Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

8/6/2013
03:58 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Mainframes Hackable, But Do You Care?

Mainframes may have holes, but they aren't big targets

There have been very few database security presentations at security conferences of late, as SQLi and buffer overflow attacks have lost their novelty. That said, there is a lot of very interesting database security research going on. and I was lucky to proctor Philip Young's presentation at Blackhat USA 2013 on Mainframes: The Past Will Come Back to Haunt You. In a nutshell, Philip identified several behavioral issues that have serious security implications:

1. It was easy to find valid user accounts as the login sequence leaks information.

2. Passwords are short, don't require complexity, and relatively trivial to crack.

3. Mainframes come with a supplementary UNIX environment.

4. FTP automatically executes uploaded files (data sets).

All of which leads to fun and mayhem for an attacker, and potentially serious data breaches. But does anyone care? The presentation and -- given most of my mainframe experience was OS390 -- educational, will this public research yield increased attacks against zOS?

Unlikely.

I asked a well-known database vulnerability researcher last year "Why don't we hear about more DB2 hacks?" His response: "Because no one uses it."

The point he was making was that, in comparison to Oracle and SQL Server, DB2's market size is relatively small. The response may sound glib, but I see very few new -- Web or otherwise -- projects on any flavor of DB2, and certainly not mainframe. We said for years that Mac OS-X was "safe" from a security standpoint as it's market presence was minuscule compared to Windows. It did not warrant attackers focus as the reward vs. effort factor was out of whack. Mainframes, while still alive and running critical applications for the indefinite future, do not attract attackers, as it would require investment of a few hundred hours to understand, and access to a mainframe (emulator).

All of which is my way of saying that you, the person responsible for mainframe database security, don't have a lot to worry about. And if you were worried about these attacks, you can disable FTP to thwart malicious code uploads. Or firewall off the mainframe from Web access, as seems common. Beyond that most of the flaws must be addressed by IBM through code changes.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
andrewboon2739
50%
50%
andrewboon2739,
User Rank: Apprentice
1/16/2014 | 8:31:05 AM
re: Mainframes Hackable, But Do You Care?
Came across another article whcih talk about hacking http://www.marcandangel.com/20...
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29367
PUBLISHED: 2020-11-27
blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow when there is a lack of space to write compressed data.
CVE-2020-26245
PUBLISHED: 2020-11-27
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sani...
CVE-2017-15682
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
CVE-2017-15683
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
CVE-2017-15684
PUBLISHED: 2020-11-27
Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.