
RE: z/OS, OS/390 Pen testing tips/ideas/papers?

From: Bob Mahan <bmahan(at)nsoco.com>
Date: Thu Jan 30 2003 - 15:44:39 EST


It's hard to be very specific on what little information you gave. I have done a lot of work on IBM mainframes in the past. From a general point of view, if the IBM systems involve dumb 3270-type devices running on their proprietary VTAM network, then the areas of data access controls for non-RDBMS data (flat, VSAM, IMS, etc.) via their security software (RACF, ACF2, etc.) and database access controls for RDBMS such as DB2's DCL (Data Control Language) are key areas. You didn't mention what communications regions were involved, like CICS, IMS, TSO, etc., so it's hard to know exactly what you're up against. Also keep in mind that most likely they are also a COBOL shop and that language is as vulnerable to buffer overruns as any other. The big difference in an IBM mainframe is that the OS is much more protected than other platforms due to its architecture. But it is just a computer and, like any other, the general server stuff would apply as it would elsewhere: dial-ups, default accounts, weak passwords, backups, change control, etc.

Sorry I don't have a lot of links or other areas to point you to.

Bob Mahan
Network Security Operations
Phone: (847) 571-5525
mailto:bmahan@nsoco.com
http://www.nsoco.com

> -----Original Message-----
> From: Nick Jacobsen [mailto:nick@ethicsdesign.com]
> Sent: Tuesday, January 28, 2003 7:24 AM
> To: pen-test@securityfocus.com
> Subject: z/OS, OS/390 Pen testing tips/ideas/papers?



Received on Fri Jan 31 15:39:06 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:31 EDT

