacker.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* While mathematicians often do not have much humility, we all have lots of experience with humiliation. -Dan Goldston, in his acceptance speech for the prestigious Cole Prize */

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of CM Poncelet
Sent: Sunday, October 10, 2021 22:23

This reminds me of someone at a Company I worked for, can't remember which, where some programmer had displayed a prompt for whatever to which an end-user replied "f*@k" - upon which the program then replied, "Your place or mine?" Needless to say, management was not amused by this and the programmer was given a "good talking to" if not then also put on "garden leave".
Re: Mainframe ransomware solution
This reminds me of someone at a Company I worked for, can't remember which, where some programmer had displayed a prompt for whatever to which an end-user replied "f*@k" - upon which the program then replied, "Your place or mine?" Needless to say, management was not amused by this and the programmer was given a "good talking to" if not then also put on "garden leave".

On 10/10/2021 15:52, PINION, RICHARD W. wrote:
> The only thing I ever put on a system, similar to that, was a TSO program
> which produced a crude picture of the one finger salute. You could put
> whatever message you wanted on the hand. Silly me, I had the program
> executing at TSO logon. Management was not amused.
Re: Mainframe ransomware solution
My ILRBIRS only had the picture, no text.

My favorite prank is the Cookie Monster written at MIT for Multics: <https://www.multicians.org/cookie.html>.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of PINION, RICHARD W. [rpin...@firsthorizon.com]
Sent: Sunday, October 10, 2021 10:52 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

The only thing I ever put on a system, similar to that, was a TSO program which produced a crude picture of the one finger salute. You could put whatever message you wanted on the hand. Silly me, I had the program executing at TSO logon. Management was not amused.
Re: Mainframe ransomware solution
The only thing I ever put on a system, similar to that, was a TSO program which produced a crude picture of the one finger salute. You could put whatever message you wanted on the hand. Silly me, I had the program executing at TSO logon. Management was not amused.

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Peter Sylvester
Sent: Sunday, October 10, 2021 9:36 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

On 08/10/2021 16:43, David Spiegel wrote:
> Hi R'Shmuel; AMV"SH,
> "... What about the Christmas Card Worm? ..."
>
> That was AFAIK on a VM system, not an MVS system.
>
> Regards,
> David

You could have "protected" the VM systems as much as you want, if a "friend" sends you an exec/script/clist and you execute it.

It was actually created as a small joke by a student at one of the EARN/BITNET nodes who did not see that it could escape from the site.

My old friend Helmut on the neighbour node detected "patient 0".

It rapidly entered VNET, which was shut down (to remove all copies, AFAIK); EARN/BITNET was saved by Eric Thomas by filtering in RSCS.

You had to execute it, a global social attack/joke, not like the other real worm in sendmail.

Peter Sylvester
Re: Mainframe ransomware solution
On 08/10/2021 16:43, David Spiegel wrote:
> Hi R'Shmuel; AMV"SH,
> "... What about the Christmas Card Worm? ..."
>
> That was AFAIK on a VM system, not an MVS system.
>
> Regards,
> David

You could have "protected" the VM systems as much as you want, if a "friend" sends you an exec/script/clist and you execute it.

It was actually created as a small joke by a student at one of the EARN/BITNET nodes who did not see that it could escape from the site.

My old friend Helmut on the neighbour node detected "patient 0".

It rapidly entered VNET, which was shut down (to remove all copies, AFAIK); EARN/BITNET was saved by Eric Thomas by filtering in RSCS.

You had to execute it, a global social attack/joke, not like the other real worm in sendmail.

Peter Sylvester
Re: Mainframe ransomware solution
On 8/10/2021 7:50 am, Tom Brennan wrote:
> I'll repeat what I always say about this. If I was hacking a mainframe I wouldn't start with the mainframe, I'd start with the sysprog or security admin's PC or Mac or email or phone or whatever. In that case it doesn't matter one bit how well the mainframe is protected internally.

Exactly! Even sophisticated malware such as Stuxnet infected its targets using USB thumb drives. It's not some magical network hacking like we see in those ridiculous movies with the 3D graphics and barking animated guard dogs.

One of my colleagues was working in the IBM OMVS development team when the Logica breach occurred. The bottom line is the attacker used a zero-day attack. Anyone that believes the mainframe is impervious to zero-day attacks is dangerously naive. The source code is on GitHub: https://github.com/mainframed/logica. The zero-day exploit was a REXX exec. There are also shell-injection exploits and all sorts of ingenious hacks.

It's also unfair to frame z/OS UNIX as the weak link just because of the Logica breach. I'm lucky enough to work with some very smart and highly experienced people and have heard very disconcerting stories about security exposures in vendor code. The magic SVCs have already been mentioned, but I've even heard anecdotes about stealing passwords from VTAM buffers.

And please stop with the political remarks. This seems to be the one place on earth I can go without reading about politics. A place where I can enjoy a 50+ post back-and-forth between Seymour and Gil, for example, without hearing one word about US politics.

> On 10/7/2021 3:21 PM, Bill Johnson wrote:
>> You'd have to be a poorly run shop to permit any of those to occur. Maybe that's why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
>>
>> On Thursday, October 7, 2021, 2:12 PM, Charles Mills wrote:
>>> And assuming you never make a mistake.
>>>
>>> Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.
>>>
>>> Charles
>>>
>>> -Original Message-
>>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Radoslaw Skorupka
>>> Sent: Wednesday, October 6, 2021 2:13 PM
>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>> Subject: Re: Mainframe ransomware solution
>>>
>>> On 05.10.2021 at 15:24, Tommy Tsui wrote:
>>>> Hi
>>>> Any shop implement mainframe ransomware solution can share? IBM seems has cyber vault to handle this. Is there any other solution available? Thanks for sharing
>>>
>>> Yes, we have such a solution. It is a combination of the following products:
>>> 1. z/OS
>>> 2. RACF
>>> 3. Professional staff
>>>
>>> Other means:
>>> - RACF backup
>>> - Safeguarded Copy and other vendors' solutions
>>> - audit procedures
>>>
>>> Note: all of the "solutions" marketed nowadays give you some cure *after the breach happened*. However, that means some problems. It is unlikely to restore with RPO=0. If you want RPO=0 then you should pay much more attention to prevention, which means ...no, NOT ANOTHER PRODUCT. Definitely first: professional staff, procedures, audit. And then maybe some tools. IBM Cyber Resiliency tools: Guardium, zSecure Suite, QRadar SIEM, Safeguarded Copy...
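Charles's list includes "fully understand APF on UNIX", and the z/OS UNIX side of APF is the one most shops never audit: a file with the APF extended attribute is as authorized as a member of an APF library, and program-controlled files get loaded into clean address spaces. As an added example, written for this page and not taken from any poster, the Python below reads an `ls -E` style listing and reports every file carrying the APF (a) or program-control (p) attribute that its group or the world can write to. The listing, the paths and the owners are constructed; the assumed field layout is the one z/OS `ls -E` prints (mode, a four-character extended-attribute field in the order a, p, s, l, link count, owner, group, size, date, name).

```python
# Constructed `ls -E` output for illustration; the field layout is assumed
# (mode, extended attributes, link count, owner, group, size, date, name)
# and the paths and owners are made up.
SAMPLE_LS_E = """\
-rwxr-xr-x  a-s-  1 BPXROOT  SYS1      48128 Mar  3 10:00 /usr/lpp/acme/bin/acmeauth
-rwxrwxr-x  a---  1 APPADM   APPDEV    20480 Mar  3 10:00 /u/appdev/bin/fixit
-rwxr-xrwx  -p--  1 APPADM   APPDEV    12288 Mar  3 10:00 /u/appdev/bin/daemon
-rw-rw-rw-  ----  1 USER1    GRP1        100 Mar  3 10:00 /u/user1/notes.txt
-rwxrwxrwx  a-s-  1 BPXROOT  SYS1       8192 Mar  3 10:00 /tmp/leftover
drwxrwxrwx  ----  2 BPXROOT  SYS1       8192 Mar  3 10:00 /tmp
"""


def parse_ls_e(listing):
    """Yield (mode, extattr, path) for each regular-file line of an `ls -E`
    listing. Only regular files can carry the APF/program-control attributes,
    so directories, symlinks and so on are skipped. The path is taken as the
    last field, so names with embedded blanks are not handled here."""
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].startswith("-"):
            continue
        yield parts[0], parts[1], parts[-1]


def tamperable_privileged_files(listing):
    """Files that are APF-authorized (a) or program-controlled (p) and that
    someone other than the owner can write to. Group or world write on such a
    file is a route to running code authorized no matter how well the MVS-side
    APF list and its libraries are protected."""
    findings = []
    for mode, ext, path in parse_ls_e(listing):
        apf = "a" in ext
        pc = "p" in ext
        if not (apf or pc):
            continue
        # mode string: type, then rwx for user (1-3), group (4-6), other (7-9)
        group_w = mode[5] == "w"
        world_w = mode[8] == "w"
        if group_w or world_w:
            findings.append({
                "path": path,
                "apf": apf,
                "program_control": pc,
                "writable_by": "world" if world_w else "group",
            })
    return findings


if __name__ == "__main__":
    for f in tamperable_privileged_files(SAMPLE_LS_E):
        flags = " ".join(n for n, on in (("APF", f["apf"]),
                                         ("PC", f["program_control"])) if on)
        print(f"{f['path']}: {flags}, {f['writable_by']}-writable")
```

On a real system the input would come from something like `find / -xdev -type f -exec ls -E {} \;` run in the z/OS shell, fed to this script in place of the constant. Two things to remember when reading the report: the bits are set with `extattr +a` and `extattr +p`, which need READ to BPX.FILEATTR.APF and BPX.FILEATTR.PROGCTL in the FACILITY class, so those two profiles are the next thing to review; and this check covers only the file system, so the APF library list itself (D PROG,APF) still needs the complementary check of who holds UPDATE on each data set in it.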
Re: Mainframe ransomware solution
Yes, that's the one. I can read a number of languages, but Polish isn't among them; I fed that article to Google Translate, and with a few bobbles it did a fair job. I remember a reference in the translation to the "FTP hotel", which I guessed means the FTP server, but for the most part the meaning was pretty obvious. The actual Logica report was written in Swinglish -- but it was good Swinglish, and anyway I worked 14 years at a Volvo company so it wasn't strange :).

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* There are two possible outcomes. If the result confirms the hypothesis, then you've made a measurement. If the result is contrary to the hypothesis, then you've made a discovery. -Enrico Fermi */

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Radoslaw Skorupka
Sent: Friday, October 8, 2021 14:15

Yes, I remember this article. I also read that in Polish. :-)
And at the time the whole police report was leaked. 200+ pages.
It was definitely impossible without an intercepted password and many configuration mistakes.
The HTTP vulnerability was also there, but it was not the way to hack in.

https://zaufanatrzeciastrona.pl/historia-pewnego-wlamania/ (still in Polish, inside links to several articles)

---
On 08.10.2021 at 16:54, Bob Bridges wrote:
> The way I read in the long Polish article about the Logica hack, when I researched it back in 2013, is that there was speculation about USS and about an HTTP flaw, but the forensics folks in the end thought they probably got hold of a password in the good old-fashioned way and went from there. They did indeed find and exploit USS configuration goofs. And the HTTP flaw is real (https://nvd.nist.gov/vuln/detail/CVE-2012-5955), but Logica's post-hack report doesn't mention it; so they, at least, didn't think it figured into the original break-in or in the culprits' activities afterward.
>
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Charles Mills
> Sent: Thursday, October 7, 2021 18:49
>
> Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.")
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
> Sent: Thursday, October 7, 2021 3:21 PM
>
> You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened
Re: Mainframe ransomware solution
I'm sort of intrigued by the notion of 'magical SVC'. I know it's a figure of speech, but I categorically disbelieve in magic.

For the whippersnappers among us, our beloved SDSF started out in the 1980s as an IUP--installed user program. Written as I understand it by a couple of IBM customer SEs. It was called Interactive Spool Facility; hence the ubiquity of the ISF prefix throughout the product. 'SDSF' was marketed by IBM and eventually--after strong customer demand--elevated to a Class 1 product with full Support Center involvement.

From the beginning, even as an IUP, SDSF needed to run APF authorized. That was accomplished by a 'magical SVC'. Customers were uncomfortable with that solution for the same reasons discussed in this thread. The solution attempted was to make some elaborate checks in the SVC to verify that it was in fact being issued by the IBM product. At some point the whole SVC strategy was abandoned. Modern SDSF no longer requires any magic SVC. I have not heard of any customer concern over the current implementation.

On Fri, Oct 8, 2021 at 11:15 AM Radoslaw Skorupka wrote:
> Yes, I remember this article. I also read that in Polish. :-)
> And at the time the whole police report was leaked. 200+ pages.
> It was definitely impossible without an intercepted password and many configuration mistakes.
> The HTTP vulnerability was also there, but it was not the way to hack in.
>
> https://zaufanatrzeciastrona.pl/historia-pewnego-wlamania/ (still in Polish, inside links to several articles)
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
> On 08.10.2021 at 16:54, Bob Bridges wrote:
>> The way I read in the long Polish article about the Logica hack, when I researched it back in 2013, is that there was speculation about USS and about an HTTP flaw, but the forensics folks in the end thought they probably got hold of a password in the good old-fashioned way and went from there. They did indeed find and exploit USS configuration goofs. And the HTTP flaw is real (https://nvd.nist.gov/vuln/detail/CVE-2012-5955), but Logica's post-hack report doesn't mention it; so they, at least, didn't think it figured into the original break-in or in the culprits' activities afterward.
>>
>> ---
>> Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
>>
>> /* I've never hated a man enough to give him his diamonds back. -Zsa-Zsa Gabor */
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List On Behalf Of Charles Mills
>> Sent: Thursday, October 7, 2021 18:49
>>
>> Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.")
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
>> Sent: Thursday, October 7, 2021 3:21 PM
>>
>> You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened

--
Skip Robinson
323-715-0595
Re: Mainframe ransomware solution
Yes, I remember this article. I also read that in Polish. :-)
And at the time the whole police report was leaked. 200+ pages.
It was definitely impossible without an intercepted password and many configuration mistakes.
The HTTP vulnerability was also there, but it was not the way to hack in.

https://zaufanatrzeciastrona.pl/historia-pewnego-wlamania/ (still in Polish, inside links to several articles)

--
Radoslaw Skorupka
Lodz, Poland

On 08.10.2021 at 16:54, Bob Bridges wrote:
> The way I read in the long Polish article about the Logica hack, when I researched it back in 2013, is that there was speculation about USS and about an HTTP flaw, but the forensics folks in the end thought they probably got hold of a password in the good old-fashioned way and went from there. They did indeed find and exploit USS configuration goofs. And the HTTP flaw is real (https://nvd.nist.gov/vuln/detail/CVE-2012-5955), but Logica's post-hack report doesn't mention it; so they, at least, didn't think it figured into the original break-in or in the culprits' activities afterward.
>
> ---
> Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
>
> /* I've never hated a man enough to give him his diamonds back. -Zsa-Zsa Gabor */
>
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Charles Mills
> Sent: Thursday, October 7, 2021 18:49
>
> Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.")
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
> Sent: Thursday, October 7, 2021 3:21 PM
>
> You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened
Re: Mainframe ransomware solution
Yes, an ID they got hold of -- my impression was that it was the original ID -- had read access to the RACF database. They downloaded it, and posted questions here and there about how RACF passwords are encrypted. Within a few days a new version of John the Ripper appeared, reworked for RACF. The forensics people ran that version on an unexceptional PC afterward, as a test, using a dictionary attack of course, and as I recall they said they got ten or twenty thousand passwords out of it in the first day or two, which of course gave them access to IDs on other LPARs as well.

I'm kind of surprised how often I find that a client thinks the admins need update access to the security database in order to do their job. Sometimes they even let me take it away; not always, my dire warnings notwithstanding. I'm more disturbed at how often a site has a rule giving everyone read access to SYS2.**, which often includes the security database along with everything else. I suppose they set it up that way in the beginning, "just to get things rolling", and never looked at it again.

About coming in through USS: When I first wrote up the report on the Logica hack for my then-employer, my Conclusions section started out with this confession:

    Overall, what I see is that the hackers got on through a stolen password (obtained no doubt through the usual means). Then they used OMVS to gain superuser access, UID(0), and go from there. My jaundiced notions of Unix security, and my prejudice in favor of MVS', are strengthened by this tale rather than weakened. The problem with this reaction is that I know nothing of Unix; really I should learn something about it before I conclude anything. And after all, since OMVS is a part of MVS, that makes Unix part of my responsibility, no?

I know more about OMVS security now, but not nearly enough.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* One of the justifications for democracy is that everyone's interest should be represented in government. But the homeowner who locks his door is looking out for his own interest just as much as the burglar who picks the lock, but not exactly in the same way. The voter who wants to keep his own money isn't seeking the same thing as the voter who wants the state to give him someone else's money. -Joseph Sobran */

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of David Spiegel
Sent: Friday, October 8, 2021 11:18

From what I recall, the bad guys had "READ" to the RACF Database. (It helps to have incompetent SecAdmin staff and auditors.) They downloaded it and then dictionary-attacked it easily, because there was no password limitation and there was no trivial-password-exclusion list. Also, NVAS had no security. That is, once in, the hackers could logon to any 3270 application from the main panel.

---
On 2021-10-08 10:54, Bob Bridges wrote:
> The way I read in the long Polish article about the Logica hack, when I researched it back in 2013, is that there was speculation about USS and about an HTTP flaw, but the forensics folks in the end thought they probably got hold of a password in the good old-fashioned way and went from there. They did indeed find and exploit USS configuration goofs. And the HTTP flaw is real...but Logica's post-hack report doesn't mention it; so they, at least, didn't think it figured into the original break-in or in the culprits' activities afterward.
>
> -----Original Message-----
> From: Charles Mills
> Sent: Thursday, October 7, 2021 18:49
>
> Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.")
>
> -----Original Message-----
> From: Bill Johnson
> Sent: Thursday, October 7, 2021 3:21 PM
>
> You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened
Re: Mainframe ransomware solution
On 10/8/2021 8:18 AM, David Spiegel wrote:
> From what I recall, the bad guys had "READ" to the RACF Database. (It helps to have incompetent SecAdmin staff and auditors.)

These days, one would be beyond negligent to ignore the warnings issued by the RACF_SENSITIVE_RESOURCES health check. (Was that available in 2013?) I assume all ESMs produce similar warnings:

| RACF Dataset Report                                                       |
|                                                                           |
| S Data Set Name                         Vol     UACC   Warn   ID*   User  |
| - ------------------------------------- ------- ------ ------ ----- ----- |
|   SYS2.RACF.DBPRIM                      MVSSY2  None   No                 |
|   SYS2.RACF.DBBACK                      MVSSY1  None   No                 |

--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/
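Bob's observation about a blanket SYS2.** profile and Ed's health-check listing come down to one question: which DATASET profile actually covers the RACF database, and what does that profile grant? The script below is an added example written for this page, not code from the thread, from IBM or from RACF. It runs a constructed set of RACF-style DATASET profiles (the two data set names from Ed's report, a hypothetical "just to get things rolling" SYS2.** profile with UACC(READ), and a couple of other made-up entries) through a simplified approximation of RACF generic-name matching and most-specific-profile selection, then flags the exposures the thread describes: UACC at READ or above, an ID(*) entry at READ or above, WARNING mode, or no profile at all. The matching rules and the specificity ranking are my simplification and are labelled as such in the code; for a real system the RACF_SENSITIVE_RESOURCES check and a SEARCH/LISTDSD against the live database remain the source of truth.

```python
"""Which DATASET profile covers each sensitive data set, and what does it grant?

Added example for this thread (not IBM or RACF code). Generic-name matching and
the most-specific-profile choice are a simplified approximation of RACF's rules.
"""
import re
from dataclasses import dataclass, field

# Access levels in RACF order, so "at least READ" is a numeric comparison.
ACCESS_ORDER = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


@dataclass
class DatasetProfile:
    name: str                                    # e.g. SYS2.** or SYS2.RACF.DBPRIM
    uacc: str = "NONE"                           # universal access (UACC)
    warning: bool = False                        # WARNING mode: violation logged, access granted
    permits: dict = field(default_factory=dict)  # access list; key "*" stands for ID(*)

    @property
    def is_generic(self) -> bool:
        return any(c in self.name for c in "%*")


def racf_pattern_to_regex(pattern: str) -> str:
    """Simplified generic naming (assumption, modelled on enhanced generic naming):
    % = one character in a qualifier, * = any characters in a qualifier,
    ** = zero or more whole qualifiers."""
    quals = pattern.upper().split(".")
    out = ""
    for i, q in enumerate(quals):
        if q == "**":
            if len(quals) == 1:
                out += r"[^.]+(?:\.[^.]+)*"
            elif i == 0:
                out += r"(?:[^.]+\.)*"        # leading **: qualifiers each followed by a dot
            else:
                out += r"(?:\.[^.]+)*"        # ** absorbs the dot before each qualifier
            continue
        if i > 0 and not (i == 1 and quals[0] == "**"):
            out += r"\."
        for ch in q:
            out += {"%": r"[^.]", "*": r"[^.]*"}.get(ch, re.escape(ch))
    return "^" + out + "$"


def matches(profile: DatasetProfile, dsname: str) -> bool:
    if not profile.is_generic:
        return profile.name.upper() == dsname.upper()
    return re.match(racf_pattern_to_regex(profile.name), dsname.upper()) is not None


def specificity(profile: DatasetProfile) -> tuple:
    """Sort key approximating RACF's most-specific-profile rule (assumption):
    a discrete profile wins, then the most literal characters, then the fewest **."""
    literal = sum(1 for c in profile.name if c not in "%*")
    return (not profile.is_generic, literal, -profile.name.count("**"))


def covering_profile(profiles, dsname):
    """The profile RACF would use for dsname, or None if nothing matches."""
    candidates = [p for p in profiles if matches(p, dsname)]
    return max(candidates, key=specificity) if candidates else None


def audit(profiles, sensitive):
    """One finding per sensitive data set: the covering profile and any exposures."""
    findings = []
    for ds in sensitive:
        p = covering_profile(profiles, ds)
        issues = []
        if p is None:
            issues.append("no profile: open unless SETROPTS PROTECTALL(FAILURES) is active")
        else:
            if ACCESS_ORDER[p.uacc] >= ACCESS_ORDER["READ"]:
                issues.append(f"UACC({p.uacc}) on {p.name} lets every user read it")
            star = p.permits.get("*", "NONE")
            if ACCESS_ORDER[star] >= ACCESS_ORDER["READ"]:
                issues.append(f"ID(*) {star} on {p.name} lets every RACF-defined user read it")
            if p.warning:
                issues.append(f"{p.name} is in WARNING mode: access is granted and only logged")
        findings.append({"dataset": ds, "profile": p.name if p else None, "issues": issues})
    return findings


# Constructed sample: the two RACF data set names from Ed's report, a hypothetical
# "just to get things rolling" SYS2.** profile, and two other made-up entries.
SAMPLE_PROFILES = [
    DatasetProfile("SYS2.**", uacc="READ"),
    DatasetProfile("SYS2.RACF.DBBACK", warning=True),
    DatasetProfile("SYS1.PARMLIB", permits={"SYSPROG": "UPDATE"}),
]
SENSITIVE = ["SYS2.RACF.DBPRIM", "SYS2.RACF.DBBACK", "SYS1.PARMLIB", "SYS1.UADS"]

if __name__ == "__main__":
    for f in audit(SAMPLE_PROFILES, SENSITIVE):
        status = "OK" if not f["issues"] else "EXPOSED"
        print(f"{f['dataset']:<18} {f['profile'] or '(none)':<18} {status}")
        for issue in f["issues"]:
            print("    -", issue)
```

Run as-is, the sample shows the pattern Bob describes: SYS2.RACF.DBPRIM has no profile of its own, so the catch-all SYS2.** with UACC(READ) is what governs it, while SYS2.RACF.DBBACK has a discrete profile with UACC(NONE) that is nevertheless in WARNING mode and therefore enforces nothing. Swapping in the profile list from your own shop (LISTDSD output, or the sensitive-resource report) is the intended use.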
Re: Mainframe ransomware solution
Exactly right.

Sent from Yahoo Mail for iPhone

On Friday, October 8, 2021, 8:54 AM, Bob Bridges wrote:
> The way I read in the long Polish article about the Logica hack, when I researched it back in 2013, is that there was speculation about USS and about an HTTP flaw, but the forensics folks in the end thought they probably got hold of a password in the good old-fashioned way and went from there. They did indeed find and exploit USS configuration goofs. And the HTTP flaw is real (https://nvd.nist.gov/vuln/detail/CVE-2012-5955), but Logica's post-hack report doesn't mention it; so they, at least, didn't think it figured into the original break-in or in the culprits' activities afterward.
>
> ---
> Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
>
> /* I've never hated a man enough to give him his diamonds back. -Zsa-Zsa Gabor */
>
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Charles Mills
> Sent: Thursday, October 7, 2021 18:49
>
> Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.")
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
> Sent: Thursday, October 7, 2021 3:21 PM
>
> You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened
Re: Mainframe ransomware solution
Dude, you need to quit being a lemming afraid to challenge the know it alls. Oh wait.

Sent from Yahoo Mail for iPhone

On Friday, October 8, 2021, 8:34 AM, zMan wrote:
> And you were. In those exchanges, that makes one of you.
>
> On Thu, Oct 7, 2021 at 9:00 PM Charles Mills wrote:
>> Sincere apologies. I was trying to be constructive.
>> Bill, you need to put the crack pipe down.
Re: Mainframe ransomware solution
Hi Bob,

From what I recall, the bad guys had "READ" to the RACF Database. (It helps to have incompetent SecAdmin staff and auditors.) They downloaded it and then dictionary-attacked it easily, because there was no password limitation and there was no trivial-password-exclusion list. Also, NVAS had no security. That is, once in, the hackers could logon to any 3270 application from the main panel.

Regards,
David

On 2021-10-08 10:54, Bob Bridges wrote:
> The way I read in the long Polish article about the Logica hack, when I researched it back in 2013, is that there was speculation about USS and about an HTTP flaw, but the forensics folks in the end thought they probably got hold of a password in the good old-fashioned way and went from there. They did indeed find and exploit USS configuration goofs. And the HTTP flaw is real (https://nvd.nist.gov/vuln/detail/CVE-2012-5955), but Logica's post-hack report doesn't mention it; so they, at least, didn't think it figured into the original break-in or in the culprits' activities afterward.
>
> ---
> Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
>
> /* I've never hated a man enough to give him his diamonds back. -Zsa-Zsa Gabor */
>
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Charles Mills
> Sent: Thursday, October 7, 2021 18:49
>
> Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.")
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
> Sent: Thursday, October 7, 2021 3:21 PM
>
> You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened
Re: Mainframe ransomware solution
The way I read in the long Polish article about the Logica hack, when I researched it back in 2013, is that there was speculation about USS and about an HTTP flaw, but the forensics folks in the end thought they probably got hold of a password in the good old-fashioned way and went from there. They did indeed find and exploit USS configuration goofs. And the HTTP flaw is real (https://nvd.nist.gov/vuln/detail/CVE-2012-5955), but Logica's post-hack report doesn't mention it; so they, at least, didn't think it figured into the original break-in or in the culprits' activities afterward.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* I've never hated a man enough to give him his diamonds back. -Zsa-Zsa Gabor */

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Charles Mills
Sent: Thursday, October 7, 2021 18:49

Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.")

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 3:21 PM

You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened
Re: Mainframe ransomware solution
Still a mainframe, and the demonstration of MVS at SHARE was certainly MVS.

What was security like on TSS/360 and TSS/370?

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of David Spiegel [dspiegel...@hotmail.com]
Sent: Friday, October 8, 2021 10:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

Hi R'Shmuel; AMV"SH,

"... What about the Christmas Card Worm? ..."

That was AFAIK on a VM system, not an MVS system.

Regards,
David

On 2021-10-08 10:35, Seymour J Metz wrote:
> Historically, there have been many poorly run shops. Prior to MVS, older systems were wide open and even systems with storage protection were Swiss cheeses.
>
> 07F0
> 0A0C
>
> Didn't somebody delete an unsecured system data set during IBM's MVS demonstration at SHARE? What about the Christmas Card Worm?
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Bill Johnson [0047540adefe-dmarc-requ...@listserv.ua.edu]
> Sent: Thursday, October 7, 2021 6:21 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
>
> Sent from Yahoo Mail for iPhone
>
> On Thursday, October 7, 2021, 2:12 PM, Charles Mills wrote:
>> And assuming you never make a mistake. Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.
>>
>> Charles
Re: Mainframe ransomware solution
Hi R'Shmuel; AMV"SH,

"... What about the Christmas Card Worm? ..."

That was AFAIK on a VM system, not an MVS system.

Regards,
David

On 2021-10-08 10:35, Seymour J Metz wrote:
> Historically, there have been many poorly run shops. Prior to MVS, older systems were wide open and even systems with storage protection were Swiss cheeses.
>
> 07F0
> 0A0C
>
> Didn't somebody delete an unsecured system data set during IBM's MVS demonstration at SHARE? What about the Christmas Card Worm?
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Bill Johnson [0047540adefe-dmarc-requ...@listserv.ua.edu]
> Sent: Thursday, October 7, 2021 6:21 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
>
> Sent from Yahoo Mail for iPhone
>
> On Thursday, October 7, 2021, 2:12 PM, Charles Mills wrote:
>> And assuming you never make a mistake. Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.
>>
>> Charles
Re: Mainframe ransomware solution
IMO you were doing fine, Mr Mills. The only thing I might suggest is that you let unearned obstreporosity drop off into the void unnoticed. In addition to being more fun for lurkers who don't care to read such exchanges, surely that'd be more frustrating to anyone hoping for a quarrel (whoever that might be).

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* I'd still be slaving away at a desk for another 25 years if people backed up [their computer data] and kept a cool head. -Ross Greenberg, a pioneer in IBM PC antivirus software who went into semi-retirement in his mid-30s */

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Charles Mills
Sent: Thursday, October 7, 2021 21:00

Sincere apologies. I was trying to be constructive.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Farley, Peter x23353
Sent: Thursday, October 7, 2021 5:34 PM

I don't know about the others on the list, but I am a tad tired of this and other rounds of sniping between Mr. Johnson and Mr. Mills.
Re: Mainframe ransomware solution
Historically, there have been many poorly run shops. Prior to MVS, older systems were wide open and even systems with storage protection were Swiss cheeses.

07F0
0A0C

Didn't somebody delete an unsecured system data set during IBM's MVS demonstration at SHARE? What about the Christmas Card Worm?

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Bill Johnson [0047540adefe-dmarc-requ...@listserv.ua.edu]
Sent: Thursday, October 7, 2021 6:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.

Sent from Yahoo Mail for iPhone

On Thursday, October 7, 2021, 2:12 PM, Charles Mills wrote:
> And assuming you never make a mistake. Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.
>
> Charles
Re: Mainframe ransomware solution
And you were. In those exchanges, that makes one of you.

On Thu, Oct 7, 2021 at 9:00 PM Charles Mills wrote:
> Sincere apologies. I was trying to be constructive.
> Bill, you need to put the crack pipe down.
Re: Mainframe ransomware solution
My understanding is that most security breaches are either inside jobs or involve social engineering. Procedural and technological measures are absolutely necessary, but they are not enough.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Tom Brennan [t...@tombrennansoftware.com]
Sent: Thursday, October 7, 2021 7:50 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

I'll repeat what I always say about this. If I was hacking a mainframe I wouldn't start with the mainframe, I'd start with the sysprog or security admin's PC or Mac or email or phone or whatever. In that case it doesn't matter one bit how well the mainframe is protected internally.

And please stop with the political remarks. This seems to be the one place on earth I can go without reading about politics. A place where I can enjoy a 50+ post back-and-forth between Seymour and Gil, for example, without hearing one word about US politics.
Re: Mainframe ransomware solution
PPTT, unless you consider training to be part of process. Training should include periodic training on changes.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Filip Palian [s3...@pjwstk.edu.pl]
Sent: Friday, October 8, 2021 12:55 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

From the information security perspective there's a well-known confidentiality, integrity and availability (CIA) triad. However, the overall security posture of an organisation is dependent on the following three key areas: people, process, technology (PPT). The majority of breaches/risks can be prevented/mitigated by addressing essentials (e.g. capable staff, awareness training, well documented and communicated processes, technology/security controls etc.). As always, a multifaceted approach is required to address security holistically. Relying solely on technology/products is simply a no go/not enough.

Fri, 8 Oct 2021 at 11:59, Charles Mills wrote:
> Sincere apologies. I was trying to be constructive.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Farley, Peter x23353
> Sent: Thursday, October 7, 2021 5:34 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> I don't know about the others on the list, but I am a tad tired of this and other rounds of sniping between Mr. Johnson and Mr. Mills.
Re: Mainframe ransomware solution
I've been at multiple shops that had magic SVCs. At one shop that had two, I was allowed to remove one but not the other. In one shop where I discovered an error in the authentication code, I was ordered not to mention it to the auditors. I naively expected such things to die with the advent of APF, but they're still out there, due to decades of inertia.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Radoslaw Skorupka [r.skoru...@hotmail.com]
Sent: Friday, October 8, 2021 7:40 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

The first part of my answer was kind of a joke. Wasn't it clear? The second part provided some means, products and opinions.

Regarding magic SVCs - I have *never* found any. Yes, I met and fixed some other mistakes you mentioned. And yes, such a point should be on the auditor's checklist. And yes, people tend to make mistakes. That's why I mentioned audit as an important part of the picture. And it is a good idea to have redundant protections whenever possible. That's why we have encrypted datasets. Not because RACF sucks. And at the end we may have Safeguarded Copy or the Dell/EMC solution.

--
Radoslaw Skorupka
Lodz, Poland

On 08.10.2021 at 00:47, Charles Mills wrote:
> I don't know, but what the professional Pen Testers tell me is that they never fail to find things like that.
>
> I've never met any group that never made a mistake, never had an "oops," never "missed something."
>
> Magic SVCs were widespread until recently. Has every single one vanished?
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
> Sent: Thursday, October 7, 2021 3:21 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> You'd have to be a poorly run shop to permit any of those to occur. Maybe that's why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
>
> On Thursday, October 7, 2021, 2:12 PM, Charles Mills wrote:
>
> And assuming you never make a mistake. Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Radoslaw Skorupka
> Sent: Wednesday, October 6, 2021 2:13 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> On 05.10.2021 at 15:24, Tommy Tsui wrote:
>> Hi
>> Any shop that implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available? Thanks for sharing
>
> Yes, we have such a solution.
> This is a combination of the following products:
> 1. z/OS
> 2. RACF
> 3. Professional staff
>
> Other means:
> RACF
> backup
> Safeguarded Copy and other vendors' solutions
> audit
> procedures
>
> Note: all of the "solutions" marketed nowadays give you some cure *after a breach happened*. However that means some problems. It is unlikely to restore with RPO=0. If you want RPO=0 then you should pay much more attention to prevention, which means ...no, NOT ANOTHER PRODUCT. Definitely first: professional staff, procedures, audit. And then maybe some tools.
> IBM Cyber Resiliency tools: Guardium, zSecure Suite, QRadar SIEM, Safeguarded Copy...
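The checks Charles Mills lists above (an unprotected APF data set, a Rexx PDS used by privileged users but modifiable by others) are the kind of thing an auditor's checklist can mechanise. The following is an added example, not code from the thread or from any IBM product: it runs those two checks over a constructed snapshot of an APF list and a handful of RACF DATASET profiles. The data set names, groups, profiles and the simplified generic-profile matcher are all assumptions; real input would come from an APF list display and an unloaded RACF database.

```python
"""APF / exec-library exposure check over a constructed snapshot.
Added example, not from the IBM-MAIN thread or any IBM product."""
from collections import namedtuple

# RACF access levels in increasing order of privilege.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

Finding = namedtuple("Finding", "dataset issue")


def profile_matches(profile, dsn):
    """Minimal matcher: an exact name, or a '<prefix>.**' generic profile.
    Real RACF generic matching is richer; this is a deliberate simplification."""
    if profile.endswith(".**"):
        return dsn.startswith(profile[:-2])  # keeps the trailing '.'
    return profile == dsn


def covering_profile(profiles, dsn):
    """Most specific (longest) matching profile name, or None.
    Assumption: PROTECTALL is not active, so an uncovered data set is unprotected."""
    matches = [p for p in profiles if profile_matches(p, dsn)]
    return max(matches, key=len) if matches else None


def writable_by_others(profile, privileged):
    """Yield (who, level) pairs granting UPDATE or higher to anyone outside the
    privileged set, including the universal access UACC."""
    if ACCESS_RANK[profile["uacc"]] >= ACCESS_RANK["UPDATE"]:
        yield "UACC", profile["uacc"]
    for who, level in profile["permits"].items():
        if who not in privileged and ACCESS_RANK[level] >= ACCESS_RANK["UPDATE"]:
            yield who, level


def audit(datasets, profiles, privileged):
    """Flag data sets that are uncovered or writable outside the privileged set."""
    findings = []
    for dsn in datasets:
        name = covering_profile(profiles, dsn)
        if name is None:
            findings.append(Finding(dsn, "no covering profile"))
            continue
        for who, level in writable_by_others(profiles[name], privileged):
            findings.append(Finding(dsn, f"{who} has {level} via profile {name}"))
    return findings


# --- constructed sample snapshot (hypothetical names) --------------------
APF_LIST = ["SYS1.LINKLIB", "SYS1.LPALIB", "VENDOR.APF.LOAD", "TEST.APF.LOAD"]
# Exec libraries in the SYSEXEC concatenation of privileged TSO users.
PRIV_EXEC_LIBS = ["SYSPROG.REXX.EXEC"]
PRIVILEGED_GROUPS = {"SYSPROG", "RACFADM"}
PROFILES = {
    "SYS1.**":         {"uacc": "READ",   "permits": {"SYSPROG": "ALTER", "DEVTEAM": "UPDATE"}},
    "VENDOR.APF.**":   {"uacc": "UPDATE", "permits": {}},
    "SYSPROG.REXX.**": {"uacc": "UPDATE", "permits": {"SYSPROG": "ALTER"}},
}


def audit_snapshot():
    """Run the APF-library check and the privileged-exec-library check."""
    return (audit(APF_LIST, PROFILES, PRIVILEGED_GROUPS)
            + audit(PRIV_EXEC_LIBS, PROFILES, PRIVILEGED_GROUPS))


if __name__ == "__main__":
    for f in audit_snapshot():
        print(f"{f.dataset:<20} {f.issue}")
```

The snapshot yields five findings: both SYS1 libraries are writable by the non-privileged DEVTEAM group through the generic profile, VENDOR.APF.LOAD has UACC(UPDATE), TEST.APF.LOAD has no profile at all, and the sysprogs' Rexx library is writable by anyone. The same permits for SYSPROG itself are not reported, which is the point of separating "privileged" from "everyone else" in the check.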
Re: Mainframe ransomware solution
I'm not an IBM expert, but...

1. This is a bad or not-followed procedure. BTW: I made it impossible in my shop, since day 0. It was never ever possible to get a new password on production without the procedure. The procedure was inconvenient, more time consuming compared to a call, but it wasn't bypassed. And yes, password resets were thoroughly audited since day 1. And all shouting managers were answered that we would react as quickly as possible, but still according to the procedure.

2. MFA would make it impossible. MFA is an additional cost, it is inconvenient, but it works.

3. There is still the possibility to kidnap one's child and force him to do bad things. ...but this is not the end of the story. Separation of duties should help here a little. For example a sysprog or RACF admin can do anything with z/OS, but usually such a person cannot reconfigure the corporate firewall or allow strangers to enter the data center.

--
Radoslaw Skorupka
Lodz, Poland

On 08.10.2021 at 02:44, Tom Brennan wrote:
> (Sorry, another repeat here)
>
> I once test-called the company Help Desk and with no other information but the fact that I called from a sysprog's desk phone (my own), they gave me not only a password reset, but also told me my TSO userid because I had "forgotten" it, and then helped me log on. Sure, a hacker would have to be at my desk, but that could be accomplished.
>
> IBM Experts: I'm ready for your correction.
>
> On 10/7/2021 5:06 PM, Bill Johnson wrote:
>> The thing about you list dominators, is you think you know it all and should never be challenged. I love when the IBM experts corrects one of you.
>>
>> On Thursday, October 7, 2021, 6:01 PM, Charles Mills wrote:
>>> Exactly, and "that was not a real hack" would not get your data back.
>>>
>>> Charles
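Radoslaw's three points (a reset only by procedure, audited from day one; MFA; separation of duties) and Tom's test call (caller-ID from a sysprog's desk phone was enough) can be put side by side as a policy check. The following is an added example, not code from the thread or any IBM product: a small model of a help-desk password-reset gate that ignores weak factors such as caller-ID, requires a ticket and two strong factors, refuses self-approval, and writes every decision to an audit trail. The factor names, userids, ticket numbers and the two-factor minimum are all assumptions.

```python
"""Help-desk password-reset gate for a production system.
Added example, not code from the IBM-MAIN thread or any IBM product."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Factors the help desk can record (hypothetical names). Caller-ID and
# "knows the userid" are deliberately weak: they are what the thread's
# test call supplied, and neither proves who is on the line.
STRONG_FACTORS = {"mfa_push_confirmed", "manager_callback_confirmed", "badge_scan_confirmed"}
WEAK_FACTORS = {"caller_id_is_sysprog_desk", "knows_userid"}


@dataclass
class ResetRequest:
    userid: str
    approver: str                 # help-desk agent or manager signing off
    factors: set[str]
    ticket: str | None = None     # incident/change record the reset is tied to


@dataclass
class AuditRecord:
    when: str
    userid: str
    approver: str
    decision: str
    reason: str


@dataclass
class ResetPolicy:
    min_strong: int = 2
    audit: list[AuditRecord] = field(default_factory=list)

    def decide(self, req: ResetRequest) -> str:
        strong = req.factors & STRONG_FACTORS
        unknown = req.factors - STRONG_FACTORS - WEAK_FACTORS
        if unknown:
            return self._record(req, "DENY", f"unrecognised factor(s) {sorted(unknown)}")
        if req.ticket is None:
            return self._record(req, "DENY", "no ticket: procedure bypassed")
        if req.approver == req.userid:
            return self._record(req, "DENY", "requester cannot approve own reset")
        if len(strong) < self.min_strong:
            return self._record(req, "DENY", f"{len(strong)} strong factor(s), need {self.min_strong}")
        return self._record(req, "ALLOW", f"verified by {sorted(strong)}")

    def _record(self, req: ResetRequest, decision: str, reason: str) -> str:
        # Every decision, allowed or denied, lands in the audit trail.
        self.audit.append(AuditRecord(datetime.now(timezone.utc).isoformat(),
                                      req.userid, req.approver, decision, reason))
        return decision


def run_scenarios():
    """Replay the thread's test call plus two other requests; return decisions and audit."""
    policy = ResetPolicy()
    # Tom's test call: desk phone plus a "forgotten" userid, nothing stronger.
    test_call = ResetRequest("SYSPRG1", approver="HELPDESK1", ticket="INC-0000",
                             factors={"caller_id_is_sysprog_desk", "knows_userid"})
    # By the book: ticket, MFA push and a manager callback.
    by_the_book = ResetRequest("SYSPRG1", approver="HELPDESK1", ticket="INC-0001",
                               factors={"caller_id_is_sysprog_desk", "mfa_push_confirmed",
                                        "manager_callback_confirmed"})
    # Separation of duties: a RACF admin may not sign off their own reset.
    self_approved = ResetRequest("RACFADM1", approver="RACFADM1", ticket="INC-0002",
                                 factors={"mfa_push_confirmed", "badge_scan_confirmed"})
    results = {"test_call": policy.decide(test_call),
               "by_the_book": policy.decide(by_the_book),
               "self_approved": policy.decide(self_approved)}
    return results, policy.audit


if __name__ == "__main__":
    decisions, trail = run_scenarios()
    for rec in trail:
        print(f"{rec.when} {rec.userid:<9} {rec.decision:<5} {rec.reason}")
```

Only the by-the-book request is allowed; the replayed test call is denied for having zero strong factors, and the self-approved one for lack of separation of duties. All three decisions appear in the audit list, which is what makes the "thoroughly audited since day 1" claim checkable after the fact.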
Re: Mainframe ransomware solution
On 08.10.2021 at 01:26, Charles Mills wrote:
> [...]
> It is not an anti-mainframe position to advocate for mainframe security. "Oh, we have nothing to worry about" is surely the enemy of security.
>
> Charles

Amen to that!

--
Radoslaw Skorupka
Lodz, Poland
Re: Mainframe ransomware solution
There is a big difference between money stolen from a tent at a campsite and money stolen from a bank safe which was not closed because someone did not do his duty. The safe can be locked, but the tent cannot be effectively secured.

--
Radoslaw Skorupka
Lodz, Poland

On 08.10.2021 at 01:18, Charles Mills wrote:
> The one I am privately aware of I did not work on and is four years (?) in the past. It was a US government system.
>
> There are varying versions of the Logica story. The one I read in the police report and accept as factual involved the exploitation of a flaw in a Web browser running on z/OS UNIX. They used that to utterly take over the machine, issuing multiple userids and making them SPECIAL and so forth. They installed their own login server to make things easier for themselves. I would call that a mainframe breach.
>
> I think a focus on "was it a real hack" is a mistake. If your senior systems programmer writes his password on the back of his business card and accidentally leaves it in a bar, that is not a "real hack" but your data is just as much at risk as if it were. The focus should be on vulnerabilities (in that case, lack of MFA and lack of user education) not "was it a real hack?" If your teenaged son dropped his housekey in your driveway and someone used it to come in and steal your TV, would you say "that was not a real burglary"?
>
> At best you can't say mainframe hacks have never happened, you can only say you don't know of any. There is a well-known tendency for shops not to discuss. (Nor for that matter can one assert unequivocally that they have; only that there are none that are well-documented.)
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
> Sent: Thursday, October 7, 2021 3:59 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> Logica isn't actually a hack. And of course the phantom one you're working on.
Re: Mainframe ransomware solution
The first part of my answer was kind of a joke. Wasn't it clear? The second part provided some means, products and opinions.

Regarding magic SVCs - I have *never* found any. Yes, I met and fixed some other mistakes you mentioned. And yes, such a point should be on the auditor's checklist. And yes, people tend to make mistakes. That's why I mentioned audit as an important part of the picture. And it is a good idea to have redundant protections whenever possible. That's why we have encrypted datasets. Not because RACF sucks. And at the end we may have Safeguarded Copy or the Dell/EMC solution.

--
Radoslaw Skorupka
Lodz, Poland

On 08.10.2021 at 00:47, Charles Mills wrote:
> I don't know, but what the professional Pen Testers tell me is that they never fail to find things like that.
>
> I've never met any group that never made a mistake, never had an "oops," never "missed something."
>
> Magic SVCs were widespread until recently. Has every single one vanished?
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
> Sent: Thursday, October 7, 2021 3:21 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> You'd have to be a poorly run shop to permit any of those to occur. Maybe that's why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
>
> On Thursday, October 7, 2021, 2:12 PM, Charles Mills wrote:
>
> And assuming you never make a mistake. Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Radoslaw Skorupka
> Sent: Wednesday, October 6, 2021 2:13 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> On 05.10.2021 at 15:24, Tommy Tsui wrote:
>> Hi
>> Any shop that implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available? Thanks for sharing
>
> Yes, we have such a solution.
> This is a combination of the following products:
> 1. z/OS
> 2. RACF
> 3. Professional staff
>
> Other means:
> RACF
> backup
> Safeguarded Copy and other vendors' solutions
> audit
> procedures
>
> Note: all of the "solutions" marketed nowadays give you some cure *after a breach happened*. However that means some problems. It is unlikely to restore with RPO=0. If you want RPO=0 then you should pay much more attention to prevention, which means ...no, NOT ANOTHER PRODUCT. Definitely first: professional staff, procedures, audit. And then maybe some tools.
> IBM Cyber Resiliency tools: Guardium, zSecure Suite, QRadar SIEM, Safeguarded Copy...
Re: Mainframe ransomware solution
I've not seen the first one, but the second one is a joke.

ITschak

On Fri, 8 Oct 2021 at 5:17 Nash, Jonathan S. <01abdcef2f3c-dmarc-requ...@listserv.ua.edu> wrote:
> Philip Young
> "Soldier of Fortran"
> Mainframe hacker videos from 6 years ago :-(
>
> https://youtu.be/Xfl4spvM5DI
>
> https://youtu.be/vyHAqxCkf-k
>
> There are other Def con etc mainframe hacker videos out there ...
>
> Kinda makes me nervous...

--
ITschak Mugzach | IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM I | z/VM coming soon
Re: Mainframe ransomware solution
From the information security perspective there's a well-known confidentiality, integrity and availability (CIA) triad. However, the overall security posture of an organisation is dependent on the following three key areas: people, process, technology (PPT). The majority of breaches/risks can be prevented/mitigated by addressing essentials (e.g. capable staff, awareness trainings, well documented and communicated processes, technology/security controls etc.). As always, a multifaceted approach is required to address security holistically. Relying solely on technology/products is simply a no go/not enough.

Fri, 8 Oct 2021 at 11:59 Charles Mills wrote:
> Sincere apologies. I was trying to be constructive.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Farley, Peter x23353
> Sent: Thursday, October 7, 2021 5:34 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> I don't know about the others on the list, but I am a tad tired of this and other rounds of sniping between Mr. Johnson and Mr. Mills.
Re: Mainframe ransomware solution
Philip Young
"Soldier of Fortran"
Mainframe hacker videos from 6 years ago :-(

https://youtu.be/Xfl4spvM5DI

https://youtu.be/vyHAqxCkf-k

There are other Def con etc mainframe hacker videos out there ...

Kinda makes me nervous...
Re: Mainframe ransomware solution
Sincere apologies. I was trying to be constructive.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Farley, Peter x23353
Sent: Thursday, October 7, 2021 5:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

I don't know about the others on the list, but I am a tad tired of this and other rounds of sniping between Mr. Johnson and Mr. Mills.
Re: Mainframe ransomware solution
Ok... sorry. I retract my last post :)

Oops... the internet is forever.

On 10/7/2021 5:34 PM, Farley, Peter x23353 wrote:
> I don't know about the others on the list, but I am a tad tired of this and other rounds of sniping between Mr. Johnson and Mr. Mills.
>
> I would sincerely appreciate it if both of you would tone it down by an order of magnitude or more, or even better take this particular line of discussion offline. Responding angrily on any topic doesn't enlighten anyone. It may be therapeutic but it is not appropriate.
>
> I am certainly not a "list dominator" and I appreciate the technical discussions on this list including those contributed to by both of these gentlemen, and have been given (and occasionally have myself given) good advice on the practice of our profession. I would really like that tradition to continue.
>
> +1 on Tom Brennan's request to keep politics out of our exchanges. There are plenty of other places for discussion or comments on those topics.
>
> Peter
>
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Bill Johnson
> Sent: Thursday, October 7, 2021 8:06 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> The thing about you list dominators, is you think you know it all and should never be challenged. I love when the IBM experts corrects one of you.
>
> On Thursday, October 7, 2021, 6:01 PM, Charles Mills wrote:
>
> Exactly, and "that was not a real hack" would not get your data back.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Brennan
> Sent: Thursday, October 7, 2021 4:50 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> I'll repeat what I always say about this. If I was hacking a mainframe I wouldn't start with the mainframe, I'd start with the sysprog or security admin's PC or Mac or email or phone or whatever. In that case it doesn't matter one bit how well the mainframe is protected internally.
>
> And please stop with the political remarks. This seems to be the one place on earth I can go without reading about politics. A place where I can enjoy a 50+ post back-and-forth between Seymour and Gil, for example, without hearing one word about US politics.
Re: Mainframe ransomware solution
(Sorry, another repeat here)

I once test-called the company Help Desk and with no other information but the fact that I called from a sysprog's desk phone (my own), they gave me not only a password reset, but also told me my TSO userid because I had "forgotten" it, and then helped me log on. Sure, a hacker would have to be at my desk, but that could be accomplished.

IBM Experts: I'm ready for your correction.

On 10/7/2021 5:06 PM, Bill Johnson wrote:
> The thing about you list dominators, is you think you know it all and should never be challenged. I love when the IBM experts corrects one of you.
>
> On Thursday, October 7, 2021, 6:01 PM, Charles Mills wrote:
>
> Exactly, and "that was not a real hack" would not get your data back.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Brennan
> Sent: Thursday, October 7, 2021 4:50 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> I'll repeat what I always say about this. If I was hacking a mainframe I wouldn't start with the mainframe, I'd start with the sysprog or security admin's PC or Mac or email or phone or whatever. In that case it doesn't matter one bit how well the mainframe is protected internally.
>
> And please stop with the political remarks. This seems to be the one place on earth I can go without reading about politics. A place where I can enjoy a 50+ post back-and-forth between Seymour and Gil, for example, without hearing one word about US politics.
Re: Mainframe ransomware solution
Agreed. Move on.

Rich Smrcina

> On Oct 7, 2021, at 7:34 PM, Farley, Peter x23353 <031df298a9da-dmarc-requ...@listserv.ua.edu> wrote:
>
> I don't know about the others on the list, but I am a tad tired of this and other rounds of sniping between Mr. Johnson and Mr. Mills.
>
> I would sincerely appreciate it if both of you would tone it down by an order of magnitude or more, or even better take this particular line of discussion offline. Responding angrily on any topic doesn't enlighten anyone. It may be therapeutic but it is not appropriate.
Re: Mainframe ransomware solution
I don't know about the others on the list, but I am a tad tired of this and other rounds of sniping between Mr. Johnson and Mr. Mills.

I would sincerely appreciate it if both of you would tone it down by an order of magnitude or more, or even better take this particular line of discussion offline. Responding angrily on any topic doesn't enlighten anyone. It may be therapeutic but it is not appropriate.

I am certainly not a "list dominator" and I appreciate the technical discussions on this list including those contributed to by both of these gentlemen, and have been given (and occasionally have myself given) good advice on the practice of our profession. I would really like that tradition to continue.

+1 on Tom Brennan's request to keep politics out of our exchanges. There are plenty of other places for discussion or comments on those topics.

Peter

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 8:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

The thing about you list dominators, is you think you know it all and should never be challenged. I love when the IBM experts corrects one of you.

On Thursday, October 7, 2021, 6:01 PM, Charles Mills wrote:
> Exactly, and "that was not a real hack" would not get your data back.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Brennan
> Sent: Thursday, October 7, 2021 4:50 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> I'll repeat what I always say about this. If I was hacking a mainframe I wouldn't start with the mainframe, I'd start with the sysprog or security admin's PC or Mac or email or phone or whatever. In that case it doesn't matter one bit how well the mainframe is protected internally.
>
> And please stop with the political remarks. This seems to be the one place on earth I can go without reading about politics. A place where I can enjoy a 50+ post back-and-forth between Seymour and Gil, for example, without hearing one word about US politics.
Re: Mainframe ransomware solution
Obviously not you, but I've seen email and phone used for apps that allow sysprogs temporary upgraded access, validated only by their email address or phone text.

On 10/7/2021 4:53 PM, Bill Johnson wrote:
> I'd like to see anyone hack a mainframe using my phone. Or email. Let me guess. Mills and you sell security?
>
> On Thursday, October 7, 2021, 5:50 PM, Tom Brennan wrote:
>
> I'll repeat what I always say about this. If I was hacking a mainframe I wouldn't start with the mainframe, I'd start with the sysprog or security admin's PC or Mac or email or phone or whatever. In that case it doesn't matter one bit how well the mainframe is protected internally.
>
> And please stop with the political remarks. This seems to be the one place on earth I can go without reading about politics. A place where I can enjoy a 50+ post back-and-forth between Seymour and Gil, for example, without hearing one word about US politics.
>
> On 10/7/2021 3:21 PM, Bill Johnson wrote:
>> You'd have to be a poorly run shop to permit any of those to occur. Maybe that's why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
>>
>> On Thursday, October 7, 2021, 2:12 PM, Charles Mills wrote:
>>
>> And assuming you never make a mistake. Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.
>>
>> Charles
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Radoslaw Skorupka
>> Sent: Wednesday, October 6, 2021 2:13 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: Mainframe ransomware solution
>>
>> On 05.10.2021 at 15:24, Tommy Tsui wrote:
>>> Hi
>>> Any shop that implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available? Thanks for sharing
>>
>> Yes, we have such a solution.
>> This is a combination of the following products:
>> 1. z/OS
>> 2. RACF
>> 3. Professional staff
>>
>> Other means:
>> RACF
>> backup
>> Safeguarded Copy and other vendors' solutions
>> audit
>> procedures
>>
>> Note: all of the "solutions" marketed nowadays give you some cure *after a breach happened*. However that means some problems. It is unlikely to restore with RPO=0. If you want RPO=0 then you should pay much more attention to prevention, which means ...no, NOT ANOTHER PRODUCT. Definitely first: professional staff, procedures, audit. And then maybe some tools.
>> IBM Cyber Resiliency tools: Guardium, zSecure Suite, QRadar SIEM, Safeguarded Copy...
Re: Mainframe ransomware solution
The thing about you list dominators, is you think you know it all and should never be challenged. I love when the IBM experts corrects one of you.

On Thursday, October 7, 2021, 6:01 PM, Charles Mills wrote:
> Exactly, and "that was not a real hack" would not get your data back.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Brennan
> Sent: Thursday, October 7, 2021 4:50 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> I'll repeat what I always say about this. If I was hacking a mainframe I wouldn't start with the mainframe, I'd start with the sysprog or security admin's PC or Mac or email or phone or whatever. In that case it doesn't matter one bit how well the mainframe is protected internally.
>
> And please stop with the political remarks. This seems to be the one place on earth I can go without reading about politics. A place where I can enjoy a 50+ post back-and-forth between Seymour and Gil, for example, without hearing one word about US politics.
Re: Mainframe ransomware solution
Exactly, and "that was not a real hack" would not get your data back.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Brennan
Sent: Thursday, October 7, 2021 4:50 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

I'll repeat what I always say about this. If I was hacking a mainframe I wouldn't start with the mainframe, I'd start with the sysprog or security admin's PC or Mac or email or phone or whatever. In that case it doesn't matter one bit how well the mainframe is protected internally.

And please stop with the political remarks. This seems to be the one place on earth I can go without reading about politics. A place where I can enjoy a 50+ post back-and-forth between Seymour and Gil, for example, without hearing one word about US politics.
Re: Mainframe ransomware solution
I did not start when I was 12 and I do not need (financially) to work. I love coding and I like this platform.

I have been very involved with security solutions for the mainframe. I do not currently exactly sell mainframe security. I recently did a presentation on how certificates work. Is that selling security? I suppose it is.

Disagrees with Bill Johnson does not equal hates the mainframe.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 4:39 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

Started when you were 12 or still needing to work into your 70's?
Re: Mainframe ransomware solution
I'd like to see anyone hack a mainframe using my phone. Or email. Let me guess. Mills and you sell security?

On Thursday, October 7, 2021, 5:50 PM, Tom Brennan wrote:
> I'll repeat what I always say about this. If I was hacking a mainframe I wouldn't start with the mainframe, I'd start with the sysprog or security admin's PC or Mac or email or phone or whatever. In that case it doesn't matter one bit how well the mainframe is protected internally.
>
> And please stop with the political remarks. This seems to be the one place on earth I can go without reading about politics. A place where I can enjoy a 50+ post back-and-forth between Seymour and Gil, for example, without hearing one word about US politics.
>
> On 10/7/2021 3:21 PM, Bill Johnson wrote:
>> You'd have to be a poorly run shop to permit any of those to occur. Maybe that's why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
>>
>> On Thursday, October 7, 2021, 2:12 PM, Charles Mills wrote:
>>
>> And assuming you never make a mistake. Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.
>>
>> Charles
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Radoslaw Skorupka
>> Sent: Wednesday, October 6, 2021 2:13 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: Mainframe ransomware solution
>>
>> On 05.10.2021 at 15:24, Tommy Tsui wrote:
>>> Hi
>>> Any shop that implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available? Thanks for sharing
>>
>> Yes, we have such a solution.
>> This is a combination of the following products:
>> 1. z/OS
>> 2. RACF
>> 3. Professional staff
>>
>> Other means:
>> RACF
>> backup
>> Safeguarded Copy and other vendors' solutions
>> audit
>> procedures
>>
>> Note: all of the "solutions" marketed nowadays give you some cure *after a breach happened*. However that means some problems. It is unlikely to restore with RPO=0. If you want RPO=0 then you should pay much more attention to prevention, which means ...no, NOT ANOTHER PRODUCT. Definitely first: professional staff, procedures, audit. And then maybe some tools.
>> IBM Cyber Resiliency tools: Guardium, zSecure Suite, QRadar SIEM, Safeguarded Copy...
Re: Mainframe ransomware solution
I'll repeat what I always say about this. If I was hacking a mainframe I wouldn't start with the mainframe, I'd start with the sysprog or security admin's PC or Mac or email or phone or whatever. In that case it doesn't matter one bit how well the mainframe is protected internally.

And please stop with the political remarks. This seems to be the one place on earth I can go without reading about politics. A place where I can enjoy a 50+ post back-and-forth between Seymour and Gil, for example, without hearing one word about US politics.

On 10/7/2021 3:21 PM, Bill Johnson wrote:
> You'd have to be a poorly run shop to permit any of those to occur. Maybe that's why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
>
> On Thursday, October 7, 2021, 2:12 PM, Charles Mills wrote:
>
> And assuming you never make a mistake. Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Radoslaw Skorupka
> Sent: Wednesday, October 6, 2021 2:13 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> On 05.10.2021 at 15:24, Tommy Tsui wrote:
>> Hi
>> Any shop that implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available? Thanks for sharing
>
> Yes, we have such a solution.
> This is a combination of the following products:
> 1. z/OS
> 2. RACF
> 3. Professional staff
>
> Other means:
> RACF
> backup
> Safeguarded Copy and other vendors' solutions
> audit
> procedures
>
> Note: all of the "solutions" marketed nowadays give you some cure *after a breach happened*. However that means some problems. It is unlikely to restore with RPO=0. If you want RPO=0 then you should pay much more attention to prevention, which means ...no, NOT ANOTHER PRODUCT. Definitely first: professional staff, procedures, audit. And then maybe some tools.
> IBM Cyber Resiliency tools: Guardium, zSecure Suite, QRadar SIEM, Safeguarded Copy...
Re: Mainframe ransomware solution
Started when you were 12 or still needing to work into your 70’s?

Sent from Yahoo Mail for iPhone

On Thursday, October 7, 2021, 5:32 PM, Charles Mills wrote:

> your hatred of IBM and the mainframe

My friend, now you are out there. I have 53 years on this platform, and it has been very, very good to me.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 4:26 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

Right, they’re all kept under wraps in a world where privacy is next to impossible. And what you heard (suddenly not under wraps) isn’t what happened with Logica. If your kid drops his key, and someone uses it to enter a house, that’s not a break-in. 60-70 years and all you’ve got is a few non-hacks to feed your hatred of IBM and the mainframe.
Re: Mainframe ransomware solution
Security is paramount in the 15 or so shops I’ve worked in. And supremely important in banks. And none were ever hacked. IBM makes it easy to secure the MF. Other platforms make it easy for hackers. Banks are robbed fairly often. Just through the front door. Many of you are anti-mainframe. It shows quite frequently. Oh, I’m also trained in law enforcement so I have an idea about security.

Sent from Yahoo Mail for iPhone

On Thursday, October 7, 2021, 5:27 PM, Charles Mills wrote:

The insecurity of Windows is irrelevant. The insecurity of less-secure platforms is relevant to the question "where should I implement my financial software?" but not relevant to the question "do I need to consider the possibility of a mainframe breach?" By the same logic, no bank has ever been robbed, because houses get broken into every day.

I am not anti-mainframe. It is not an anti-mainframe position to advocate for mainframe security. "Oh, we have nothing to worry about" is surely the enemy of security.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 4:08 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

Nearly all banks run a mainframe. If hackers wanted to break into platforms handling the world's financial system, where all the money is, the mainframe is the platform. The MF has been around for 60-70 years and all you can come up with is the Logica non-hack and some hokey hack only you know about. Whereas Microsoft, and every other platform, are hacked every week. And the ransom attacks aren’t on the MF. Plus, don’t get me started on the thievery of bitcoin.

Sent from Yahoo Mail for iPhone

On Thursday, October 7, 2021, 4:49 PM, Charles Mills wrote:

> Maybe that’s why mainframe hacks have actually never happened

Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.") And assuming you don't count one other that I am aware of but under a firm request not to discuss.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 3:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
Re: Mainframe ransomware solution
> your hatred of IBM and the mainframe

My friend, now you are out there. I have 53 years on this platform, and it has been very, very good to me.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 4:26 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

Right, they’re all kept under wraps in a world where privacy is next to impossible. And what you heard (suddenly not under wraps) isn’t what happened with Logica. If your kid drops his key, and someone uses it to enter a house, that’s not a break-in. 60-70 years and all you’ve got is a few non-hacks to feed your hatred of IBM and the mainframe.
Re: Mainframe ransomware solution
The insecurity of Windows is irrelevant. The insecurity of less-secure platforms is relevant to the question "where should I implement my financial software?" but not relevant to the question "do I need to consider the possibility of a mainframe breach?" By the same logic, no bank has ever been robbed, because houses get broken into every day.

I am not anti-mainframe. It is not an anti-mainframe position to advocate for mainframe security. "Oh, we have nothing to worry about" is surely the enemy of security.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 4:08 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

Nearly all banks run a mainframe. If hackers wanted to break into platforms handling the world's financial system, where all the money is, the mainframe is the platform. The MF has been around for 60-70 years and all you can come up with is the Logica non-hack and some hokey hack only you know about. Whereas Microsoft, and every other platform, are hacked every week. And the ransom attacks aren’t on the MF. Plus, don’t get me started on the thievery of bitcoin.

Sent from Yahoo Mail for iPhone

On Thursday, October 7, 2021, 4:49 PM, Charles Mills wrote:

> Maybe that’s why mainframe hacks have actually never happened

Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.") And assuming you don't count one other that I am aware of but under a firm request not to discuss.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 3:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
Re: Mainframe ransomware solution
Right, they’re all kept under wraps in a world where privacy is next to impossible. And what you heard (suddenly not under wraps) isn’t what happened with Logica. If your kid drops his key, and someone uses it to enter a house, that’s not a break-in. 60-70 years and all you’ve got is a few non-hacks to feed your hatred of IBM and the mainframe.

Sent from Yahoo Mail for iPhone

On Thursday, October 7, 2021, 5:18 PM, Charles Mills wrote:

The one I am privately aware of I did not work on and is four years (?) in the past. It was a US government system.

There are varying versions of the Logica story. The one I read in the police report and accept as factual involved the exploitation of a flaw in a Web browser running on z/OS UNIX. They used that to utterly take over the machine, issuing multiple userids and making them SPECIAL and so forth. They installed their own login server to make things easier for themselves. I would call that a mainframe breach.

I think a focus on "was it a real hack" is a mistake. If your senior systems programmer writes his password on the back of his business card and accidentally leaves it in a bar, that is not a "real hack" but your data is just as much at risk as if it were. The focus should be on vulnerabilities (in that case, lack of MFA and lack of user education) not "was it a real hack?" If your teenaged son dropped his housekey in your driveway and someone used it to come in and steal your TV, would you say "that was not a real burglary"?

At best you can't say mainframe hacks have never happened, you can only say you don't know of any. There is a well-known tendency for shops not to discuss. (Nor for that matter can one assert unequivocally that they have; only that there are none that are well-documented.)

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 3:59 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

Logica isn’t actually a hack. And of course the phantom one you’re working on.
Re: Mainframe ransomware solution
Interesting thought. Has anyone ever tested for a buffer overrun exploit in USS (the old USS, the real USS)?

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Thursday, October 7, 2021 3:59 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

On Thu, 7 Oct 2021 15:47:11 -0700, Charles Mills wrote:
> I don't know, but what the professional Pen Testers tell me is that they never fail to find things like that.

Do you mean they always find one or they always find all?

On Thu, 7 Oct 2021 15:49:17 -0700, Charles Mills wrote:
>> Maybe that’s why mainframe hacks have actually never happened
>
> Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.")

For once, the question, "Which USS?" might be meaningful.
Re: Mainframe ransomware solution
The one I am privately aware of I did not work on and is four years (?) in the past. It was a US government system.

There are varying versions of the Logica story. The one I read in the police report and accept as factual involved the exploitation of a flaw in a Web browser running on z/OS UNIX. They used that to utterly take over the machine, issuing multiple userids and making them SPECIAL and so forth. They installed their own login server to make things easier for themselves. I would call that a mainframe breach.

I think a focus on "was it a real hack" is a mistake. If your senior systems programmer writes his password on the back of his business card and accidentally leaves it in a bar, that is not a "real hack" but your data is just as much at risk as if it were. The focus should be on vulnerabilities (in that case, lack of MFA and lack of user education) not "was it a real hack?" If your teenaged son dropped his housekey in your driveway and someone used it to come in and steal your TV, would you say "that was not a real burglary"?

At best you can't say mainframe hacks have never happened, you can only say you don't know of any. There is a well-known tendency for shops not to discuss. (Nor for that matter can one assert unequivocally that they have; only that there are none that are well-documented.)

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 3:59 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

Logica isn’t actually a hack. And of course the phantom one you’re working on.
Re: Mainframe ransomware solution
Nearly all banks run a mainframe. If hackers wanted to break into platforms handling the world's financial system, where all the money is, the mainframe is the platform. The MF has been around for 60-70 years and all you can come up with is the Logica non-hack and some hokey hack only you know about. Whereas Microsoft, and every other platform, are hacked every week. And the ransom attacks aren’t on the MF. Plus, don’t get me started on the thievery of bitcoin.

Sent from Yahoo Mail for iPhone

On Thursday, October 7, 2021, 4:49 PM, Charles Mills wrote:

> Maybe that’s why mainframe hacks have actually never happened

Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.") And assuming you don't count one other that I am aware of but under a firm request not to discuss.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 3:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
Re: Mainframe ransomware solution
Logica isn’t actually a hack. And of course the phantom one you’re working on.

Sent from Yahoo Mail for iPhone

On Thursday, October 7, 2021, 4:49 PM, Charles Mills wrote:

> Maybe that’s why mainframe hacks have actually never happened

Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.") And assuming you don't count one other that I am aware of but under a firm request not to discuss.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 3:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
Re: Mainframe ransomware solution
On Thu, 7 Oct 2021 15:47:11 -0700, Charles Mills wrote:
> I don't know, but what the professional Pen Testers tell me is that they never fail to find things like that.

Do you mean they always find one or they always find all?

On Thu, 7 Oct 2021 15:49:17 -0700, Charles Mills wrote:
>> Maybe that’s why mainframe hacks have actually never happened
>
> Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.")

For once, the question, "Which USS?" might be meaningful.

-- gil
Re: Mainframe ransomware solution
> Maybe that’s why mainframe hacks have actually never happened

Assuming you don't count Logica. ("Oh, that wasn't a real mainframe hack, they came in through USS.") And assuming you don't count one other that I am aware of but under a firm request not to discuss.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 3:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.
Re: Mainframe ransomware solution
I don't know, but what the professional Pen Testers tell me is that they never fail to find things like that.

I've never met any group that never made a mistake, never had an "oops," never "missed something." Magic SVCs were widespread until recently. Has every single one vanished?

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bill Johnson
Sent: Thursday, October 7, 2021 3:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.

Sent from Yahoo Mail for iPhone

On Thursday, October 7, 2021, 2:12 PM, Charles Mills wrote:

And assuming you never make a mistake. Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Radoslaw Skorupka
Sent: Wednesday, October 6, 2021 2:13 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

On 05.10.2021 at 15:24, Tommy Tsui wrote:
> Hi
> Any shop that has implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available?
> Thanks for sharing

Yes, we have such a solution. It is a combination of the following products:
1. z/OS
2. RACF
3. Professional staff

Other means:
RACF backup
Safeguarded Copy and other vendors' solutions
audit procedures

Note: all of the "solutions" marketed nowadays give you some cure *after the breach happened*. However, that means some problems. It is unlikely that you can restore with RPO=0. If you want RPO=0 then you should pay much more attention to prevention, which means ...no, NOT ANOTHER PRODUCT. Definitely first: professional staff, procedures, audit. And then maybe some tools.

IBM Cyber Resiliency tools: Guardium, zSecure Suite, QRadar SIEM, Safeguarded Copy...
Re: Mainframe ransomware solution
You’d have to be a poorly run shop to permit any of those to occur. Maybe that’s why mainframe hacks have actually never happened. Biden successfully extracted 124,000 from Afghanistan in a few weeks. Amazing.

Sent from Yahoo Mail for iPhone

On Thursday, October 7, 2021, 2:12 PM, Charles Mills wrote:

And assuming you never make a mistake. Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Radoslaw Skorupka
Sent: Wednesday, October 6, 2021 2:13 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

On 05.10.2021 at 15:24, Tommy Tsui wrote:
> Hi
> Any shop that has implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available?
> Thanks for sharing

Yes, we have such a solution. It is a combination of the following products:
1. z/OS
2. RACF
3. Professional staff

Other means:
RACF backup
Safeguarded Copy and other vendors' solutions
audit procedures

Note: all of the "solutions" marketed nowadays give you some cure *after the breach happened*. However, that means some problems. It is unlikely that you can restore with RPO=0. If you want RPO=0 then you should pay much more attention to prevention, which means ...no, NOT ANOTHER PRODUCT. Definitely first: professional staff, procedures, audit. And then maybe some tools.

IBM Cyber Resiliency tools: Guardium, zSecure Suite, QRadar SIEM, Safeguarded Copy...
Re: Mainframe ransomware solution
And assuming you never make a mistake. Never leave an APF data set unprotected. Never give the wrong person console authority. Fully understand APF on UNIX. Never have a Rexx PDS used by privileged users that is modifiable by others. Have no magic SVCs. Have no flawed APF code, no APF "tools" available inappropriately.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Radoslaw Skorupka
Sent: Wednesday, October 6, 2021 2:13 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

On 05.10.2021 at 15:24, Tommy Tsui wrote:
> Hi
> Any shop that has implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available?
> Thanks for sharing

Yes, we have such a solution. It is a combination of the following products:
1. z/OS
2. RACF
3. Professional staff

Other means:
RACF backup
Safeguarded Copy and other vendors' solutions
audit procedures

Note: all of the "solutions" marketed nowadays give you some cure *after the breach happened*. However, that means some problems. It is unlikely that you can restore with RPO=0. If you want RPO=0 then you should pay much more attention to prevention, which means ...no, NOT ANOTHER PRODUCT. Definitely first: professional staff, procedures, audit. And then maybe some tools.

IBM Cyber Resiliency tools: Guardium, zSecure Suite, QRadar SIEM, Safeguarded Copy...
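Two of the mistakes Charles lists (an unprotected APF data set, and a Rexx PDS used by privileged users that others can update) are the kind of thing an audit script catches long before a pen tester does. The script below is an added example, not code from the list, from IBM or from RACF: it reads two constructed flat-file extracts in a format invented for this example (a list of privileged libraries and a summary of data set profile access), and flags every library that an id outside the systems-programming group could modify, or that no profile covers at all. The generic-profile matching is a simplified approximation of RACF's rules, and all data set, group and profile names are constructed.

```python
"""Find APF and privileged Rexx libraries that untrusted ids can update.

Added example. Inputs are constructed extracts, not real z/OS or RACF output;
profile matching approximates RACF generics ('**' spans qualifiers, '*' stays
within one qualifier, '%' is one character) and picks the most literal match.
"""
import re
from dataclasses import dataclass

# Data set access levels in increasing order of privilege.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def at_least(level: str, floor: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(floor)


@dataclass
class Profile:
    name: str
    uacc: str
    acl: dict  # userid or group -> access level


def parse_libraries(text: str) -> list:
    """Constructed format: one data set name per line, '#' starts a comment."""
    return [ln.strip().upper() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def parse_profiles(text: str) -> dict:
    """Constructed format: <profile> <UACC> <id>:<access> <id>:<access> ..."""
    profiles = {}
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        name, uacc, *entries = ln.upper().split()
        acl = dict(e.split(":", 1) for e in entries)
        profiles[name] = Profile(name, uacc, acl)
    return profiles


def profile_regex(name: str) -> str:
    pat = re.escape(name)
    pat = pat.replace(re.escape("**"), ".*")      # any number of qualifiers
    pat = pat.replace(re.escape("*"), "[^.]*")    # within a single qualifier
    pat = pat.replace(re.escape("%"), "[^.]")     # exactly one character
    return pat


def match_profile(dsn: str, profiles: dict):
    """Most specific matching profile: the one with the most literal characters."""
    best, best_score = None, -1
    for p in profiles.values():
        if re.fullmatch(profile_regex(p.name), dsn):
            score = sum(c not in "*%" for c in p.name)
            if score > best_score:
                best, best_score = p, score
    return best


def find_writable_by_untrusted(libraries, profiles, trusted, floor="UPDATE"):
    """Return {dsn: [reasons]} for every library that an id outside `trusted`
    could modify (access >= floor), or that no profile protects at all."""
    findings = {}
    for dsn in libraries:
        reasons = []
        prof = match_profile(dsn, profiles)
        if prof is None:
            reasons.append("no profile covers this data set")
        else:
            if at_least(prof.uacc, floor):
                reasons.append(f"UACC({prof.uacc}) on profile {prof.name}")
            for who, lvl in prof.acl.items():
                if who not in trusted and at_least(lvl, floor):
                    reasons.append(f"{who} has {lvl} via profile {prof.name}")
        if reasons:
            findings[dsn] = reasons
    return findings


# Constructed sample inputs (invented names, not taken from any real system).
CONSTRUCTED_LIBRARIES = """
# APF-authorized libraries
SYS1.LINKLIB
SYS1.SVCLIB
PROD.APF.TOOLS
VENDOR.APFLIB
MYTOOLS.APFLIB
# Rexx library used by privileged users
SYSPROG.REXX.EXEC
"""

CONSTRUCTED_PROFILES = """
# profile           UACC   access list
SYS1.**             NONE   SYSPROG:ALTER AUDIT:READ
PROD.APF.*          NONE   SYSPROG:ALTER DEVTEAM:UPDATE
VENDOR.**           UPDATE SYSPROG:ALTER
SYSPROG.REXX.**     READ   SYSPROG:ALTER HELPDESK:UPDATE
"""

TRUSTED = {"SYSPROG"}  # the only group allowed to change privileged libraries


def audit() -> dict:
    return find_writable_by_untrusted(parse_libraries(CONSTRUCTED_LIBRARIES),
                                      parse_profiles(CONSTRUCTED_PROFILES), TRUSTED)


if __name__ == "__main__":
    for dsn, reasons in audit().items():
        print(dsn, "->", "; ".join(reasons))
```

On the constructed data the script reports four libraries: one open through UACC(UPDATE) on a vendor generic, one where a development group holds UPDATE on an APF library, one Rexx library the help desk can change, and one with no covering profile. The SYS1 libraries pass because only the trusted group can write to them. The same check applies to any list of libraries whose contents run authorized, and the trusted set should be the smallest group that genuinely maintains them.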
Re: Mainframe ransomware solution
Everyone,

First, in full disclosure, I work for Dell Technologies Mainframe Practice; now that is out of the way I will proceed.

Dell Technologies does offer a Cyber Protection solution for the Mainframe using our PowerMax hardware and software for DASD and our DLm solution for tape. Both have the capabilities to use space-efficient snapshots and in each case these can be made immutable. I have left out all the details and capabilities because I do not think this is the place, and I am only answering the question asked.

Carl Swanson
1427 Forsythia Cir
Jamison, Pa 18929
215-688-1459
carl.swans...@verizon.net

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Radoslaw Skorupka
Sent: Wednesday, October 6, 2021 5:13 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

On 05.10.2021 at 15:24, Tommy Tsui wrote:
> Hi
> Any shop that has implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available?
> Thanks for sharing

Yes, we have such a solution. It is a combination of the following products:
1. z/OS
2. RACF
3. Professional staff

Other means:
RACF backup
Safeguarded Copy and other vendors' solutions
audit procedures

Note: all of the "solutions" marketed nowadays give you some cure *after the breach happened*. However, that means some problems. It is unlikely that you can restore with RPO=0. If you want RPO=0 then you should pay much more attention to prevention, which means ...no, NOT ANOTHER PRODUCT. Definitely first: professional staff, procedures, audit. And then maybe some tools.

IBM Cyber Resiliency tools: Guardium, zSecure Suite, QRadar SIEM, Safeguarded Copy...

My €0.02

-- Radoslaw Skorupka
Lodz, Poland
Re: Mainframe ransomware solution
On 05.10.2021 at 15:24, Tommy Tsui wrote:
> Hi
> Any shop that has implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available?
> Thanks for sharing

Yes, we have such a solution. It is a combination of the following products:
1. z/OS
2. RACF
3. Professional staff

Other means:
RACF backup
Safeguarded Copy and other vendors' solutions
audit procedures

Note: all of the "solutions" marketed nowadays give you some cure *after the breach happened*. However, that means some problems. It is unlikely that you can restore with RPO=0. If you want RPO=0 then you should pay much more attention to prevention, which means ...no, NOT ANOTHER PRODUCT. Definitely first: professional staff, procedures, audit. And then maybe some tools.

IBM Cyber Resiliency tools: Guardium, zSecure Suite, QRadar SIEM, Safeguarded Copy...

My €0.02

-- Radoslaw Skorupka
Lodz, Poland
Re: Mainframe ransomware solution
Perhaps Infinidat storage has ransomware-specific recovery too.

- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, October 5th, 2021 at 8:33 PM, Charles Mills wrote:

> Also make sure that your decryption keys for the backed up data are stored somewhere off mainframe and air-gapped from the Internet. A backup won't do you much good if you can't decrypt it.
>
> Charles
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bfishing
> Sent: Tuesday, October 5, 2021 7:14 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Mainframe ransomware solution
>
> As already mentioned, having defined copies of your data over time helps. Just make sure your recovery point and time are understood since the real tricky part is going back to a point before you were hacked. IBM's Safeguarded Copy will give you the isolated copies of data over time. Just make sure you pick the correct one.
>
> https://www.ibm.com/downloads/cas/BNZGVJKD
>
> On Tue, Oct 5, 2021 at 9:24 AM Tommy Tsui tommyt...@gmail.com wrote:
>
>> Hi
>> Any shop that has implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available?
>> Thanks for sharing
Re: Mainframe ransomware solution
Also make sure that your decryption keys for the backed up data are stored somewhere off mainframe and air-gapped from the Internet. A backup won't do you much good if you can't decrypt it.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bfishing
Sent: Tuesday, October 5, 2021 7:14 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe ransomware solution

As already mentioned, having defined copies of your data over time helps. Just make sure your recovery point and time are understood since the real tricky part is going back to a point before you were hacked. IBM's Safeguarded Copy will give you the isolated copies of data over time. Just make sure you pick the correct one.

https://www.ibm.com/downloads/cas/BNZGVJKD

On Tue, Oct 5, 2021 at 9:24 AM Tommy Tsui wrote:
> Hi
> Any shop that has implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available?
> Thanks for sharing
Re: Mainframe ransomware solution
As already mentioned, having defined copies of your data over time helps. Just make sure your recovery point and time are understood since the real tricky part is going back to a point before you were hacked. IBM's Safeguarded Copy will give you the isolated copies of data over time. Just make sure you pick the correct one.

https://www.ibm.com/downloads/cas/BNZGVJKD

On Tue, Oct 5, 2021 at 9:24 AM Tommy Tsui wrote:
> Hi
> Any shop that has implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available?
> Thanks for sharing

-- ><º>`·.¸¸´¯`·.¸.·´¯`·...¸>(((º> .·´¯`·.><º>`·.¸¸.·´¯`·.¸.·´¯`·...¸><º> <>< Go fishing ><>
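Bfishing's point above (the hard part is going back to a point before you were hacked), Radoslaw's earlier one (periodic copies cannot give RPO=0) and Roops' below (the copy itself must be write-once) are one calculation seen from three sides. The script below is an added example, not code from the list, from IBM or from any storage vendor: it models a set of periodic copies, picks the newest write-once copy taken before the earliest time the intruder could have been present, and reports the data loss that choice implies. Copy names, timestamps and the incident timeline are constructed; nothing here drives a real storage product.

```python
"""Choosing the copy to restore from after a ransomware event, and what it costs.

Added example with constructed data. The key input is not the detection time
but the earliest time the intruder could already have been in the system:
every copy taken after that point may carry attacker changes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Copy:
    name: str
    taken: datetime
    immutable: bool   # write-once copy that nobody with storage access can alter
    verified: bool    # a test restore of this copy has actually been done


def last_clean_copy(copies, earliest_compromise, require_verified=True) -> Optional[Copy]:
    """Newest usable copy taken strictly before `earliest_compromise`."""
    usable = [c for c in copies
              if c.taken < earliest_compromise and c.immutable
              and (c.verified or not require_verified)]
    return max(usable, key=lambda c: c.taken, default=None)


def plan_recovery(copies, detected_at, dwell_hours):
    """Recovery point for an incident detected at `detected_at` when the true
    entry time is only known to lie within `dwell_hours` before detection."""
    earliest = detected_at - timedelta(hours=dwell_hours)
    chosen = last_clean_copy(copies, earliest)
    if chosen is None:
        return {"copy": None, "earliest_compromise": earliest, "loss_hours": None}
    # Clean data written between the copy and the earliest compromise is lost
    # outright; everything after that must be rebuilt from logs or re-entered.
    loss = (earliest - chosen.taken).total_seconds() / 3600
    return {"copy": chosen.name, "earliest_compromise": earliest, "loss_hours": loss}


def min_retention_hours(dwell_hours, interval_hours):
    """Shortest retention that guarantees a copy predating the earliest possible
    compromise when copies are taken every `interval_hours`."""
    return dwell_hours + interval_hours


def constructed_copies(start, days, interval_hours=24):
    """Constructed schedule: one write-once, verified copy every interval."""
    step = timedelta(hours=interval_hours)
    count = int(timedelta(days=days) / step)
    return [Copy(f"SGC{n:03d}", start + n * step, immutable=True, verified=True)
            for n in range(count)]


# Constructed incident: daily copies from 1 Oct 2021, detection on the 14th.
START = datetime(2021, 10, 1)
COPIES = constructed_copies(START, 14)
# One ordinary, alterable copy mixed in to show that it is never chosen.
COPIES[10] = Copy("FC010", COPIES[10].taken, immutable=False, verified=True)
DETECTED = datetime(2021, 10, 14, 9, 0)


if __name__ == "__main__":
    for dwell in (72, 480):
        print(f"dwell uncertainty {dwell}h:", plan_recovery(COPIES, DETECTED, dwell))
    print("retention needed for 72h dwell at daily copies:",
          min_retention_hours(72, 24), "hours")
```

With a three-day dwell uncertainty the plan skips the alterable copy taken the day before the window opens and settles on the daily copy two days earlier, costing 33 hours of clean data; with a twenty-day uncertainty no copy in the fourteen-day retention predates the window, and the function returns no copy rather than a wrong one. That second outcome is the failure mode to design against: retention has to cover the longest plausible dwell time plus one copy interval, and shrinking the interval reduces loss but never to zero, which is Radoslaw's RPO=0 point.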
Re: Mainframe ransomware solution
Shops I've worked at have mostly relied on the general protections against intrusion, plus good (frequently tested) backup copies. I'd go further and say that a proper archive (write once, can't update) is essential if you rely on old data.

Roops

On Tue., Oct. 5, 2021, 14:24 Tommy Tsui, wrote:
> Hi
> Any shop that has implemented a mainframe ransomware solution and can share? IBM seems to have a cyber vault to handle this. Is there any other solution available?
> Thanks for sharing