Discussion:
Ransomware on Mainframe application ?
Jake Anderson
2017-05-15 06:59:23 UTC
Hi

Just curious if the recent ransomware attack has the capability to infect any
applications running on Mainframe?

Regards
Jake

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Edward Finnell
2017-05-15 07:47:52 UTC
The 'wannacry' exploits security holes in Windows that have been there
forever. M$ released patches for Win7 and Win10 (not sure about 8 and 9). These
were exposed by wikileaks dump of some NSA tricks to backdoor PC's and
networks.

I guess there is potential, but for right now I'd say the MF apps are OK,
the end user just can't get to them with back level Windoze software.


In a message dated 5/15/2017 2:00:34 A.M. Central Daylight Time,
***@GMAIL.COM writes:

Just curious if recent ransomware attack has capability to infect any
applications running on Mainframe ?


Tony Harminc
2017-05-15 16:37:41 UTC
On 15 May 2017 at 03:48, Edward Finnell <
Post by Edward Finnell
The 'wannacry' exploits security holes in Windows that have been there
forever. M$ released patches for Win7 and Win10 (not sure about 8 and 9). These
were exposed by wikileaks dump of some NSA tricks to backdoor PC's and
networks.

It wasn't Wikileaks; they show at least some sense of responsibility in
what they disclose. This was the so-called Shadow Brokers - the guys with
the weirdly fake Russian English who last year purported to be auctioning
NSA material, and then recently published the key to the encrypted data
they had previously published, and which was widely mirrored already.

https://www.schneier.com/blog/archives/2017/05/who_is_publishi.html

Schneier thinks it's the Russians, but who of us without clearances (or
maybe even with) really knows...

Tony H.

Charles Mills
2017-05-15 15:34:55 UTC
No, but Chad Rikansrud did a presentation on the possibility of mainframe ransomware at SHARE San Jose that was positively chilling.

He demonstrated (independent of each other) five building blocks that would be all someone would need to lock up a mainframe. "Two things that mainframes do really well: encryption and fast disk I/O." Consider the implications if your primary backup is real-time replication ...

But, you say, mainframes don't have people clicking on links in e-mail. No, but system programmers with privileged access have PCs and click on links in e-mail.

Charles


Ward, Mike S
2017-05-15 19:33:31 UTC
Do you have a link to the Share presentation?

Charles Mills
2017-05-15 20:12:07 UTC
I don't see it on the SHARE site and I am not sure what is private and what is public in any event. Also much of what he showed was live so it would not survive in a PDF.

Chad is on this list as @Bigendian Smalls. Perhaps he will jump in. I BCC'ed his real e-mail address.

Charles


Mike Schwab
2017-05-15 20:21:57 UTC
Here are some lengthy video interviews with him.
https://www.google.ca/search?q=big+endian+smalls&newwindow=1
--
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?

Paul Gilmartin
2017-05-15 16:45:32 UTC
Post by Charles Mills
But, you say, mainframes don't have people clicking on links in e-mail. No, but system programmers with privileged access have PCs and click on links in e-mail.

A recurrent question in these fora is, "How can I make links appearing in documents
viewed in a mainframe editor active?" Cbttape.org probably has an answer. Or an ISV.

Many years ago, when the risks of TCP/IP were first suspected (the perceived hazard
then was information theft), someone suggested hereabouts that only authorized
data administrators should be allowed use of TCP/IP. No, was the counter, people
with such authority should be forbidden TCP/IP, which should be allowed only to
users with weak, harmless IDs and no access to sensitive data.

Years ago, at the height of the Good Times virus hoax, the conventional and correct
wisdom was that viruses spread only by floppy disks, not by email. Microsoft and
others jumped in to fill that void.

-- gil

Anne & Lynn Wheeler
2017-05-15 17:32:08 UTC
Post by Paul Gilmartin
A recurrent question in these fora is, "How can I make links appearing
in documents viewed in a mainframe editor active?" Cbttape.org
probably has an answer. Or an ISV.
Many years ago, when the risks of TCP/IP were first suspected (the
perceived hazard then was information theft), someone suggested
hereabouts that only authorized data administrators should be allowed
use of TCP/IP. No, was the counter, people with such authority should
be forbidden TCP/IP, which should be allowed only to users with weak,
harmless IDs and no access to sensitive data.
Years ago, at the height of the Good Times virus hoax, the
conventional and correct wisdom was that viruses spread only by floppy
disks, not by email. Microsoft and others jumped in to fill that
void.

predating morris worm
https://en.wikipedia.org/wiki/Morris_worm

by nearly a year, was xmas exec (email) on bitnet (this fora originated on
corporate sponsored university bitnet).
https://en.wikipedia.org/wiki/BITNET
https://en.wikipedia.org/wiki/Christmas_Tree_EXEC

we had looked at problem before that ... but people wanted to do things
like that anyway.

recent thread
http://www.garlic.com/~lynn/2017e.html#47 A flaw in the design; The Internet's founders saw its promise but didn't foresee users attacking one another
http://www.garlic.com/~lynn/2017e.html#49 A flaw in the design; The Internet's founders saw its promise but didn't foresee users attacking one another
http://www.garlic.com/~lynn/2017e.html#50 A flaw in the design; The Internet's founders saw its promise but didn't foresee users attacking one another
http://www.garlic.com/~lynn/2017e.html#56 A flaw in the design; The Internet's founders saw its promise but didn't foresee users attacking one another
http://www.garlic.com/~lynn/2017e.html#59 A flaw in the design; The Internet's founders saw its promise but didn't foresee users attacking one another
http://www.garlic.com/~lynn/2017e.html#83 Time to sack the chief of computing in the NHS?
http://www.garlic.com/~lynn/2017e.html#85 Time to sack the chief of computing in the NHS?

at 1996 Moscone MDC, all the banners said "internet" but the constant
refrain in all the sessions was "preserve your investment". The issue
was that a paradigm of automatic executed scripts included in data files
had grown on small, private, safe, business lans ... and was being
extended to the wild anarchy of the internet w/o any additional
countermeasures.

Until he passed, the Internet RFC standards editor used to let me help
with STD1. He also sponsored my talk on Why the internet isn't business
critical dataprocessing for ISI and USC computer security graduate
students (in part based on the compensating procedures I had to do for
"electronic commerce"). recent reference
http://www.garlic.com/~lynn/2017e.html#11 The Geniuses that Anticipated the Idea of the Internet
http://www.garlic.com/~lynn/2017e.html#14 The Geniuses that Anticipated the Idea of the Internet

Shortly after graduation and joining the science center had (also)
ported APL\360 to CP/67-CMS for CMS\APL ... redoing memory management
for large virtual memory, demand paged environment, also adding API to
system services (like file i/o), opening APL to doing real world
applications. One of the early users on CMS\APL on the science center
system were the business planners in Armonk hdqtrs, loading the most
valuable corporate data ... detailed customer information, and doing
business models. The science center also had a lot of non-employee
users, including staff and students from universities in the boston area
(mit, bu, etc). As a result, we had to demonstrate a very high level of
integrity and security.

A couple years later, IBM had hired former gov. employee as CSO (at one
time had been head of presidential detail) and I got assigned to run
around with him ... talking about computer security (and learning a
little about physical security).
--
virtualization experience starting Jan1968, online at home since Mar1970

Anne & Lynn Wheeler
2017-05-15 19:03:26 UTC
trivia from long ago and far away, gone 404, but lives on
at the way back machine:
http://web.archive.org/web/20090117083033/http://www.nsa.gov/research/selinux/list-archive/0409/8362.shtml

I didn't learn about them until much later. As undergraduate did lots of
work on IBM software and I would even get requests from IBM for
enhancements ... in retrospect, some of the requests may have originated
from these guys.

ibmmain post from march about learning that there were three kinds of
crypto around the mid-80s.
http://www.garlic.com/~lynn/2017c.html#69 ComputerWorld Says: Cobol plays major role in U.S. government breaches
also referenced in this more recent post
http://www.garlic.com/~lynn/2017e.html#58 A flaw in the design; The Internet's founders saw its promise but didn't foresee users attacking one another
--
virtualization experience starting Jan1968, online at home since Mar1970

Chad Rikansrud
2017-05-15 21:48:14 UTC
Hi Mike,

It's the second link here:

https://www.bigendiansmalls.com/share2017/

As Charles pointed out - the hypothetical attack is about just taking over the privileged user's PC and launching from there.

Happy to discuss if you want to email me offline.

Chad

Anne & Lynn Wheeler
2017-05-15 22:17:03 UTC
Post by Chad Rikansrud
As Charles pointed out - the hypothetical attack is about just taking
over the privileged user's PC and launching from there.

when corporations first started using VPN software over internet into
corporate sites ... we pointed out trivial attack to take over the PC
via the internet connection ... and then from the PC, tunnel through the
VPN connection into corporate dataprocessing.

in IBM Retirees facebook discussion, there has been a lot about recent
news articles on buffett unloading IBM:

Buffett cuts stake in IBM and shares slide
https://phys.org/news/2017-05-buffett-stake-ibm.html
Not Just Buffett: IBM Unit Sells IBM, Wells Fargo
http://www.barrons.com/articles/not-just-buffett-ibm-unit-sells-ibm-wells-fargo-1494590407

But Buffett has also waded in on cybersecurity

Warren Buffett's cybersecurity wake-up call -- are we listening?
http://thehill.com/blogs/pundits-blog/technology/333026-warren-buffetts-cybersecurity-wake-up-call-are-we-listening

recent post about this predates Buffett recent reference going back more
than 20yrs
http://www.garlic.com/~lynn/2017e.html#85 Time to sack the chief of computing in the NHS

includes reference to conference that Tandem/Compaq & Atalla (ATM
machine crypto company that Tandem had bought) put on for me ... really
long winded posting from Jan1999:
http://www.garlic.com/~lynn/aepay3.htm#riskm

I have prototype secure chip (strong authentication for both sessions
and transactions) demos/booth at world wide retail banking show Dec1999:
http://www.garlic.com/~lynn/99.html#224 X9.59/AADS announcement at BAI this week

trivia: the CEO of one of the security companies that participated in
both the conference and the BAI demo ... had at one time been head of
mainframe POK.

recent posts
http://www.garlic.com/~lynn/2017e.html#90 Ransomware on Mainframe application ?
http://www.garlic.com/~lynn/2017e.html#91 Ransomware on Mainframe application ?
http://www.garlic.com/~lynn/2017e.html#92 Check out New Wave of Ransom Threats Seen in Unprecedented Attack - Bloomberg
--
virtualization experience starting Jan1968, online at home since Mar1970

Paul Gilmartin
2017-05-16 00:29:06 UTC
Post by Anne & Lynn Wheeler
...
predating morris worm
https://en.wikipedia.org/wiki/Morris_worm
by nearly a year, was xmas exec (email) on bitnet (this fora originated on
corporate sponsored university bitnet).
https://en.wikipedia.org/wiki/BITNET
https://en.wikipedia.org/wiki/Christmas_Tree_EXEC

Which seems still to be available by following links from there.

But it's designed not to work after 1987.

But Y2K may have reactivated it.

-- gil

Glenn Wilcock
2017-05-19 16:38:49 UTC
<duplicate post in plain text as opposed to prior post which was html>
Pointers to some information from IBM on this topic...

https://securityintelligence.com/ is an IBM site that provides security related insight & analysis and provides valuable information regarding Ransomware, including WannaCry.

https://www-03.ibm.com/systems/z/solutions/security_integrity.html provides an overview of z Systems Security and is intended to help you stay current with security and system integrity fixes by providing current patch data and associated Common Vulnerability Scoring System (CVSS) ratings for new APARs. Security Notices are also provided to address highly publicized security concerns.

This link also includes the IBM z/OS System Integrity Statement, a portion of which states "IBM’s long-term commitment to System Integrity is unique in the industry, and forms the basis of z/OS’ industry leadership in system security. z/OS is designed to help you protect your system, data, transactions, and applications from accidental or malicious modification. This is one of the many reasons IBM z Systems remains the industry’s premier data server for mission-critical workloads."

In addition to preventing Ransomware, enterprises need to protect data from being stolen. IBM issued a Statement of Direction in the Announcement letter IBM United States Software Announcement 216-392, dated October 4, 2016, communicating "IBM plans to deliver application transparent, policy-controlled dataset encryption in IBM z/OS®. IBM DB2® for z/OS and IBM Information Management System (IMS™) intend to exploit z/OS dataset encryption."

When recovering from an accidental or malicious data destruction event, z/OS DB2 provides the RESTORE SYSTEM utility that recovers a DB2 instance to a specific point in time before the data was destroyed. Additionally, IBM is gathering client feedback regarding extending this functionality to an entire enterprise.

Glenn Wilcock
DFSMS Architect
