How to break into a Tandem System and how to prevent it! Carl - - PowerPoint PPT Presentation

1234 Carl Weber GreenHouse Software & Consulting

Security SIG of ETUG, 25. September 2012

How to break into a Tandem System… …and how to prevent it!

1234

This This is is what what you you have have to to secure secure

1234

The security The security advice advice (PCI) (PCI)

1234

The security The security mechanism mechanism

1234

… nad … nad this this is is how how it it looks looks like like - BUT… BUT…

1234

… this … this is your your environment! nvironment!

1234

And you And you still still believe believe you you are are secure? secure?

1234

Currently… Currently…

The government of Nordrhein-Westfalen bought and still buys tax related data, stolen from Swiss banks. All these banks for sure successfully passed a PCI audit! What does this mean in terms of being PCI compliant?

1234

What What you you really really need! need!

1234

Brief Brief intro Carl Weber intro Carl Weber

Started with Tandem(*) Germany in October 1978. ‘In security’ since 1985, when SAFEGUARD was introduced in Cupertino by Tim Chou. Leading the German system evaluation at GISA and participating in the NCSC evaluation (1989-1993). Started GreenHouse 1994 as a Tandem Alliance Partner. www.GreenHouse.de Specialized in security consulting and security reviews, security product and tool development, PRIV system code, and code specialties.

(*) to me it still is Tandem …

1234

Session overview Session overview

How secure is a Tandem system? Can be broken in? Easily? Is there an easy way to detect and prevent it? Solutions! This presentation is related to the GUARDIAN side only: There is OSS and the network (LAN) as well!

1234

Ignorance doesn’t solve the problem … it just lets you sleep better… Once you lost your integrity … the rest is easy … Good judgment comes from experience. Experience comes from bad judgment.

Well known truths Well known truths

1234

Everybody has his price … trust me … In theory, there is no difference between theory and practice; in practice, there is.

Chuck Reid

Well known truths Well known truths

1234

Security people do have a good heart … but a sick mind …

What you possibly think about me … What you possibly think about me …

1234

Hackers do have a sick heart AND a sick mind!

… but … … but …

1234

SAFEGUARD does not introduce a better security, but a better granularity as well as auditing.

(an error 48 in GUARDIAN is as solid as in SAFEGUARD)

Automated security checks are nice to watch – but it is better to understand, what they do, and what they do NOT do! Train yourself , and/or hire a trustworthy expert. Test your system before intruders or POIEs(*) do. Have OSS and LAN on your radar as well!

(*) POIE = pissed off internal expert [not politically correct, but precise]

Keep in Mind Keep in Mind

1234

NonStop Systems are considered to be FailSafe – but what about their security? Does/can GUARDIAN and SAFEGUARD protect all system assets? OK - GUARDIAN/SAFEGUARD does have two (outdated) certificates:

• NCSC (C2) and
• GISA (F2 @Q3 and F7 @Q3)

So what … ???

Questions Questions

1234

Can be broken into the system, or an application? Is it possible to gain access to ID’s without the knowledge

• f the password?

In case there are real threats - are there effective countermeasures?

Questions Questions

1234

General General

All my attacks start from a NON PRIV logged on TACL with the ID of SA.CARL = 100,5

• NO SUPER.SUPER (255,255)
• NO SUPER group (255,n)
• NO group Manager (n,255)

and available system I have access to, e.g.:

• PATHCOM, SQLCI, SCF etc.

Sounds like a first hurdle – but all your administrators,

• perators, developers, and system users do have

interactive access to your system!

1234

General General

Demos run on \GINKGO of GreenHouse.

(NS1002, H06.24.01)

Connection by VPN through the Internet.

1234

General General

Used system software:

• MyLogin

(single sign on TO the system)

• SECOM

(single sign on ON the system; command level security, ID hopping)

• GreenHouse tools
• Special demo programs (TAL/native TAL)
• TACL macros
• GreenHouse developed hack code using well

documented GUARDIAN procedure calls … and here we go …

1234

PATHWAY-Threat PATHWAY-Threat

Getting access to the application ID. Getting access to application data. Worst case: Getting interactive access to SUPER.SUPER. This is my classic way to break into a system!

1234

PATHWAY-Threat PATHWAY-Threat

Weak point is insufficient default security of PATHWAY monitor. Unknown security mechanism. System applications are often started from SUPER.SUPER (do you use SUPER.SUPER in the day-to-day business?). Requirement to succeed an attack: Interactive access to the system with possibly ANY ID!

1234

PATHWAY-Threat PATHWAY-Threat

PATHWAY system (PATHMON)

• PAID

Is the ID of the starting user.

• Owner

By default the starting user; can be configured differently!

• Security

By default “N”; can be configured differently! This has changed with TS/MP 2.3 from N to O. It is available starting H06.14, but can be installed on any system beginning H06.06 or later(*). *** BUT NOT IN PATHWAY ***

*18. December 2008, Evans, Keith B (NonStop) [keith.b.evans@hp.com],

HP Product manager for PATHWAY

1234

PATHWAY-Threat PATHWAY-Threat

PAID (Process Access ID)

• Derived from the starting user
• Propagated to all programs

(= Servers), started from PATHMON

• A PRIV ID even gives management users access

rights they should not get to

1234

PATHWAY-Threat PATHWAY-Threat

Owner

• Set to PAID by default.
• Can easily be changed to any other user ID.
• Is used to manage the system via PATHMON.

1234

PATHWAY-Threat PATHWAY-Threat

Security

• Set to “N” by default – still!
• Allows ALL system users to manage this

PATHWAY system (e.g. to stop it!)

• Can easily be changed to any other (more secure)

GUARDIAN security vector

• Related to PATHWAY “Owner”

1234

PATHWAY-Attack PATHWAY-Attack

Search for PATHMON’s, running SUPER.SUPER,

• r any other interesting application owner ID

$GHS1 ARROW 23> status *,user super.super,prog $system.sys*.pathmon Process Pri PFR %WT Userid Program file Hometerm $GHS 0,46 167 005 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME $S600 0,54 180 005 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME $GHS B 1,58 167 001 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME $S600 B 1,74 180 001 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME $GHS1 ARROW 24>

1234

PATHWAY-Attack PATHWAY-Attack

Check PATHMON security setting

$GHS1 ARROW 24>pathcom $ghs;info pathway PATHWAY MAXASSIGNS 100 [CURRENTLY 63] MAXDEFINES 0 [CURRENTLY 0] . . MAXTERMS 60 [CURRENTLY 0] MAXTMFRESTARTS 5 OWNER \GINKGO.255,255 SECURITY “N" $GHS1 ARROW 25>

1234

PATHWAY-Attack PATHWAY-Attack

… and how does it work? Introduce a new server, such as SQLCI, FUP, BACKUP etc. SUPER.SUPER even gives access to ANY other system ID WITHOUT the need to know a password, AND: This break in is NOT audited in SAFEGUARD!

1234

PATHWAY-Showtime PATHWAY-Showtime

Showtime … (\GINKGO.$GHS1.ETUG)

• starting an insecure SUPER.SUPER PATHMON
• demonstrating interactive access to SUPER.SUPER
• starting a correct secured SUPER.SUPER PATHMON
• demonstrating its robustness

1234

PATHWAY - PATHWAY - Solution

• lution

Prevent starting a PATHWAY application from a privileged system ID such as:

• SUPER.SUPER
• SUPER.xxx
• xxx.MANAGER

Set PATHWAY management security to “O”. Define a real user as PATHMON manager; can be different from the PATHMON PAID!

1234

PATHWAY - PATHWAY - Solution

• lution

Optionally put an ACL on the PATHMON process name (know the consequences!). Activate the PATHWAY log, and check it on a regular basis (does not really help …). Make sure only authorized users can change the configuration files. This is true for ALL configuration files!

1234

PATHWAY - PATHWAY - Solution

• lution

Use the FreeWare tool GetPWSS to check all your pathway applications within seconds. Use command level security products (such as SECOM) to give management access rights on (sub)command level.

(who is allowed to restart which server at what time from which IP address …)

1234

PATHWAY - PATHWAY - Advanced Solution Advanced Solution

Run all PATHWAY-applications in ONE user group: This allows pretty stringent security settings for the PATHWAY environments as well as for the data base! Using non existing IDs to run the applications enforces the best security and access control possible.

1234

SPOOLER-Threat SPOOLER-Threat

My second classic way to break into a system. Same problem as with PATHWAY.

1234

SPOOLER-Threat SPOOLER-Threat

SPOOLERs are often started from SUPER.SUPER at cold load time. Weak point is unknown security mechanism. Requirement: Interactive access to the system with ANY SUPER-Group ID.

1234

SPOOLER-Threat SPOOLER-Threat

Management access is granted to:

• the starting ID
• all SUPER-group members
• SUPER.SUPER
• optional to group managers

1234

SPOOLER-Attack SPOOLER-Attack

Search for SPOOL, running SUPER.SUPER

$GHS1 ARROW 27> status *,prog $system.sys*.spool Process Pri PFR %WT Userid Program file Hometerm $SPLS B 0,43 150 001 255,255 $SYSTEM.SYSTEM.SPOOL $ZTNP0.#PTPAAAA $SPLS 1,38 150 001 255,255 $SYSTEM.SYSTEM.SPOOL $ZTNP0.#PTPAAAA $GHS1 ARROW 28>

1234

SPOOLER-Attack SPOOLER-Attack

… how does it work? Introduce a new print process, which is a normal GUARDIAN program, such as FUP, SCF, SQLCI etc. … yes – it works! A SUPER.SUPER running SPOOL allows even interactive access to SUPER.SUPER!

(same procedure as with PATHWAY: Introduce a print process [= SPOOLER server])

1234

SPOOLER - SPOOLER - Solution

• lution

Do NOT start a SPOOLER from SUPER.SUPER! Consider running different SPOOLER systems, where the starting ID is the owner/manager. Consider using ACLs on supervisor and collector processes. Use command level security products to control access to SPOOLER systems.

1234

USERID/LUSERID-Threat USERID/LUSERID-Threat

Wrong security setting on USERID as well as SAFEGUARD files. Unknown additional alternate file(s). Requirement: Interactive access to the system with ANY ID and READ access to USERID/LUSERID.

1234

USERID/LUSERID-Threat USERID/LUSERID-Threat

READ access allows a FUP COPY which discloses unencrypted passwords. READ/WRITE access allows the injection of a new password for EVERY user, or the modification of password cryptograms (DoS) Additional alternate key copies each entry into a separate file, which can be used for a brute force attack.

1234

USERID/LUSERID-Solution USERID/LUSERID-Solution

All mentioned files have to be secured to: “----”, where the

• wner has to be: SUPER.SUPER.

Check with FUP INFO<fileset>,DETAIL for alternate file entries. Use the FreeWare tool FileTree to display all alternate key files of a given file.

1234

USERID/LUSERID-Solution USERID/LUSERID-Solution

Make use of the PWCONFIG product to configure the password attributes when SAFEGUARD is not used

• r

Use appropriate SAFEGUARD settings.

1234

Alias Users - Alias Users - Threat hreat

Do you know all SUPER.SUPER related Alias users? Tandem engineers often place(d) a SUPER.SUPER Alias

• nto the system, that makes life easier for them…

Insufficient knowledge of SAFEGUARD. Incomplete SAFEGUARD setup.

1234

Alias Users - Alias Users - Threat hreat

Unexpected access to SUPER.SUPER, where SUPER.SUPER is not used to logon, but an Alias. Requirement: Access to SAFECOM and insufficient OBJECTTYPE USER setup. SUPER.SUPER used by a ‘wrong’ person

(just once is enough! Give me your system and SUPER.SUPER for a minute – and it is mine!).

1234

Alias Users - Alias Users - Solution Solution

Check all Alias users. Use the FreeWare tool MyUser to list all GUARDIAN/Alias user relations. Delete/Expire those users, not introduced/known by you. Have OBJECTTYPE USER defined. OK – have SAFEGUARD set-up correctly (next topic)!

1234

SAFEGUARD - SAFEGUARD - Threat hreat

Undefined OBJECTTYPEs. Wrong understanding of ACL evaluation. Wrong object ACLs. Orphaned ACL owners or Access users.

1234

SAFEGUARD - SAFEGUARD - Threat hreat

Each user can introduce a SUBVOL ACL, when OBJECTTYPE SUBVOL is not defined. My classic way: Introduce a non existing ACL for subvol $SYSTEM.SYSTEM or any other interesting collection of files, do a file copy, and delete the ACL … Check ACL evaluation, and find a hole…

(SAFECOM INFO SAFEGUARD)

1234

SAFEGUARD - SAFEGUARD - Attack Attack

Add an ACL e.g. on SUBVOL level. Access the required data. Re-set the ACL. OK – this ends up in the audit trails; BUT I am sure, that the owner of this system does not check these files at all!

1234

SAFEGUARD - SAFEGUARD - Solution

• lution

Understand SAFEGUARD. Understand what you do. Introduce ***ALL*** OBJECTTYPEs. Set up the evaluation rules for an easy understanding, e.g.:

• FILE FIRST
• FIRST ACL
• PATTERN LAST
• CHECK VOLUME OFF
• CHECK SUBVOL ON
• CHECK DISKFILE ON

1234

SAFEGUARD - SAFEGUARD - Solution

• lution

Check ACL evaluation with tools like:

• CRYSTAL
• SECINFO
• ACLClean

1234

xxxCSTM - xxxCSTM - Threat hreat

Insufficient user default security, which is propagated to CSTM-files, especially the files of SUPER.SUPER’s

• FUPCSTM
• TACLCSTM

This is true for TACL Macros (e.g. MYMACS etc.) as well!

1234

xxxCSTM - xxxCSTM - Attack Attack

Insert data into FUPCSTM, such as: LICENSE <mycode> Then visit SUPER.SUPER and ask him, to do ‘something’ that activates the CSTM-file you changed, e.g. to execute FUP. Remove the code from FUPCSTM. Insert data into TACLCSTM. What about a LOGOFF as first statement?

1234

xxxCSTM - xxxCSTM - Solution

• lution

Secure all CSTM files to “OOOO”. No shared default locations. No shared USER IDs. Default security has to be “OOOO”, optionally “UUOO”. Individualize all users. Differentiate between functional and individual users.

1234

TACL Macro - TACL Macro - Threat hreat

Same as CSTM-threat. Hard coded passwords in TACL Macros.

1234

TACL Macro - TACL Macro - Attack Attack

Search for MYMAC files and check for passwords.

1234

TACL Macro - TACL Macro - Solution

• lution

All users TACL Macros should be secured to: “OOOO”. Do NOT have passwords hard coded anywhere; use products which support this, e.g. our Secure FTP client which is based on a repository, where passwords are stored in encoded form.

1234

Library - Library - Threat hreat

Classic Trojan Horse. Not that easy to develop, but Easy to install and Difficult to find. … do you know what I’m talking about??? … I love this method …

1234

Library - Library - Threat hreat

Adds code to an executable. Can easily spoof passwords. Can change the behavior of a program by

• copying data
• changing data
• skipping code
• etc. etc. etc.

Requirement:

• write & execution access on program file (just once)
• execution access on library file

1234

Library - Library - Attack Attack

Add a LIB to

• TACL/FTPSERV to intercept USER_AUTHENTICATE_ :

You get all passwords in the clear

• any Tandem utility, and change the command behavior
• … be creative (or is it subversive?)!

1234

Library-Showtime Library-Showtime

Showtime … ($GHS1.ETUG)

• logging on to a TACL that has a library attached:

The classic Trojan Horse!

1234

Library - Library - Solution

• lution

Check all executables on your system. Use the FreeWare tool: SHOWLIB Remove suspect libraries. Use the FreeWare tool: BINDLIB Set the security of all executables to: “xOxO” to prevent any LIB binding by non file owners. Use the FreeWare Tool SECURE.

1234

Library - Library - Solution

• lution

In general:

• Secure all executables to: “OOxO”
• Secure all system EDIT files to: “xOOO”
• Secure all system files to: “OOOO”
• Secure all application files to: “OOOO”
• make SUPER.SUPER the owner of all system files

1234

Portconf - Portconf - Threat hreat

PORTCONF causes LISTNER to start malicious code.

1234

Portconf - Portconf - Attack Attack

Check security of PORTCONF and add an entry. Because LISTNER normally runs SUPER.SUPER, the defined resource runs SUPER.SUPER!

1234

Portconf - Portconf - Solution

• lution

Check PORTCONF for suspicious entries. Secure PORTCONF that only the system administrator can change it. Do not start LISTNER from SUPER.SUPER – there is no need!

1234

Search Path - Search Path - Threat hreat

Before a resource is executed, TACL tries to find it in the search path. A typo causes an error, but a program, named like a typo, may cause a disaster… Requirement: Create access in a search path.

1234

Search Path - Search Path - Attack Attack

Write a small program, that purges all files of the user, executing it. Place this program in the search path and name it like a typo, e.g. EDOT instead of EDIT. … lean back, relax, and wait …

1234

Search Path - Search Path - Solution

• lution

Introduce SAFEGUARD ACLs for all system wide search path locations: Deny CREATE for unauthorized users. Inform your users to check their search path settings, and add an ACL as well.

1234

Alternate Key File - Alternate Key File - Threat hreat

Alternate key files hold ‘real’ data, up to 256 bytes. They are not displayed by the FUP INFO command, but require FUP INFO,DETAIL! Are easily overlooked. This is true for SQL tables as well!

1234

Alternate Key File - Alternate Key File - Attack Attack

Add an alternate key file to a sensitive file, where the record contains the interesting part!

1234

Alternate Key File - Alternate Key File - Solution

• lution

Use FUP and check all your sensitive data files for unknown alternate key file entries. Use FreeWare program FILETREE to display all alternate key files.

1234

Accessing Purged Data on Disk - Accessing Purged Data on Disk - Threat Threat

A PURGE does not WIPE the data, it updates the Disks Free List Table. Data is still available, and can be retrieved by ANY user who is allowed to create a file.

1234

Accessing Purged Data on Disk - Accessing Purged Data on Disk - Attack Attack

Create a big file. Allocate all extents

(e.g. FUP ALLOCATE <file>, 900)

Position the EOF to the last byte.

(by a small program, or FUP RECLAIMDATA <file>)

Perform a READ/COPY in the file.

1234

Accessing Purged Data on Disk - Accessing Purged Data on Disk - Solution

• lution

Use CLEAR-ON-PURGE option. Know what you do: This as well might be a performance problem for large files. May be there is a solution in the future: The file to be cleaned will be renamed to a temp file, and then cleaned.

1234

Denial of Denial of Service - Service - Threat hreat

Exhaustive use of system resources:

• CPU cycles
• internal tables
• disk and disk directory space

Causes unavailable system and services. Causes the operating people to panic! May even cause a system HALT.

1234

Denial of Denial of Service - Service - Attack Attack

By Intention Corrupting a CPU

?Nolist ?Source $system.system.extdecs0 (alter_priority_) ?List Proc Test Main; Begin While 1 do begin alter_priority_(199); End;

1234

Denial of Denial of Service - Service - Attack Attack

By Intention Corrupting a volume

?Nolist ?Source $system.system.extdecs0 (file_create_) ?List Proc Test Main; Begin String .system[0:35] := „$system“; Int Len := 7; While 1 do begin File_Create_(SYSTEM:36,Len); End;

1234

Denial of Denial of Service - Service - Attack Attack

By Intention Corrupting a CPU by flooding LISTNER with incomplete FTP calls.

1234

Denial of Denial of Service - Service - Attack Attack

By error Wrong and/or no error handling in the error handling.

1234

Denial of Denial of Service - Service - Attack Attack

By Tandem utilities

• DIVER
• TANDUMP

1234

Denial of Denial of Service - Service - Solution

• lution

Code reading. Exhaustive logic and error debugging.

(Kindergarten test)

Check error handling in error handling! No compilers on production systems. Test/development isolated from production – not even EXPAND. Check existing objet files with FreeWare tool EProcs.

1234

Denial of Denial of Service - Service - Solution

• lution

Make use of the Authorization SEEP.

(PRCOSEEP)

Use ListnerLib to harden LISTNER. Use PURGETMP FreeWare to keep track of ‘orphaned’ temporary disk files. Revoke LICENSE flag from DIVER and TANDUMP, at least set a tight security vector.

1234

Purge - Purge - Threat Threat

Purge a file’s data WITHOUT having purge access. Really deletes a files content. Requires only WRITE access: PURGE can be set to e.g. SUPER.SUPER! … and how? Perform a PURGEDATA followed by a DEALLOCATE!

1234

Covert Channel - Covert Channel - Threat hreat

Information leakage to listener. Hidden data channel.

1234

Covert Channel - Covert Channel - Attack Attack

Changing the priority.

(ticker channel)

Checking CPU buys values. Relating date, time and events. Checking EOF, files, process creates etc.

1234

Covert Channel - Covert Channel - Solution

• lution

Code reading. Procedure call check against a negative list

(why calling AlterPriority in a server?)

Exhaustive logic (20%) as well as error tests (80%). No production data for tests!

1234

Ghost Processes Ghost Processes

Started from a temporary file. Very difficult to track down. At least you should know about it. When we have time: Showtime!

1234

SCF Thread – SCF Thread – just just discovered discovered

Logon to ANY SUPER-Group user. Get SCF-Access to $ZZKRN. Allow all errors. Add a small program to $ZZKRN and define SUPER.SUPER as the PAID. The program introduced to $ZZKRN sets the ‘already logged on’ flag, and creates a TACL. This TACL then is started logged on with the SUPER.SUPER ID. Solution: Get rid of individual SUPER-Group users! Fixed at least in H06.24.01

1234

LINKMON Thread – LINKMON Thread – just discovered just discovered

Start a PATHMON under user A.B. Add a associative server class C with security “N" and with the process name $ZNET. Then send the SPI-command to add a process $ZZKRN to this server class; you can still do this as user A.B. Now the LINKMON (which runs under SUPER.SUPER) is able to open $ZNET. $ZNET thinks that a SUPER.SUPER user is the user. Add a process to $ZZKRN and since SUPER.SUPER is the boss .....: Voila

1234

LINKMON Thread – LINKMON Thread – just discovered just discovered

The real problem here is that LINKMON's run under SUPER.SUPER. According to Wendy Bartlett, these two problems are fixed in: T1084H01^AAV and T1085H01^ABB

1234

Social Engineering Social Engineering

Works on ANY platform at any site. Misuse of helpfulness. Use of unthoughtfulness.

(do not think about what you do…)

Most efficient non technical method. Cheap!

1234

Best practice Best practice

No code licensing - except you know what you license. No PROGID – use ID hopping products instead. No orphaned files and orphaned IDs in ACLs. No shared IDs. Tight user default security (OOOO). Tight system file security. Control of functional users by e.g. session I/O tracing

(GUARDIAN as well as OSS).

Management support for system operators.

1234

Tools Tools

All mentioned tools are Free- or ShareWare from GreenHouse and can be found at: www.GreenHouse.de For GreenHouse products please contact: Carl.Weber@GreenHouse.de

1234

Third Parties Third Parties*

Bowden Systems CAIL comForte21 Crystal Point CSP GreenHouse Insession Technologies Unlimited Software Associates XYPRO

*This list might be incomplete.

1234

Questions Questions

1234

Thank Thank you you for for listening! listening!