<p>Introduction to z/OS and IBM mainframes world and security (WhiteWinterWolf.com, 2017-10-01, <a href="https://www.whitewinterwolf.com/posts/2017/10/01/introduction-to-zos-and-ibm-mainframes-world-and-security/">original post</a>)</p>
<p>Mainframes are often designated as <em>“legacy platforms”</em>.
This triggers the mental image of those old 80’s era enormous bulky computers
which can be found in any good computer museum and vintage videos, and leaves a
mixed feeling about the place of such machines in today’s computing world.</p>
<p>However, nothing could be more wrong:</p>
<ol>
<li>
<p>A lot of the technologies which made today’s computing what it is actually
owe their existence to the mainframe world.</p>
<p>Things like non-executable memory, process isolation, virtualization and
symmetric multiprocessing, to name just a few, are all technologies that were
first developed for mainframe environments, and only then ported onto
other architectures.</p>
</li>
<li>
<p>Today’s mainframe hardware has nothing in common with antique computers;
it evolved as the rest of the computer world did.</p>
<p>They are bulky, but not as much as one may imagine: the size of a large
fridge, to give a rough idea.
They remain made of thick steel though, with the main unit weighing
around a ton, hence their pet name of <em>“big iron”</em>.
Despite this, a <a href="https://www.youtube.com/watch?v=45X4VP8CGtk" rel="external" title="Connor Krukosky - Here's What Happens When an 18 Year Old Buys a Mainframe (SHARE channel YouTube)">student</a> managed to install one in his
basement, and the Australian customs’ cargo processing and intelligence
center at Sydney International Airport managed to get two simply
<a href="http://www.smh.com.au/articles/2003/09/04/1062548967124.html" rel="external" title="The brazen airport computer theft that has Australia's anti-terror fighters up in arms (The Sydney Morning Herald)">stolen</a> from their top-security room.</p>
<p>On the inside, the latest generation (introduced in July, 2017) can host up
to 170 central processors, each with 10 cores and backed by numerous other
purpose-specific processors, the whole thing backed by up to 32 <span class="caps">TB</span> of <span class="caps">RAM</span> and
fiber channels for data communication.</p>
</li>
</ol>
<p>This is not exactly what I would call a <em>“legacy system”</em>.
What is usually <em>legacy</em>, in fact, is not the system itself but the applications
running on it.</p>
<p>One of the key points of mainframe systems is indeed <em>backward-compatibility</em>.
Mainframes are used in the most sensitive environments where any bug will most
likely have huge consequences.
In such environments, as long as things work, people are always wary of
touching anything.
The usual motto is:</p>
<blockquote>
<p>If it ain’t broke, don’t fix it.<sup id="fnref-lance"><a class="footnote-ref" href="#fn-lance">1</a></sup></p>
</blockquote>
<p>So don’t think of rewriting or migrating to different software: things worked
this way in the past, so the best way to make them work in the future is to keep
them as-is.</p>
<p>Mainframe architecture and its main operating system z/<span class="caps">OS</span> (a mainframe is
designed to run several operating systems in parallel, even Linux including
<span class="caps">KVM</span> support) ensure that the applications that worked for the last 20 years
will continue to work the same on newer systems.</p>
<p>Despite the system characteristics mentioned above, mainframe systems must
however not be confused with supercomputers (which, by the way, usually run Linux as their
main operating system):</p>
<ul>
<li>
<p>As expected, supercomputers excel in <em>fast</em> processing.
They can handle highly complex computational tasks, such as weather
forecasting, very quickly and very efficiently.</p>
</li>
<li>
<p>On the other hand, mainframe computers would be inefficient at such a task.
Where they particularly shine, however, is <em>parallel</em> processing.
They can handle thousands of simultaneous transactions with very high
requirements in terms of throughput, reliability, integrity and accountability.
It is, for instance, a mainframe that will ultimately update your bank
account when you withdraw money from a cash dispenser.</p>
</li>
</ul>
<h3 id="what-on-earth-is-a-mainframe-david-stephens"><a class="toclink" href="#what-on-earth-is-a-mainframe-david-stephens">What On Earth is a Mainframe? (David Stephens)</a></h3>
<p><span class="lb-small floatright"><a href="#what-on-earth-is-a-mainframe.jpg" id="what-on-earth-is-a-mainframe.jpg-thumb" title="Click to enlarge"><img alt="Cover of 'What On Earth is a Mainframe?'" src="https://www.whitewinterwolf.com/posts/2017/10/01/introduction-to-zos-and-ibm-mainframes-world-and-security/what-on-earth-is-a-mainframe.jpg"/></a></span>
<em>What On Earth is a Mainframe?</em> is a low-technical introduction to the
mainframe world.
It is subtitled
<em>“An introduction to <span class="caps">IBM</span> zSeries Mainframes and z/<span class="caps">OS</span> Operating System for Total Beginners”</em>,
which accurately describes the content of this book.</p>
<p>David Stephens worked in various mainframe management and operations positions
and condensed into a short (200 pages) and easy-to-read book all
you need to know to become more familiar with what may at first appear as an
obscure world:</p>
<ul>
<li>
<p>A bit of history but mostly to focus on the principles that made the
mainframes what they are now and explain how they acquired and kept
their position at the core of the most critical infrastructures.</p>
</li>
<li>
<p>A good description of the hardware, the storage, terminals, networking.</p>
</li>
<li>
<p>The operating system and the main software you will usually encounter in
mainframe environments (including from non-<span class="caps">IBM</span> providers).</p>
</li>
<li>
<p>The people gravitating around the mainframe system and their respective
roles and duties.</p>
</li>
<li>
<p>The procedures designed to reduce unavailability time, such as change
management and disaster recovery, as they are applied in such sensitive environments.</p>
</li>
</ul>
<p>This book manages to be high-level enough to remain readable and
interesting to low-technical people, while still remaining accurate, factual
and informative enough to also interest technical people who are not used to the
mainframe world, or only to a part of it, and who would like to grasp a larger
picture of it.</p>
<p class="buy button"><a href="https://www.amazon.com/What-Earth-Mainframe-David-Stephens/dp/1409225356/?tag=electronicfro-20" rel="external" title="Buy 'What On Earth is a Mainframe?' (Amazon)">Buy on Amazon</a></p>
<h3 id="mainframe-basics-for-security-professionals-pomerantz-vander-weele-nelson-hahn"><a class="toclink" href="#mainframe-basics-for-security-professionals-pomerantz-vander-weele-nelson-hahn">Mainframe Basics for Security Professionals (Pomerantz, Vander Weele, Nelson <span class="amp">&</span> Hahn)</a></h3>
<p><span class="lb-small floatright"><a href="#mainframe-basics-for-security-professionals.jpg" id="mainframe-basics-for-security-professionals.jpg-thumb" title="Click to enlarge"><img alt="Cover of 'Mainframe Basics for Security Professionals: Getting Started with RACF'" src="https://www.whitewinterwolf.com/posts/2017/10/01/introduction-to-zos-and-ibm-mainframes-world-and-security/mainframe-basics-for-security-professionals.jpg"/></a></span>
This book is designed for people who come from a Unix background and would like
to know more about mainframe security from a practical perspective.</p>
<p>This book too is short, around 200 pages, and relies heavily on practice.
In fact, the reader is expected to read it while having access to a z/<span class="caps">OS</span> image
where they can test and play with the book’s commands.</p>
<ul>
<li>
<p>This book assumes no previous knowledge of mainframes, so it starts very slowly
with how to connect to a mainframe and display a first “Hello world” at the <span class="caps">TSO</span> prompt.</p>
</li>
<li>
<p>Then it builds on that, step-by-step, covering user management,
data protection (including <em>z/<span class="caps">OS</span> <span class="caps">UNIX</span></em> and <em>Security Labels</em>; the latter
should ring a bell for people already familiar with SELinux ;) )
and logging.</p>
</li>
<li>
<p>Once these technical bases are set, mainframe auditing and limited-authority
administrators are covered.</p>
</li>
<li>
<p>Finally, the book closes with a more theoretical overview of
enterprise-wide security.</p>
</li>
</ul>
<p>It is designed as a practical entry into the mainframe world, and accomplishes
this task very well.
A number of subjects are only overviewed to keep the book short and
to-the-point, but this is always clearly stated, and numerous references to the
official documentation are provided to deepen any particular subject.</p>
<p class="buy button"><a href="https://www.amazon.com/Mainframe-Basics-Security-Professionals-Getting/dp/0131738569/?tag=electronicfro-20" rel="external" title="Buy 'Mainframe Basics for Security Professionals: Getting Started with RACF' (Amazon)">Buy on Amazon</a></p>
<h3 id="pentesting-mainframes-philip-young-and-dominic-white-talks"><a class="toclink" href="#pentesting-mainframes-philip-young-and-dominic-white-talks">Pentesting mainframes (Philip Young and Dominic White talks)</a></h3>
<p><span class="lb-small"><a href="#smashing-the-mainframe.jpg" id="smashing-the-mainframe.jpg-thumb" title="Click to enlarge"><img alt="Philip Young - Smashing the Mainframe for Fun and Prison Time at Hacktivity, 2014" src="https://www.whitewinterwolf.com/posts/2017/10/01/introduction-to-zos-and-ibm-mainframes-world-and-security/smashing-the-mainframe.jpg"/></a></span></p>
<p>Philip Young is an advocate of practical testing of mainframe security.
He gave numerous talks, stating the same fact:</p>
<blockquote>
<p>There is a huge disconnect between security and the mainframe world,
even though the mainframe is sort of built as this amazing security platform.</p>
</blockquote>
<p>I recommend in particular the following presentations:</p>
<ul>
<li><a href="https://www.youtube.com/watch?v=SjtyifWTqmc" rel="external" title="Philip Young - Smashing the Mainframe for Fun and Prison Time - Hacktivity, 2014 (Hacktivity channel, YouTube)">Smashing the Mainframe for Fun and Prison Time</a>,
speaking of mainframes in front of hackers.</li>
<li><a href="https://www.youtube.com/watch?v=5Ra4Ehmifh4" rel="external" title="Philip Young - How to Embrace Hacker Culture For z/OS - SHARE, 2015 (SHARE channel, YouTube)">How to Embrace Hacker Culture For z/<span class="caps">OS</span></a>, speaking
of hackers in front of mainframes administrators and operators.</li>
</ul>
<p>He describes the research he started back in 2012, and the trouble he ran into,
as it was during the same period that a major hack targeting mainframes, notably
ones used by the Swedish government, happened<sup id="fnref-anakata"><a class="footnote-ref" href="#fn-anakata">2</a></sup>.
He then describes the vulnerabilities that were revealed by these attacks, plus
some others from his own research.</p>
<p>The Swedish government had to force <span class="caps">IBM</span> to publish CVEs for the vulnerabilities
revealed by the above-mentioned attack.
In fact, mainframe vulnerabilities are normally kept secret by <span class="caps">IBM</span>.
This is also a subject of worry to Philip, who finds it
<em>“unbelievable that vulnerabilities are kept secret”</em>:</p>
<blockquote>
<p>People are more concerned about their system’s availability than they are in
having them tested.
In the Windows and Linux world where I come from you just assume it gets
tested all the time.
If you put a machine on the Internet, it’s just getting hit non-stop.
It’s just background noise on the Internet.
<br/><em>[…]</em><br/>
The more people you have looking at something, the more secure it’s going to
be.
The more people who are actively to break into a system (in their spare-time,
at home, they aren’t breaking into their bank), the more secure it’s going to
be for you and for the world.</p>
</blockquote>
<p>Personally, what worries me even more is that for most of their life mainframes
could indeed be assumed secure because:</p>
<ul>
<li>The knowledge of how to operate them was uncommon.</li>
<li>They ran unusual services.</li>
<li>They were not connected to common networks (old-generation mainframes had
no <span class="caps">IP</span> support, you used <span class="caps">SNA</span>/<span class="caps">LU</span> instead; don’t expect to use <code>nmap</code> or
<code>netcat</code> over this!).</li>
<li>Enough profit could be obtained by exploiting far easier targets than
having to deal with the big iron thing.</li>
</ul>
<p>However, time went on:</p>
<ul>
<li>Anyone can learn and study mainframes at home now: enough software and
documentation is available.</li>
<li>Mainframes now run Unix with standard services, they run Java, parse <span class="caps">XML</span> files.</li>
<li>They are widely connected to <span class="caps">IP</span> networks, some are even directly facing the Internet.</li>
<li>Due to years of extensive testing, the rest of the infrastructure became
more and more protected by equipping itself with <abbr title="Intrusion Detection System"><span class="caps">IDS</span></abbr>, <abbr title="Intrusion Prevention System"><span class="caps">IPS</span></abbr>, <span class="caps">SIEM</span>, network
segmentation, next-generation firewalls, hardened hosts and services, and
so on.
The lack of practical testing of the mainframe system can now easily turn
it from the central, secure and safe position it once had into one of the
weakest components of the security chain, where the expected profit vs.
exploit complexity ratio could designate it as the most interesting target.
The talks linked here show how security issues that were solved
decades ago on classical architectures (when was the last time you
saw a Unix server still using <span class="caps">DES</span> to protect system passwords?) are still
current on mainframes.</li>
</ul>
<p>In case you are still not depressed enough, note that Philip mainly focuses his
research on the mainframe system itself.
<a href="https://www.youtube.com/watch?v=3HFiv7NvWrM" rel="external" title="Hacking Mainframes Vulnerabilities in applications exposed over TN3270, Dominic White (YouTube)">Dominic White</a>, on his side, focuses on mainframe applications, only to
find that the picture is the same, with blatant security holes including
security relying <em>on the client</em> through the use of hidden fields, just as
if a web server stored your access level in clear in a cookie and relied
on it to determine your privileges; and this applies to systems critical to
governments, financial institutions, etc.</p>
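<p>The “trust the client” flaw described above, modelled as a server handling a form whose hidden field echoes the user’s access level back (the cookie analogy from the text). This is an added example, not code from the original post or from the talks it links; the user directory, field names and requests are constructed for illustration. It shows the flawed handler beside the fixed one, plus a check a defender could log on.</p>

```python
# Added example (not from the original post): client-side trust via a hidden
# field, as described in the text, beside its server-side fix.
# USER_ROLES, the field names and the requests below are constructed data.
from dataclasses import dataclass, field

# Server-side directory of privileges: the only authoritative source.
USER_ROLES = {"alice": "ADMIN", "bob": "USER"}


@dataclass
class Request:
    user: str                      # identity established at logon
    fields: dict = field(default_factory=dict)  # fields echoed back by the client,
                                                # including hidden ones


def vulnerable_handler(req: Request) -> str:
    """Flawed: the access level is read from a client-controlled hidden field,
    so whatever the client sends back decides which menu it gets."""
    level = req.fields.get("ACCESS", "USER")
    return "admin menu" if level == "ADMIN" else "user menu"


def hardened_handler(req: Request) -> str:
    """Fixed: the client may echo anything; privileges are looked up on the
    server side from the logged-on identity and never from the form."""
    level = USER_ROLES.get(req.user, "NONE")
    if level == "ADMIN":
        return "admin menu"
    if level == "USER":
        return "user menu"
    return "denied"


def tampered_fields(req: Request) -> list:
    """Detection aid: names of echoed fields that contradict server-side state.
    Even once the handler is fixed, such mismatches are worth logging."""
    expected = {"ACCESS": USER_ROLES.get(req.user, "NONE")}
    return [k for k, v in expected.items()
            if k in req.fields and req.fields[k] != v]


if __name__ == "__main__":
    # bob is a plain user whose client echoes a modified hidden field
    req = Request(user="bob", fields={"ACCESS": "ADMIN", "ACCOUNT": "12345"})
    print(vulnerable_handler(req))  # admin menu: the hidden field decided
    print(hardened_handler(req))    # user menu: the directory decided
    print(tampered_fields(req))     # ['ACCESS']
```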
<div class="footnote">
<hr/>
<ol>
<li id="fn-lance">
<p>This phrase, originally attributed to the businessman
<a href="https://en.wikipedia.org/wiki/Bert_Lance#.22If_it_ain.27t_broke.2C_don.27t_fix_it..22" rel="external" title="Bert Lance: 'If it ain't broke, don't fix it.' (Wikipedia)">Bert Lance</a>, often serves as a justification to keep old and
obsolete technologies in production… until a disaster happens. <a class="footnote-backref" href="#fnref-lance" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn-anakata">
<p>This hack was perpetrated in 2012 by <a href="https://en.wikipedia.org/wiki/Gottfrid_Svartholm" rel="external" title="Gottfrid Svartholm (Wikipedia)">Gottfrid Svartholm Warg</a>,
alias Anakata, one of the co-founders of The Pirate Bay torrent exchange website,
and targeted Swedish governmental and banking data.
Found guilty of breaking copyright rules with The Pirate Bay in 2010, he did
not present himself to the Swedish authorities but settled down in Cambodia.
I can imagine that these hacks may have been some kind of revenge on his part.
The Pirate Bay trial is the subject of a very well-made film I highly recommend:
<a href="https://www.youtube.com/watch?v=eTOKXCEwo_8" rel="external" title="TPB AFK: The Pirate Bay Away From Keyboard (YouTube)">The Pirate Bay - Away From Keyboard</a> <a class="footnote-backref" href="#fnref-anakata" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
</ol>
</div>