1. Delivering the best in z services, so2ware, hardware and training. Delivering the best in z services, so2ware, hardware and training.
World Class, Full Spectrum, z Services
How to Protect Your Mainframe from
Hackers
Rui Miguel Feio
Security Lead

2. Agenda
• Introduc@on
• Mainframe Hacking – Fact or Fic@on?
• Securing the Mainframe
• Is this Enough?
• Warning! The Human Factor
• References and Resources
• Ques@ons?

3. Introduc@on
Rui Miguel Feio is…
– Security lead at RSM Partners
– Mainframe technician specialising in mainframe security:
• Penetra@on Tes@ng
• Security Audit
• Security Improvement
– Has been working with mainframes for the past 16 years
– Started as an MVS Systems Programmer
– Experience in other plaTorms as well

4. Mainframe Hacking
– Fact or Fic@on?

5. “It is a fairly open secret that almost all systems
can be hacked, somehow. It is a less spoken of
secret that such hacking has actually gone quite
mainstream.”
Dan Kaminsky

6. Hacking a Mainframe
• The mainframe is highly securable but not secure by default.
– You need to invest @me and resources to make it secure.
• Can the mainframe be hacked?
– Not only it can be hacked but it has already been hacked!
• Most mainframe hacking cases are not reported.
• But there are cases that have come to public…

7. Mainframe Hacking In the News

8. Mainframe Hacking In the News

9. Hacking the Mainframe on YouTube

10. Hacking the Mainframe on YouTube

11. Hacking the Mainframe on YouTube

12. Hacking the Mainframe on YouTube

13. Securing the Mainframe

14. Top 10 Security Vulnerabili@es
1. Excessive access to APF libraries
2. Number of users with System Special
3. User SVCs reques@ng privileged func@ons
4. USS controls (UNIXPRIV, UID=0)
5. Started tasks not defined as PROTECTED
6. RACF database not properly protected
7. Profiles in OPERCMDS Class not properly set
8. SURROGAT profiles permihng use of privileged userids
9. RACF profiles with UACC or ID(*) > NONE
10. Batch Jobs with excessive resource access

15. What’s the Problem?
• Excessive access to APF libraries
– Users with UPDATE access or higher to an APF library can create an authorised
program that can bypass security controls and execute privileged instruc@ons.
• Number of users with System Special
– SPECIAL aoribute gives the user full control over all of the RACF profiles in the
RACF database. At the system level, the SPECIAL aoribute allows the user to
issue all RACF commands.
• User SVCs reques@ng privileged func@ons
– They are extensions to the opera@ng system, receiving control in Supervisor
State and in the master storage protected key (key 0). This means that they
have the power to circumvent security measures by altering otherwise
protected storage areas.

16. What’s the Problem?
• USS controls (UNIXPRIV, UID=0)
– The UNIXPRIV class resource rules are designed to give a limited subset of the
superuser UID=0 capability. Userids with superuser authority (UID=0), have
full access to all USS directories and files and full authority to administer.
• Started tasks not defined as PROTECTED
– Userids associated with started tasks should be defined as PROTECTED which
will exempt them from revoca@on due to inac@vity or excessive invalid
password aoempts, as well as being used to sign on to an applica@on.
• RACF database not properly protected
– A user who has READ access to the RACF database could make a copy and
then use a cracker program to find the passwords of userids.

17. What’s the Problem?
• Profiles in OPERCMDS Class not properly set
– Controls who can issue operator commands: JES, MVS, operator commands.
• SURROGAT profiles permihng use of privileged userids
– This class allows userids to access the privileges of other userids by submihng
work under their authority without requiring a password.
• RACF profiles with UACC or ID(*) > NONE
– If a userid is not defined to the Access Control List (ACL) of a RACF profile,
UACC or ID(*) will provide them the access. In some cases, READ access can be
a security risk because it can provide access to sensi@ve data.

18. What’s the Problem?
• Batch Jobs with excessive resource access
– It is common to see the userid of the batch job having too much access to.
This means that when the job enters into the job scheduler, it can accidentally
or maliciously access sensi@ve data or resources.

19. But There Are Many More!!
• Profiles in Warning mode
• Userids with no Password
Interval
• Data transfer methods
• U@li@es (e.g. ISRDDN, TASID)
• RACF Class Facility
• RACF Class XFACILIT
• RACF Class SERVAUTH
• RACF Class JESINPUT
• RACF Class JESJOBS
• …

20. Monitoring and Aler@ng Systems
• Monitoring and Aler@ng is essen@al but does not always work.
• Monitoring processes:
– Not covering the essen@als
– Teams not skilled enough to iden@fy problems
• Aler@ng processes:
– Not covering the essen@als
– Not properly configured
– Can be compromised

21. Compromising the Aler@ng System
• Let’s use the example of IBM zSecure Alert…
• HLQ.C2POLICE.C2PCUST contains all the aler@ng code and
configura@on sehngs
• Whoever has READ access to this dataset will be able to:
– Check the configura@on and the alerts
– Check for example to which email address the alerts are being sent and flood
the email address with false posi@ves
– While problem is being iden@fied, the hacker has a window of opportunity to
perform malicious ac@vi@es

22. Is This Enough?

23. “The hacker is going to look for
the crack in the wall…”
Kevin Mitnick in “The Art of Intrusion”

24. Once he finds it… It’s Play@me!

25. 7 Security Principles
• Know what are you trying to protect 1
• Know the environment 2
• Know your enemy 3
• Know your weaknesses and strengths 4
• Assess and plan 5
• Define a strategy 6
• Adapt and evolve or ‘die’ 7

26. The Mainframe is Part of Something
The mainframe is part of an
ecosystem:
– Servers
– Terminals
– Other mainframes
– Smart phones
– Tablets
– Routers
– Switches
– IoT devices
– Users (technical and non-technical)
– 3rd par@es
– …

27. The 3 Main ‘Actors’
Hacker Techie User

28. 5 Stages of Hacking
Cover Tracks
Maintain Access
Gain Access
Scanning
Reconnaissance

29. Strengths and Weaknesses
• Technological estate
• Processes & procedures
• Technical documents
• Access requirements
• Segrega@on of du@es
• Training and educa@on to staff and 3rd
par@es
• Systems’ updates
• Process to keep systems up-to-date
• Team work
• Request help!

30. Assess, Plan and Define a Strategy

31. Adapt and Evolve
• Security is not a one @me @ck in a box process
• Security requires a daily effort and constant improvements
• You should consider performing regular:
– Penetra@on tests
– Security Audits
– Implementa@on of Security Improvement programmes
– Run vulnerability scannings
• Remember: Hackers have all the @me in the world and are
constantly developing new ways of aoacking and compromising!

32. Warning! The Human
Factor

33. “Most advanced aoacks rely as much on
exploi@ng human flaws as on exploi@ng system
flaws.”
An Hacker

34. Humans – The Inside Threat
* Figure from the “IBM 2015 Cyber Security Intelligence Index” report

35. The Weakest Link
Insider Associate Affiliate Dumbass

36. Conclusion

37. To Summarise…
• There’s a lot of work to be done to protect the mainframe,
internally, and externally.
• Training and educa@on are essen@al!
• Need to keep up to date.
• Humans are the weakest link.
• Security MUST be taken seriously!
* Dark Reading visitors responding to “What do you consider the greatest security threat to your organiza5on?”

38. References & Resources

39. Light Reading
• “IBM 2015 Cyber Security Intelligence Index”, IBM
• “2015 Threat Report”, Websense
• “2015 Cost of Cyber Crime Study: Global”, Ponemon Ins@tute
• “The Human Factor 2015”, Proofpoint
• “The Insider Threat: Detec@ng Indicators of Human Compromise”, Tripwire
• “White Hats, Black Hats. A Hacker Community is Emerging Around the
Mainframe. What You Need to KNow…”, Mike Rogers @ Aoachmate.com
• “The Art of War”, Sun Tzu

40. Web Sites
• PC World:
– hop://www.pcworld.com/ar@cle/2034733/pirate-bay-cofounder-charged-with-hacking-ibm-
mainframes-stealing-money.html
• The Register:
– hop://www.theregister.co.uk/2013/03/04/convicted_hacker_hack_into_prison/
• Daily Mail:
– hop://www.dailymail.co.uk/news/ar@cle-2526726/Married-Barclays-boss-spent-stolen-2million-call-
girls-Banker-accused-five-year-cash-the2.html

41. YouTube Videos
• Hacking Mainframes Vulnerabili@es in applica@ons exposed over TN3270, Dominic
White:
– hops://www.youtube.com/watch?v=3HFiv7NvWrM&feature=youtu.be
• Mainframes Mopeds and Mischief A PenTesters Year in Review, Tyler Wrightson:
– hops://www.youtube.com/watch?v=S-9Uk706wuc
• Smashing the Mainframe for Fun and Prison Time, Philip Young:
– hops://www.youtube.com/watch?v=SjtyifWTqmc&feature=youtu.be
• Black Hat 2013 - Mainframes: The Past Will Come to Haunt You, Philip Young:
– hops://www.youtube.com/watch?v=uL65zWrofvk&feature=youtu.be

42. Ques@ons?
Hands Up!!

43. Rui Miguel Feio, RSM Partners
ruif@rsmpartners.com
mobile: +44 (0) 7570 911459
linkedin: www.linkedin.com/in/rfeio
www.rsmpartners.com
Contact