Mainframed: The Secrets Inside that Black Box

Phil Young

Tue, 7th May 2013


Speaker Bio 1:
Ever since he saw the movie TRON, Phil has been fascinated with computers, mainframes especially. Throughout his career he's had the chance to review mainframe security at various large organizations. He has worked in IT security for 9 years, but ever since he learned you could emulate your own mainframe he's been knee-deep in JCL, print queues and OMVS. Some people build toy trains, others model airplanes, but Phil's hobby is mainframe security. He has given a talk about mainframe security at BSidesLV, BSide, has been interviewed for podcasts and maintains a blog about mainframe security research.

Phil discusses how mainframes are used all over the world for critical IT functions, from processing your paycheck to scheduling flights, and how, once you peel back the legacy iron shield, you start to notice cracks. This discussion will help you understand what's inside that big black box, how to interact with it, and the tools that exist to help you test your mainframe.

Questions and answers

Max, Concise Courses:
Are Industrial SCADA systems considered as being mainframes?

Phil Young:
I don’t think so, because those are more industrial control systems. They were more purpose-built at the time. I am sure there might be some that were mainframes, because they were the predominant OS at the time. Like a nuclear power facility built in the 1970s – it might be running on a mainframe. Generally today it will be running on a modern OS like Windows or Linux, or maybe even a Unix architecture.


Max, Concise Courses:
Every system can have “zero day” vulnerabilities and with that in mind, do you think it is possible to hack an IBM Z System?

Phil Young:
Yes! If you have been following me on Twitter and the Logica Breach (i.e. the hacking of the IBM mainframe of Logica, a Swedish IT firm that provides tax services to the Swedish government, and the IBM mainframe of the Swedish Nordea bank; one of the Pirate Bay founders is also implicated in this hack), which happened only a few months ago, the investigation is still ongoing. There are zero-days; it’s just that no one has really taken a look at these systems.


Max, Concise Courses:
You mentioned before that the two key problems here are the lack of expertise and no tools. In regards to the lack of expertise, are there any mainframe security training courses out there that you are aware of?

Phil Young:
Not in the context that we are talking about. Yes, there are mainframe security courses, but they are more geared towards security on the mainframe, like for example limiting user access or preventing people from getting access to specific data sets or databases. Stu Henderson runs a great course I took. He has a fantastic course on securing and auditing, and RSH Consulting also have great courses and have their slides on their website. It’s also a really good resource for material.

IBM Redbooks are also very good. They will tell you straight up if [for example] you are setting up an FTP server, disable certain things to prevent attacks. Is there one sort of place where I can say, ‘learn to hack a mainframe’? No, there are no real resources for that available at this point.


Max, Concise Courses:
Could a specific isolated mainframe computer be a victim of a DoS attack?

Phil Young:
Sure! Back in the day mainframes were engineered to be resource-specific; that’s why [employees] were called ‘mainframe engineers’ and ‘system programmers’ instead of administrators. They work the OS until it is perfectly tuned, so for example, for the 3270 connection you set how many maximum connections you want to allow to the mainframe on that port. So, [for example] you could have 5,000 employees and say, ‘I am going to double that number in case all of them want to connect twice’ – and that’s probably enough resources to make available for my entire company. You can take advantage of that and use up all those ports.

The reason why mainframes are not allowed to be scanned by nmap (well, they should be by now) is that every time you connected to a TCP port it would kick off a job in the mainframe. Job queues are limited in how big they can get. [Nmap would] kick off a job because if you open up a SYN-ACK connection, that would send its ACK-SYN back and then wait. With an nmap SYN scan, that would open up that connection and the mainframe would wait two hours before it closed that connection. So if you scanned all 65 thousand ports and it had a job queue of 45 thousand, you would delay the entire job queue for two hours, basically not allowing any job to run.

I am sure there are ways to DoS a mainframe today; it’s just that no one is doing research in this space today.
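The exhaustion Phil describes, a tuned connection limit whose half-open connections each hold a slot for two hours, can be modelled as a slot pool with an idle timeout. The Python below is an added example, not code from the talk or from IBM; the connection limit (5,000 staff, doubled), the 65,535 single-probe burst at 1,000 probes per second and the timeout values are all constructed, and the model shows why shortening the idle timeout bounds the recovery time even though the listener is still saturated while the burst is under way.

```python
from collections import deque


class ListenerModel:
    """A listener with a tuned connection limit whose half-open connections
    hold a slot until an idle timeout fires (constructed model, not z/OS code)."""

    def __init__(self, max_connections, idle_timeout_ms):
        self.max_connections = max_connections
        self.idle_timeout_ms = idle_timeout_ms
        self._expiry = deque()  # expiry time of each held slot, oldest first
        self.rejected = 0       # attempts turned away while every slot was held

    def _expire(self, now_ms):
        # Arrivals are in time order and share one timeout, so expiries are sorted.
        while self._expiry and self._expiry[0] <= now_ms:
            self._expiry.popleft()

    def half_open(self, now_ms):
        """A SYN arrives at now_ms and is never completed; True if it took a slot."""
        self._expire(now_ms)
        if len(self._expiry) >= self.max_connections:
            self.rejected += 1
            return False
        self._expiry.append(now_ms + self.idle_timeout_ms)
        return True

    def free_slots(self, now_ms):
        self._expire(now_ms)
        return self.max_connections - len(self._expiry)

    def recovery_ms(self, now_ms):
        """Time until the last held slot is released and capacity is fully restored."""
        self._expire(now_ms)
        return self._expiry[-1] - now_ms if self._expiry else 0


def simulate_probe_burst(max_connections, idle_timeout_ms, probes, probes_per_second):
    """Feed `probes` half-open connections at a fixed rate (integer ms) and
    report the listener's state at the moment the burst ends."""
    listener = ListenerModel(max_connections, idle_timeout_ms)
    now = 0
    for i in range(probes):
        now = i * 1000 // probes_per_second
        listener.half_open(now)
    return {"rejected": listener.rejected, "free_slots": listener.free_slots(now),
            "recovery_ms": listener.recovery_ms(now)}


if __name__ == "__main__":
    # Constructed scenario: 10,000-connection limit, one probe per port, 1,000 probes/s.
    for timeout_ms in (2 * 60 * 60 * 1000, 30 * 1000):  # two hours vs 30 seconds
        print(timeout_ms // 1000, "s timeout:", simulate_probe_burst(10_000, timeout_ms, 65_535, 1_000))
```

With the two-hour timeout the first 10,000 probes hold every slot and recovery takes close to two hours after the scan ends; with a 30 s timeout the pool churns and is fully free 30 s after the last probe, which is the kind of tuning limit an operator can check without any scanning tool.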