RE: z/OS, OS/390 Pen testing tips/ideas/papers?

From: Bob Mahan (bmahan@nsoco.com)
Date: Thu Jan 30 2003 - 15:44:39 EST

• Next message: Noonan, Wesley: "RE: Identify OS?"
• Previous message: Nick Jacobsen: "Identify OS?"
• In reply to: Nick Jacobsen: "z/OS, OS/390 Pen testing tips/ideas/papers?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

It's hard to be very specific on what little information you gave. I
have done a lot of work on IBM mainframes in the past. From a general
point of view if the IBM systems involve dumb 3270 type devices running
on their propritary VTAM network then the area's of data access controls
for none RDBMS (flat, VSAM, IMS, etc) via their security software (RACF,
ACF2, etc.) and database access controls for RDBMS such as DB2's DCL
(Data Control Language) are key areas. You didn't mention what
communications regions were involved like CICS, IMS, TSO, etc. so its
are to know exactly what your up against. Also keep in mind that most
likely they are also a COBOL shop and that language is as vulnerable to
buffer overruns as any other. The big difference in an IBM Mainframe is
that the OS is much more protected than other platforms due to its
architecture. But it is just a computer and like any other, the general
server stuff would apply as it would like dial-ups, default accounts,
weak passwords, backups, change control, etc.

Sorry I don't have a lot of links or other areas to point you too.

Bob Mahan
Network Security Operations
Phone: (847) 571-5525
mailto:bmahan@nsoco.com
http://www.nsoco.com

> -----Original Message-----
> From: Nick Jacobsen [mailto:nick@ethicsdesign.com]
> Sent: Tuesday, January 28, 2003 7:24 AM
> To: pen-test@securityfocus.com
> Subject: z/OS, OS/390 Pen testing tips/ideas/papers?
>
>
> Hi all,
> One of my clients has an IBM OS/390 running on one of
> their networks I am doing some security testing on, and
> considering I really have not dealt with any IBM mainframes
> before when it comes to security, I was hoping that some of
> you might be able to point me the right direction. Anything
> would be helpful, but especially from a penetration viewpoint.
>
> Thank You,
> Nick Jacobsen
> Ethics Design
> nick@ethicsdesign.com
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus Security
> Intelligence Alert (SIA) Service. For more information on
> SecurityFocus' SIA service which automatically alerts you to
> the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Noonan, Wesley: "RE: Identify OS?"
• Previous message: Nick Jacobsen: "Identify OS?"
• In reply to: Nick Jacobsen: "z/OS, OS/390 Pen testing tips/ideas/papers?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:27 EDT