Highlights of Mainframe Security
Hello! I’m Elizabeth Schweinsberg, an Engineer with the United States Digital Service (USDS). We help U.S. federal agencies modernize their digital services, like the Veterans Affairs website, Healthcare.gov, and Login.gov. I started at the USDS a year ago, in August 2020, after 15 years in digital forensics and incident response. I recently gave a lightning talk on mainframe security and shared the resources I used to learn about mainframes and security. The following is the text from my speech, and I’ve annotated it with links to the tools mentioned, videos that explain more, and other resources to get you started in mainframe security.
Do you remember March and April of 2020 when the national public health crisis started to ramp up? There was an explosion of unemployment claims to states and a similarly-sized explosion of news articles on how many of the states were still using mainframes to run the programs to pay unemployment. Where did these mainframes come from? Fun fact — they were there all along! Banks, governments, insurance companies, and airlines continue to use mainframes as the basis for their software. Over the last 60 years, mainframes have evolved to keep up but have never lost their true selves.
DEF CON 29 was a month ago; how many mainframe talks do you think there were? Only one, about escaping containers on the mainframe[1A]. It is a fabulous talk. There were eleven Windows talks and seven macOS talks. Despite being the basis of the world’s economies, there is not enough conversation about mainframe security. This talk aims to help change that and focuses on the IBM z/OS family — as this is where the research is.
Mainframes are optimized for business transaction processing — take a file full of records and do something with it, like create monthly bank statements. They are well suited to encrypting files fast, which makes them awesome for running ransomware on[1B]!
Modern mainframes are 1 to 4 server racks big, and contain all of the processing, memory, and storage needed to run[2B]. These giant machines can get split up into multiple logical partitions — one of the original virtual machines. Or multiple racks can be combined into a single partition. It just depends on how much processing power you need. Over time, IBM’s z/OS has grown to include a Linux subsystem, Java, and TCP/IP networking.
Mainframes have two sides: the administration side, and the application side. The administration side is like logging into your Linux terminal and directly accessing files or running scripts. The application side is called CICS: it is a small web server that can only display eight colors and has a screen of 24x80 characters. There is typically one system that manages all the users, though users can be granted permissions to only log into the admin or the web server side.
From here, all of the typical offensive security techniques work, just a little differently[3B]. Note: I did not figure any of this out; some very generous people have been publishing their mainframe security research over the years, and I am standing on the shoulders of giants. My research drew heavily on the work of Phil Young and Chad Rikansrud, among others.
Here’s an example of some of the techniques applied. First, get someone to let you poke at their mainframe for penetration testing or other defensive purposes. Note: please do not attempt to access a mainframe without permission.
Then, learn more about the mainframe and try to brute-force passwords with Nmap. The network connection is a special flavor of Telnet called TN3270, and the passwords are at most eight characters long. You have to be super careful because mainframes have strict lock-out settings — there are five tries max before your account is locked out, and you have to call the help desk to get it reset[4B].
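The lock-out behaviour described above is also what a defender should be watching for: three failures against one account in a few minutes means a lockout (and a help-desk call) is two attempts away, and one source failing against many different accounts is a password spray. The following is an added example, not code from the talk and not a real RACF/ACF2/Top Secret message format: the log line layout, the user IDs, the addresses and the ten-minute window are all constructed for illustration, while the five-attempt threshold comes from the text.

```python
"""Added example: flag TN3270 logon failures before the five-attempt lockout fires.

The log format below is invented for this illustration; real mainframe
security products emit their own messages, so the regex would be swapped for
one that matches those. The lockout threshold (5) is the one stated in the talk.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5          # from the talk: five tries, then the account is locked
WARN_AT = 3                    # alert early, so the help desk is not the first to know
WINDOW = timedelta(minutes=10)  # constructed: how far back to count failures
SPRAY_USERS = 3                 # constructed: distinct users failing from one source

# Constructed sample lines: "<timestamp> LOGON OK|FAIL user=<id> src=<ip> svc=TN3270"
SAMPLE_LOG = """\
2021-09-01T10:00:01 LOGON FAIL user=IBMUSER src=10.0.0.5 svc=TN3270
2021-09-01T10:00:04 LOGON FAIL user=IBMUSER src=10.0.0.5 svc=TN3270
2021-09-01T10:00:07 LOGON FAIL user=IBMUSER src=10.0.0.5 svc=TN3270
2021-09-01T10:00:09 LOGON OK   user=OPER1   src=10.0.0.9 svc=TN3270
2021-09-01T10:00:12 LOGON FAIL user=OPER1   src=10.0.0.5 svc=TN3270
2021-09-01T10:30:00 LOGON FAIL user=OPER1   src=10.0.0.5 svc=TN3270
2021-09-01T10:30:01 LOGON FAIL user=OPER2   src=10.0.0.5 svc=TN3270
2021-09-01T10:30:02 LOGON FAIL user=OPER3   src=10.0.0.5 svc=TN3270
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGON (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
)


def parse(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "OK",
        "user": m["user"],
        "src": m["src"],
    }


def analyze(log_text, warn_at=WARN_AT, window=WINDOW, spray_users=SPRAY_USERS):
    """Return findings as (kind, subject, source, count) tuples, in log order.

    kind is "lockout_risk" (one user, warn_at failures inside the window) or
    "spray" (one source, spray_users distinct users failing inside the window).
    Each subject is reported once so a burst does not flood the queue.
    """
    per_user = defaultdict(list)   # user -> failure timestamps inside the window
    per_src = defaultdict(dict)    # src  -> {user: last failure timestamp}
    warned_users, warned_srcs, findings = set(), set(), []

    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["ok"]:
            continue

        # Sliding window of failures for this account.
        fails = per_user[ev["user"]]
        fails.append(ev["ts"])
        while fails and ev["ts"] - fails[0] > window:
            fails.pop(0)
        if len(fails) >= warn_at and ev["user"] not in warned_users:
            warned_users.add(ev["user"])
            findings.append(("lockout_risk", ev["user"], ev["src"], len(fails)))

        # Distinct accounts this source has failed against inside the window.
        recent = per_src[ev["src"]]
        recent[ev["user"]] = ev["ts"]
        for stale in [u for u, t in recent.items() if ev["ts"] - t > window]:
            del recent[stale]
        if len(recent) >= spray_users and ev["src"] not in warned_srcs:
            warned_srcs.add(ev["src"])
            findings.append(("spray", ev["src"], None, len(recent)))

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports IBMUSER as a lockout risk after its third failure (two short of the talk's five) and 10.0.0.5 as a spraying source once it has failed against three different accounts inside the window; the per-source check matters because a spray never trips the per-account lockout at all.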
Did you get a valid username and password? Awesome! Check out the Metasploit modules for z/OS, now with privilege escalation[5B]. At the end of the day, mainframes run assembly. It’s just not Intel x86, so you’ll have to find a reference manual for it.
You can fuzz the web applications by trying to see what you can put into the entry fields — and seeing which entry fields are hidden that you can override and fuzz[6B], too. Big Iron Recon and Pwnage (BIRP) and CICSPwn[7B] will help you here.
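The reason hidden or protected fields can be overridden is that the terminal, not the server, enforces which parts of a 3270 screen are editable, so anything the screen sends back has to be re-checked on the server. The following is an added example of that server-side check, not code from the talk and not CICS code: the screen map, the transaction, the field names and the sample session are all constructed for illustration.

```python
"""Added example: treat every field a 3270 screen sends back as untrusted,
including the ones the map marked protected or never displayed.

The TRANSFER_MAP screen, the field names and the session values are invented
for this illustration; they are not a real CICS map or API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    name: str
    protected: bool   # read-only (or not shown at all) on the screen map
    max_len: int      # 3270 fields have a fixed length; enforce it server-side too


# Constructed screen map for a hypothetical account-transfer transaction.
TRANSFER_MAP = (
    Field("ACCTNO", protected=True, max_len=10),  # written by the server from the session
    Field("ROLE", protected=True, max_len=8),     # hidden field carrying the user's role
    Field("AMOUNT", protected=False, max_len=9),
    Field("MEMO", protected=False, max_len=40),
)

# Constructed server-side truth for the protected fields of one session.
SESSION = {"ACCTNO": "0001234567", "ROLE": "TELLER"}


class RejectedInput(ValueError):
    """Raised when a submission fails validation; the message is safe to log."""


def validate_submission(screen_map, session, submitted):
    """Return the accepted values for one screen submission or raise RejectedInput.

    session:   what the server itself wrote into the protected fields.
    submitted: the fields the terminal actually sent back, which may carry
               altered protected fields or fields that are not on the map.
    """
    known = {f.name: f for f in screen_map}
    unexpected = set(submitted) - set(known)
    if unexpected:
        raise RejectedInput(f"unexpected fields: {sorted(unexpected)}")

    accepted = {}
    for name, field in known.items():
        if field.protected:
            # Never take a protected value from the client. Use the server's copy,
            # and treat a differing client copy as tampering worth logging.
            if name in submitted and submitted[name] != session[name]:
                raise RejectedInput(f"protected field {name} modified by client")
            accepted[name] = session[name]
            continue

        value = submitted.get(name, "")
        if len(value) > field.max_len:
            raise RejectedInput(f"{name} exceeds {field.max_len} characters")
        if name == "AMOUNT":
            if not value.isdigit() or int(value) == 0:
                raise RejectedInput("AMOUNT must be a positive whole number")
            accepted[name] = int(value)
        else:
            accepted[name] = value
    return accepted


def is_rejected(screen_map, session, submitted):
    """Convenience wrapper: True if the submission is rejected, False if accepted."""
    try:
        validate_submission(screen_map, session, submitted)
        return False
    except RejectedInput:
        return True


if __name__ == "__main__":
    print(validate_submission(TRANSFER_MAP, SESSION, {"AMOUNT": "250", "MEMO": "rent"}))
    print(is_rejected(TRANSFER_MAP, SESSION, {"ROLE": "ADMIN", "AMOUNT": "250"}))
```

The accepted record is always built from the server's own copy of the protected fields, so a client that edits ROLE or ACCTNO gains nothing, and the length and numeric checks catch the oversized or malformed values a fuzzer would send to an unprotected field.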
By this point you’ll probably have root or at least enough privileges to run your own code. It doesn’t have to be COBOL, though it is a highly readable language. You can also use a Python-like language called REXX.
There is some momentum around talking about mainframe security that we should continue. Mainframes are continuing to evolve to include new technologies (like containers), and they should be integrated into an enterprise’s security strategy. This should include everything from zero trust architecture to threat detection and monitoring. This talk focused on offensive security because that’s what is available. There is a definite opportunity to share more on defensive and architecture topics.
Getting hands-on experience with mainframes can be tricky — there isn’t a free virtual mainframe you can download, and the hardware tends to be expensive to buy (and hard to store in a home office). But there are some opportunities out there. Coursera has a COBOL programming class that is free to audit, and IBM offers a competition called “Master the Mainframe,” where you can learn different parts of administration and programming.
There are plenty of mainframes left in the US government, and the Cybersecurity Executive Order[1C] does not leave them out. Through USDS there are opportunities for experienced security and software engineers to help define what “Zero Trust Architecture”[2C] means for mainframes, as well as continued opportunities to assist in modernizing legacy software. Getting into mainframe security could keep you busy for years to come!
[1B] “Z Ransomware” by Chad Rikansrud, SHARE 2017: https://www.bigendiansmalls.com/files/ransomware_share_2017.mp4
[6B] “Hacking Mainframes; Vulnerabilities in applications exposed over TN3270” by Dominic White, DerbyCon 2014: https://www.irongeek.com/i.php?page=videos/derbycon4/t217-hacking-mainframes-vulnerabilities-in-applications-exposed-over-tn3270-dominic-white
[7B] “CICS Breakdown” by Ayoub ELAASSAL (note: these are just slides, and they assume some knowledge about CICS): https://hitcon.org/2016/pacific/0composition/pdf/1201/1201%20R2%201320%20cics%20breakdown.pdf
[2C] And if you’re visiting this post in September 2021, and are interested in shaping what “zero trust” means for the government’s mainframes (and other systems) — OMB, USDS, and CISA are asking for public feedback on exactly this subject at https://zerotrust.cyber.gov.