How to break into a Tandem System… …and how to prevent it!
Carl Weber, GreenHouse Software & Consulting
Security SIG of ETUG, 25 September 2012
This is what you have to secure

The security advice (PCI)

The security mechanism

… and this is what it looks like - BUT…

… this is your environment!

And you still believe you are secure?

Currently…
The government of Nordrhein-Westfalen bought and still buys tax-related data, stolen from Swiss banks. All these banks for sure successfully passed a PCI audit! What does this mean in terms of being PCI compliant?

What you really need!
Brief intro Carl Weber
• Started with Tandem (*) Germany in October 1978.
• ‘In security’ since 1985, when SAFEGUARD was introduced in Cupertino by Tim Chou.
• Leading the German system evaluation at GISA and participating in the NCSC evaluation (1989-1993).
• Started GreenHouse 1994 as a Tandem Alliance Partner. www.GreenHouse.de
• Specialized in security consulting and security reviews, security product and tool development, PRIV system code, and code specialties.
(*) to me it still is Tandem …

Session overview
• How secure is a Tandem system?
• Can it be broken into? Easily?
• Is there an easy way to detect and prevent it?
• Solutions!
• This presentation is related to the GUARDIAN side only: there is OSS and the network (LAN) as well!
Well known truths
Ignorance doesn’t solve the problem … it just lets you sleep better…
Once you have lost your integrity … the rest is easy …
Good judgment comes from experience. Experience comes from bad judgment.

Well known truths
Everybody has his price … trust me …
In theory, there is no difference between theory and practice; in practice, there is. (Chuck Reid)

What you possibly think about me …
Security people do have a good heart … but a sick mind …

… but …
Hackers do have a sick heart AND a sick mind!
Keep in Mind
• SAFEGUARD does not introduce better security, but better granularity as well as auditing. (An error 48 in GUARDIAN is as solid as in SAFEGUARD.)
• Automated security checks are nice to watch – but it is better to understand what they do, and what they do NOT do!
• Train yourself, and/or hire a trustworthy expert.
• Test your system before intruders or POIEs (*) do.
• Have OSS and LAN on your radar as well!
(*) POIE = pissed off internal expert [not politically correct, but precise]

Questions
• NonStop Systems are considered to be FailSafe – but what about their security?
• Does/can GUARDIAN and SAFEGUARD protect all system assets?
• OK - GUARDIAN/SAFEGUARD does have two (outdated) certificates:
  - NCSC (C2) and
  - GISA (F2 @Q3 and F7 @Q3)
• So what … ???

Questions
• Can the system, or an application, be broken into?
• Is it possible to gain access to IDs without the knowledge of the password?
• In case there are real threats - are there effective countermeasures?
General
• All my attacks start from a NON PRIV logged-on TACL with the ID of SA.CARL = 100,5
  - NO SUPER.SUPER (255,255)
  - NO SUPER group (255,n)
  - NO group manager (n,255)
  and the available system utilities I have access to, e.g. PATHCOM, SQLCI, SCF etc.
• Sounds like a first hurdle – but all your administrators, operators, developers, and system users do have interactive access to your system!

General
• Demos run on \GINKGO of GreenHouse (NS1002, H06.24.01).
• Connection by VPN through the Internet.

General
• Used system software:
  - MyLogin (single sign-on TO the system)
  - SECOM (single sign-on ON the system; command level security, ID hopping)
  - GreenHouse tools
  - Special demo programs (TAL/native TAL)
  - TACL macros
  - GreenHouse developed hack code using well documented GUARDIAN procedure calls
… and here we go …
PATHWAY-Threat
• Getting access to the application ID.
• Getting access to application data.
• Worst case: getting interactive access to SUPER.SUPER.
• This is my classic way to break into a system!

PATHWAY-Threat
• Weak point is the insufficient default security of the PATHWAY monitor.
• Unknown security mechanism.
• System applications are often started from SUPER.SUPER (do you use SUPER.SUPER in the day-to-day business?).
• Requirement to succeed with an attack: interactive access to the system with possibly ANY ID!

PATHWAY-Threat
• PATHWAY system (PATHMON)
  - PAID: Is the ID of the starting user.
  - Owner: By default the starting user; can be configured differently!
  - Security: By default “N”; can be configured differently!
    This has changed with TS/MP 2.3 from N to O. It is available starting with H06.14, but can be installed on any system beginning H06.06 or later (*).
    *** BUT NOT IN PATHWAY ***
(*) 18 December 2008, Evans, Keith B (NonStop) [keith.b.evans@hp.com], HP Product manager for PATHWAY

PATHWAY-Threat
• PAID (Process Access ID)
  - Derived from the starting user
  - Propagated to all programs (= servers) started from PATHMON
  - A PRIV ID even gives management users access rights they should not get

PATHWAY-Threat
• Owner
  - Set to PAID by default.
  - Can easily be changed to any other user ID.
  - Is used to manage the system via PATHMON.

PATHWAY-Threat
• Security
  - Set to “N” by default – still!
  - Allows ALL system users to manage this PATHWAY system (e.g. to stop it!)
  - Can easily be changed to any other (more secure) GUARDIAN security vector
  - Related to the PATHWAY “Owner”
PATHWAY-Attack
• Search for PATHMONs running as SUPER.SUPER, or as any other interesting application owner ID

  $GHS1 ARROW 23> status *,user super.super,prog $system.sys*.pathmon
  Process       Pri PFR %WT Userid  Program file            Hometerm
  $GHS    0,46  167     005 255,255 $SYSTEM.SYSTEM.PATHMON  $ZHOME
  $S600   0,54  180     005 255,255 $SYSTEM.SYSTEM.PATHMON  $ZHOME
  $GHS  B 1,58  167     001 255,255 $SYSTEM.SYSTEM.PATHMON  $ZHOME
  $S600 B 1,74  180     001 255,255 $SYSTEM.SYSTEM.PATHMON  $ZHOME
  $GHS1 ARROW 24>

PATHWAY-Attack
• Check the PATHMON security setting

  $GHS1 ARROW 24> pathcom $ghs;info pathway
  PATHWAY
    MAXASSIGNS     100 [CURRENTLY 63]
    MAXDEFINES     0   [CURRENTLY 0]
    .
    .
    MAXTERMS       60  [CURRENTLY 0]
    MAXTMFRESTARTS 5
    OWNER          \GINKGO.255,255
    SECURITY       "N"
  $GHS1 ARROW 25>

PATHWAY-Attack
… and how does it work?
• Introduce a new server, such as SQLCI, FUP, BACKUP etc.
• SUPER.SUPER even gives access to ANY other system ID WITHOUT the need to know a password, AND: this break-in is NOT audited in SAFEGUARD!

PATHWAY-Showtime
• Showtime … (\GINKGO.$GHS1.ETUG)
  - starting an insecure SUPER.SUPER PATHMON
  - demonstrating interactive access to SUPER.SUPER
  - starting a correctly secured SUPER.SUPER PATHMON
  - demonstrating its robustness
PATHWAY - Solution
• Prevent starting a PATHWAY application from a privileged system ID such as:
  - SUPER.SUPER
  - SUPER.xxx
  - xxx.MANAGER
• Set PATHWAY management security to “O”.
• Define a real user as PATHMON manager; can be different from the PATHMON PAID!

PATHWAY - Solution
• Optionally put an ACL on the PATHMON process name (know the consequences!).
• Activate the PATHWAY log, and check it on a regular basis (does not really help …).
• Make sure only authorized users can change the configuration files. This is true for ALL configuration files!

PATHWAY - Solution
• Use the FreeWare tool GetPWSS to check all your PATHWAY applications within seconds.
• Use command level security products (such as SECOM) to give management access rights on (sub)command level (who is allowed to restart which server at what time from which IP address …).

PATHWAY - Advanced Solution
• Run all PATHWAY applications in ONE user group: this allows pretty stringent security settings for the PATHWAY environments as well as for the database!
• Using non-existing IDs to run the applications enforces the best security and access control possible.
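The two checks on the PATHWAY-Attack slides (the TACL `status` listing of PATHMON processes and `pathcom ...;info pathway`) together with the rules on the PATHWAY - Solution slides (no privileged PAID, SECURITY "O", a non-privileged management owner) can be scripted as an audit. The script below is an added example; it is not from the presentation and it is not GreenHouse's GetPWSS tool. It parses constructed sample output of both commands, embedded inline and not captured from a real system, in the column layout the attack slide shows. It generalizes the slide's search for SUPER.SUPER to every privileged ID named on the solution slide (255,255; 255,n; n,255). The process name $APP1 and the user 100,5 used as an owner are made-up sample values.

```python
"""Audit PATHMON processes for the PAID / OWNER / SECURITY weaknesses the
slides describe.  Added example, not the presentation's or GreenHouse's code.
Input is constructed sample output of the TACL `status` and
`pathcom <pathmon>;info pathway` commands, embedded below."""
import re

# --- constructed sample input (not captured from a real system) -------------
STATUS_OUTPUT = """\
Process        Pri PFR %WT Userid   Program file             Hometerm
$GHS    0,46   167     005 255,255  $SYSTEM.SYSTEM.PATHMON   $ZHOME
$S600   0,54   180     005 255,255  $SYSTEM.SYSTEM.PATHMON   $ZHOME
$GHS  B 1,58   167     001 255,255  $SYSTEM.SYSTEM.PATHMON   $ZHOME
$APP1   1,12   150     005 100,5    $SYSTEM.SYSTEM.PATHMON   $ZHOME
"""

# One constructed `info pathway` answer per PATHMON found above
INFO_PATHWAY = {
    "$GHS":  'PATHWAY\n  MAXASSIGNS 100 [CURRENTLY 63]\n  OWNER \\GINKGO.255,255\n  SECURITY "N"\n',
    "$S600": 'PATHWAY\n  OWNER \\GINKGO.255,255\n  SECURITY "O"\n',
    "$APP1": 'PATHWAY\n  OWNER \\GINKGO.100,5\n  SECURITY "O"\n',
}

# name, optional backup flag 'B', cpu,pin, pri, optional PFR letters, %WT,
# userid, program file, hometerm (layout as on the slide; an assumption)
STATUS_LINE = re.compile(
    r'^(\$\w+)(?:\s+B)?\s+\d+,\d+\s+\d+\s+(?:[A-Z]+\s+)?\d+\s+(\d+,\d+)\s+(\$\S+)\s+\$\S+')
OWNER_LINE = re.compile(r'OWNER\s+(?:\\\w+\.)?(\d+),(\d+)')
SECURITY_LINE = re.compile(r'SECURITY\s+"([A-Z-])"')


def is_privileged(group, member):
    """SUPER.SUPER (255,255), SUPER.xxx (255,n) and xxx.MANAGER (n,255)."""
    return group == 255 or member == 255


def parse_status(text):
    """Return {process name: (group, member)} for PATHMON processes; the
    backup ('B') entry of a process pair is folded into its primary."""
    pathmons = {}
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if not m or not m.group(3).endswith(".PATHMON"):
            continue
        group, member = (int(x) for x in m.group(2).split(","))
        pathmons.setdefault(m.group(1), (group, member))
    return pathmons


def parse_info_pathway(text):
    """Extract (owner group, owner member, security letter) from info pathway."""
    owner = OWNER_LINE.search(text)
    sec = SECURITY_LINE.search(text)
    if not owner or not sec:
        raise ValueError("OWNER or SECURITY not found in info pathway output")
    return int(owner.group(1)), int(owner.group(2)), sec.group(1)


def assess(name, paid, info):
    """Return the list of findings for one PATHMON (empty list = OK)."""
    findings = []
    og, om, security = parse_info_pathway(info)
    if is_privileged(*paid):
        findings.append(f"{name}: PAID {paid[0]},{paid[1]} is privileged; "
                        "every server started by this PATHMON inherits it")
    if security != "O":
        note = ("any system user may manage it" if security in ("N", "A")
                else "not the recommended owner-only setting")
        findings.append(f'{name}: SECURITY "{security}" ({note})')
    if is_privileged(og, om):
        findings.append(f"{name}: OWNER {og},{om} is privileged; "
                        "define a non-privileged management user instead")
    return findings


def audit(status_text, info_by_pathmon):
    """Run the checks over every PATHMON found in the status listing."""
    return {name: assess(name, paid, info_by_pathmon[name])
            for name, paid in parse_status(status_text).items()}


if __name__ == "__main__":
    for name, findings in audit(STATUS_OUTPUT, INFO_PATHWAY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

On a live system the two dictionaries would be fed from the real command output; the check logic itself does not change. $GHS reproduces the slide's case (privileged PAID, privileged owner, SECURITY "N"), $S600 shows that fixing SECURITY alone still leaves the privileged PAID and owner, and $APP1 shows a configuration that passes all three rules.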
SPOOLER-Threat
• My second classic way to break into a system.
• Same problem as with PATHWAY.

SPOOLER-Threat
• SPOOLERs are often started from SUPER.SUPER at cold load time.
• Weak point is the unknown security mechanism.
• Requirement: interactive access to the system with ANY SUPER-group ID.