Application Security // Database Security
8/6/2013
03:58 PM
Adrian Lane
Adrian Lane
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Mainframes Hackable, But Do You Care?

Mainframes may have holes, but they aren't big targets

There have been very few database security presentations at security conferences of late, as SQLi and buffer overflow attacks have lost their novelty. That said, there is a lot of very interesting database security research going on. and I was lucky to proctor Philip Young's presentation at Blackhat USA 2013 on Mainframes: The Past Will Come Back to Haunt You. In a nutshell, Philip identified several behavioral issues that have serious security implications:

1. It was easy to find valid user accounts as the login sequence leaks information.

2. Passwords are short, don't require complexity, and relatively trivial to crack.

3. Mainframes come with a supplementary UNIX environment.

4. FTP automatically executes uploaded files (data sets).

All of which leads to fun and mayhem for an attacker, and potentially serious data breaches. But does anyone care? The presentation and -- given most of my mainframe experience was OS390 -- educational, will this public research yield increased attacks against zOS?

Unlikely.

I asked a well-known database vulnerability researcher last year "Why don't we hear about more DB2 hacks?" His response: "Because no one uses it."

The point he was making was that, in comparison to Oracle and SQL Server, DB2's market size is relatively small. The response may sound glib, but I see very few new -- Web or otherwise -- projects on any flavor of DB2, and certainly not mainframe. We said for years that Mac OS-X was "safe" from a security standpoint as it's market presence was minuscule compared to Windows. It did not warrant attackers focus as the reward vs. effort factor was out of whack. Mainframes, while still alive and running critical applications for the indefinite future, do not attract attackers, as it would require investment of a few hundred hours to understand, and access to a mainframe (emulator).

All of which is my way of saying that you, the person responsible for mainframe database security, don't have a lot to worry about. And if you were worried about these attacks, you can disable FTP to thwart malicious code uploads. Or firewall off the mainframe from Web access, as seems common. Beyond that most of the flaws must be addressed by IBM through code changes.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
andrewboon2739
50%
50%
andrewboon2739,
User Rank: Apprentice
1/16/2014 | 8:31:05 AM
re: Mainframes Hackable, But Do You Care?
Came across another article whcih talk about hacking http://www.marcandangel.com/20...
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web