Security consultants tend to specialise fairly early in their careers, and one of the areas I chose to specialise in, and something that Digital Interruption offers our clients, is mainframe security assessments.
For many of us, unless you’re over a certain age, or have a strange fixation on weird machines, you’ll likely have never interacted with a mainframe before. There are a few popular (and contradictory) myths in the infosec community about mainframes:
- They’re legacy
- They’re the same as supercomputers
- Nothing a cluster of cloud computers can’t beat
- Nobody uses them any more
- AS/400s are mainframes (they’re not)
Like all myths, these are formed from only grains of truth. IBM’s mainframe hardware, System Z, can boast backwards compatibility to the days of punch cards, but the last stable release at the time of writing was September 2017. Interestingly, a lot of the functionality we take for granted these days, like virtual machines, has been a staple of IBM’s big iron for the last 30 years. z/VM, IBM’s virtualisation-specific mainframe, casually supports practical virtualisation five levels deep. IBM created the term hypervisor, and it dates back to the 1960s. As far as legacy is concerned, everyone else is playing catch-up.
Mainframe is not interchangeable with supercomputer. Supercomputers, at least in the early days, used architectural tricks to implement super-fast vector processing, while more general-purpose computation was performed with scalar processing. Nowadays, we have vector processing in most mainstream CPUs, including those in mobile phones. Supercomputers are essentially huge, specialised, streamlined CPU/GPU farms.
Mainframes differ in that they are not created to perform super-fast calculations, but are designed to handle tens of thousands of concurrent transactions. A good example might be a bank processing credit card information. IBM defines each of these tasks as “a logical unit of work”.
Mainframes are designed with resilience in mind. Almost everything can be hot-swapped on a System Z machine – memory, power and even cooling pumps. One of the last mainframes I pen tested had an uptime of 19 years, and I was informed that the real uptime was actually probably a number of years higher. And yes, they are still used. They are everywhere. They tend to be the underlying force propelling banks, stock exchanges and flight reservation systems, among others. Most importantly, they’re absolutely fascinating.
This isn’t going to be an in-depth examination of mainframe security, but I want to touch on at least some of the interesting things I’ve seen during mainframe assessments (both z/OS and HP’s NonStop), and a little bit about the risks to mainframes and why they need to be included in a penetration test.
I’m going to start with the risk – while there’s something of an impression that mainframes aren’t hackable, this isn’t true. In 2012, there was a rather impressive mainframe hack pulled off by a group when they compromised a mainframe run by Logica on behalf of the Swedish government, and another mainframe run by one of the major Swedish banks, Nordea. There’s a lot to unpack in this breach and an analysis of the breach is worth a blog post in itself (although an excellent analysis can be found here), but the attackers deployed multiple backdoors and at least two 0-day exploits.
In the case of the bank, they attempted to transfer almost a million dollars and they stole a very significant amount of personal information from the mainframe. While compromising a mainframe requires a very specialised talent, attackers like that exist. People often assume that the keys to the kingdom of a network are things like the Active Directory server, but mainframes, if they’re present, are infinitely more valuable, and are often overlooked both as potential targets and for hardening.
During one mainframe assessment, I was able to use an account from SYS1.UADS (think a legacy version of /etc/shadow on Linux) which was unknown to RACF to bypass access controls and view a sysprog’s normal user account’s datasets – including one where they stored the password for IBMUSER, the superuser on the system. On another assessment which involved HP NonStops, I was able to get access via the NULL.NULL default user account to OSS and then list all users – one of the superusers had the same password as username, which allowed me to then gain full access to several other NonStops via SSH (a very simple tool to speed up the process of some basic enumeration of NonStop can be found on my GitHub). These are pretty serious mistakes to make, but they do happen.
People are understandably wary of getting mainframes tested – a lot of consultants and security companies do not have specialised in-house testers with experience on mainframes, but a number do. Penetration testing doesn’t have to be unintelligent scanning. It’s very possible to provide assurance and a comprehensive mainframe penetration test without any risk to the system, and here at Digital Interruption, this is just one of many specialised services we can provide.