Mainframes still exist at the core of many large or enterprise organisations, especially within banking. When your bank appears to have problems for two or more days and you can’t get at your cash or pay your bills, this is usually due to a mainframe crash or problem, typically caused by a botched maintenance routine. The average age of a mainframe programmer (or system programmer) is approximately 55+, most have already retired, and we can potentially see more retiring in the near future. It looks as if a skills gap has now appeared in this area.
But aren’t mainframes legacy? Aren’t they being phased out for newer servers? No! Mainframes should not be regarded as legacy, as IBM typically releases a new version of the OS every 10+ years:
- OS/360 – 1960
- OS/370 – 1970
- OS/390 – 1990
- z/OS – 2000
Mainframes can be daunting, but thanks to Phil ‘Soldier of Fortran’ Young we get a look at mainframes from the perspective of one of our peers in the IT security sector. Phil has highlighted many interesting problems encountered when security reviewing mainframes, and how to overcome them. But aren’t there checks in Tenable’s Nessus? There are approximately six checks for the iSeries AS/400 in Nessus, and a book on hacking the iSeries. However, there is nothing on zSeries, which is why Phil Young is now trying hard to educate the rest of the security community and encourage more security research in this area.
Here is a small list of elements I have learnt from Phil, and stuff we should all consider when security reviewing mainframes:
- The main console is essentially root! The console cannot be locked (other than by locking the room it sits in), so a root session is always available to whoever is sitting in front of it. This is how mainframe security was performed before the days of RACF.
- Usernames are limited to 7 characters.
- Passwords are limited to 8 characters (A-Z, 0-9, @, #, $).
- RACF provides the main security features; the default password dataset is SYS1.RACFDS.
- The default password is usually the group name.
- Only one user on TSO can log in at once: no concurrent sessions.
- FTP in its default state is clear-text and supports the PORT command, allowing users to potentially bounce their port scans through the mainframe.
- FTP usually allows SITE file=JES to execute a previously uploaded job file.
- Telnet/x3270 is available by default in clear-text.
- The TSO login is vulnerable to user enumeration techniques.
- The password policy in its default configuration is weak: passwords of length 4 are allowed, all passwords are converted to UPPERCASE, the password history is 1, there is no lock-out threshold, there is no password expiry warning, passwords are valid for 180 days, and there are no password complexity rules.
- su works without a password if the user is in the group BPX.SUPERUSER.
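As an added example (my own code, not from Phil’s talk or this post), a small Python helper that audits the default password policy listed above and works out how large a keyspace the upper-case-folded 39-symbol alphabet actually leaves. The review baselines inside audit() (8 characters, history of 8, 90-day expiry) are my own assumptions, not RACF defaults.

```python
import math
from dataclasses import dataclass

# RACF password alphabet as described above: A-Z, 0-9 and the national
# characters @ # $.  Because every password is folded to upper case before
# it is stored, typing lower-case letters adds nothing to the keyspace.
PASSWORD_ALPHABET = 26 + 10 + 3      # 39 symbols
MAX_PASSWORD_LENGTH = 8

@dataclass
class PasswordPolicy:
    min_length: int         # shortest password accepted
    history: int            # previous passwords remembered and refused
    lockout_threshold: int  # failed logons before the user is revoked; 0 = never
    expiry_days: int        # how long a password stays valid
    warning_days: int       # days of expiry warning shown at logon; 0 = none
    complexity_rules: bool  # whether any composition rules are enforced

# The weak default configuration listed above (values taken from the bullet list).
DEFAULT_POLICY = PasswordPolicy(min_length=4, history=1, lockout_threshold=0,
                                expiry_days=180, warning_days=0,
                                complexity_rules=False)

def keyspace(min_length: int, max_length: int = MAX_PASSWORD_LENGTH,
             alphabet: int = PASSWORD_ALPHABET) -> int:
    """Count every password the policy accepts: alphabet**n for each allowed length."""
    return sum(alphabet ** n for n in range(min_length, max_length + 1))

def keyspace_bits(min_length: int, max_length: int = MAX_PASSWORD_LENGTH) -> float:
    """The same keyspace expressed as bits of entropy for an unbiased random choice."""
    return math.log2(keyspace(min_length, max_length))

def audit(policy: PasswordPolicy) -> list[str]:
    """Compare a policy with the assumed review baselines; one finding per gap."""
    findings = []
    if policy.min_length < 8:
        findings.append(f"minimum length {policy.min_length} is below 8")
    if policy.history < 8:
        findings.append(f"password history of {policy.history} allows quick reuse")
    if policy.lockout_threshold == 0:
        findings.append("no lock-out threshold: online guessing is unlimited")
    if policy.expiry_days > 90:
        findings.append(f"passwords valid for {policy.expiry_days} days (> 90)")
    if policy.warning_days == 0:
        findings.append("no expiry warning: users are surprised by revoked accounts")
    if not policy.complexity_rules:
        findings.append("no complexity rules: short, guessable passwords accepted")
    return findings
```

Even a full-length 8-character password only yields about 42 bits of keyspace here, which is why the lock-out threshold and the clear-text protocols listed above matter more than on platforms with larger alphabets.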
- Phil Young – Blackhat 2013 – Mainframe Presentation