Re: z/OS, OS/390 Pen testing tips/ideas/papers?

[visigoth <visigoth () securitycentric com>]

On Tue, Jan 28, 2003 at 05:24:22AM -0800, Nick Jacobsen wrote:
> Hi all,
>     One of my clients has an IBM OS/390 running on one of their networks I
> am doing some security testing on, and considering I really have not dealt
> with any IBM mainframes before when it comes to security, I was hoping that
> some of you might be able to point me the right direction.  Anything would
> be helpful, but especially from a penetration viewpoint.

I haven't particularly touched any OS/390 boxen, but in testing other "big
iron" systems like OS/400 we often find that the most common security
vulnerability is STILL default passwords and accounts.  I have assessed
banks who still have default accounts in place for accounts ranging from
user template accounts all the way to the QSECOFR account.  If the box
you're assessing seems to have any standard authentication interfaces
available, I would start there....   The next issue after that in frequency
is usually internally developed web based apps with gaping holes.

Cheers (and good luck ;)

-visigoth

-- 
______________________________________________________________________________
        Damieon Stark           | Microsoft: Where do you want to go today?
e: visigoth () securitycentric com      | Linux: Where do you want to go tommorow?
        p: 612.382.6945         | FreeBSD/Sun: Are you guys coming or what?
        pgp: 0xBE5D0C57         | http://www.sun.com/solaris - To the Nth!
        pgp.mit.edu             | http://www.freebsd.org - The power to serve!
------------------------------------------------------------------------------
I'll see your DMCA and raise you a First Amendment.
http://www.anti-dmca.org
------------------------------------------------------------------------------
eot

Attachment: _bin
Description: