Application Security // Database Security
8/6/2013
03:58 PM
Adrian Lane
Adrian Lane
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Mainframes Hackable, But Do You Care?

Mainframes may have holes, but they aren't big targets

There have been very few database security presentations at security conferences of late, as SQLi and buffer overflow attacks have lost their novelty. That said, there is a lot of very interesting database security research going on. and I was lucky to proctor Philip Young's presentation at Blackhat USA 2013 on Mainframes: The Past Will Come Back to Haunt You. In a nutshell, Philip identified several behavioral issues that have serious security implications:

1. It was easy to find valid user accounts as the login sequence leaks information.

2. Passwords are short, don't require complexity, and relatively trivial to crack.

3. Mainframes come with a supplementary UNIX environment.

4. FTP automatically executes uploaded files (data sets).

All of which leads to fun and mayhem for an attacker, and potentially serious data breaches. But does anyone care? The presentation and -- given most of my mainframe experience was OS390 -- educational, will this public research yield increased attacks against zOS?

Unlikely.

I asked a well-known database vulnerability researcher last year "Why don't we hear about more DB2 hacks?" His response: "Because no one uses it."

The point he was making was that, in comparison to Oracle and SQL Server, DB2's market size is relatively small. The response may sound glib, but I see very few new -- Web or otherwise -- projects on any flavor of DB2, and certainly not mainframe. We said for years that Mac OS-X was "safe" from a security standpoint as it's market presence was minuscule compared to Windows. It did not warrant attackers focus as the reward vs. effort factor was out of whack. Mainframes, while still alive and running critical applications for the indefinite future, do not attract attackers, as it would require investment of a few hundred hours to understand, and access to a mainframe (emulator).

All of which is my way of saying that you, the person responsible for mainframe database security, don't have a lot to worry about. And if you were worried about these attacks, you can disable FTP to thwart malicious code uploads. Or firewall off the mainframe from Web access, as seems common. Beyond that most of the flaws must be addressed by IBM through code changes.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
andrewboon2739
50%
50%
andrewboon2739,
User Rank: Apprentice
1/16/2014 | 8:31:05 AM
re: Mainframes Hackable, But Do You Care?
Came across another article whcih talk about hacking http://www.marcandangel.com/20...
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web