
Thank you. Welcome, everybody. This is my first talk presenting for cyber security, so it's a very special moment. Thank you for being here with me today.

Who am I? I'm Michelle Eggers. As mentioned before, I'm a security consultant at NetSPI, meaning I'm a pentester; that's what I do by trade. I've been there a couple of years. I focus on mainframe pen testing; I do web applications as well, and network penetration testing. I have a background in accounting, finance and project management, and I'm passionate about legacy tech security. I also have a little heart out for industrial control systems, but mostly it's a mainframe type of world for me.

And I've got to give a shout-out to my homie Phil Young here, who actually pulled me into mainframe. It was a great, very long conversation we had that consisted of two sentences, wherein he said, "You know, I'm thinking of getting you into mainframe," and I go, "That sounds cool," and about a year later here we are. So it was a great introduction there.

Today we're going to do a quick history debrief about what mainframe tech even is, and some notable changes that have occurred over the years with the technology. (We're going to wait for him to pour the ice and the water in the back. Thank you, sir. It is 100-plus degrees, so we are thirsty.) Then we're going to look at mainframe today, as far as why people elect to use it and what its strengths are. We'll look at some modern threats to the mainframe ecosystem, looking at some of the integrations that can introduce threats, and also some things that we see in our pentests on the mainframes themselves, some sort of inherent insecurities that we might find, and then some tips to secure. I am a bit biased, of course; I'm a pentester, so I'm definitely coming from the red team side, the offensive security side. But we're all working together here, so the goal is to make things more secure whether
you're defending or attacking.

All right, so first I'd like to see who does not currently work with mainframe. Great, great. Anybody with a hand up want to keep it up and say what you think mainframe is? [Audience: iSeries.] Mainframes, yes. Can you define it? This is... I'm asking you guys. [Audience: iSeries.] You could make an argument for iSeries. No, you cannot make that argument. I could make that argument. We will have an argument. [Audience: It's a computer that you trust to not die, right?] Yes, that's pretty close. That's a pretty good definition.

So they are computers. They essentially are high-performance computer systems. They're specialized, they have very fast input/output, they do billions of transactions on a daily basis, and they have unique operating systems like z/OS or Linux on IBM Z. They're computers, so they're just special, fancy computers that we really like. They're very strong. We'll learn more about them in a minute.

We're going to look at some myths now, versus facts. OK, so one myth is that mainframe is outdated. This is a picture (I love old pictures, you'll see that); this is like 1960s era, and it's basically one computer in a huge room, and that's it. Or maybe you're thinking about an 80s movie, and there's the terminal with the green typeface. All accurate as to that time frame, but they have continuously evolved. They're among the early systems to adopt things like virtualization and built-in encryption, and there's AI stuff coming down the pike, as with most technologies we're seeing today. So they're not locked in the past; they are current and being used right now.

Another myth is that cloud replaces mainframe. Unfortunately, that's just not the case. We have things like regulatory compliance and barriers to entry that make that impossible. So if you're looking at the military, they can't put their databases in the cloud, right? Disallowed. If you're thinking about your healthcare records, or maybe banks (we do a lot of bank testing), all of that can't be in the cloud either; it has to be a little more locked down. And then hybridization; I want to say, make a note of this. As far as the cloud environment, we're more likely going to see hybridization as opposed to a full-out replacement. So I think this ELT, that's a... I can't remember the first word, but it's your export, load and then translate. [Audience: Yes.] That's what it was. So you take what's on the mainframe, you're going to export that data, and then you load it to the cloud, and then once it's in that final platform, then it gets translated. So as opposed to trying to translate as you go, or trying to translate within the mainframe environment something from COBOL, you can take different steps to get there. So now, once your data is in the cloud, then you can do your analytics on it, then you can apply it to different AI frameworks and things to get what you need out of that data that has been stored in the mainframe.

And the last myth I want to touch on is: it's just too specialized, who even does it? How many people are best friends with mainframe people? Not many. Yes, I can be your friend now too. Well, it is specialized, I'm not going to lie to you, but there are initiatives in place to make mainframe more accessible. So I was just at a conference in March; it's called SHARE, and they do a couple of them a year. It's like the biggest mainframe conference that occurs in the United States every year, and I met a lot of people that were early-career professionals, or people who are in college actually learning COBOL, learning these very mainframe-specific languages and things about the stack itself, so that they can specifically work in this industry. So there are initiatives in the industry to build that workforce. That did take a hit; there was a dip, I would say, from the mid-90s to like the 2010s, where there
weren't a lot of people coming into the workforce. It's being addressed, so that's cool. And then we're seeing things like, of course, watsonx AI Code Assist to translate COBOL to Java; it's a lot easier to find a Java developer than somebody who works in COBOL, even though that is being addressed. We're coming at it from different angles to sort of rebuild this workforce and get more traction in the industry. So, practitioners, we're coming back up.

OK, brief history. As I mentioned before, the old pictures, I love these. So this is the US Navy Bureau of Ships, 1937. You've got analog computers, mechanical calculators, tabulating machines. These were not digital devices; this is like prototype type of things, this is sort of the very, very old-school beginning, used for gunnery calculations, navigation, engineering tasks. Military, right? This was not available to businesses or anybody else; this was just for the military, for wartime efforts.

In 1951 we see, with the Eckert-Mauchly Computer Corporation, now we're getting to commercialization. Now we're seeing it used for the US Census; they created the UNIVAC here to process the census data, and businesses could start getting in on this. It wasn't just relegated specifically to military applications at this time. And then of course we had magnetic tape come into place, which replaced punch cards, because who wants to use punch cards? Maybe just for fun, but not for work.

1965, oh, this is great: the IBM System/360. They released unified architecture. So previously you would have different mainframes, these different boxes, and they had different languages; they couldn't talk to each other, and you had to have someone specialized in each one, maybe in the operating system on each one. So unified architecture changed that. It made it so that each of the systems could talk to each other, so you could train in one thing and work with all the systems. Really cool. And then of course we get solid state replacing the vacuum tubes. Vacuum tubes are no good in an earthquake, obviously, so that was a great jump.

1970, innovation continued: magnetic ferrite core is replaced by silicon DRAM memory chips, virtual memory was introduced, and dynamic address translation also became a thing. So mainframe was at the forefront of a lot of these things that we're still seeing in use today. Really awesome stuff.

1991, oh, we had some bad news. There was a death announcement. This notable guy, Stewart Alsop, was a talking head of tech innovations and things that were occurring in culture, and he was saying, quote, "I predict the last mainframe will be unplugged on March 15th, 1996." It just didn't happen. I think he later retracted the statement, but I think it's interesting that it happened. And so when I mentioned previously that there was sort of a workforce slowdown, and a slowdown in budgeting for building that, this is part of the reason why. But as we can see, it is still in use by finance, by healthcare industries, government, and aviation as well.

And of course there are new developments. Some are already in place, but there are some machines coming out next year that are going to be even stronger in this area. There are some changes coming with the Telum processor as well. We're going to have some real-time AI inferencing for fraud detection. So instead of having your card... someone runs it, like someone in my family, actually: there was like an $800 Legoland charge, like, we're not in Legoland, what happened? So instead of even getting a call 20 minutes later, as that transaction hits the mainframe and it's processed, you have real-time fraud detection at that moment, so that it could feasibly stop it from proceeding to the point where now the credit card company has to eat that loss, because that's what they do now with fraud. So something to consider. Forward-thinking.

OK, so why do we use mainframe? We understand a little bit about
the history, how it came to be, what it is. These are three things you're going to hear about when you're talking to somebody who knows mainframe, who cares about mainframe: reliability, availability and serviceability. Nice acronyms; we love our acronyms: RAS.

So reliability: it's got built-in redundancy across your various hardware levels, your input/output paths, your power supply, your memory, your processors. It has error detection and correction, and it can handle up to magnitude seven earthquakes. So if you're looking at something like the NASDAQ, the New York Stock Exchange, they cannot have more than five and a half minutes of downtime in a given year. In a year, that is it, that is the max. So it's like 99.999% uptime is required for these industries, and mainframe can do that; that's one of the reasons why they use it.

Availability: you want to make sure you can get your data. You've got transaction rollback, checkpoint restart, complex job scheduling. And this is just an example: on the z15, 190 configurable cores on one system. So you're making your own finely tuned, bespoke system within your mainframe, basically out of the box. Very, very cool stuff.

And serviceability, I love this: they're modular by design. So if part of your system needs repair or updating, or you have to take a piece of it out, we have things like Parallel Sysplex, and basically you can just take this piece that needs to be fixed or changed, and all those workflows, all those processes are going to move over to the other parts of your mainframe, and there's no stop, there's no pause. You don't have to shut your entire system down, just that one part that you're fixing at the time. So there's, again, almost no downtime. It's pretty great. In-depth logging, so you can solve your problems more easily. On-site, accessible for repair and maintenance.

So if you think about a distributed cloud environment, quick story again from my life: I lived near a Google plant; it was just a big warehouse with a bunch of servers. Driving home one night, I could see at the plant all these police cars and a couple of fire engines, maybe an ambulance or two, in front of the building, lights, like, what is going on? And then the road that led up to it was all blocked off, same thing. I didn't know what was going on; I may never find out. Was there a fire? Was there like a physical breach? If your data was there, would you know? Would your organization be told? Like, "Oh well, we have different regions," and what if there was a coordinated attack on all the different regions? Something to think about. But if it's on site at your facility, hopefully you would think that your own security would be able to understand more quickly what's going on, versus waiting for some kind of report from whoever is holding your data at that time. So your access is more tightly controlled: huge benefit of mainframe.

Oh, this is great. OK, so we talked about the earthquakes. Let's hope this plays. So about, I want to say, eight months ago there was an earthquake in New Jersey. It hit a campus that had 200 mainframes on it; I think it was about a 4.5 magnitude. Not a single mainframe was damaged; there was no downtime, there was no loss of productivity whatsoever. They do this on a regular basis; they shake the dickens out of these machines. You don't want to do this to like a normal server rack, I don't think, but in mainframe you can, and they'll be fine. Yeah, we're almost done here. I mean, you just imagine, oh my gosh, that'd be so scary. "Test complete." Love that. All right, go to the next one.

OK, so I skipped ahead a little bit, but you get the gist of where we're going here. We understand why we use mainframe. We understand it's strong, it's reliable, it's fast, billions of transactions, input/output unmatched. But what are some of
the threats? What are some concerns we have in the mainframe landscape? So this is going to talk about the expanded attack surface with integrations that occur as part of the entire topology that mainframe is a part of.

So this TJX Companies data breach: it was a payment card data breach. I hope that's not too small a font for you guys, but this exposed 45.7 million credit and debit card numbers, and this was a weakness in the wireless network. So we're going to see a trend here; this one was a wireless network weakness. This next one is the Heartland Payment Systems breach: 100 million cards exposed, so this is more than double the previous one. This was at the hands of a global cyber fraud operation; it is a combined attack of network and application vulnerabilities. All right, this next one, the Equifax data breach, that was 2017; now we're up to 147 million users compromised, and this time it was a web application that provided the initial access. So in each of these instances we see that it wasn't initially the mainframe that was breached on its own; it was other parts of the entire topology that were used to pivot into the mainframe, to then exfiltrate the most critical, most private data.

OK, and then this one was in Sweden. This was a big one, really big one. This dramatically changed how the entire government dealt with their data. The whole investigation is actually public, so if you do a bit of research you can get the documents offline. I'm pretty sure it's in Swedish; I think there's some in English, but it doesn't have as much in it as maybe the Swedish documents, but you guys can figure out how to translate it if you really want to get into it and find it. It's there. Initial access through the FTP network connection, of 23; we don't like that that was present, that was part of it. The hackers used Hercules, which is an emulator to run z/OS, and they downloaded files and tax processing source; they got all the source code for the tax processing software from the Logica servers, from the government servers. Really bad news. I use an emulator for my tests, actually; I use x3270. So it's not like impossible to get these and use them. [Ten minutes.] Oh my gosh. OK. They used zero-day vulnerabilities, but part of those were default configurations. Don't use default configurations, please. Let's see, we'll go down a little bit, and you guys can read that: the use of John the Ripper, open-source stuff. Like, it's not incredibly complex; people just chain things together and then they make an attack. So just be safe and be aware.

OK, I'm going to show you a demo now. I'll tell you what the demo is real quick, and then I'll show it to you. So what I'm going to do in the demo is I'm going to authenticate to a logical partition, an LPAR, which is like a piece of your mainframe; remember I told you about the configurable cores and creating your own bespoke environment? So you have your LPAR. You see me authenticate to it. Assume that the endpoints that I navigate to have already been enumerated previously in the same pentest. And then the access for the user that I am authenticating with is restricted; it's a lower-level user, so it can only get to specific resources. And we're going to think, OK, well, is there another way to access? Let's take a look.

OK, so this is our NetSPI LPAR. Logging in through TSO; this is me, and I drop in my password here. OK, ISPF. Now what I'm doing is I'm getting to a place where I can use a sort of Unix-based command-line utility within the mainframe. So that's what I'm doing here; you can put commands in here. Now, once I'm here, this is a little more familiar for people who use something like Linux, so I can use commands like cd. This is an endpoint that has previously been enumerated: I found this "op Secrets". What's in there? I'm going to list it out with my ls command: got a readme.txt and an sshp. OK, let's cat the readme: "This is the SSH private key you need to log in as an admin. Do not share." Ah, darn. OK, well, what if I just try to cat the SSH key anyway? Can I do it? Permission denied. OK, game over. Or is it? No, it isn't. I can go to the same IP over the web interface, just using port 880. Oh no, have I authenticated? No, I have not. So this is another endpoint; it was previously enumerated, we know it exists. This here, when I use that feature, it retrieves data from the mainframe; that's happening on the back end. I don't even need to use an intercepting tool; I'm just using the network tab in the browser. So now I'm going to generate the request by issuing this. All right, here's my POST request. I'm going to crack that open and see what's in it. We're going to see some headers, and then we'll see what's in the message body at the bottom here. Sorry it's so small, but this is part of the request that is retrieving the files. So what if I change that to the existing endpoint that I'm already aware of, with the secret file? Is it going to work? 200 OK. Sounds promising. OK, so there's the endpoint I went to. What's in the response? Do you think I got anything? I did, I got the... yeah. Well, this is... thank you, yes. So this is completely unauthenticated. I could not access this file as an authenticated, real user on the mainframe itself, within the system, because I was not an admin-level user. So I just went to the web app, completely unauthenticated, modified the request, and now I have whatever I want. I could probably pull a whole lot more out of there; this is just a proof of concept, but this is based on a real
finding from a real company. It's not exactly like this, because no one wants to get in trouble, but this really happened, so it's important to secure.

OK, so with that in mind, is the mainframe itself secure, outside of these sort of external peripherals that are making it insecure and dangerous? Well, yes... So these are some things that we do see in our pentests: broken access control; local file include of data sets and Unix files; insecure FTP, we see this a lot; unauthenticated access. There have been instances where I would log in but actually not log in; like, it would start the authentication process, back out, and I could still run CICS (or "kicks") commands, or maybe run IMS, and run these sort of... they should be authenticated processes; I should be at least authorized to run them, and I'm not even authenticated. So we do see this stuff. SQL injections in Db2 databases; job control language injections; REXX script injections; security misconfigurations; default credentials, like we saw in the Logica attack; weak password policies, we get mixed, you know, case-insensitive passwords all the time. Are people not using something like an external security manager? I think most big shops are using something like this, but just in case, please use it if you're around mainframe. OK, implement these things as possible.

So how do we secure? We see that maybe there's some insecurities in the mainframe itself, and maybe with some of the integrations that we find. So here are some ways to secure, as the blue team side I promised you earlier today. Secure with network controls: please keep in mind your entire topology. Don't look at mainframe as its own sort of off-in-the-corner tech by itself, because it's not. It has API calls; maybe you have your cloud integrations; maybe you're trying to roll out some AI inferencing; who knows what you're doing, but you've got to keep the whole topology in mind. Make appropriate use of your logical partitions, regions, your ESM tools; disallow unencrypted protocols (disallow unencrypted protocols, please); and keep up with your patches and updates. Good advice for anybody doing anything with a computer, ever.

Secure with compliance: CIS benchmarking, and actually I love this one, the DISA STIGs. This is Department of Defense; I've used this on an actual test. So I had a Db2 test, and they had actual commands that I could go to and just run this command and see if you can get this file, run this command and see if you can elevate your privileges. It's very, very, very helpful.

And then secure with your ongoing reviews: monitor your traffic; the stock logs are robust, take advantage. Audit your identity and access management on a regular basis. Implement MFA. Implement MFA, right? Yes, please, thank you, thank you so much. And establish recurring audits for all of your features, and conduct frequent pen testing. I love a good internal pen testing team; it's a different mindset, of course, because they're closer to the stack. Maybe they come into play when they're rolling out a new feature or something and they need to poke at it before it becomes live, for whatever reason. But as far as getting a fresh set of eyes, that's what we do, that's what I love. Like, I'm not going to get your source code, typically, on an engagement; I'm just going to go in there and see what I can safely break, and then tell you how to fix it, so that it can be much more secure in the long run for everybody involved.

OK, so as a quick review, what did we discuss today? What did we cover? Here's a summary. Mainframe is not going away anytime soon; Stewart Alsop was wrong, it didn't die in '96. We rely on it globally to support finance, healthcare, government and other critical industries. There are more possible vulnerabilities now, and more all the time with the increasing integrations in the environment, but with diligence we can combat these threats together, right?
So thank you again. Please stay connected. Again, I'm Michelle Eggers, security consultant at NetSPI; you can get me here. Yay, thank you, thank you. [Talking really fast to fit it all in.] He said three? Yeah, if there's any questions, I have evidently three minutes. [Laughter] Yes, Phil. Oh no.

[Audience: How have you been enjoying your mainframe journey?]

And to repeat the question: how have I been enjoying my mainframe journey? I love it. I love sort of semi-niche things, I love legacy tech, I love complicated, complex environments, and mainframe is probably the least easy thing I've done in pen testing, so I love it for that reason. It's very difficult. So yes, yes.

[Audience: How often ... companies ...]

Actually, uh-huh, so I would say, from my side, with what I do, what I see is: if there's anywhere from a high to a critical finding, they address it almost immediately. Like, we have to give status reports, basically same day, so if it's very dangerous we tell them almost immediately, and they do fix it pretty rapidly. I'd say they're pretty responsive to medium findings as well, but on the lower end maybe there's a bit more lag, I would say. As far as most organizations, not even just people we work with but in general, you typically put out the fires first.

[Audience: Does it affect the back end directly?]

Uh-huh, yeah, so they just have to tighten down their access control issue.

I could hardly hear him and see his face, yeah, so I don't know if your question was answered by Phil or [Laughter] not. Yes, what would you...

Yeah, yeah, IBM has this... oh, sorry, you can finish.

[Audience: ... invest time in ...]

I think it's worth it to invest in what you feel most passionate about, truly. Don't just chase what's hotter, what has money; make sure you have a bit of passion in it. But as far as resources for early-career professionals, IBM New to Z is a really great resource. They have training modules and connections with mentors and things like that. And I don't work for them at all, I don't hardly... but yeah, New to Z, it's a great, great opportunity. So OK, I'm done, they're kicking me out. Love you. [Applause]
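The request-tampering demo from the talk (the web front end that fetches files from the mainframe for an unauthenticated caller who edits the path in the POST body), as an added example appended after the transcript. This is constructed editor code, not the speaker's demo or any NetSPI tooling; the sandbox directory, the `ACL` table and the `session_user` argument are assumptions standing in for the z/OS Unix file system and the ESM rules. It places the flawed handler beside a hardened one that requires a session, confines the path to the served root, and applies the same authorization decision the mainframe's own permission check made in the demo.

```python
"""Web tier fetching files from the mainframe side: flawed handler and fix.

Constructed example. ROOT, ACL and session_user are assumptions standing in
for the LPAR's Unix file system and the external security manager's rules.
"""
import json
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Constructed sandbox standing in for the LPAR's Unix file system.
ROOT = Path(tempfile.mkdtemp())
(ROOT / "public").mkdir()
(ROOT / "public" / "report.txt").write_text("quarterly totals\n")
(ROOT / "opt_secrets").mkdir()
(ROOT / "opt_secrets" / "readme.txt").write_text("SSH private key, do not share\n")

# Hypothetical ACL: which roles may read each top-level directory.
ACL = {"public": {"user", "admin"}, "opt_secrets": {"admin"}}


def vulnerable_fetch(body: str) -> Tuple[int, str]:
    """Before: no session check; the path comes straight from the POST body.

    This is the behaviour the demo relied on: the low-privilege TSO user is
    denied by the mainframe, but the web tier reads the file for anyone.
    """
    path = json.loads(body)["path"]
    target = ROOT / path
    if not target.is_file():
        return 404, ""
    return 200, target.read_text()


def hardened_fetch(body: str, session_user: Optional[str]) -> Tuple[int, str]:
    """After: authenticate, parse strictly, confine to ROOT, then authorise."""
    if session_user is None:
        return 401, ""                      # unauthenticated callers get nothing
    try:
        path = json.loads(body)["path"]
        if not isinstance(path, str):
            raise TypeError
    except (ValueError, KeyError, TypeError):
        return 400, ""
    root = ROOT.resolve()
    target = (root / path).resolve()        # collapses ../ and symlinks
    try:
        rel = target.relative_to(root)
    except ValueError:
        return 403, ""                      # escaped the served root
    top = rel.parts[0] if rel.parts else ""
    if session_user not in ACL.get(top, set()):
        return 403, ""                      # mirror the mainframe's own decision
    if not target.is_file():
        return 404, ""
    return 200, target.read_text()
```

The flawed handler answers the secret path with 200 for anyone; the hardened one returns 401 without a session, 403 for the restricted user or for any path that escapes the root, and 200 only for the role the ACL allows.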