"Mission Attainable: Rogue Server"


A Hollywood Blockbuster Cluster


Government agent Heathen Runt slips into his specialized climbing gear, and in a pocket of his magnetic backpack, he stashes the thumb drive he will use to access the server. He then embarks on the long, arduous ascent to the top of the precipice that marks home to the impenetrable data center belonging to the evil organization known as Server People Hampering Integration of New Core Technologies, or SPHINCTer.


While many Power Systems servers host applications on the web, the biggest hurdle to connecting to the typical back-end server running IBM i involves accessing the network that hosts it. Of course, the word "biggest" is relative. A quick Google search for "biggest breaches" returns more than 10 million (yes, million!) hits, disclosing the dizzying array of headline-hitting security failures, along with a multitude of experts speculating on how the various security controls were traversed. There's the fairly mundane, such as a misconfigured router or firewall, and then there's the plain gutsy, such as physically swapping out Point of Sale (POS) devices in a retail store in order to introduce malware. The bottom line is that if you're convinced your network could never be compromised, then you've already lost the battle!


When he finally reaches the peak of the mountain, Runt observes two heavily-armed guards (or is that heavy, two-armed guards?) patrolling the rear entrance to SPHINCTer's data center. Hiding in the crack between two huge boulders, he unclips his backpack and removes his climbing suit, revealing a uniform identical to those worn by the guards except for the "I'm The Boss" name tag. The plan is daringly simple: walk right past the guards and hope they're intimidated by his senior position. If that doesn't work, the daringly simple plan will be swapped with the Chuck Norris plan.


Hackers have realized that humans are the weakest link in the security chain. Exploiting man's unquenchable thirst for love, sex, and money, as well as our natural curiosity and our social training to do as instructed, fraudsters trick us into clicking email links and surrendering personal information over the phone and Internet. Social media has become one of the most bountiful sources of once-private information. We simply can't wait to tweet about new jobs and hairstyles and to Instagram cute photos of Fido celebrating his birthday as if it's breaking news! Do criminals really care about hacking our kids' new VTech-branded toy or breaching our dating preferences on BinaryOnly.com? Of course not! But criminals have discovered that credentials to these websites are often reused on more critical ones, such as our corporate VPN and our banking website. Criminals have also discovered that the better they profile their victims through online public sources, the more targeted and successful the attack will be. And, as mind-boggling as it may seem, it's not unheard of for criminals to dress in a suit and walk into a building acting as if they own the place, easily gaining access to restricted areas. If you're scoffing, think about the last time you stopped and grilled someone who appeared to be a part of the executive team. When I'm handed a visitor pass, I enjoy testing the water by wearing it blank side out—or not wearing it at all—when I walk through office areas on my way to the men's room. I don't remember the last time I was stopped or questioned by anyone. Admittedly, being the size of an NFL linebacker might have something to do with that, but the appearance of authority really is an easy "in" to the trusted perimeter.


Access was less challenging than expected, and, having chastised the apologetic guards for their sloppy appearance, Runt strolls nonchalantly into the building. Using the GPS function on his Snapple Watch, he makes his way quickly to the server room, seeking data on all criminals in the SPHINCTer organization. As he opens the door, Runt scans the room and quickly recognizes the glowing front panel of the IBM Power server, reputed by Ripley's Believe It or Not! as one of the most secure server technologies in the world!


Reputations can be grossly misleading. In the case of the IBM i operating system—often considered to be virtually impenetrable—the difference between a server being secure versus securable has to be acknowledged. For some inexplicable reason, we expect the security controls to have been preconfigured to their perfect values for every company, application, and industry regulation. Even if magic were truly possible, applications and security configurations are commonly migrated from each generation of the server to the next, negating any attempt by IBM to update the defaults to be more representative of this era of ever-evolving regulatory mandates. Ironically, success of a migration is usually indicated by the fact that the shiny new server mirrors the dusty old one purchased years ago, which, incidentally, was itself a server that was migrated from a system purchased years before that! A popular study reports that the vast majority of servers running IBM i remain in default configurations, or worse, and reflect a 1990s security mindset.


Inserting the thumb drive into a nearby PC executes a script that attempts to connect to the server. Runt has done his research and, through reading hair-raising security articles on MC Press Online, he is aware that over 50 percent of Power Servers do not monitor or log powerful services like FTP and DDM. He also knows that profiles are typically created with a password matching the profile name and often remain that way until someone discovers them (but never seems to fix them) during a subsequent audit. Other controls, such as disabling only the workstation as a result of too many invalid sign-on attempts, will be ineffective against this script! It's not like it really matters anyway, as there's only a 77 percent chance that auditing is active. And, even if it is, no one ever checks the logs and would notice an attack, at least not until Runt's sipping celebratory champagne up in first class as the final credits roll. The script runs faster than a deer, taking less than 3 seconds to locate a profile with a default password, and connects to the server. Thanks to the unfortunate "allow-all" default configuration, he quickly downloads the SPHNCTRMST master file to the thumb drive. This breach was even easier than Runt expected!


Assuming you don't deliberately maintain a policy of permitting everyone in your organization to view, change, and delete data, and assuming you prefer that end users are unable to reboot the server or reconfigure profiles and TCP communications, then it's time to take a new stance. While the genesis of many poor security practices can be traced back to simpler days of Twinax cabling and RPG II code, it's past time to allocate funds and assign resources to first stop the bleeding and then to put this train wreck in reverse and start to clean up erroneous configurations to correct the situation. Within the past year, I have encountered a system that was connected to the Internet with no firewall protection and was operating with an open TELNET port. I won't disclose all of the sordid details, but the IP address was revealed on an underground website in a list of "AS/400" servers that scans had determined were open. If that wasn't bad enough, we then uncovered that the QPGMR profile had a matching password (QPGMR) and had been granted the Holy Grail of IBM i power, *ALLOBJ! This is perhaps an extreme example, but there are many more almost as bad. I've audited systems configured with their minimum password length set all the way down to one character. I have lost count of the number of profiles operating with "root" access levels via *ALLOBJ special authority as well as the systems that were not even using the free auditing capabilities. All of these scenarios may be shocking and dismissed as obvious, but it happens more often than it doesn't, and I don't see folks clamoring to resolve the issues.
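The weaknesses named in this paragraph and in the thumb-drive scene above (auditing switched off, one-character minimum password length, a lockout that disables only the device, profiles carrying *ALLOBJ, and passwords matching the profile name) can be put on a single report. The SQL below is an added example, not code from the article, written against the IBM-supplied Db2 for i services QSYS2.SYSTEM_VALUE_INFO and QSYS2.USER_INFO; the column names are IBM's, while the FAIL thresholds and the ANZDFTPWD step are this example's assumptions.

```sql
-- Added example (not from the article): report the IBM i settings the
-- article calls out, using the Db2 for i services QSYS2.SYSTEM_VALUE_INFO
-- and QSYS2.USER_INFO. Run from STRSQL or Run SQL Scripts with a profile
-- allowed to read these views. Thresholds below are this example's choices.

-- 1. System values: auditing inactive, short passwords, and a lockout
--    action (QMAXSGNACN = '1') that disables only the device, which the
--    article notes is useless against a scripted sign-on attack.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_NUMERIC_VALUE,
       CURRENT_CHARACTER_VALUE,
       CASE SYSTEM_VALUE_NAME
         WHEN 'QAUDCTL'    THEN CASE WHEN CURRENT_CHARACTER_VALUE LIKE '%*NONE%'
                                     THEN 'FAIL: auditing not active' ELSE 'ok' END
         WHEN 'QPWDMINLEN' THEN CASE WHEN CURRENT_NUMERIC_VALUE < 8
                                     THEN 'FAIL: minimum password length' ELSE 'ok' END
         WHEN 'QMAXSGNACN' THEN CASE WHEN CURRENT_CHARACTER_VALUE = '1'
                                       OR CURRENT_NUMERIC_VALUE = 1
                                     THEN 'FAIL: lockout disables device only' ELSE 'ok' END
         WHEN 'QMAXSIGN'   THEN CASE WHEN CURRENT_CHARACTER_VALUE = '*NOMAX'
                                     THEN 'FAIL: unlimited sign-on attempts' ELSE 'ok' END
         ELSE 'review'
       END AS FINDING
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QSECURITY', 'QAUDCTL', 'QPWDMINLEN',
                             'QMAXSIGN', 'QMAXSGNACN');

-- 2. Enabled profiles holding *ALLOBJ ("root"), oldest password first,
--    with the running count of invalid sign-on attempts. QPGMR and the
--    other IBM-supplied Q* profiles should appear here only on purpose.
SELECT AUTHORIZATION_NAME,
       USER_CLASS_NAME,
       SPECIAL_AUTHORITIES,
       PASSWORD_CHANGE_DATE,
       SIGN_ON_ATTEMPTS_NOT_VALID
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
 ORDER BY PASSWORD_CHANGE_DATE;

-- 3. Passwords equal to the profile name (the article's "matching
--    password") cannot be read through SQL. Report them with the CL
--    command ANZDFTPWD ACTION(*NONE), which lists the profiles without
--    changing them; rerun it with ACTION(*PWDEXP) once reviewed.
```

The first query is deliberately a report rather than a fix: the article's point is that the findings must be reviewed on an ongoing basis, so schedule it and compare the output to the last run.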


Sadly, in the real world, super-spies are interchangeable with end users, and Heathen Runt might actually be a warehouse worker or an accounts receivable clerk. If the crimanagers (criminal managers) at SPHINCTer had attended COMMON and then budgeted for audits and remediation services for this server instead of relying solely upon perimeter controls, then the breach would have been far more difficult. This is no different from the average organization over-confidently putting their security eggs in one proverbial basket by employing only a single security layer: the perimeter. Once Runt got through the one door, nothing else stood in his way. Many of us assume that a server and its data can't be accessed outside of the official application and don't implement security in layers as experts recommend, with each layer designed to slow down the perpetrators until they're discovered or they move on to an easier victim.


Audits are highly valuable when performed by an auditor who understands that not all worlds are populated exclusively by Microsoft's adorable mischievous minions, and when the auditor's observations and resulting recommendations are acted upon. Audits are intended to validate that established procedures are being followed and that security settings remain correctly configured on an ongoing basis, not just the day before the auditor arrives. Information abounds about how to correctly configure IBM i security as well as where common mistakes are made. Sadly, administrators and executives often either are unaware of how bad the situation is or choose to ignore the warning signs because of resource constraints or financial implications. After all, we could never be breached, right? WRONG!


Tales of government-sponsored breaches, globally coordinated ATM attacks, and the compromising of major corporate networks using an HVAC contractor's credentials might read like Hollywood scripts, but each has occurred in the real world in the past couple of years, all with devastating consequences. Virtually all data has value even if it seems it may not, and not adequately protecting it comes with a price tag: As I wrap up this riveting article, the University of Washington Medicine is the latest to pay after being slapped with a $750,000 fine for a HIPAA violation after falling victim to an email-based phishing attack in 2013. Servers are a target as they contain the data that has financial value to the attacker. Employees are the conduits to the servers and applications, making them targets to be coerced, enticed, tricked, and blackmailed.


You don't have to be a Citibank or Sony or eBay to be at risk of a breach. Do you think VTech executives sat in their board room and allocated millions of budget dollars to protecting their online social network that caters to tech-savvy infants? Not according to recent headlines. Sadly, I am pretty sure that's what they're doing now! A data breach can happen to anyone who is not realistic enough to think that it can—and most likely will—happen to them at some point and who thinks their data isn't valuable to anyone but them. While a motivated criminal who has set their sights on your database is probably unstoppable, that doesn't mean you roll over and expose your vulnerable underside to the attacker. Get serious, folks! The first step is an easy one and won't cost anything or require any resources: stop thinking that IBM i comes with a "breach-proof" guarantee! Then contract an audit to reveal weaknesses. And remediate the findings.


I leave the ending to this movie open. You are now the director. You have the power to share this doomsday warning—or the hundreds of others written by folks like me—with your management team. Make them aware that Power Servers and the IBM i operating system have a staggering suite of enviable features, many of which are security-related. Then inform them that these features work only if they are correctly configured and used. This is no longer an AS/400 from 1991, so don't secure it like one!


Your mission, should you choose to accept it, is to correctly secure an IBM i server. As always, should you or any of your security force be caught (or mention Java), the organization will disavow any knowledge of your existence and you will be forced to spend the rest of your career in a room filled with Windows servers!


For more information on configuring IBM i security, including establishing a well-defined audit environment, download the IBM Security Reference manual (SC41-5302-12) from IBM.com, consult IBM's online Knowledge Center, or contract a reputable IBM i security expert.
