As yet more evidence that mainframes are popular, at the DEF CON 22 “Hacker Conference” Philip Young presented techniques to break into (mostly carelessly managed or unmanaged to the point of IT malpractice) z/OS systems. He describes many of his findings on his blog.
I agree with his central point: many, many organizations are performing horribly when it comes to IT security, including mainframe-related security. And he’s got some solid data to back up his critique. For example, in his survey of Internet-connected, TN3270-accessible mainframes, 53% don’t even bother to TLS/SSL-encrypt connections. Yes, that’s right: RACF (or ACF2, or TopSecret) user IDs and passwords, along with everything else, flies across the public Internet in clear text to/from over half the mainframes he surveyed. (And those are the mainframes that are Internet-reachable. I would strongly argue that it’s IT security malpractice not to TLS/SSL-encrypt TN3270 connections across “internal” WANs.) Moreover, among the 47% that do TLS/SSL-encrypt TN3270 connections, only 49% of those have proper server certificates signed by a valid, well-known CA.
I’ll just go ahead and say it: that’s pathetic performance.
It is true that a fraction of the z/OS systems identified in the survey are truly public. For example, there are a few public and university library catalogs on mainframes that are Internet-reachable. There are also some non-mainframes: individuals running usually obsolete and unlicensed z/OS releases on machine emulators without permission. That said, Young’s survey found several major corporations and government organizations with real mainframes that flunked this oh-so-basic security check. Shame on them, really.
I recall helping a particular government get their mainframe services Internet-reachable securely 15 years ago. It’s 2014! WTF? You know when IBM added SSL encryption to TN3270 (and FTP), at no additional charge? Nearly 20 years ago, way back in the OS/390 releases, way before even z/OS 1.1. IBM even added TLS/SSL client certificate authentication to RACF back in the late 1990s. RACF passphrases? z/OS 1.8 (with TSO exploitation of passphrases soon after).
So why are over 75% of Internet-reachable z/OS systems not properly using what IBM has provided in z/OS (and its predecessors) for nearly two decades?
Pathetic. Sorry, but that’s the demonstrated reality. On this point (at least) I agree with Young — or at least heavily sympathize. There’s just no valid excuse here.
So, as a friendly reminder, here are two basic steps you must take, immediately, if you have not done so already:
1. Survey all the connections to your enterprise servers (including mainframes) that are directly or indirectly (via a proxy, for example) Internet- or WAN-reachable, especially (but not exclusively) via TN3270/TN3270E and FTP. Turn on TLS, and turn off the unencrypted ports. (Make sure you have CPACF enabled on your machine at least, and consider getting a CryptoExpress adapter.) Use signed certificates from well-known certificate authorities, and put in place operational procedures for rotating and revoking those certificates. Yes, that includes development, test, “demo,” and training LPARs. (Users are unfortunately likely to have common passwords across systems, so you must take at least basic steps to protect the “softer” systems, too.)
2. Turn on passphrases in RACF (or ACF2, or TopSecret, as applicable), and manage them well.
There are other steps to take, but considering there are so many mainframe operators that haven’t implemented these two very basic security features, I’m addressing a large audience right now.