This article originally appeared on SearchSecurity.com.
LAS VEGAS -- A security researcher at the recent DefCon USA 2006 hacker conference believes IBM mainframes, many of which store and process millions of transactions each day, could be vulnerable to attack, putting those transactions at risk.
Martyn Ruks, a UK-based penetration tester and security researcher, outlined a methodology for attacking IBM mainframes running the Systems Network Architecture (SNA) protocol, the proprietary IBM networking protocol created more than 30 years ago and commonly used by IBM mainframes and iSeries (AS/400) computers. Despite the emergence of cheaper alternatives, such systems have been mainstays in corporate data centers for years because of their reliability in running mission-critical finance, inventory and point-of-sale applications.
Ruks detailed how a script written in the Python programming language lets an individual query a Data-Link Switching (DLSw)-capable router and gather the router version, MAC address, NetBIOS name and other relevant information as part of the "footprinting," or data-gathering, phase of an intrusion.
Networking hardware also vulnerable
Listing several ways to gain credentials for mainframe access, Ruks also spoke about gaining access to routers, including those from networking vendor Cisco Systems Inc. that, if not properly patched, could leak information from DLSw circuits or be directly compromised.
Noting that the proof-of-concept Python script "only takes you about halfway to the goal," Ruks provided direction for writing SNA attack scripts to exploit vulnerable systems.
Ruks presented the weaknesses as a methodological approach rather than as a specific new attack vector. As with all attacks, if the routers aren't patched or the networks aren't secured properly, they are vulnerable to a number of older attacks. He commented that because these systems are not seen as low-hanging fruit, many companies neglect to secure them properly.
He said several of his clients hadn't patched their routers and, with a little SNA knowledge, this could allow an attacker a means into the network. He also said that there was little literature on the subject and that attackers must be well-versed in SNA infrastructure to properly exploit the issue.
But let there be no mistake, he said: After fully exploiting the weakness, an attacker can do just about anything he wants with a victimized mainframe.
Ruks also showed before-and-after diagrams of local and remote attack procedures, and offered recommendations for protecting the routers and communications channels to the mainframe, including turning on encryption between routers and on communication channels on the network, along with other networking and security best practices.
While Ruks gave the caveat that a properly configured and maintained network -- along with network administrators following best practices -- can harden these systems against attack, he said that in his experience this hasn't always been the case.
Ruks noted that while these SNA-networked systems may be old relative to other technologies, a large number of them are still used by large corporations to support mission-critical and high-value applications and their valuable data. Yet he said it is the combination of SNA alongside more contemporary systems running TCP/IP that exposes mainframes to attack.
Following the presentation, a Cisco spokesperson acknowledged interest in Ruks' talk and stated that Cisco will start a communications channel with Ruks.
Victor R. Garza is a technology/security consultant and lecturer at the Naval Postgraduate School in Monterey, Calif.