By Reg Harbeck with Phil Young
This is part eight of a 10-part series on security for the mainframe. During SHARE San Jose 2017 Reg Harbeck, chief strategist with Mainframe Analytics Ltd. and member of the SHARE Editorial Advisory Committee, sat down with Phil Young, co-founder of zedsec 390 to explore critical security topics, and offer tips and tactics to help create a more secure mainframe environment.
So, here’s the million-dollar question: Why do the hackers do it? In other words, what’s in it for them? And how?
Here is what Phil said: “Hackers target platforms for various reasons. Sometimes it is for notoriety or bragging rights, sometimes there’s monetary reasons behind it, other times it could be in retaliation for a perceived or real slight. For example, there was a breach in Sweden of a mainframe hosting company called Logical. It’s phenomenal what the attacker was able to do from a computer in Cambodia. His motivation was initially retaliation from a lawsuit but eventually turned to monetary. He targeted the federal mainframe environment and using exploits he developed on z/OS V1R4 (version one, release four) he was able to gain unauthorized access. Using this access he downloaded datasets/files that amounted to the entirety of their social security database and their version of witness protection, along with the source code to their tax processing system. With the knowledge he gained he then targeted banks and successfully stole funds.”
“In Sweden, that was their realization that mainframe security was no joke. Their federal government started taking a keen interest in the platform security, moreso than they were previously.”
“Think of this now from a bad actor perspective in the US. If I was able to compromise the IRS and steal the source code to their software and analyze it. What I’d be looking for is what checks/threasholds kick off an audit by a human. Knowing those numbers I can now ensure that I, and anyone I wish to sell that information to, will never be audited.”
“The attacker of the Logica mainframe was ultimately caught and arrested and I was never able to find copies of their tax processing source code for sale or for free on the darknet.”
So what did that mean for the rest of the mainframe community? According to Phil, “The Logica breach was an important watershed moment because the entire investigation was published online and made freely available. Normally IBM makes sure this type of information would never make it to the public eye, however the attacker was already well known in Sweden and so, fearing public political backlash, released the entire investigation files. People already knew the why, but this explained the how. It essentially went from stealing a persons credentials to being able to execute APF authorized programs through various means (poorly coded SVCs, a buffer overflow in an OMVS library, etc).”
“Having learned these new skillsets the attacker went on to find other targets. Interestingly at the same time, three or four mainframes that were on the internet disappeared. And we think-one of them was in China. Other security researchers think the attacker also breached those mainframes because part of the breach investigation had logs, and some of those logs had IP addresses to other places that were mainframes. And those mainframes since have disappeared off the internet. So, the thinking is he breached multiple other mainframes using other techniques but likely didn’t report it because breach notification laws are sparse and the IBM mainframe community has a habit of keeping things quiet.”
Something clearly has to change. But what? Next time: tools and rules.
Read part 7 - Young, the Mainframe Hacker: Ob-Sec-urity.
Read part 6 - Young, the Mainframe Hacker: Public Disclosures.
Read part 5 - Young, the Mainframe Hacker: A Patchy SLA?.
Read part 4 - Young, the Mainframe Hacker: Pro Script Shun?.
Read part 3 - Young, the Mainframe Hacker: Inoculating the Herd.
Read part 2 - Young, the Mainframe Hacker: Young Mainframe Devolution.
Read part 1 - Young, the Mainframe Hacker: The Saga Begins.