RE: z/OS, OS/390 Pen testing tips/ideas/papers?

From: Bob Mahan (bmahan@nsoco.com)
Date: 01/30/03

    From: "Bob Mahan" <bmahan@nsoco.com>
    To: "'Nick Jacobsen'" <nick@ethicsdesign.com>, <pen-test@securityfocus.com>
    Date: Thu, 30 Jan 2003 14:44:39 -0600
    
    

    It's hard to be very specific on what little information you gave. I
    have done a lot of work on IBM mainframes in the past. From a general
    point of view, if the IBM systems involve dumb 3270-type devices running
    on their proprietary VTAM network, then the areas of data access controls
    for non-RDBMS data (flat, VSAM, IMS, etc.) via their security software (RACF,
    ACF2, etc.) and database access controls for RDBMS such as DB2's DCL
    (Data Control Language) are key areas. You didn't mention what
    communications regions were involved, like CICS, IMS, TSO, etc., so it's
    hard to know exactly what you're up against. Also keep in mind that most
    likely they are also a COBOL shop and that language is as vulnerable to
    buffer overruns as any other. The big difference in an IBM mainframe is
    that the OS is much more protected than other platforms due to its
    architecture. But it is just a computer and, like any other, the general
    server stuff would apply as it would anywhere: dial-ups, default accounts,
    weak passwords, backups, change control, etc.

    Sorry I don't have a lot of links or other areas to point you to.

    Bob Mahan
    Network Security Operations
    Phone: (847) 571-5525
    mailto:bmahan@nsoco.com
    http://www.nsoco.com

    > -----Original Message-----
    > From: Nick Jacobsen [mailto:nick@ethicsdesign.com]
    > Sent: Tuesday, January 28, 2003 7:24 AM
    > To: pen-test@securityfocus.com
    > Subject: z/OS, OS/390 Pen testing tips/ideas/papers?
    >
    >
    > Hi all,
    > One of my clients has an IBM OS/390 running on one of
    > their networks I am doing some security testing on, and
    > considering I really have not dealt with any IBM mainframes
    > before when it comes to security, I was hoping that some of
    > you might be able to point me the right direction. Anything
    > would be helpful, but especially from a penetration viewpoint.
    >
    > Thank You,
    > Nick Jacobsen
    > Ethics Design
    > nick@ethicsdesign.com
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security
    > Intelligence Alert (SIA) Service. For more information on
    > SecurityFocus' SIA service which automatically alerts you to
    > the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/



