Times are changing and we all need to take notice. The mainframe computing environment, with protocols dating back decades, is a new frontier of exploration for both the White Hat and the Black Hat hackers. A White Hat is an ethical hacker who seeks to expose vulnerabilities publicly so they can be addressed before they are exploited by malicious hackers. A Black Hat is a criminal hacker who hacks for illegal purposes or for notoriety. Large computing environments have been ignored by the hacker community for many years, but mainframe data now has a target on its back.
The Bottom Line: Hacking tools have gone public, and they may be running on your network, connected to your mainframes.
The White Hats
“Ultimately we want people to understand that, because of its widespread usage as a core system in many critical infrastructures from finance to air travel; its relative obscurity; and lack of real wide-spread exposure to the hacking public; this system is rife with opportunities to be further secured and hardened.” – Chad Rikansrud (@bigendiansmalls)
What Chad is saying is that mainframe computing environments are vulnerable. What’s *new* in all of this is that hackers are cracking old protocols, like TN3270, and building tools for others to do the same.
In this video from the DerbyCon 4 conference, Dominic White demonstrates how he updated an open source 3270 emulation package to be able to see hidden fields and overwrite data in the protocol being sent back to the host. He has released the tools as open source.
His description of what these tools can do should alarm you:
“In particular, BIRP provides two capabilities for the aspiring TN3270 hacker. The first is that it shows all the data returned by the application in the screen. This includes hidden fields. The second is that it allows fields marked as “protected” aka “non modifiable” to be modified. Depending on how the application has been developed, this can allow application functionality to be modified.”
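Dominic's description makes the security point precise: "protected" and "hidden" are bits in the field attribute byte the host sends to the terminal, and only the emulator enforces them. The following added example (mine, not from the post, BIRP or any emulator; the screen layout and data stream bytes are constructed) decodes those bits and shows the host-side check an application needs: comparing the Read Modified reply against the field table it sent and flagging data for fields it never made modifiable.

```python
# Added example, not code from the post, BIRP or x3270. Field protection and
# non-display live in the attribute byte and are honoured only by the client.
FA_PROTECT, FA_NUMERIC, FA_INTENSITY, FA_NONDISPLAY, FA_MDT = 0x20, 0x10, 0x0C, 0x0C, 0x01
SBA = 0x11  # Set Buffer Address order; introduces each modified field inbound

def decode_attr(attr):
    """Security-relevant bits of a 3270 field attribute byte."""
    return {"protected": bool(attr & FA_PROTECT),
            "numeric": bool(attr & FA_NUMERIC),
            "hidden": (attr & FA_INTENSITY) == FA_NONDISPLAY,
            "mdt": bool(attr & FA_MDT)}

def decode_addr(b1, b2):
    """12-bit (6 bits per byte) or 14-bit (top two bits of b1 zero) buffer address."""
    return ((b1 & 0x3F) << 8) | b2 if (b1 & 0xC0) == 0 else ((b1 & 0x3F) << 6) | (b2 & 0x3F)

def encode_addr12(addr):
    """Constructed 12-bit encoding for the sample below (0x40 marks the 6-bit form)."""
    return bytes([0x40 | (addr >> 6), 0x40 | (addr & 0x3F)])

def parse_read_modified(inbound):
    """AID byte, 2-byte cursor address, then SBA + address + data per modified
    field; the address is the field's first data position (attribute + 1)."""
    aid, fields, i = inbound[0], {}, 3
    while i < len(inbound):
        if inbound[i] != SBA:
            raise ValueError(f"unexpected order 0x{inbound[i]:02x} at offset {i}")
        addr, i = decode_addr(inbound[i + 1], inbound[i + 2]), i + 3
        start = i
        while i < len(inbound) and inbound[i] != SBA:
            i += 1
        fields[addr - 1] = inbound[start:i]  # keyed by the attribute address
    return aid, fields

def find_tampered_fields(screen, inbound):
    """screen: attribute address -> attribute byte the host wrote. Returns the
    fields a conforming terminal could never send back: ones the host never
    defined, or ones it marked protected (including protected hidden fields)."""
    _, fields = parse_read_modified(inbound)
    return sorted(a for a in fields if a not in screen or decode_attr(screen[a])["protected"])

# Constructed sample screen: label, amount entry, hidden session token, account number.
SCREEN = {0: 0x60, 10: 0x40, 100: 0x6C, 200: 0x70}
ENTER = 0x7D  # AID for the Enter key
GOOD = bytes([ENTER]) + encode_addr12(14) + bytes([SBA]) + encode_addr12(11) + b"\xF1\xF0\xF0"
BAD = GOOD + bytes([SBA]) + encode_addr12(101) + b"\xC1\xC2"  # hidden token field rewritten
```

A conforming emulator never returns the field at attribute address 100, so `find_tampered_fields(SCREEN, BAD)` reports it; logging such replies per session gives the host a detection signal for non-conforming clients.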
The Black Hats
Philip Young gave an excellent talk at the IBM Share conference in Seattle this year in which he described what Black Hat hackers did to penetrate a Swedish Government Mainframe and ultimately the Swedish Bank Nordea. Philip describes the tools developed by the hackers here.
Call to Action
As hacker focus shifts to the mainframe and exploits and tools are publicly released, it is more important than ever to ensure that 1) only trusted applications are connecting to your mainframes, and 2) strong security controls, such as multi-factor authentication, are implemented for protection.
The Host Access Management and Security Server (MSS) product by Attachmate (now Micro Focus) provides multifactor authentication for IBM mainframes. In addition, the MSS Security Proxy Add-On enables a security proxy to ensure that only trusted terminal emulation clients can gain access to the mainframe. With Host Access Management and Security Server, hacker tools like the one developed by Dominic can be locked out.
What to Watch, Who to Follow
- t218 – Hacking Mainframes: Vulnerabilities in applications exposed over TN3270 – Dominic White
- Smashing the Mainframe for Fun and Prison Time
- Black Hat 2013 – Mainframes: The Past Will Come To Haunt You
- How to Embrace Hacker Culture for Z/OS | Phil Young at Share 2015 in Seattle
- Def Con 22 – Philip “Soldier of Fortran” Young – from root to SPECIAL: Pwning IBM Mainframes