All, I think we all agree that every system has vulnerabilities, whether Windows, Unix, VM, or z/OS; the methods make it difficult for hackers to get into the systems, no different than protecting a home from robbers. By using a big dog and a 12 gauge, or an electronic security system... Many of us use firewalls, routers, RACF, ACF2, TSS, pass-phrases, and encryption to slow down the intruder.
Sent from my iPad
Scott Ford
Senior Systems Engineer
www.identityforge.com

On Mar 27, 2012, at 2:49 PM, David Cole <[email protected]> wrote:

> I'm sorry Tom. I did not intend my remarks to be personal. I deeply regret
> that you feel hurt by them. Please don't let my words deter you from future
> contributions. Your thoughts generally are more valuable than most.
>
> I just wanted to emphasize the APF Trojan horse vulnerability. It is real, it
> is serious, yet for decades everyone seems to want to pretend that it does
> not exist... It mystifies me.
>
>
>> www.zassure.com is the closest thing I've seen to an MVS anti-virus program.
>> After seeing a demo, I would have bought it, or recommended it to a client.
>> Check it out, you will be surprised, if not shocked.
>
> Thank you for this. I will check it out.
>
>
>> [Regarding SAF] I do take issue with your last sentence. SAF and an ESM
>> have everything to do with anti-virus protection, provided they are
>> configured to correctly protect APF-authorized resources.
>
> Perhaps. However, all an APF authorized program has to do is flip a bit or
> two in certain RACF control blocks, and voilà! He's suddenly a supervisory
> program and, as such, is given a pass on all RACF calls... Alternatively, a
> malicious APF program can simply dynamically front-end certain supervisory
> programs, and again voilà! (As I'm sure you know, APF programs can fairly
> easily defeat all hardware storage protections.)
>
> Yes, SAF is still called even for APF programs, but an APF program can still
> subvert those calls.
>
>
>> I've never forgotten this [APF libraries]. That's why my APF-authorized
>> libraries are severely limited in scope, and audited for any and all updates.
>
> Enforcing trust is a technical issue. RACF is very good at that. Deciding who
> to trust is a management issue. Even shops that allow only trusted vendor
> software into APF authorized libraries are implicitly trusting the hundreds or
> even thousands of people involved in the development of that software.
>
> Again, I go into more detail about this in my prior post:
> https://bama.ua.edu/cgi-bin/wa?A2=ind0608&L=IBM-MAIN&P=R63457&I=-3&X=6EB01556E36E4D9CAC&Y=dbcole%40colesoft.com&d=No+Match%3BMatch%3BMatches
>
>
> Again, please accept my apology, Tom. It was not intended to be personal. I'm
> sorry it came out that way.
>
> Dave Cole            REPLY TO: [email protected]
> ColeSoft Marketing   WEB PAGE: http://www.colesoft.com
> 736 Fox Hollow Road  VOICE:    540-456-8536
> Afton, VA 22920      FAX:      540-456-6658
>
>
> At 3/27/2012 02:21 PM, Pinnacle wrote:
>> Replies like this are why I seldom post to IBM-Main anymore. The fact that
>> it comes from someone who I respect and consider a friend hurts all the
>> more. Bottom line is that I work for a living, and I often don't have time
>> to respond in gory detail to everything posted. My primary objective here
>> was to stress that the z/OS architecture is inherently hardened against
>> viruses. The fact that I did not go into explicit protections for
>> APF-authorized programs appears to have been my fatal flaw, according to Mr.
>> Cole. Regardless of what comes back, this will be my last post on the
>> subject. My comments below.
>>
>> Regards,
>> Tom Conley
>>
>>
>> On 3/27/2012 1:06 PM, David Cole wrote:
>>> At 3/27/2012 11:19 AM, Pinnacle wrote:
>>>> There is a mainframe product that protects against malicious software.
>>>> It's called SAF, and it interfaces with ESM's like RACF, or ACF2, or
>>>> TopSecret.
>>>
>>> "SAF" is not a product. It stands for "System Access Facility" and it is
>>> nothing more than an interface within z/OS into which a security system
>>> (such as ACF2, TopSecret and any ryo security system) can plug to
>>> receive and respond to security calls. It really has nothing to do with
>>> anti-virus protection.
>>
>> SAF is not a product, you're right. Please forgive my use of the term
>> "product", I should have said "feature". I do take issue with your last
>> sentence. SAF and an ESM have everything to do with anti-virus protection,
>> provided they are configured to correctly protect APF-authorized resources.
>>
>>>> It [z/OS] is the only operating system out there with built-in anti-virus
>>>> protection. On top of that, the hardware itself actively protects against
>>>> damage through storage keys, protected memory, etc.
>>>> You have to explain to the auditors that anti-virus software is not needed
>>>> on z/OS, because it's intrinsic to the operating system and the hardware.
>>>
>>> I think you seriously misunderstand what a virus is...
>>>
>>> Yes, z/OS has exceptional security (and integrity and reliability) features
>>> for protecting against non-authorized programs. But I must emphasize...
>>> -->NON<--authorized programs!
>>>
>>> When it comes to AUTHORIZED programs, z/OS's integrity (which is what you
>>> are talking about with "storage keys" and such) is very good, but of course
>>> not bulletproof. Worse though, when it comes to SECURITY, there are some
>>> real problems! Because with the proper knowledge, it is TRIVIALLY EASY FOR
>>> AN AUTHORIZED PROGRAM TO SUBVERT SECURITY COMPLETELY!
>>>
>>> This is what mainframers constantly forget regarding security. For
>>> authorized programs there is no security. All that is necessary for a
>>> malicious program to do is to Trojan-horse its way (with the AC(1)
>>> attribute) into an authorized library, and you're done for!
>>
>> I've never forgotten this. That's why my APF-authorized libraries are
>> severely limited in scope, and audited for any and all updates.
>>
>>> As far as I know there is no serious anti-virus program for mainframes. I
>>> believe strongly that there needs to be one, but I don't know of one. And
>>> at this stage of the mainframe culture, I would be seriously suspicious of
>>> the efficacy of any program that claimed to be anti-virus. I don't think
>>> that a serious mainframe anti-virus program can exist unless and until IBM
>>> itself makes a commitment to support an effort to make the mainframe
>>> anti-virus proof.
>>
>> www.zassure.com is the closest thing I've seen to an MVS anti-virus program.
>> After seeing a demo, I would have bought it, or recommended it to a client.
>> Check it out, you will be surprised, if not shocked.
>>
>> ----------------------------------------------------------------------
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to [email protected] with the message: INFO IBM-MAIN
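The mitigation Tom describes (keep the APF list short, and know exactly who can update each library in it) is only as good as the check behind it, and that check has to be re-run every time the APF list or a profile changes. The following is an added example, not code from this thread or from any product mentioned in it. It reads a constructed sample of the CSV019I response to the D PROG,APF console command (the ENTRY / VOLUME / DSNAME table) and a constructed, simplified extract of RACF DATASET profile settings; the extract's line format, the profile names and the access lists are assumptions made for the example, and in practice you would build that extract from LISTDSD ... AUTH output or an IRRDBU00 database unload. For each APF library it finds the covering profile with a simplified version of RACF's most-specific-profile rule, lists every ID holding UPDATE or higher, and flags the things that make the "audited for any and all updates" claim false: no covering profile, UACC of UPDATE or above, ID(*) with write access, and WARNING mode.

```python
"""Audit who can modify the libraries on the APF list (added example)."""
import re
from collections import namedtuple

# Constructed sample of the console response to D PROG,APF (message CSV019I).
# Only the ENTRY/VOLUME/DSNAME table is parsed; the data set names are invented.
APF_DISPLAY = """\
CSV019I 14.22.33 PROG,APF DISPLAY 123
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
    1 *SYSRES* SYS1.LINKLIB
    2 *SYSRES* SYS1.SVCLIB
    3 APFV01 VENDOR.APF.LOAD
    4 APFV02 DEV.TEST.APFLIB
    5 APFV03 OLD.FORGOTTEN.APFLIB
"""

# Constructed, simplified extract of RACF DATASET profiles. The line format
# (NAME UACC=x WARNING=YES|NO ACL=id:access,...) is an assumption for this
# example, not RACF output; build it from LISTDSD ... AUTH or an IRRDBU00 unload.
DATASET_PROFILES = """\
SYS1.**          UACC=READ   WARNING=NO  ACL=SYSPROG:ALTER,SMPE:UPDATE
VENDOR.APF.LOAD  UACC=UPDATE WARNING=NO  ACL=SYSPROG:ALTER
DEV.**           UACC=READ   WARNING=YES ACL=SYSPROG:ALTER,DEVTEAM:UPDATE
DEV.TEST.*       UACC=READ   WARNING=NO  ACL=SYSPROG:ALTER,*:UPDATE
"""

WRITE_LEVELS = {"UPDATE", "CONTROL", "ALTER"}   # any of these lets you replace a load module

ApfEntry = namedtuple("ApfEntry", "entry volume dsname")
Profile = namedtuple("Profile", "name uacc warning acl regex literal")


def parse_apf_display(text):
    """Return ApfEntry records from the ENTRY/VOLUME/DSNAME table of CSV019I."""
    entries, in_table = [], False
    for line in text.splitlines():
        if line.split() == ["ENTRY", "VOLUME", "DSNAME"]:
            in_table = True
            continue
        m = re.match(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$", line) if in_table else None
        if m:
            entries.append(ApfEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def profile_regex(name):
    """Translate RACF generic characters: ** spans qualifiers, * the rest of
    one qualifier, % one character (an approximation of the real rules)."""
    out, i = "^", 0
    while i < len(name):
        if name.startswith("**", i):
            out, i = out + r"[A-Z0-9@#$.-]*", i + 2
        elif name[i] == "*":
            out, i = out + r"[A-Z0-9@#$-]*", i + 1
        elif name[i] == "%":
            out, i = out + r"[A-Z0-9@#$-]", i + 1
        else:
            out, i = out + re.escape(name[i]), i + 1
    return re.compile(out + "$")


def parse_profiles(text):
    profiles = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        acl = {}
        for item in filter(None, kv.get("ACL", "").split(",")):
            ident, access = item.split(":")
            acl[ident] = access
        literal = sum(c not in "*%" for c in name)       # specificity measure
        profiles.append(Profile(name, kv["UACC"], kv["WARNING"] == "YES",
                                acl, profile_regex(name), literal))
    return profiles


def covering_profile(dsname, profiles):
    """Approximate RACF's most-specific-profile choice: a discrete profile
    wins outright, otherwise the generic with the most literal characters."""
    hits = [p for p in profiles if p.regex.match(dsname)]
    return max(hits, key=lambda p: (p.name == dsname, p.literal)) if hits else None


def audit_apf_libraries(apf_text, profile_text, protectall=False):
    """Map each APF library to its covering profile, its writers and findings.
    protectall mirrors SETROPTS PROTECTALL(FAILURES): without it a data set
    with no profile is simply unprotected."""
    profiles, report = parse_profiles(profile_text), {}
    for e in parse_apf_display(apf_text):
        prof, findings, writers = covering_profile(e.dsname, profiles), [], {}
        if prof is None:
            findings.append("NO PROFILE: access fails under PROTECTALL, define one"
                            if protectall else "NO PROFILE: library is unprotected")
        else:
            writers = {i: a for i, a in prof.acl.items() if a in WRITE_LEVELS}
            if prof.uacc in WRITE_LEVELS:
                findings.append(f"UACC={prof.uacc}: anyone can modify")
            if "*" in writers:
                findings.append(f"ID(*) has {writers['*']}: any RACF-defined user can modify")
            if prof.warning:
                findings.append("WARNING mode: violations are logged but access is granted")
        report[e.dsname] = {"profile": prof.name if prof else None,
                            "writers": writers, "findings": findings}
    return report


if __name__ == "__main__":
    for dsn, r in audit_apf_libraries(APF_DISPLAY, DATASET_PROFILES).items():
        print(f"{dsn:24} profile={r['profile']} writers={r['writers']}")
        for f in r["findings"]:
            print(f"    !! {f}")
```

Two things in the sample are worth noticing. DEV.TEST.APFLIB is covered by DEV.TEST.*, not by the WARNING-mode DEV.** profile, so the WARNING finding correctly does not fire for it; the real exposure there is the *:UPDATE entry, which hands write access on an APF library to every defined user. And a library that is on the APF list but has no covering profile at all (OLD.FORGOTTEN.APFLIB) is the classic leftover that makes the Trojan horse David describes possible without anyone ever having granted write access explicitly.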

