Discussion:
[EXTERNAL] ComputerWorld Says: Cobol plays major role in U.S. government breaches
Edward Gould
2017-03-17 19:24:12 UTC
It's not the LA that is the problem - it is the conditional branch instructions that don't have the common sense not to branch where they shouldn't :-)
LALA Land is really the truth? Who would have thought?

Ed
--------------------------------------------------------------------------
Lionel B. Dyck
Mainframe Systems Programmer - TRA
Enterprise Operations (Station 200) (005OP6.3.10)
Information and Technology, IT Operations and Services
-----Original Message-----
Sent: Friday, March 17, 2017 9:04 AM
Subject: [EXTERNAL] Re: ComputerWorld Says: Cobol plays major role in U.S. government breaches
In related news, the Load Address instruction also plays a major role. Need to get rid of that ASAP.
LOL, bunch of horse hockey!
-----Original Message-----
On Behalf Of Mark Regan
Sent: Friday, March 17, 2017 4:41 AM
Subject: ComputerWorld Says: Cobol plays major role in U.S. government
breaches
ComputerWorld is reporting "Cobol plays major role in U.S. government
breaches"
http://www.computerworld.com/article/3181809/government-it/
cobol-plays-major-role-in-us-government-breaches.html
Watch the wrap
Thanks,
Mark Regan
--
Mark T. Regan, K8MTR
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send
--
zMan -- "I've got a mainframe and I'm not afraid to use it"
John McKown
2017-03-17 19:31:36 UTC
It's not the LA that is the problem - it is the conditional branch
instructions that don't have the common sense not to branch where they
shouldn't :-)
LALA Land is really the truth? Who would have thought?
Yeah. The hardware designers should have made an "eXecute" bit to go along
with the other "metadata" bits (such as key and change) so that an
attempt to branch to a frame which is not marked "eXecute" would cause
an exception. But even that doesn't help since you could still "wild
branch" into a code sequence. Maybe we should just all go to the IBMi
series. Lots of really advanced ideas in that box.
Ed
--
"Irrigation of the land with seawater desalinated by fusion power is
ancient. It's called 'rain'." -- Michael McClary, in alt.fusion

Maranatha! <><
John McKown

Anne & Lynn Wheeler
2017-03-17 23:06:40 UTC
Post by John McKown
Yeah. The hardware designers should have made an "eXecute" bit to go
along with the other "metadata" bits (such as key and change) so that
an attempt to branch to a frame which is not marked "eXecute" would
cause an exception. But even that doesn't help since you could still
"wild branch" into a code sequence. Maybe we should just all go to the
IBMi series. Lots of really advanced ideas in that box.
the capability hardware bit was dropped in the migration from s/38 to
AS/400.
https://en.wikipedia.org/wiki/IBM_System/38
and
https://en.wikipedia.org/wiki/IBM_System/38#Distinctions

System/38 was one of the few commercial[citation needed] computers with
capability-based addressing. (The earlier Plessey 250 was one of the few
other computers with capability architecture ever sold commercially).
Capability-based addressing was removed in the follow-on AS/400 and
iSeries models.[1]

... snip ...

Much of S/38 is touted as having been a simplified version of the failed
Future System effort ... some past posts
http://www.garlic.com/~lynn/submain.html#futuresys

and Future System had picked up a lot of the ideas from things like
Multics (read, write, and execute permissions referenced in section 1.1
Segment Addressing)
http://multicians.org/exec-env.html

Some of the CTSS people had gone to the 5th flr to do Multics, others
had gone to the IBM science center on the 4th flr and did virtual
machines, online applications, internal network, and a bunch of other
stuff.

Note that in the 70s, one of the virtual machine based online commercial
service bureaus had done a capability-based 370 operating system called
gnosis. When M/D bought the company, gnosis was spun off as an independent
business (I was brought in to evaluate gnosis as part of the spin off).
Since then some number of subsequent capability based operating systems
have been done for other platforms based on gnosis design and
principles.

KeyKOS - A Secure, High-Performance Environment for S/370
http://cap-lore.com/CapTheory/upenn/Key370/Key370.html
http://www.cap-lore.com/CapTheory/KK/
some discussion of Keykos (secure) use of mapping hardware
http://www.cap-lore.com/CapTheory/PrivMap.html

part of Gnosis/KeyKOS was raising the application abstraction ... they
demoed a set of redone ACP/TPF applications that ran faster on KeyKOS
than on TPF (on the same hardware, in addition to providing much higher
integrity level).

we were brought in to help wordsmith some cal. state legislation. One
of the things they were doing was data breach notification law. Little
or nothing was being done about the breaches and it was hoped that the
publicity from the notifications would prompt action. An issue was that
institutions normally take security measures in self-protection; the
problem in most of the breaches was that the institutions weren't at
risk, it was the public. trivia: since the cal. state legislation,
several other states have passed similar bills and there have been a
dozen or so federal (state pre-emption) bills introduced (none passed),
about evenly divided between those similar to the cal. original legislation
and those that would effectively eliminate the requirement for notification
(even tho still called data breach notification legislation).

In the 90s, the major internet exploits were from buffer length & stack
based issues in C-language based implementations (extra long input, in
some cases containing instructions that overlayed other things). As an
aside, the original mainframe implementation was in vs/pascal which had
none of the vulnerabilities epidemic in C-language based
implementations.

In any case around turn of the century, some of the machines introduced
a "no-execute" bit (inverse of execute bit) ... aka data-only areas from
which instructions were *NEVER* fetched ... NX bit
https://en.wikipedia.org/wiki/NX_bit
in i86 ... first added by AMD for its i86 64-bit machines
https://en.wikipedia.org/wiki/NX_bit#x86

other trivia: future system (& s/38) also did one-level store like
(ibm's) tss/360 and multics. The simplified s/38 implementation did
scatter allocation across all available disk drives ... as a result an
integral single filesystem backup had to be done (involving all disks
being idle) ... and any single disk failure ... would require a complete
filesystem restore. For most small s/38 configurations with only a
couple of disk drives it wasn't much of a problem, but it failed to scale up
to mainframe configurations with potentially hundreds of disk drives.

I had done a page-mapped filesystem for cp67/cms ... later moved to
vm370/cms ... and would pontificate that I avoided all the TSS/360
performance pitfalls (getting 3 times or better throughput than the standard
cms filesystem). With the failure of Future System, it seemed to
contribute to a very jaundiced opinion of page-mapped filesystems
inside most of (mainframe) IBM.
--
virtualization experience starting Jan1968, online at home since Mar1970

Paul Gilmartin
2017-03-17 19:45:22 UTC
Post by John McKown
It's not the LA that is the problem - it is the conditional branch
instructions that don't have the common sense not to branch where they
shouldn't :-)
Yeah. The hardware designers should have made an "eXecute" bit to go along
with the other "metadata" bits (such as key and change) so that an
attempt to branch to a frame which is not marked "eXecute" would cause
an exception. But even that doesn't help since you could still "wild
branch" into a code sequence. Maybe we should just all go to the IBMi
series. Lots of really advanced ideas in that box.
Some systems (TOPS-10?) have had that and an execute-only bit, used for
IP protection. You could branch to it, but not fetch from it. Nor dump it.

You can't store into a REFR program (if REFRPROT is enabled), but you can
still branch to a writeable frame. Some conflict with JIT recompilation.

-- gil

IronSphere by SecuriTeam Software
2017-03-17 21:29:21 UTC
not the problem described, but from my experience, programs developed for a
3270 user interface are face-lifted using brokers, bridges and other
middleware. In the three-tier design, some of the field verification that was
done by MFS and maps is not handled any more, and the validation was planned
for printable characters only. so, for example, a DOS attack against your
transaction server (or access to data using SQL injection) can be easily
conducted.

but the truth must be said, poor input verification can be done on any
platform in any language.

ITschak

On Fri, Mar 17, 2017 at 9:46 PM, Paul Gilmartin <
Post by Paul Gilmartin
Post by John McKown
It's not the LA that is the problem - it is the conditional branch
instructions that don't have the common sense not to branch where they
shouldn't :-)
Yeah. The hardware designers should have made an "eXecute" bit to go
along with the other "metadata" bits (such as key and change) so that an
attempt to branch to a frame which is not marked "eXecute" would cause
an exception. But even that doesn't help since you could still "wild
branch" into a code sequence. Maybe we should just all go to the IBMi
series. Lots of really advanced ideas in that box.
Some systems (TOPS-10?) have had that and an execute-only bit, used for
IP protection. You could branch to it, but not fetch from it. Nor dump it.
You can't store into a REFR program (if REFRPROT is enabled), but you can
still branch to a writeable frame. Some conflict with JIT recompilation.
-- gil
--
ITschak Mugzach
*|** IronSphere Platform* *|** An IT GRC for Legacy systems* *| Automated
Security Readiness Reviews (SRR) **|*

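An added example, not from any of the posts above, of the failure mode ITschak describes: a field that the old MFS/BMS map would have edited (assumed here to be an alphanumeric account key of at most 20 characters) reaches the new middle tier with only a "printable characters" check, and the bridge pastes it into SQL. The table, the field width, the edit rules and the payload are all constructed for the illustration; sqlite3 stands in for whatever RDBMS sits behind the broker.

```python
"""Added illustration: a printable-only edit does not stop SQL injection;
the legacy map edit or a parameterized query does.  All data constructed."""
import sqlite3
import string

FIELD_LEN = 20  # assumed width of the original screen field

# Control characters that str.isprintable-style checks usually let through
# in string.printable but that a 3270 field could never carry.
_CTRL_WS = "\t\n\r\x0b\x0c"


def legacy_map_edit(value: str) -> bool:
    """Assumed edit the MFS/BMS map enforced: bounded length, A-Z/0-9 only."""
    allowed = string.ascii_letters + string.digits
    return 0 < len(value) <= FIELD_LEN and all(c in allowed for c in value)


def printable_only_edit(value: str) -> bool:
    """The weaker check the face-lifted front end keeps: printable characters only."""
    return 0 < len(value) <= FIELD_LEN and all(
        c in string.printable and c not in _CTRL_WS for c in value
    )


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the transaction server's data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE account (acct TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    con.executemany(
        "INSERT INTO account VALUES (?, ?, ?)",
        [("A1001", "ALICE", 500), ("A1002", "BOB", 1200), ("A1003", "CAROL", 75)],
    )
    con.commit()
    return con


def lookup_vulnerable(con: sqlite3.Connection, acct: str) -> list:
    """What a naive bridge does: forward the field by string concatenation."""
    sql = "SELECT acct, owner, balance FROM account WHERE acct = '" + acct + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, acct: str) -> list:
    """Hardened form: the field is bound as a value, never parsed as SQL."""
    return con.execute(
        "SELECT acct, owner, balance FROM account WHERE acct = ?", (acct,)
    ).fetchall()


# 11 characters, every one of them printable, so the printable-only edit passes it.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both edits and both queries against a legitimate key and the payload."""
    con = make_db()
    return {
        "printable_edit_accepts_payload": printable_only_edit(PAYLOAD),
        "map_edit_accepts_payload": legacy_map_edit(PAYLOAD),
        "vulnerable_rows_for_payload": len(lookup_vulnerable(con, PAYLOAD)),
        "parameterized_rows_for_payload": len(lookup_parameterized(con, PAYLOAD)),
        "parameterized_rows_for_A1002": lookup_parameterized(con, "A1002"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the code makes is that the printable-only rule is not a substitute for the field edit it replaced: the payload is entirely printable, so the bridge passes it through and the concatenated query returns every account. Either re-applying the map's own edit in the middle tier or binding the field as a parameter closes the hole; doing both keeps the defence in depth the old screen flow had by accident.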
Anne & Lynn Wheeler
2017-03-18 00:56:28 UTC
Post by IronSphere by SecuriTeam Software
not the problem described, but from my experience, programs developed for
a 3270 user interface are face-lifted using brokers, bridges and other
middleware. In the three-tier design, some of the field
verification that was done by MFS and maps is not handled any more, and
the validation was planned for printable characters only. so, for
example, a DOS attack against your transaction server (or access to
data using SQL injection) can be easily conducted.
re:
http://www.garlic.com/~lynn/2017c.html#60 [EXTERNAL] ComputerWorld Says: Cobol plays major role in U.S. government breaches

we were doing cluster scaleup for our IBM HA/CMP product
http://www.garlic.com/~lynn/subtopic.html#hacmp
and some old email
http://www.garlic.com/~lynn/lhwemail.html#medusa

for both technical/scientific (with national labs) and commercial
(with RDBMS vendors) ... old post about Jan92 meeting in Ellison's
conference room
http://www.garlic.com/~lynn/95.html#13

within a few weeks of the Ellison meeting, the cluster scaleup is
transferred, announced as IBM supercomputer (for technical and
scientific only), and we are told we can't work on anything with more
than four processors. Shortly later we leave IBM.

Two of the people named in the Ellison meeting later leave Oracle and
are at a small client/server responsible for something called "commerce
server". We are brought in as consultants because they want to do
payments on their server, the small client/server startup had also
invented this technology called "SSL" they want to use, its now
frequently called "electronic commerce".

Most of my work is on the webserver to payment networks gateway over
which I have absolute authority (including having to deal with
possibility of DOS attacks) ... but can only make recommendations on the
client/server side ... some of which are almost immediately violated
... accounting for some number of exploits that continue to this day.

One of the things we started to notice was that RDBMS-based webservers
had significantly higher exploits than flat-file based webservers
... which was the result of various factors. In part RDBMS
implementations were a lot more complicated and failures/exploits tend
to be proportional to complexity. Common simple scenario; servers are
taken off the network and security measures disabled as part of doing
regular maintenance. RDBMS maintenance tended to be more time-consuming
and much more frequently overran the maintenance window .... and then in
the rush to get the server back up ... reenabling the security measures
was frequently overlooked (even when installation had security
regression tests that were required before reconnecting to the internet,
they would be skipped in the rush to get back online).

other trivia: a large percentage of breaches tend to be transaction
information from previous financial transactions, used in a form of replay
attack for fraudulent financial transactions. the data breach
notification people had done detailed public surveys and this was the #1
issue. This financial transaction information is used in dozens of
business transactions at millions of locations around the world. I've
periodically commented that even if the planet was buried in miles of
encryption hiding this information, it still couldn't prevent
leakage.

I got con'ed into participating in the financial industry standard x9a10
which had been given the requirement to preserve the integrity of the
financial industry for all retail payments. We did detailed end-to-end
threat and vulnerability studies. What we eventually came up with was a
standard that slightly tweaked the current transactions so that crooks
couldn't use information from previous transactions for (replay attack)
fraudulent financial transactions. It did nothing to prevent breaches,
but it eliminated the ability of crooks to use the information for
fraudulent financial transactions ... and therefore the motivation for
many of the breaches (significantly reduced the attack surface).
Unfortunately, it was an enormously disruptive change to electronic
payment stakeholders.

even more trivia: major use of SSL in the world today is hiding
financial transaction information while it flows over the internet, the
x9a10 work eliminated the need to hide that information (while providing
end-to-end integrity ... both in flight as well as at rest).

note that the head of IBM at the end of last century leaves and becomes head
of a private-equity company that will acquire the beltway bandit that will
employ Snowden. There is a huge uptick in outsourcing to for-profit
companies last decade, many under intensive pressure to cut corners to
provide profit for their private-equity owners. An example was those doing
outsourced security clearances found to be filling out paperwork but not
bothering to do background checks ... 70% of the intelligence budget and
over half the people
http://www.investingdaily.com/17693/spies-like-us

another example is OPM
https://firstlook.org/theintercept/2015/06/24/opm-contractor-veritas/
https://fcw.com/articles/2015/06/24/house-oversight-opm.aspx

also nothing to do with cobol (or financial) ... attackers danced
through top-security networks through much of last decade, acquiring
detailed specifications of major weapon systems (pointing finger
at cobol could just be obfuscation and misdirection).

Report: China gained U.S. weapons secrets using cyberespionage
http://www.cnn.com/2013/05/28/world/asia/china-cyberespionage/
Confidential report lists U.S. weapons system designs compromised by
Chinese cyberspies
https://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/a42c3e1c-c2dd-11e2-8c3b-0b5e9247e8ca_story.html

Also on the list is the most expensive weapons system ever built -- the
F-35 Joint Strike Fighter, which is on track to cost about $1.4
trillion. The 2007 hack of that project was reported previously.

... snip ...

REPORT: Chinese Hackers Stole Plans For Dozens Of Critical US Weapons Systems
http://www.businessinsider.com/china-hacked-us-military-weapons-systems-2013-5
--
virtualization experience starting Jan1968, online at home since Mar1970
