On Mar 28, 2012, at 4:13 PM, "R.S." <[email protected]> wrote:
> The problem is we don't believe. :-) > > W dniu 2012-03-28 22:45, Ray Overby pisze: >> Yes, I believe I have a way to attack a mainframe system where I don't >> have access. Then would you believe me? In the days before ubiquitous networking you would have been safe not do believe. Today I think you would be foolish not to believe. The proof is a thought experiment that I could walk you through, but I won't because I don't think it is wise to shout out the location of my neighbor's front door keys, even if he is foolish enough to leave them under the mat. It is the reason why I keep harping on about integrity violations. Suffice to say that more sophisticated malware attacks in the real world like Stuxnet have proven conclusively that patience and a broad based approach can pay dividends even in some of the most supposedly secure sites in the world. And if through that slow patient attack, you manage to get some code running on a z/OS system, THEN... even if that code is utterly non-privileged, it is quite easy to find and exploit integrity violations locally. And the world is your oyster. So it really isn't like on TV where the brainiac agents are always cracking firewall encryption in five minutes. But with the right kind of approach, they don't need to. And if they can do some human insider trading, then it is even easier. Bottom line: if you think your systems are really secure, you're probably nuts. Far more likely it's just that nobody has (yet) paid attention. Sorry. CC ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
