Application Security // Database Security
8/6/2013
03:58 PM
Adrian Lane
Adrian Lane
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Mainframes Hackable, But Do You Care?

Mainframes may have holes, but they aren't big targets

There have been very few database security presentations at security conferences of late, as SQLi and buffer overflow attacks have lost their novelty. That said, there is a lot of very interesting database security research going on. and I was lucky to proctor Philip Young's presentation at Blackhat USA 2013 on Mainframes: The Past Will Come Back to Haunt You. In a nutshell, Philip identified several behavioral issues that have serious security implications:

1. It was easy to find valid user accounts as the login sequence leaks information.

2. Passwords are short, don't require complexity, and relatively trivial to crack.

3. Mainframes come with a supplementary UNIX environment.

4. FTP automatically executes uploaded files (data sets).

All of which leads to fun and mayhem for an attacker, and potentially serious data breaches. But does anyone care? The presentation and -- given most of my mainframe experience was OS390 -- educational, will this public research yield increased attacks against zOS?

Unlikely.

I asked a well-known database vulnerability researcher last year "Why don't we hear about more DB2 hacks?" His response: "Because no one uses it."

The point he was making was that, in comparison to Oracle and SQL Server, DB2's market size is relatively small. The response may sound glib, but I see very few new -- Web or otherwise -- projects on any flavor of DB2, and certainly not mainframe. We said for years that Mac OS-X was "safe" from a security standpoint as it's market presence was minuscule compared to Windows. It did not warrant attackers focus as the reward vs. effort factor was out of whack. Mainframes, while still alive and running critical applications for the indefinite future, do not attract attackers, as it would require investment of a few hundred hours to understand, and access to a mainframe (emulator).

All of which is my way of saying that you, the person responsible for mainframe database security, don't have a lot to worry about. And if you were worried about these attacks, you can disable FTP to thwart malicious code uploads. Or firewall off the mainframe from Web access, as seems common. Beyond that most of the flaws must be addressed by IBM through code changes.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
andrewboon2739
50%
50%
andrewboon2739,
User Rank: Apprentice
1/16/2014 | 8:31:05 AM
re: Mainframes Hackable, But Do You Care?
Came across another article whcih talk about hacking http://www.marcandangel.com/20...
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-3828
Published: 2014-10-22
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.