@mainframed767
DISCLAIMER
I’m not here in the name of or on behalf of my employer. All opinions expressed here at ISSA are my own.
Is it Legacy?
WHAT IF?
Three out of four of those pictures are what we should define as “Legacy”. Mainframes aren’t one of them.
FACTS
IBM mainframes are MODERN architectures running STATE OF THE ART operating systems.
• Current version: z/OS 2.2, released in 2015
• Modern password crypto
• Supports IoT/Web
IT’S IMPORTANT
• 96 of the world’s top 100 banks
• 23 of the top 25 US retailers
• 9 out of 10 of the world’s largest insurance companies
• 71% of the global Fortune 500 (355 companies)
HOW MANY?
Mainframes process roughly 30 billion business transactions per day, including most major credit card transactions and stock trades, money transfers, manufacturing processes, and ERP systems.
SHOW OF HANDS
How many of you today are actively doing penetration testing or vulnerability scans on your mainframes?
A.K.A. ABOUT ME
1992
FAST FORWARD
• Degree in Computer Science
• IT Security Consultant:
  – Ernst & Young
  – Grant Thornton
• Internal Audit: Visa
• Currently:
  – Mainframe Pentester
BEFORE & AFTER VISA
• Mainframe security reviews
  – Typical checklist auditor
  – No idea what I was actually doing
• Assigned to review the mainframe at Visa
  – Was assigned a terrible consultant
  – Started personal research
  – Identified multiple vulnerabilities
TALKIN’BOUT IT
http://bit.ly/ztalks
YOU MAY BE THINKING: “Most, or all, mainframes are protected behind firewalls, VPNs and various other security controls.”
INTERNET MAINFRAMES PROJECT
• Started in 2013
• Simple scan of the internet for mainframes (using Nmap)
• Found 400+ mainframes. For example:
FOR THOSE WONDERING
PRIMARY MAINFRAME OS
IT’S JUST AN OPERATING SYSTEM
• It has files and folders (but they’re not called files or folders)
• It has a command line
• It has a GUI
• Serves up websites
• It runs UNIX
• TCP/IP
FILES AND FOLDERS
FILES are called Datasets
• A dataset name is composed of qualifiers separated by periods:
  – High Level Qualifier (HLQ)
  – Other qualifiers
  Example: PHIL.PROGRAMS.TEST (HLQ = PHIL)
FOLDERS are called Partitioned Datasets (PDS)
• Same as datasets, but they contain ‘members’, named in parentheses
  Example: PHIL.PROGRAMS.TESTS(JUNE2015) (HLQ = PHIL, member = JUNE2015)
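The naming rules behind the two slide examples, as an added example (not code from the talk): a validator that splits a z/OS data set name into HLQ, qualifiers and member, and rejects names that the catalog would never accept. The two names from the slide are used as input; the rules (qualifiers of 1-8 characters starting with a letter or @ # $, at most 44 characters in total, member names of 1-8 characters) are the standard MVS ones.

```python
"""Parse and validate z/OS data set names (added example, not from the original slides).
The sample names PHIL.PROGRAMS.TEST and PHIL.PROGRAMS.TESTS(JUNE2015) are the slide's;
the rules encoded below are the standard MVS data set naming rules."""
import re

# A qualifier is 1-8 characters: first alphabetic or national (@ # $), the rest
# alphanumeric, national or hyphen. A member name follows the same rule without
# the hyphen. The full name (qualifiers plus periods, member excluded) is <= 44 chars.
QUALIFIER_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}$")
MEMBER_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")
MAX_DSNAME_LEN = 44


def parse_dsname(name):
    """Return {'dsname', 'hlq', 'qualifiers', 'member'} or raise ValueError.

    Names are folded to upper case, as TSO does. A trailing '(MEMBER)' marks a
    PDS member; anything else containing parentheses is rejected by the
    qualifier rule because '(' is not a legal qualifier character."""
    name = name.strip().upper()
    member = None
    if name.endswith(")"):
        open_paren = name.find("(")
        if open_paren < 0:
            raise ValueError(f"unbalanced parenthesis in {name!r}")
        name, member = name[:open_paren], name[open_paren + 1:-1]
        if not MEMBER_RE.match(member):
            raise ValueError(f"invalid member name {member!r}")
    if len(name) > MAX_DSNAME_LEN:
        raise ValueError(f"data set name longer than {MAX_DSNAME_LEN} characters: {name!r}")
    qualifiers = name.split(".")
    for q in qualifiers:
        if not QUALIFIER_RE.match(q):
            raise ValueError(f"invalid qualifier {q!r} in {name!r}")
    return {"dsname": name, "hlq": qualifiers[0], "qualifiers": qualifiers, "member": member}


def is_valid_dsname(name):
    """True if parse_dsname() accepts the name, False otherwise."""
    try:
        parse_dsname(name)
    except ValueError:
        return False
    return True


def is_pds_member(name):
    """True when the name addresses a member inside a partitioned data set."""
    return parse_dsname(name)["member"] is not None


if __name__ == "__main__":
    for n in ("PHIL.PROGRAMS.TEST", "PHIL.PROGRAMS.TESTS(JUNE2015)", "1BAD.NAME"):
        print(n, "->", parse_dsname(n) if is_valid_dsname(n) else "invalid")
```

Feeding the output of a catalog or FTP directory listing through `parse_dsname()` is a cheap way to group what you find by HLQ before deciding which data sets to look at.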
COMMAND LINE
• Known as TSO (Time Sharing Option)
• Identified by the red ‘READY’ prompt
UNIX
• z/OS comes with UNIX (z/OS UNIX System Services)
• UNIX runs TCP/IP:
  – Webservers
  – SSH
  – DB2 sockets
  – CICS sockets
SECURITY DATABASE
• Access control in z/OS goes through SAF (the System Authorization Facility), which hands each check to an external security manager
• Most common (IBM): RACF
  – Resource Access Control Facility
• Two others (CA):
  – ACF2
  – Top Secret
TO FIND THE LOCATION
• Finding RACF database is really easy:
SCRIPTING LANGUAGE
• Job Control Language (JCL)
• A scripting language for mainframes
• For example:
(Annotated JCL screenshot: job card, program, parameters)
STEAL CREDENTIALS
AUTOMATE WITH ETTERCAP
STEAL THE RACF DATABASE
• RACF “hashes” passwords with DES (the password is used as the DES key to encrypt the userid) unless the newer, optional KDFAES algorithm has been enabled
• John the Ripper supports RACF password cracking
MORE ABOUT HASHING ALGO
• Chad Rikansrud @bigendiansmalls
• SHARE 2016: “Topics on Mainframe Encryption” http://bit.ly/zoscrypto
LET’S BREAK IN INSTEAD
See if you can catch the problem
CICS ENUMERATION?
PATCH OA44855
• Disables this ability: the TSO logon screen asks for the password before it validates the userid, so valid and invalid userids get the same response
• While still allowing users to log on
• Again, this patch/change is ‘optional’: it has to be switched on with the TSO/E LOGON parmlib setting PASSWORDPREPROMPT(ON)
USING FTP
• Supports TLS (FTPS) – no excuse for unencrypted FTP
• Allows wildcard searches of the catalog (e.g. *RACF*)
• Allows JCL submission (SITE FILETYPE=JES turns a PUT into a job submission)
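The three FTP bullets above, and the JCL and RVARY slides before them, tied together in one added example (not code from the talk or from the speaker’s GitHub repositories): a TLS-protected login, the wildcard catalog search, and a JCL job built in Python and submitted through the server’s JES interface. The JCL runs the TSO command RVARY LIST in batch, which reports the RACF database data sets (the “TO FIND THE LOCATION” slide). Host name, userid, password, job name and the account field are placeholders; the job-ID regex assumes the usual JOBnnnnn / Jnnnnnnn formats.

```python
"""Drive the z/OS FTP server: FTPS login, wildcard data set search, JCL submission via
FILETYPE=JES (added example; host, credentials, job name and account are assumptions)."""
import re
from ftplib import FTP_TLS
from io import BytesIO

JOBNAME_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")  # 1-8 chars, first alphabetic/national
JCL_MAX_COL = 71  # JCL statements live in columns 1-71; column 72 is the continuation column


def is_valid_jobname(jobname):
    return bool(JOBNAME_RE.match(jobname))


def build_tso_batch_job(jobname, account, commands, notify="&SYSUID"):
    """Return JCL that runs TSO commands in batch under IKJEFT01 (the TSO terminal monitor).

    SYSTSIN carries the commands as in-stream data, terminated by '/*'; SYSTSPRT sends
    the command output to the job's spool so it can be fetched back over FTP."""
    if not is_valid_jobname(jobname):
        raise ValueError("job name must be 1-8 characters, first alphabetic or @#$")
    lines = [
        f"//{jobname:<8} JOB ({account}),'TSO BATCH',CLASS=A,MSGCLASS=X,NOTIFY={notify}",
        "//STEP1    EXEC PGM=IKJEFT01",
        "//SYSTSPRT DD SYSOUT=*",
        "//SYSTSIN  DD *",
    ]
    for cmd in commands:
        if len(cmd) > JCL_MAX_COL:
            raise ValueError(f"TSO command does not fit one SYSTSIN record: {cmd!r}")
        lines.append(" " + cmd)  # leading blank keeps a command from ever looking like '/*'
    lines.append("/*")
    for line in lines:
        if line.startswith("//") and len(line) > JCL_MAX_COL:
            raise ValueError(f"JCL statement runs past column {JCL_MAX_COL}: {line!r}")
    return "\r\n".join(lines) + "\r\n"


def parse_job_id(reply):
    """Pull the JES job id out of the server's STOR reply (JOBnnnnn or Jnnnnnnn)."""
    m = re.search(r"\b(JOB\d{5}|J\d{7})\b", reply)
    return m.group(1) if m else None


def connect(host, user, password):
    """Explicit FTPS: AUTH TLS on the control channel, PROT P for the data channel."""
    ftp = FTP_TLS(host)
    ftp.login(user, password)
    ftp.prot_p()
    return ftp


def find_datasets(ftp, pattern="*RACF*"):
    """Wildcard search of the catalog; quoting the pattern makes it fully qualified
    instead of being prefixed with the logged-on user's HLQ."""
    ftp.sendcmd("SITE FILETYPE=SEQ")
    found = []
    ftp.retrlines(f"NLST '{pattern}'", found.append)
    return found


def submit_job(ftp, jcl):
    """In JES mode a STOR does not create a data set: the server submits the file as a job."""
    ftp.sendcmd("SITE FILETYPE=JES")
    reply = ftp.storlines("STOR JOB.JCL", BytesIO(jcl.encode("ascii")))
    return parse_job_id(reply), reply


def fetch_output(ftp, job_id):
    """Retrieve the job's spool output while still in JES mode."""
    out = []
    ftp.retrlines(f"RETR {job_id}", out.append)
    return "\n".join(out)


if __name__ == "__main__":
    # Placeholder host and credentials; nothing here refers to a real system.
    ftp = connect("mainframe.example.com", "PHIL", "secret")
    print(find_datasets(ftp))
    job_id, reply = submit_job(ftp, build_tso_batch_job("PHILJOB", "ACCT", ["RVARY LIST"]))
    print(reply)
    if job_id:
        print(fetch_output(ftp, job_id))
    ftp.quit()
```

The defensive reading of the same code: every step here is logged (FTP server SMF records, the JES job log, RACF messages from RVARY), so an FTP login followed by a SITE FILETYPE=JES and a STOR from an address that never submits jobs is exactly the sequence a SIEM rule for the platform should pick up.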
METASPLOIT-ABLE
Z/OS CVES
Only two in the world!
• CVE-2012-5951 (CVSS score: 7.2)
  – Local privilege escalation
• CVE-2012-5955 (CVSS score: 10)
  – CGI-BIN parser and the shell metacharacter ‘;’ (remote command execution)
THESE CVES
• These two CVEs came from the Logica/Nordea breach
• In 2012 a founder of The Pirate Bay breached multiple mainframes
• http://bit.ly/zbreach “Smashing the Mainframe: For Fun and Prison Time”
TN3270 APPLICATIONS
• TN3270 is the protocol – that ‘green screen’
• Relies on client-side security: field attributes such as ‘protected’ and ‘non-display’ are enforced by the terminal emulator, not by the host, so a modified client can read hidden fields and send back altered data in protected ones
DO IT YOURSELF
All these scripts are available online:
http://github.com/zedsec390 and
http://github.com/mainframed
IBM POLICY
IBM QUOTES
“PUBLIC release of this data was not in the best interest of the system Z community.”
VULNERABILITY SCANNING
• Almost worthless on the platform
• Qualys/Nessus don’t support the platform
• Scanners rely on CVEs; however, IBM doesn’t release public vulnerabilities
NOT UP TO DATE
IBM TRUST IS ABSOLUTE
Show of hands: Who here trusts Microsoft to get crypto right?
[Censored]
SPEAKING OF ABSOLUTES
“Also ALL the DoD mainframes are behind firewalls and VPNs”
ALL
PENSYS1.ARMY.PENTAGON.MIL
PENETRATION TESTING
• No, the system won’t crash
• Start forcing penetration testing against the environment
Key Take Away: The system isn’t “Legacy” and therefore shouldn’t be exempt from standard information security controls.
BETTER SIEM
• The mainframe logs everything (SMF records)
• Getting those logs off the platform is a challenge, but not impossible
• Multiple products exist which support mainframe logs
Key Take Away: Mainframe logs should be used for alerting and follow your existing Windows/Linux processes.
ASSET CLASSIFICATION
• Multiple products exist on the market to identify WHAT is on your mainframe
• Identifying critical data assets allows you to protect them!
Key Take Away: Being able to identify critical data and who is accessing it is essential for forensics and appropriate control assessments.
LAB ENVIRONMENT
• Get access to the mainframe yourself
• Hands-on learning opportunities
• “Rational Development and Test Environment for System z” - http://bit.ly/rdtz
Key Take Away: Hands-on training and access provides clear connections to mainframe controls and allows for better security testing.
COMPLIANCE
• Controls should be as robust as those on other systems
• Standard processes should be observed despite the ‘Legacy’ moniker
• Use an appropriate baseline: the DoD DISA STIG
  – The DoD STIG is the only comprehensive checklist which covers the entire OS
Key Take Away: Assess your current controls against those in other areas and best practices, and close any gaps which exist.
WHAT DO YOU THINK?
• Do you still think it’s a “secure” legacy platform?
• Who here thinks it appropriate to be out of scope from your security activities?
THANKS/CONTACT
You can contact me on gmail/twitter/tumblr:
Email: [email protected]
Blog: Mainframed767.tumblr.com
Twitter: @mainframed767
THANK YOU!
All Links: http://bit.ly/ztalks http://bit.ly/zoscrypto http://bit.ly/zbreach http://bit.ly/rdtz