Wednesday, March 16, 2016

Verizon Outlines Disturbing AS/400 Breach At Water District

Published: March 16, 2016
by Alex Woodie
Cyber intruders who gained access to an AS/400 at a water district were able to manipulate the flow of chemicals into the public water supply, Verizon says in its latest Data Breach Digest. While customers served by the water district were not harmed, the episode shows the potential consequences of failure to properly secure critical systems in an increasingly connected world.
Verizon dedicated five pages to laying out the disturbing breach of a water district that it referred to as Kemuri Water Company (KWC), which is not a real name. The water district had first contacted Verizon's RISK Team to conduct a proactive assessment of its security system. KWC insisted it had never been compromised. However, after just a little probing, the RISK Team found evidence of an actual breach by a "hacktivist" group with ties to Syria.
According to details of the breach, the hacktivists first infiltrated KWC's systems by exploiting known security vulnerabilities in a Web-based payment server application that KWC had set up to allow customers to pay their bills and view water usage information. Unfortunately, that system was directly linked by cable to its backend "AS400" system. Making matters worse, the water district stored login credentials for the AS/400 on that front-end Web server, and the AS/400 was directly connected to the Internet.
KWC's aging AS/400 system (it was more than 10 years old, according to Verizon) served many purposes, as it does for most organizations that run the platform, which has gone through several name changes (iSeries, System i) and is now officially called IBM i for Power Systems by IBM. Among the applications are core financials, billing, and a database containing personally identifiable information (PII) about customers.
SCADA Plot
The water district also used the AS/400 as a supervisory control and data acquisition (SCADA) system to directly control hundreds of programmable logic controllers (PLCs) that opened and closed valves that govern the flow of water and chemicals used to treat the water. Verizon's RISK Team found evidence that the hacktivists logged into this operational technology (OT) system and manipulated the valves controlling the flow of chemicals.
"It became clear that KWC management was aware of potential unauthorized access into the OT systems of the water district," Verizon says in its report. "More specifically, an unexplained pattern of valve and duct movements had occurred over the previous 60 days. These movements consisted of manipulating the PLCs that managed the amount of chemicals used to treat the water to make it safe to drink, as well as affecting the water flow rate, causing disruptions with water distribution."
The hackers also stole more than 2.5 million files that contained PII data, according to the report. There was no evidence that the data breach led to any fraudulent activity, Verizon says. That's not surprising, considering the hackers worked out of IP addresses that were used in previous hacktivist activities, the telco and IT giant says. "The typical semantic footprint of a hacktivist attack shows greater interest in denying and disrupting the victim's ability to conduct business than stealing information for financial gain," Verizon says in its report. "That was definitely the case here."
The bad news, of course, is that cyber criminals operating in the Middle East were able to release potentially dangerous chemicals into the public drinking water supply serving several counties in the United States. However, KWC had systems in place to detect the chemical release and took immediate steps to fix the problem after being alerted to it.
"KWC's breach was serious and could have easily been more critical," Verizon says in its report. "If the threat actors had a little more time, and with a little more knowledge of the ICS/SCADA system, KWC and the local community could have suffered serious consequences."
Lessons Learned
From an IT and IBM i point of view, there are several lessons to be learned from the KWC breach. Some of the lessons are obvious, while others less so.
Among the basic lessons at play here are the need to apply patches and remediate known security vulnerabilities that affect Web applications. It's also not a good idea to store user names and passwords for critical systems like AS/400s in plain text on front-end Windows and Linux servers, or to expose backend servers like the AS/400 to the public Internet. This is the low-hanging fruit of IT security, but all too often, organizations continue to violate these basic tenets of security and rack up the "duh" moments by the dozen.
Having SCADA systems directly connected to front-end billing systems (as KWC had) is not a best practice, but is undoubtedly fairly common. Verizon also took KWC to task for employing a single administrator for the AS/400 system. While having duplicate hardware, software, and network connectivity is standard practice for many shops, having redundancy in personnel is also something worth considering.
But some of the other lessons from the KWC hack are not so obvious.
Not too long ago, OT systems such as SCADA were housed separate from IT systems, such as corporate networks and payment servers. That "air gap" served as a barrier to cyber snoopers and criminals. But as technology matured and data centers grew, organizations recognized there were benefits to grabbing more "real time" data from operational systems, and hence, that air gap disappeared. The problem is compounded by having IT administrators remotely manage OT systems over the Internet.
"This new technology can provide a false sense of security, as operating budgets do not take into account the time to support, maintain and operate the new technology--thus it becomes ineffective," Verizon concludes. "Threat actors have the upper hand when technology is not maintained and they develop ways to circumvent how it works. Continuous operational and security training, coupled with additional staff, are required to stay on the same level playing field as threat actors."
You can download a copy of the Verizon Breach Digest at www.verizonenterprise.com/verizon-insights/data-breach-digest/2016/.

Sunday, March 13, 2016

Zipping / Unzipping IFS Objects in IBM i

Those of you who know me probably know that I’m a lapsed programmer. These days I spend most of my time working at or below the IBM i Operating System layer but every now and then there is an exception that makes me dust off my coding skills and the recent need to Zip / UnZip files held in the IFS proved to be one such exception.
It started out with a simple request from a client saying that they would really like to be able to send and receive ASCII files stored in the IFS that were compressed and interchangeable with a standard Zip program on a Windows Server.
Initially I thought of cheating and just writing a script to do this from a Windows device that had the IFS folder in question mapped as a network drive. In the same moment I remembered the countless times I had stood up in front of clients and user groups and told them just how flexible, open and downright fabulous IBM i is, and so I realised there must be a better way. And of course there is!
QZIPUTIL Service Program
Back in 2012 IBM added a service program called QZIPUTIL to v7.1, along with a couple of APIs, QzipZip and QzipUnzip. If you are running IBM i v7.2, or v7.1 with Cumulative level 2279 or higher, then you already have this.
Now, if you want to ZIP / UNZIP files but you are about to abandon me because you are not an RPG developer or you run on older versions of IBM i, stick around; I promise there are a couple of golden nuggets lurking just a few paragraphs further down.
Back to QZIPUTIL: the following charts, taken from the IBM Knowledge Centre, give the syntax of these APIs. The links below them take you to the pages where you can get detailed information about their usage, syntax and errors.
QzipZip
QzipUnzip

APIs are great but a command would be more useful.
APIs are of course great but for CL monkeys like myself an IBM i command would be much more useful. Ideally what we would want here are a couple of simple commands like ZIP and UNZIP.
In fact this is so startlingly fundamental that I truly don't know why IBM did not add them. If you can think of a reason, please feel free to enlighten me via the comments option at the bottom of this article. The lack of these commands was the very reason that I personally did not notice IBM had added this function to IBM i v7.1 until just a few months ago!
Fortunately, thanks to a very generous and gifted gentleman called Carsten Flensburg, this is now possible in a matter of minutes. Carsten has created both ZIPF and UNZIPF commands that you can freely download from the IBM Support website and upload to your server in minutes. Below is a link to the page on the IBM support website:
http://www-01.ibm.com/support/docview.wss?uid=nas8N1010418

Sample ZIPF command
Once created you can simply use the ZIPF command to compress a single file or a whole series of directories, subdirectories and objects. Below is a sample screen shot from this command:
ZIPF

Sample UNZIPF command
The UNZIPF command is just as intuitive and, like the ZIPF command, can decompress a single file or a whole series of directories, subdirectories and objects. Below is a sample screen shot from this command:
UNZIPF

Compatible with Windows ZIP files
I’ve only done limited tests so far but both the APIs and the commands above work flawlessly with their Windows counterparts. Please feel free to share your experiences with this via the post a comment option at the bottom of the article.
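When checking that an archive produced on IBM i really is interchangeable with a standard Windows Zip tool, the two things that bite in practice are the compression method (Windows' built-in handler only reads Store and Deflate) and file-name encoding (names outside 7-bit ASCII are only unambiguous when the UTF-8 flag is set, which matters when the source system is EBCDIC). The script below is an added example, not code from this article or from Carsten's commands: it parses the Zip central directory by hand, flags members a Windows tool would reject, and recomputes each member's CRC-32 to confirm the payload is intact. It assumes Python 3 on the machine that receives the file; the sample archive it builds in memory is constructed test data.

```python
"""Inspect a Zip archive's central directory and check each member for
interoperability with a standard Windows Zip tool (store/deflate only,
unambiguous file-name encoding) and for payload integrity (CRC-32)."""
import io
import struct
import zlib
import zipfile

# Compression methods every mainstream Zip reader, including the Windows
# built-in "Compressed (zipped) folder" handler, understands.
PORTABLE_METHODS = {0: "store", 8: "deflate"}
UTF8_NAME_FLAG = 1 << 11   # general-purpose bit 11: file names are UTF-8

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header


def build_sample_zip():
    """Constructed test archive (not from the article): one deflated member,
    one stored member and one bzip2 member that a Windows tool would reject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "line one\nline two\n", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("readme.txt", "plain text", compress_type=zipfile.ZIP_STORED)
        zf.writestr("notes.txt", "bzip2 payload", compress_type=zipfile.ZIP_BZIP2)
    return buf.getvalue()


def verify_member_crc(data, local_off, method, crc, csize, usize):
    """Recompute CRC-32 of one member's payload; None when the method is not handled."""
    if data[local_off:local_off + 4] != LFH_SIG:
        raise ValueError("local header missing at offset %d" % local_off)
    # Local header: name length at +26, extra length at +28, payload after +30.
    lfh_name_len, lfh_extra_len = struct.unpack_from("<HH", data, local_off + 26)
    start = local_off + 30 + lfh_name_len + lfh_extra_len
    payload = data[start:start + csize]
    if method == 0:
        raw = payload
    elif method == 8:
        raw = zlib.decompress(payload, -15)   # raw deflate stream, no zlib header
    else:
        return None
    return len(raw) == usize and (zlib.crc32(raw) & 0xFFFFFFFF) == crc


def check_archive(data):
    """Walk the central directory and return one finding dict per member."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a Zip file")
    # EOCD: total entries at +10 (2 bytes), CD size at +12, CD offset at +16.
    total_entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)

    findings = []
    pos = cd_offset
    for _ in range(total_entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("central directory is damaged at offset %d" % pos)
        (_sig, _made_by, _needed, flags, method, _time, _date,
         crc, csize, usize, name_len, extra_len, comment_len,
         _disk, _int_attr, _ext_attr, local_off) = struct.unpack_from("<4s6H3I5H2I", data, pos)
        raw_name = data[pos + 46:pos + 46 + name_len]
        pos += 46 + name_len + extra_len + comment_len

        # Non-ASCII names are only unambiguous when bit 11 declares UTF-8;
        # otherwise each tool guesses a code page (cp437 on Windows).
        ascii_name = all(b < 0x80 for b in raw_name)
        name_ok = ascii_name or bool(flags & UTF8_NAME_FLAG)

        findings.append({
            "name": raw_name.decode("utf-8", "replace"),
            "method": method,
            "portable": method in PORTABLE_METHODS and name_ok,
            "crc_ok": verify_member_crc(data, local_off, method, crc, csize, usize),
        })
    return findings


if __name__ == "__main__":
    for finding in check_archive(build_sample_zip()):
        print(finding)
```

Run it against a file received from the IBM i side with `check_archive(open("received.zip", "rb").read())`; a member with `portable: False` is the one a Windows user will report as "invalid or corrupted", and `crc_ok: False` points at damage in transit (for example a binary-mode FTP transfer that was not actually binary).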
PCI Compliance
If you are worried that you cannot use these commands as they are not directly from IBM, the good news is that Carsten included the source to all his programs and it is this source that is compiled as part of the install so you have complete visibility over the code.
Pro Tip: If you want a masterclass in how to write an IBM i installer without access to a compiler, just check out the script he includes for uploading these commands. It is genius!
I’m sorry to bang on about Carsten, I’ve never met him and have no working relationship with him but this is the perfect example of how to write, deliver and add function to our community. If any of you know Carsten please give him a huge IBM i hug from me!
Zipping files in older versions of IBM i
If you are not yet running v7.x of IBM i, then firstly let me remind you that you're running on an unsupported version of the operating system, but you are not totally out of luck.
If you like QSHELL then you can always use the Java Archive (JAR) command. If you like your command line environment to be a little more normal, then just google IBM i Zip commands and it won't take you long to find functions like the ZIP/UNZIP commands created by Giovanni B. Perotti, which run on systems from v5.2 onwards.
Nice to see you
It was great to see so many of you at the i-UG event at the Norton Grange, in Rochdale. We will repeat that event with the same agenda in Central London at Arrow ECS’s offices in the Royal Exchange on Thursday 3rd March. Hope to see you there, more details and registration available at www.i-ug.co.uk