
BG - Mainframe Hacking for CICS and Giggles

BSides Las Vegas · 43:46 · 323 views · Published 2023-10
About this talk
Breaking Ground, 11:30 Wednesday. Mainframe systems continue to drive global economic activity despite the "legacy" label they are often associated with. In fact, mainframes are responsible for business-critical functions across 70 percent of Fortune 500 companies. If you have ever withdrawn cash at an ATM, done your taxes online, or booked a flight for your next holiday, you have likely interacted with a mainframe application. As with all business-critical systems, ensuring they are secure is imperative. This talk is designed for anyone interested in the security of these mainframe applications. We will go over how mainframe systems work, why they are so important, how the applications work, how they are used, and how the researchers were able to exploit a number of vulnerabilities in real-world mainframe applications.

Speakers: Jay Smith, Jan Nunez
Transcript [en]

Good morning and welcome to BSides Las Vegas Breaking Ground. This talk is Mainframe Hacking for CICS and Giggles and is given by Jay and John. A few announcements before we begin: we'd like to thank our sponsors, especially our diamond sponsor Adobe and our gold sponsors Semgrep, Toyota, and ConductorOne. It's their support, along with our other sponsors, donors, and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience we ask that you check to make sure that your cell phones are set to silent. If you have a question, use the audience microphone so YouTube can hear you. The microphone is right up here, up

front. As a reminder, the BSides Las Vegas photo policy prohibits taking pictures without the explicit permission of everyone in the frame. These talks are all being recorded and will be available on YouTube in the future. All right, with that, let's get started. Morning. So thank you for being here this morning, especially on a topic as esoteric as mainframes, specifically mainframe applications. So, show of hands: how many people here have used a mainframe as a developer, sysprog, or a user? Okay, a good amount. How many of those in the last five years? Even less. And then how many people have done a security assessment on a mainframe? Okay, a few. There should be way

more people than that, and it turns out that it's really, really hard to do this stuff, for reasons that we're going to get into. So, a bit of housekeeping. The first thing is that we have a lot to talk about and we only have a short amount of time to do it, so by necessity we're going to have to move fast and it's going to feel like drinking out of a fire hose. As they said, this is on YouTube, so you can always go back and look at it later. The second thing is that we are not mainframe experts. We're security researchers who were asked to look at mainframe applications, and we kind of

had to figure this stuff out from the ground up. So if you're a mainframe expert, whether that's a developer or sysprog or whatever, you know, we apologize in advance for anything we say wrong. We're security researchers, not mainframe gurus. And then the final thing is a disclaimer: we are not here on behalf of or representing our employer, and anything that we say is our own views and not those of our employer. So with all of that out of the way, this is the research team. My name is Jay Smith. I've been doing IT for about 25 years. I've done everything from "thank you for calling the help desk" to systems and network engineering, SOC work, NOC work,

development, and now I'm a lead security researcher at my company. My name is John. I got my career started in software development, then I moved into information security compliance, and eventually I got into application security. I've worked mostly with HTTP-based applications, some native mobile apps, and most recently mainframes, which we're excited to talk to you all about today. And then the third member of our research team is Garland. He could not be here, even though he should be. His contributions were extremely valuable and we want to make sure that everyone knows he was a part of this project. So when you talk about any other topic in security, there's a basic

amount of information that you can assume people have. They know how web applications work, they know how Windows works, Linux works, and so on. We don't really have that foundation with mainframes, so to really talk about this we have to talk about what mainframes are and how they work. So when I talk to people about this kind of research and I say, hey, I do a lot of stuff with mainframes, this is what they think of. They think it's this legacy, archaic system, you know, that was built back in the '70s or '80s and is shoved in a back room or a closet somewhere. All the time I get, "oh, I worked with those things back in

the '80s, they're still around?" Or they think it's this giant monolithic machine that takes up an entire room and requires a team of people to operate, like Joshua from WarGames. Well, the reality is that today they look like this. This is a z16 mainframe, top of the line, costs high six, low seven figures, and it's one of the most powerful commercial computers you can buy. It runs an architecture known as the z/Architecture and an operating system known as z/OS. And just to give you an example of how powerful they can be, one of these can run over 200 server-grade CPUs, 40 terabytes of RAM, and petabytes and petabytes of storage.

So there's nothing archaic or legacy about them. They are extremely powerful and modern machines, and whether you realize it or not, you rely on them all the time. Probably every single person in here has relied on one just to get here. If you've ever used a credit card, withdrawn money from an ATM, booked a plane, scanned a check for a mobile deposit, anything like that, you have relied at some point on a mainframe during that interaction. They have been and continue to be the backbone of many modern industries, and diverse industries such as finance and banking, health care, utilities, government, insurance. All of these industries rely on mainframes to do

their day-to-day operations. And you might be asking why. I mean, these things were around in the '50s and '60s; why are people still using them? And there's a lot of reasons, but just to give a couple of examples: these machines can have mean time between failures measured in decades. You can take an application that was developed in the '70s and drop it on a brand new z16 mainframe that you just got, and it's going to work right out of the box. That's like taking a DOS application and running it on Windows 11 with no emulation or compatibility; it just runs. And for our purposes, they are very, very good at high-speed transaction processing, and this is one of the

primary reasons they're used. To give some context, a modern mainframe can process up to 100 billion transactions per day, so that's the equivalent of hundreds of Cyber Mondays per day per machine. So these are incredibly powerful machines. Given the power of them and given the criticality of them, they are also incredibly high-risk systems. So if Twitter or Facebook or Instagram or something like that were to go offline today, people would whine about it, they'd moan about it, but something else would pop up in their place and life would go on. If mainframes were to stop working today, it would be global economic pandemonium, and that's not an exaggeration. Finance would grind to a

halt, so you can't get money, you can't spend money. Food shelves, grocery stores would be empty because logistics would stop working. Planes, trains, all of it would stop. They are that critical to our infrastructure. Unfortunately, for reasons that we will get into, they are not tested as frequently or as thoroughly as they need to be. So now I'm going to hand it over to John, who's going to talk about the application side. Great. So the first thing we'll cover is how mainframe applications differ from traditional distributed systems. Let's say you have a web application, whether it's in the cloud or on premise. You'll likely have an application server, a database server, an

authentication server, a logging server, and all these distinct systems that support the same application. On the mainframe, everything is self-contained; there are no distributed components. So mainframes have subsystems that do pretty much anything you need for an application. So if you need a database, there's a subsystem for DB2. If you need access control, there's a subsystem for RACF. If you need a facility for maintenance and development, there's a subsystem for TSO, and so on. So now, mainframe applications generally fall into one of two categories depending on the type of processing they perform. The first kind is batch processing. So with these applications you'll typically submit a

task, work related to that task is completed, and eventually you get some kind of result. So for example, a utility company with a mainframe will likely have a monthly batch process that calculates consumption data and generates billing statements for all of their customers. So the time that these take to run is proportionate to the task that's being performed, so we can have batch processes running for minutes, hours, or even days, and because of this, end users aren't typically interfacing with batch applications directly. Instead, these are scheduled or just kicked off by some back-end process and they just run until they're done. In contrast, we have mainframe applications that perform online transaction processing, or OLTP, and these

are more like the types of applications that we're all familiar with, right? So this is when an end user submits a request and gets an immediate response. So you're at an ATM, you tap to view your account balance, and you're immediately presented with your account balance. We're not waiting around for a batch process to finish because these applications are running online. So the most common OLTP system on the mainframe is CICS, the Customer Information Control System, and CICS is just another subsystem that supports the running of mainframe applications online. And these are more like the types of applications we're all familiar

with, right? Say you're at an ATM, you tap to view your account balance, you're immediately presented with your account balance. So we can think of CICS as a proto web server before the web, and this is a rough analogy, but it'll help us understand some of the terminology. So when you're working with a CICS application, the terminal can be thought of as your web browser. And CICS does have other front ends, but if you're interacting with CICS directly on the mainframe, you're going to be using a terminal emulator. So once you're in the terminal emulator, you need to know where to go. On a web application, you'll typically just enter a URL in your web

browser. In a CICS application, this is your region, so you need to know what region you're logging into. So in this example, DVCA PROD is a region that we're logging into from our terminal. So once you're logged into your region, you need to know what page on that website you want to get to. So in CICS this is a transaction. It's a four-character alphanumeric transaction ID. So once you're logged into the region, you enter the transaction ID for the screen that you want to access, and you can access any transaction on that region provided you're authorized to do so. So as I mentioned earlier, there are multiple ways to interface with CICS. Most of these are facilitated by APIs

that expose CICS to systems outside of the mainframe. So you can have web applications, web services, RPC clients, desktop applications, native mobile applications, and all these various interfaces that interact with CICS as a backend system. Now, you may not realize it, but many of the applications we all use today utilize CICS as a backend processing system, so CICS is still one of IBM's flagship mainframe products. In fact, the latest version of CICS was released just last year. However, CICS suffers from this concept of a legacy codebase running on modern infrastructure. So as Jay mentioned earlier, you can take a CICS application that was developed 50 years ago, drop it on a modern mainframe, and

it's just going to run. This is great for maintenance and compatibility, but it's terrible for security, because many of these applications were developed at a time when security just wasn't a priority. In fact, it's not uncommon for CICS applications to go 10-plus years without a single code release, and part of this problem is that the original developers retired 10-plus years ago and the ones left maintaining it have no idea how anything works. So this is a problem that reinforces the need for ongoing security testing of these applications. Unfortunately, that's easier said than done, and Jay's going to tell us why. Right, so the reason that we're all here testing this stuff: so management

came to us and said, we need people to test mainframe applications, and we're like, cool, that sounds awesome, let's do that. How do we do that? And they were like, we don't know, figure it out. So we tried to figure it out, and this was us for the first year. To say that mainframes are difficult to work with is a drastic understatement. There's really no parallels you can draw to other kinds of work, whether it's system engineering, network engineering, development, whatever. All of that goes out the window when working with mainframes. You have to learn a completely new language, completely new world, everything. So that's what we started to do, but we ran into a number

of problems. So the first one, and the biggest one, is gatekeeping. To say that mainframe developers and sysprogs are prickly is an understatement. Whenever we try to talk to them, if you don't know the terminology, if you don't know how to say what they want you to say, or the way they want you to say it, they'll flat out tell you to get out of their face. They don't want you near their systems, they don't want you touching their stuff, they don't want anything to do with you. And to be fair to them, they have some reasons to do that, because if you don't know what you're doing, it's pretty easy to bring down an entire LPAR. Ask me

how I know that. When you get that phone call from a pissed-off mainframe dev, like, they're angry. So they do have some legitimate reasons for not wanting people on their system. But when you try to research this stuff, if you think Reddit is like a cesspool, read mainframe forums. So I just spent literally two minutes on one of the popular mainframe forums just looking for examples of developers being... So here we have one where they said, "if it's so urgent, why don't you read the manual?" Well, if it's urgent you don't have time to read the manual, plus the manuals are almost impossible

to read. This dude, and he has a lot of these posts, he won't even touch your post if you don't make it colorful and pretty for him. And then this is my favorite: "I doubt it's throwing errors, because errors are not thrown on the mainframe." So this is what you will come across all the time when working with mainframe developers. So that was the first hurdle that we ran into. The second one is cost. Now, thankfully we had the backing of our company and we had access to true big iron mainframes, so we could do this stuff, but if you're just an enthusiast or working with a smaller company and you want to emulate a z/OS

system, you're looking at about $6,000 per person per year just to have an emulated z/OS, and that's well outside the range of an average researcher. There is an open-source solution, which we will get into later. If you want to do any other kind of testing out there, web applications, thick clients, Active Directory, whatever, there is a wealth of tools out there. There's tools for every single thing that you would want to do, and it's easy to build your own tools because there's already so many tools out there. Well, with mainframes, almost none of that exists. From an application perspective, we found three tools that could kind of do what we wanted. Two of them hadn't

been updated in five to eight years, and one of them only kind of did surface stuff. So in the end we had to build our own tool. And then finally, the gatekeeping combined with the difficulty of mainframes makes it an extremely steep learning curve. So whatever it is that you want to learn, there's a training body out there and probably a certification, but none of the training bodies out there, SANS, OffSec, TCM Security, like, nobody offers anything in the way of mainframe offensive security work. So these are some of my personal library, and I learned more digging through these books than I did on anything online, on any course that I found. So it's a

difficult thing to get into. So at this point, we were tasked with looking at these applications and we realized we had no idea what we were doing, so we just kind of had to start digging and researching, and I'm going to hand it over to John to talk about the research. Right, so once we figured out those challenges, we came across another problem: we had no idea how to get started and little reference material. So we continued our research and eventually came across the 3270 Data Stream Programmer's Reference, and this was the official reference manual for developing 3270-based applications, which means it had everything we needed to build an attack model and start developing test cases. So this is what we

learned. The 3270 terminal is a block-mode terminal, which means anything you change on the screen is only sent back to the mainframe if you press one of about 35 attention identifier keys, and these were all physical keys on the 3270 terminal keyboard, which we don't see on keyboards today, and this will be relevant once we get to the demo. The screen buffer stores the data that represents the content you see on the screen, so it stores all the field values and information on how those fields should behave in the terminal. Notice how, and this might be hard to see, but notice you can click anywhere on the

screen, and it doesn't matter if there's data, if it's a field, or if it's just some random empty spot. This is because each character position on the screen corresponds to a location in the screen buffer. So when you're performing a security assessment on pretty much any application, an important consideration becomes how that application communicates with upstream and downstream systems. Traffic between the mainframe and the terminal emulator occurs over the TN3270 protocol, and this was IBM's way of adapting to the prevalence of TCP/IP and personal computers in the early '80s, because before that, mainframes were accessed using a dedicated terminal that was physically connected to the mainframe over coax cable. So IBM's solution was to wrap their existing 3270 data stream in

telnet and call it TN3270. So this allowed mainframes to be accessed over TCP/IP using a terminal emulator on pretty much any device that supports it. So you can analyze this traffic in Wireshark just like you would any other protocol. In fact, Wireshark has a dissector for TN3270, and you can even begin to uncover sensitive information in hidden fields this way. But in order to make some of the more interesting test cases possible, we needed a deeper understanding of the protocol. Fortunately, everything we needed was in chapter 4 of the reference manual. So there are two characteristics that made the majority of our test cases possible: start field orders and field attributes. An order is

just a byte in the 3270 data stream that tells the terminal how to render the screen. So: this is a field, this is where I want you to position that field on the screen. Each order corresponds to a specific byte value. So in this example, the first byte is equal to the hex value 11, so we know it's a Set Buffer Address order, which sets a field's location in the screen buffer. The next two bytes are just parameters for column and row that indicate the exact position on the screen. But the byte we're interested in is the Start Field order, because not only does this indicate the start of a field, it also indicates the start of a

field attribute, which is the byte right next to it. So in order to illustrate why these bytes are important, I'll continue the web analogy. So whereas a web browser renders HTML that's transferred over HTTP, a terminal emulator renders a 3270 data stream that's transferred over TN3270, and we like to think of the Start Field order as an HTML input tag and the field attribute byte as HTML attributes for hiding and disabling an input tag. So let's focus in on the field attribute byte. Each highlighted bit in this byte has something to say about how that field is displayed on the screen. So the bit in position two determines whether a field is protected or

unprotected, the bit in position three determines whether a field is numeric or alphanumeric, and the bits in positions four and five work together to determine whether a field is hidden or displayed. So we were especially interested in bits two, four, and five, because if we could intercept this traffic and flip these bits so that protected fields become unprotected and hidden fields become visible, we would have viable test cases for hacking mainframe applications. And we get to share this research with you today because it worked. Before we get into the demo, just a quick word on encryption. Our tool sort of works like Burp Suite, so we're sitting in between the mainframe and the emulator.

We're proxying traffic between the mainframe and the emulator, so we negotiate TLS with the mainframe, but because the emulator is listening or connecting via loopback, we don't actually negotiate TLS with the emulator, and it doesn't enforce the need for encrypted traffic. This is why we can intercept this traffic or analyze this traffic through Wireshark, because it's plain text on the connection between our tool and the emulator. So yes, while TN3270 does support encryption, it doesn't actually prevent any of our test cases. All right, so we're just about ready for the demo. Before we do, we'll show disabling field protections, we'll show revealing sensitive

information in hidden fields, and then we have some bonus attacks: we'll iterate through all known transaction IDs and then we'll brute force some application-level secrets. So a little word about the demo. As we mentioned, if you wanted an emulated version of z/OS for your personal use, you're going to pay about $6,000 a year. I did mention that there was an open-source solution, and that solution is MVS 3.8. Due to historical legal reasons, it is a perfectly legal open-source version of an older mainframe OS that you are able to run on your machine, and it's used with an emulator known as Hercules. There's a few ways to get it, the two primary ones, and I have the

links there. The first one is TK4-, and what this is, this is essentially a zip file that you just download, unpack, and run a shell script, and you have a mainframe up and running. The other one is a Docker container from MVS Community Edition, and this is the one I do recommend using, because with it being the Community Edition there have been numerous quality-of-life changes added to MVS 3.8 to make it much easier to use. There's tools that have been added, libraries that have been added, programs that have been added, so it's just a much easier-to-use version of MVS, and again, it's wrapped in a Docker

container, so just docker pull and you're good to go. Now, that gives you your mainframe, that's like, okay, now I can log in, I can play with it, I can learn with it, but you can't do anything that we're going to demo with just this. So we reached out to Soldier of Fortran and we said, hey, we need a vulnerable CICS application, but we don't have the knowledge to do this ourselves, can you help us out? And he's like, yeah, I got you, man. And he created DVCA, which is Damn Vulnerable CICS Application. This is along the same lines as web application, thick application; it's just an intentionally vulnerable application for you to play with. It comes also in

a Docker container, and that Docker container is the MVS CE with this application bundled in it, so you just pull this, start it, and you have a vulnerable application ready to go. But then you need to use something against that vulnerable application, and today we're releasing the tool that we've been working on for the past year: Hack3270. So this is essentially Burp for 3270 traffic. It allows you to intercept all the traffic and manipulate it in any number of ways. So you can read the hidden fields, you can disable protected fields, you can change each individual attribute. It has full logging capabilities, including a CSV export, so if you're on a penetration

test and you need those artifacts for the test, you have all of that available for the client. It also has brute force capabilities, so you can iterate through AID keys, you can iterate through passwords, CICS transactions, whatever. So it's, we think, a fully featured tool that is available at the URL down below. You can go download it today and start playing with it. So we're going to try and do a live demo. 3270 is incredibly finicky, especially over a Docker container, and live demos, you know, are always subject to the demo gods, which in fact have already hit us, because we can't do mirrored, so we're going to have to look

at this while we do our demo. So wish us

luck. Did that already start? Hold on. There we go. Okay, this is going to be fun. So I'm going to start the Docker container, and then,

so with our tool, we start it and we give it the server and port that we're connecting to, and then the listening port. So in this case, we're connecting to the Docker container on port 3270 and we're listening for connections on 3271. I need to bring this down a bit. All right, so now this is the equivalent of Burp when you have intercept turned on. It's waiting for you to send something through it and allow the traffic to go through. So now I'm going to connect to that,

and, oh, I should change the screen. All right, so it has detected the connection. It says, okay, hey, I see a connection on 3271, let's go ahead and do this. So I click continue, and you can see that we are now on the Docker container, and again, I apologize that we can't mirror this, but that should be the last time I have to move anything over. All right, don't do this. There we go. Okay, so the tool is running, we're proxying all traffic through the tool. I'm going to log

on, and this is our vulnerable application, and John's going to go ahead and walk through the next part. All right, it's going to be a challenge, but we'll get through it. All right, so DVCA is a generic application for ordering office supplies. This is the main menu. We have three menu options. The first option allows us to order those office supplies.

Okay, so here we have printer paper, we have a three-hole paper puncher, we have some rosé, we have a 24-karat gold MacBook Pro. All right, so I'll go back to the main menu, and menu option two allows us to edit the shipping address that those items get sent to, right? But notice that in order for us to edit this shipping address, we have a supervisor code that we need to get past. All right, so we'll get back to the main menu. Menu option three is just an order history, so I'll go in, and notice that we haven't ordered anything yet, right? So let's order something, but before we do that, we have to get past

that supervisor code. So I'll go back to the shipping address menu, which is menu option two, and I'll start to make some updates here. I won't actually go through all this, it's really hard to see from here, but let's just make a couple of updates here. All right, so instead of sending that to Jay, we'll send it to me. We'll just update this to the hotel. Okay, let's change this

to, okay,

all right, I'll just change this to LA. Let's leave that, that'll be the last update I make here. All right, so we made some updates to our shipping address, but if I try to enter this and persist this transaction, we'll get an error, right? So it says invalid supervisor code, which appears to be a four-digit code. So if you were using Burp, you would probably use something like Intruder, right, in Burp. In our tool we have the Inject into Fields

tab. It's on the other side. All right, okay, so we have this Inject into Fields tab. So the first thing we would do is we would select our payload list. So in this case we would typically have a list of 10,000 payloads, right, or injections, one for each permutation of a four-digit supervisor code. We have abridged the payload list for the purpose of the demo, so I'm just going to go ahead and select that. So the next thing you would do is select the injection field, right? So we would click setup, we would select a mask character. You can customize this; we'll leave it at an asterisk for now. So

I'll go back into the app and I'll change the supervisor code to our mask character, so we'll do four asterisks here. So our tool is asking us to submit a sample transaction using the mask character, right? So I'll go ahead and do that, and notice now the tool was able to identify the injection field, and it indicates that it's now ready for injection. So I'll go ahead and press inject, and notice you can see here all the permutations that it's iterating through. So eventually it'll hit the correct supervisor code. I can't quite... you can't see... does it say it works? All right, cool. All right, so we were able to

brute force that supervisor code and make updates that we're not authorized to do. So that's our first test case. We're back at the main menu. Now that we've updated our shipping address, we can go in and order some office supplies. So I'll go back into menu option one and let's order that 24-karat gold MacBook Pro. So it's $20,000, right? It's a little bit past our budget, so it'd be nice if we could edit that field, right? Like in a web app, you'd probably use developer tools or just proxy through Burp and make those updates and hopefully get some authorization bypass. Within our tool we can use the Hack Field tab.
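Before the Hack Field part of the demo, an added example (not code from the talk, from Hack3270, or from DVCA): a small Python decoder for an outbound 3270 data stream that pulls out each Start Field order and its attribute byte, using the order values the speakers walked through (Set Buffer Address 0x11, Start Field 0x1D) and the attribute-bit positions they described, and then reports what a reviewer of such an application should look at: hidden fields that still carry data, and protected values that the host must re-validate because protection is applied only by the emulator. The screen layout is constructed for this example; the order values and attribute-bit layout follow the IBM 3270 Data Stream Programmer's Reference.

```python
from dataclasses import dataclass

SBA, SF, IC = 0x11, 0x1D, 0x13  # Set Buffer Address, Start Field, Insert Cursor
COLS = 80                       # constructed example assumes a 24x80 screen


@dataclass
class Field:
    address: int    # buffer position occupied by the attribute byte
    attr: int       # raw field attribute byte
    text: str = ""  # data that follows it, decoded from EBCDIC (code page 037)

    # Bit positions as in the reference (bit 0 = most significant bit).
    @property
    def protected(self) -> bool:   # bit 2: 1 = protected
        return bool(self.attr & 0x20)

    @property
    def numeric(self) -> bool:     # bit 3: 1 = numeric only
        return bool(self.attr & 0x10)

    @property
    def hidden(self) -> bool:      # bits 4-5 == 11: nondisplay
        return (self.attr & 0x0C) == 0x0C


def decode_address(b1: int, b2: int) -> int:
    """SBA operands: 14-bit form when b1's top two bits are 00, else the
    12-bit form in which each byte carries six address bits."""
    if b1 & 0xC0 == 0:
        return ((b1 & 0x3F) << 8) | b2
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)


def encode_address(addr: int) -> bytes:
    """12-bit form; real hosts take the top two bits from a table so the byte
    is a printable graphic, but only the low six bits carry address."""
    return bytes([0x40 | ((addr >> 6) & 0x3F), 0x40 | (addr & 0x3F)])


def parse_fields(stream: bytes) -> list[Field]:
    """Walk a Write/Erase-Write stream (command byte, WCC, orders, data) and
    return one Field per Start Field order, with the text that follows it."""
    fields: list[Field] = []
    current, cursor, i = None, 0, 2   # i = 2 skips command byte and WCC
    while i < len(stream):
        b = stream[i]
        if b == SBA:
            cursor = decode_address(stream[i + 1], stream[i + 2])
            i += 3
        elif b == SF:
            current = Field(cursor, stream[i + 1])
            fields.append(current)
            cursor += 1   # the attribute byte occupies a screen position
            i += 2
        elif b == IC:
            i += 1        # cursor placement only, no operands
        elif b < 0x40:
            raise ValueError(f"order 0x{b:02X} at offset {i} not handled here")
        else:             # EBCDIC data byte belonging to the current field
            if current is not None:
                current.text += bytes([b]).decode("cp037")
            cursor += 1
            i += 1
    return fields


def audit(fields: list[Field]) -> list[str]:
    """Reviewer findings drawn from the talk: hidden fields still travel to
    the emulator in the clear, and 'protected' is enforced only by the
    emulator, so a protected value the host trusts must be re-validated."""
    findings = []
    for f in fields:
        row, col = divmod(f.address, COLS)
        if f.hidden and f.text.strip():
            findings.append(f"hidden field at row {row} col {col} carries {f.text!r}")
        if f.protected and not f.hidden and f.text.strip().isdigit():
            findings.append(f"protected value {f.text!r} at row {row} col {col}: "
                            "confirm the host re-validates it on input")
    return findings


def ebc(s: str) -> bytes:
    return s.encode("cp037")


def at(row: int, col: int) -> bytes:
    return bytes([SBA]) + encode_address(row * COLS + col)


# Constructed screen modelled on the order screen in the demo. Attribute bytes
# use the layout above: 0x60 protected, 0x50 unprotected numeric,
# 0x6C protected nondisplay, 0x4C unprotected nondisplay.
SAMPLE_SCREEN = (
    bytes([0xF5, 0xC3])                                     # Erase/Write, WCC
    + at(2, 0) + bytes([SF, 0x60]) + ebc("PRICE:")
    + at(2, 10) + bytes([SF, 0x60]) + ebc("20000")          # protected value
    + at(4, 0) + bytes([SF, 0x60]) + ebc("QTY:")
    + at(4, 10) + bytes([SF, 0x50]) + ebc("1")              # numeric input
    + at(6, 0) + bytes([SF, 0x6C]) + ebc("PURCHASABLE=N")   # hidden flag
    + at(8, 0) + bytes([SF, 0x60]) + ebc("SUPERVISOR CODE:")
    + at(8, 20) + bytes([SF, 0x4C]) + bytes([IC])           # hidden input
)
```

Calling `audit(parse_fields(SAMPLE_SCREEN))` reports the hidden PURCHASABLE flag and the protected price, the two things the demo that follows changes from the emulator side.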

Yeah, all right, so I'll drag that back over again. Is it on? All right, there it is. Okay, so in the Hack Field tab we have a couple of options here: Start Field, Start Field Extended, and Modified Field. We're effectively telling the tool which start field orders to parse. Currently we have all of them selected by default, and then on the left side we have disable field protection, enable hidden fields, and remove numeric-only restrictions. So here, that's where we're flipping those bits in the field attribute byte, and we have some other options here for the field intensity to highlight those fields that we're modifying, so we can toggle this. Now, enable hack

fields, and I'll go back to my tool and I'll try to make some updates here, right? So I'll change this field, which is a protected field, and I'll update it from 20 grand to something a bit more reasonable, right, like a dollar. So because we've enabled hack fields, we've disabled field protections, so now if we hit enter, okay, right, so I have to go down, indicate that yes, we want to purchase, and then hit enter, and now we were able to purchase that MacBook Pro. Yeah, okay, let's update this again. Okay, okay, so now hopefully we're able to purchase that MacBook Pro for a dollar, not 20 grand. So I'll disable hack fields now

and go to the next item. Let's see what we have: we have an ancient golden idol. So if I try to purchase this I would get an error indicating that it's denied, that we can't purchase this golden idol. So I'll enable hack fields again, and notice we have this hidden field. If I toggle it off we don't see that field; I toggle it on, we do see that field, and it's a field that seems to indicate whether or not we can purchase this item. So I'll change this from no to yes, I'll purchase the item, and now we're able to purchase an item that we were previously not

authorized to. So I'm going to disable hack fields and go back to the main

menu. Okay, and we'll go into the order history to see some of the work we've just done. All right, so it looks like we purchased the MacBook Pro, we were able to purchase it for a dollar, and then we were able to purchase the ancient golden idol despite it being not purchasable. So wouldn't it be nice if we could cover our tracks and delete this order history? All right, so we'll go back to the main

menu. Sorry, again it's hard to see. Yeah, we can't... there we

go. All right, okay, so we're back at the main menu. We'll enable hack fields and notice now that there's a hidden menu option for deleting our order history. So we'll go in, we'll select that menu option, we'll hit enter, and now we've deleted all of our records from our order history. So let's go back in and confirm that that's the case. Okay, menu option three, and there you have it: we were able to cover our tracks, we deleted all of the order history. Okay, so up until now we've demoed disabling field protections, enabling hidden fields, and brute forcing known application-level secrets. So the next test case will be using the inject key

presses tab. Let me see if I bring this back over

again. Okay, so if we recall from earlier, I mentioned that there are about 35 attention identifier keys that send data to the mainframe: we have the enter key, the clear key, 24 function keys, and I think three program access keys. So what we're doing here is iterating through all these known attention identifier keys in hopes of finding hidden functionality. Because these applications were potentially developed decades ago, and because keyboards today don't necessarily have these physical keys, it's not a stretch of the imagination to think that mainframe developers and operators could have hidden functionality behind some of these keys, not necessarily out of malicious intent but just to facilitate

systems maintenance. So I'll go ahead and press the send keys button. Yeah, I'll do that. So I'll let that run; we'll run it on this

screen. Okay, then we'll go back to the main screen and run that again. Notice some of these options are not selected; that's because in some applications, if you iterate through the clear button for instance, it'll just log you out of that application. So we've unselected some of these, but of course you can toggle those as needed. So notice we found this hidden screen within the application, within DVCA, by iterating through all known AID keys. So we could use the logs tab if we do have some logging capabilities. This will be maybe the last time we have to do

this.

Okay, so we do have some logging capabilities here. We have a column for that traffic ID, we have the timestamp, we have an indicator of whether that traffic was sent from the server or the client, we have a length that you can use to check for discrepancies in the response from the server, and then we have some notes regarding that traffic. So I'll sort by ID here; you can sort by these columns. And notice that we have the traffic that we sent while we were iterating through all known transaction IDs, so you can actually click through some of these entries here, and if you click on the server

response it'll actually update the screen on the terminal emulator so you can see what was sent during that specific entry. So in this case you would click through and you can see what was going on during that attack. So here was program access key one, program access key two, three, and you can click on these and see which one led to a successful attack, which one led to discovering hidden functionality in the application. You can also just check the length and check for discrepancies in length, and that can be an indicator of some hidden functionality there. You can also scroll

down. Whenever you toggle the hidden fields or hack fields, you should be able to see that here. Okay, so here hack fields was toggled off, here hack fields was enabled; you can see exactly which start field orders we were parsing and which field attributes got modified. All right, so we do have extensive logging here that can substantiate your security assessment on a CICS application. You could also use this during your peer review process, if your peer reviewer wants to review what another tester did; this would be a good place to do that. So the last tab here we'll demo. Yes, this is the last screen.

So we have a statistics tab that again you can use as a quick reference to see what was tested during that engagement, and you have some stats here regarding the number of attacks that were performed and the server IP address you connected to, and so on. Again, this can be used as an artifact to substantiate your assessment. So that was our demo. Now we'll cover some closing thoughts before we wrap up. Right, so as he said, some closing thoughts. Mitigations: IBM does have a 3270 IDS, but we wouldn't recommend using it for reasons that we're about to get into. What we would recommend using is RACF or some other

authentication and authorization system; those systems do have the ability to protect the transactions at the individual transaction level. Do not rely on hidden fields, so don't hide anything in hidden fields that you don't want people to see. These are all things that we have seen on real-world engagements. And then secure your attention identifier keys, so don't have any hidden functionality, developer functionality, back doors, whatever, in those keys thinking that people can't get to them. A quick word about the IDS: there are two versions of the IDS. There's the BMS intrusion detection service, which is implemented at the CICS region level; unfortunately it can only detect attacks that were done through applications developed using BMS

maps, and we have seen a number of CICS applications that were not, and in those cases this is completely useless. The other one is the VTAM 3270 IDS, and this is set at the communication server level so it affects every region on that server, but it is a massive resource hog, so much so that when we tested it and worked with them they were like, we can't use this, it takes up too many resources. And on top of that they both have the same flaw of false positives, because they can't tell malicious traffic from just junk traffic, so they'll abend frequently or send a lot of false alerts. So it's just

not really a good IDS to use, and even IBM doesn't recommend using it in the documentation. The key takeaways we want you to have are that mainframe computing is not a dinosaur; it's alive and well, it's a critical piece of our modern infrastructure, and they're not necessarily as secure from exploits. There are ways to do attacks, and everything that we've shown you here we have done in real-world CICS applications. There are now open source solutions for you to learn this stuff, and now an open source tool for you to do this testing on your own. We do want to give a special thanks to Soldier of Fortran: not only did he

develop the DVCA application for us, he was kind of a mentor to us for a lot of this stuff. He has literally hours and hours of talks on YouTube; just go search for him on YouTube and you can find so much information. This is our contact information; feel free to reach out to us for any questions that you may have, and there's a link again to the GitHub repo with the tool. Thank you very much. [Applause] It looks like we have two or three minutes for questions, if anyone has

one. Two quick questions. Sure. How big a deal is Linux in the mainframe world now? I'm sorry? How big a deal is Linux? I've seen IBM saying, hey, we run Linux, life is good. Yeah, they have USS, which is the Unix interface, and then they have Linux on Z, and it is gaining prevalence. I mean, we still see TSO a lot and that's still one of the main interfaces, but Linux on Z is definitely gaining ground. Is it emulated or does it run natively? It runs natively; it's something you would install on the LPAR like you would z/OS. And my second question is, is EBCDIC still

like the... Everything is EBCDIC. Everything is EBCDIC, yeah. So that was kind of our first clue when we were doing the Wireshark analysis: we were able to decode it using EBCDIC, and then that was kind of what led us down the rabbit hole. But everything over 3270 is EBCDIC, yep. Lovely, thanks a lot. Great, sure. Thank you. All right, well, thank you very much. Thanks, everyone.