Why mainframe is not hackable?



All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts

Why mainframe is not hackable?

Postby bazzigar » Mon Feb 13, 2012 8:11 pm

Hello,

Why mainframe is not hackable?

Thanks,
Last edited by bazzigar on Mon Feb 13, 2012 8:20 pm, edited 1 time in total.
bazzigar
 
Posts: 29
Joined: Sat Feb 11, 2012 7:20 am
Has thanked: 0 time
Been thanked: 0 time

Re: Why mainframe is not hackable?

Postby Akatsukami » Mon Feb 13, 2012 8:16 pm

Because skript kiddies are even more ignorant than usual when it comes to z/OS, MVS, etc.
"You have sat too long for any good you have been doing lately ... Depart, I say; and let us have done with you. In the name of God, go!" -- what I say to a junior programmer at least once a day
User avatar
Akatsukami
Global moderator
 
Posts: 1058
Joined: Sat Oct 16, 2010 2:31 am
Location: Bloomington, IL
Has thanked: 6 times
Been thanked: 51 times

Re: Why mainframe is not hackable?

Postby Ed Goodman » Mon Feb 13, 2012 9:26 pm

Not sure why you think they aren't.

I think the biggest difference between legacy mainframe OSs and new OSs is that mainframe assumes nothing is your business unless you have explicit permission to see it. Whereas Windows assumes you have access unless it's been told to stop you.

I'd bet the early versions of the mainframe OSs were just as naive.

Also, the things that allow a lot of modern hacks are the result of exception handling that isn't well thought out. Those "buffer overruns" and things like that. These have been plugged for along time on legacy mainframe systems.

I don't know if the newer mainframe OSs are as safe as the legacy systems. Here I'm talking about the Linux/Unix environments.
Ed Goodman
 
Posts: 341
Joined: Thu Feb 24, 2011 12:05 am
Has thanked: 3 times
Been thanked: 17 times

Re: Why mainframe is not hackable?

Postby angrybeaver » Tue Feb 14, 2012 4:36 am

Every OS is hackable if configured wrong. Robert S Hansel has some obvious "bad security" points on his site you could read up on (ie; profiles with UACC ALTER)

In terms of remote buffer overflows I guess anything is possible but your average Linux (and moreso Windows) user would likely be COMPLETELY lost in a TSO environment assuming they could somehow get SPECIAL authority on a console. Something tells me most services would just abend versus granting godly authority.

zOS is not readily available to the masses. You can install Hercules with an ancient version of MVS but getting a similar setup to a big corporation to even begin to REALLY discover the possibilities is extremely unlikely unless somebody walked off with the install tapes. There might be a few kids at universities that work on the mainframes there and start to get a grasp on how security works and how it could be exploited. On the flip side EVERYBODY can get access to Linux/Windows boxes to learn how to find security flaws and exploit them then very easily enumerate the security setup of a business with all sorts of tools (ie; metasploit) which are readily available.

Another possibility could be sniffing unencrypted traffic to capture logins/passwords. I imagine most reputable companies would have converted to SSL for their 3270 sessions by now though.

Probably the easiest way would be to socially engineer a DBA or somebody with SYSTEM OPERATIONS or BLP capability to go sniffing around for data for you. Pretend you're an auditor or senior leader. Most folks will do anything for those types even if it defies all logic.
angrybeaver
 
Posts: 11
Joined: Sat Jan 21, 2012 10:09 am
Has thanked: 0 time
Been thanked: 1 time

Re: Why mainframe is not hackable?

Postby steve-myers » Tue Feb 14, 2012 7:03 am

Ed Goodman wrote:... I'd bet the early versions of the mainframe OSs were just as naive. ...
Absolutely. The PCP and MFT variants of OS/360 were a joke. It was not uncommon for common user programs to write over critical data and crash the system/or (in MFT) the partition where your job was running, which amounted to the same thing. I did it myself several times, but by accident, not intent. The MVT variant of OS/360 was better, but definitely hackable. There were no data security systems for any OS/360 system; anyone could read or write just about anything. The knowledge to do damage was usually lacking, but ...

MVS was designed from the beginning to be much better, though it took some time for effective data security systems to arrive. The original RACF was a joke, but even the earliest "ACF2" systems were quite good. I don't know how effective the early "Top Secret" or "Secure" systems were, but they had to be better than the original RACF.

CP67/CMS and early VM/370 systems were probably pretty hard to "hack," especially compared to PCP and MFT, but I never had direct experience with them.
steve-myers
Global moderator
 
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times

Re: Why mainframe is not hackable?

Postby AndreasHardt » Tue Apr 10, 2012 2:04 pm

Hello. I work for IBM and my task is security health check. That means I control RACF and the complete z/OS if the system safety. For this I have special IBM tools, we done peneration test a.s.o. Sure mainframe is very safe but not hackable ? I don't know but to say mainframe is not hackable is the same to say an airplane have never an accident. You will hope never but it's reality :? . Perhaps not hackable from outside but from inside. Round about 95% of all mainframe attack came from inside (that means people the work inside the company). The rest came from external workers.
AndreasHardt
 
Posts: 1
Joined: Wed Apr 04, 2012 7:40 pm
Has thanked: 0 time
Been thanked: 0 time

Re: Why mainframe is not hackable?

Postby dick scherrer » Tue Apr 10, 2012 9:46 pm

Hello Andreas and welcome to the forum,

Hopefully, you will find something(s) of interest or use here.
Hope this helps,
d.sch.
User avatar
dick scherrer
Global moderator
 
Posts: 6268
Joined: Sat Jun 09, 2007 8:58 am
Has thanked: 3 times
Been thanked: 93 times


Return to Mainframe Security

 


  • Related topics
    Replies
    Views
    Last post