1. Delivering the best in z services, software, hardware and training.Delivering the best in z services, software, hardware and training.
Delivering the best in z services, skills, security and software.
A New Look at Mainframe Hacking
and Penetration Testing

2. Agenda
• Introduction
• Setting the scene
• The traditional stuff!
• What tools are out there today?
• How do these tool impact us?
• What’s the state of mainframe security?
• How do we keep up to date?
• How do we protect ourselves?
• What are IBM and the vendors doing to help us?
• Summary

3. Introducing Rui
RUI MIGUEL FEIO
• Senior Technical Lead at RSM Partners
• Based in the UK but travels all over the world
• 18 years experience working with mainframes
• Started with IBM as an MVS Sys Programmer
• Specialist in mainframe security
• Experience in other platforms

4. Introducing Steve
STEVE TRESADERN
• Senior Security Architect at RSM Partners
• 30 years experience working with mainframes
• Started as a trainee computer operator in 1987.
• Specialist in mainframe security

5. Introducing RSM Partners
• Sole Focus is IBM Mainframe Services
• IBM Business Partner
• World Leading, 1000+ Man Years Experience
• Run 3 mainframes in-house
• Working with large financial, retail & utility companies
• One area of specialism is mainframe security
– Whole range of services, Audits, pen tests, migrations and
security remediation programs
• We have a reputation for….
– On time, On budget, Every Time

6. Setting the scene

7. The traditional stuff!!
• None of the traditional stuff should be ignored, if anything they
need even more attention than before
• If some of the other stuff we will discuss happens, then the risk
associated with these issues actually rises:
– Privileged Library Access (APF, Parmlib, etc)
– SVC’s and Exits
– Poorly written software that can be exploited, the unprotected
magic SVC
– The top ten audit issues found that have been presented many
times…see next slide

8. Still the – Top Ten Audit Issues
1. Excessive Number of User ID’s w/No Password Interval
2. Inappropriate Usage of z/OS UNIX Superuser Privilege, UID = 0
3. Data Set Profiles with UACC Greater than READ
4. RACF Database is not Adequately Protected
5. Excessive Access to APF Libraries
6. General Resource Profiles in WARN Mode
7. Production Batch Jobs have Excessive Resource Access
8. Data Set Profiles with UACC of READ
9. Improper Use or Lack of UNIXPRIV Profiles
10. Started Task IDs are not Defined as PROTECTED IDs

9. Carla – Identify Audit concerns
NewList type=audit TT='Audit Concerns on the mainframe'
Select AuditPriority>=20
SortList AuditPriority(nd,descending) ,
System Area AreaParm AuditConcern ,
AuditPriority ParmName ParmValue

11. What tools are out
there today?

12. What tools are out there today?
• Do a simple google search on:
– “mainframe hacking tools”
• There is plenty to read and research

13. What tools are out there today?

14. What tools are out there today?
• There’s some really interesting stuff on the list
• Some of our favourites are:
– https://www.bigendiansmalls.com/
– http://mainframed767.tumblr.com/
– https://github.com/mainframed
– http://www.openwall.com/john/

15. https://www.bigendiansmalls.com

16. https://www.bigendiansmalls.com

17. http://mainframed767.tumblr.com

18. https://github.com/mainframedhttps://github.com/mainframed

19. https://github.com/mainframedhttps://github.com/mainframed

20. https://github.com/mainframedhttps://github.com/mainframed

21. https://github.com/mainframedhttps://github.com/mainframed

22. https://github.com/mainframed

23. http://www.openwall.com/john/
• Fully supports testing using a RACF database
• Rumour on the street is that they have already added support for
the new IBM password KDFAES algorithm!
• http://www.openwall.com/john/
• http://www.openwall.com/lists/john-users/2012/03/14/1

24. http://www.openwall.com/john/

25. http://www.openwall.com/john/

26. YouTube
• How about YouTube? Try searching for “mainframe hacking”…

28. How do these tool
impact us?

29. How do these tool impact us?
• For us it’s awareness more than anything
• We have long since understood the risks
• But let’s be honest, many of us have hidden behind the fact that
nobody really took any notice of us, of the mainframe
• More “Security by obscurity”

30. How do these tool impact us?
• For us it’s awareness more than anything
• We have long since understood the risks
• But let’s be honest, many of us have hidden behind the fact that
nobody really took any notice of us, of the mainframe
• More “Security by obscurity”

31. How do these tool impact us?
• For us it’s awareness more than anything
• We have long since understood the risks
• But let’s be honest, many of us have hidden behind the fact that
nobody really took any notice of us, of the mainframe
• More “Security by obscurity”

32. What’s the state of
mainframe security?

33. What’s the state of mainframe
security?
• Unfortunately, in our opinion not great….
• We still see the same old issues:
– The top ten are still the top ten
– Comments that the mainframe is secure and we don’t need to
worry or invest in this legacy technology... still happens today!
– We wouldn’t be saying that if the mainframe was hacked from a
fridge!... buts that’s for another day!!

34. How do we keep up
to date?

35. How do we keep up to date?
• You need to find the time to do the research
• We at RSM are considering creating a mainframe security blog
where we will collate information
• But it takes time and effort
• Attending meetings:
– This one
– GSE Security Working Group and Annual Conference
– Vanguard Conference
– Share Conference
– RSA and other mainstream security conferences
– Defcon, etc

36. How do we protect
ourselves?

37. How do we protect ourselves?
• Get on the front foot
• Be proactive
• Talk to the folks in your organisation and understand what they are
doing with:
– Identity and Access Management
– SIEM
• How many times do we hear that the m/f is out of scope?
– Privileged Users and Privileged Access
– Data classification

38. How do we protect ourselves?
• Get on the front foot
• Be proactive
• Talk to the folks in your organisation and understand what they are
doing with:
– Identity and Access Management
– SIEM
• How many times do we hear that the m/f is out of scope?
– Privileged Users and Privileged Access
– Data classification

39. PEBKAC

40. The PEBKAC…

41. Always remember: stupidity rules!
• Let’s not forget our users… we as a group can only go so far... but as
long as we have users...
• PEBKAC - A useful term for demeaning the incompetent competent
user without actually saying it to their face

42. Always remember: stupidity rules!
• Techie: This isn't working. I'll have to come over there and fix it in
person
• Computer user: Really? Why?
• Techie: It's a PEBKAC issue sir. It's best handled in person.

43. PEBKAC!!

44. PEBKAC!!
44
28/06/2017

45. Summary

46. Summary
• Our world is has changing changed.
• We are not an isolated platform anymore.
• In a connected, digital world, we are the big game in town.
• The hackers, in whatever form are coming after us and they will
succeed have succeeded.
• We need to wake our management up and make them realise years
of underinvestment and a lack of attention will come back and bite
them.

47. Questions

48. Rui Miguel Feio
RSM Partners
ruif@rsmpartners.com
mobile: +44 (0) 7570 911459
www.rsmpartners.com
Contact
Steve Tresadern
RSM Partners
stevet@rsmpartners.com
mobile: +44 (0) 7718 968464
www.rsmpartners.com