Malware on IBM Power Systems: What You Need to Know Security Boulevard
Welcome to another edition of Talsco Weekly
News: No Plan To Bring .NET To Power, IBM Says.
Career: Developers are burned out.
Leadership: IBM on the Evolving Role of the CIO: Interview with Kathryn Guarini, CIO of IBM.
Modernization: What is the IBM i and is it worth it?
Programming: Code your first React UI app.
Training: How Education Can Save Your Company Money.
“IBM says it currently has no new projects underway to get .NET to run on Power.”
“What’s more, existing efforts to run .NET applications on IBM i that have been backed by Big Blue have apparently drawn very little interest from the vendor community.”
As usual, IT Jungle has put together a fairly comprehensive article detailing the union of .NET on the IBM i.
In summary, “IBM is making headway in helping IBM i and .NET applications come together. It just isn’t likely to be delivered as .NET running directly under IBM i or on Power.”
“An overwhelming number of developers believe business leaders need to prioritize simplified development processes, according to the report, with 94% agreeing that internal processes, tools or culture are necessary to their feeling safe about taking risks to deploy updates.”
One report shows that “more than 6 in 10 (61%) say their companies’ cumbersome development processes are barriers to innovation.”
“The chief information officer (CIO) has always balanced a variety of IT and business leadership responsibilities. As more enterprise technologies become enmeshed in customer and employee experiences, though, the role of the CIO is expanding and evolving to meet stakeholder expectations.”
Here is an interview with IBM’s CIO, Kathryn Guarini. She has an interesting take on the role of the CIO at IBM and what’s next for the future.
“She also describes the current trends and the projected future of the CIO role, how the CIO can use their influence to affect meaningful organizational change, and how aspiring leaders can start building their skills for the future of IT.”
A reader writes into Nick Litten, asking the following question:
“I have been interested in IBM i for some time now (and z/OS). I even went so far as to buy a Power7+ 2u system for my home lab… only to find out the high pricing of IBM i licensing. Do you really feel the price is justified?”
Let’s cover some of the basics.
This article will take you through the following steps.
Coding a UI from start to finish
Set up a Proxy
Rendering the function
Web Apps & API’s
Keeping your IBM i Developers up to date is one of the most important things you can do as a manager of an IT organization.
“Just about every business is looking for ways to save money, create resiliency and improve their business processes.”
One of the most cost-effective strategies is to make sure your RPG Developers are taking advantage of modern RPG development practices.
Upskill your seasoned RPG developers
Train your new Developers
“Keeping your employees educated on IBM i will help your company take advantage of IBM i’s modern features, such as the RDi development tool. Your developers will be able to easily modernize your system and improve project completion capabilities. This can save your company money by reducing issues that arise from lack of knowledge, time constraints or staffing. Up-to-date training will arm your employees with everything they need to move your company into the 21st century.”
The post Talsco Weekly: IBM i Career, Modernization and RPG Programming appeared first on IBM i (AS/400, RPG) Recruiting, Staffing & Consulting.
In 2021, a company was hit by ransomware every 11 seconds. And there are no signs of the intensity or the frequency of attacks slowing down – these cyber threats are only becoming more sophisticated. Unfortunately, many companies are still not ready to defend against these threats – a recent penetration testing (pen testing) study reveals that cyber criminals can penetrate 93% of company networks. Instead of crossing our fingers and hoping to be in that 7%, we should be focusing on learning as much as we can about how to protect our systems better.
Security on the IBM i is a complex topic and it demands the same care that we dedicate to programming it. More than a few companies have found out the hard way that applications are not much good if they are not secure. Making this rather big change in perception can help IT organizations prepare to defend their systems effectively. Nearly 50% of IBM i shops have little to no security knowledge and skills – more often than not, the ‘security guy’ retired 5 years ago and nobody’s been paying attention to it since. “Can my IBM i really be hit with a virus?”, “Can it be hit with ransomware?” – these are the questions that are regularly raised by clients. If that is you, this article will hopefully be able to guide you on where to go from here.
One of the top threats we face today is phishing – over 40% of ransomware attacks are from phishing schemes. Other significant threats include exploitation of remote access (comprising another 40% of all attacks), software vulnerabilities, and an abject lack of internal training. So, how do these relate specifically to the IBM i? Network exposures are valid threats on the IBM i – just because your IBM i is behind a firewall does not mean that it is safe from internal OR external network threats. In many cases, objects and IFS files & directories are overly exposed, leaving valuable data completely unprotected. The tools that IBM i has given the system are not properly implemented and the configuration that’s available to protect the data is usually not set. Many IBM i shops also tend to have multiple (if not all) profiles with all object authority, a permission configuration that should ideally be given to very limited profiles and then very carefully managed.
Viruses can penetrate the IBM i. While the system uses the EBCDIC character format and viruses that hit Windows and similar systems are typically in ASCII format, it is important to consider what “penetrate the IBM i” actually means. If your network layer is not secure, especially your socket exit point, it means that viruses can reside in your IBM i in the Integrated File System (IFS) and infect your corporate network from there.
QSYS.LIB is also a part of the IFS, which is just like a Windows directory structure that is not in EBCDIC. Data can get corrupted – data that is found in QSYS.LIB is part of that structure and can therefore be changed, corrupted, damaged, or even deleted. So, if someone has unauthorized access to it, by hand or via malware, it can cause significant damage – hence the urgent need to secure the IFS.
There are two basic questions to ask when you’re securing your network:
Do you know who is connecting to your system?
Do you have the ability to block unwanted network connections?
It is very common to see users with unrestricted all object authority to objects, files, programs, and data areas. Years ago, the only way to sign on was through what we call the front door. We depended on menus to control access to the files, programs, and data areas – the user would sign on and the access to the files and programs was governed by the initial menu user parameter, and the application had restrictions on what could be accessed at the menu level. However, this is probably a lesser used way of signing onto the system now. There are many remote servers that are active by default, connecting people to applications on IBM i, as well as socket connections through web servers and SFTP.
The FTP, database, file, and remote command servers continue to run every day, but, by default, there is no logging or monitoring of these types of access. If you have socket communications enabled, they bypass the exit points of the remote servers. When applications connect through socket APIs (aka the lower layers), they bypass the traditional exit programs or points that some people may have secured already. It is important to understand that a lot of things can penetrate at this lower level, rather than at the typical or traditional exit point level.
If a user who has all object authority no longer has a menu configuration that restricts access to the system, anybody can still access the data. If there’s no menu to control access, there is nothing preventing this user or the threats that come with it – whether that is J. Smith coming in through a socket connection and accessing the data, or malware that got onto J. Smith’s laptop and is now trying to make a socket connection to the data on the IBM i platform. There are no gatekeepers or checks to monitor and secure these types of access. IBM i does have the infrastructure to help with this, but there are no default audit trails or security.
The solution to this is exit programs. Using the FTP remote server as an example, if an exit point is configurable for any remote server, an exit program (user-written programs processed when an exit point is invoked) can be installed on it. When a remote request is made to a server on the IBM i OS, the exit program is processed before the request is executed. In the exit program, you can choose to approve or reject the request to access the data. Essentially, whether it’s J. Smith or ransomware/ malware that got on his system, the request will be evaluated, offering you a chance to audit the request. Additionally, you also have a trail of what is happening and the ability to see who is accessing your system.
Note: You can see a list of the exit points available on the IBM i in the registration information.
There are different types of exit points and not every exit point is a remote server exit point or applicable to network traffic. For the ones that are, if you don’t see file server FTP, the socket layer, or an exit program, that means that they aren’t secure. Additionally, if you see an unfamiliar program there, it might be a vulnerability – it is well worth your time to figure out what specifically it does.
They connect through a special type of exit point that is not a remote server exit point. With more open-source system programs and tools on the IBM i platform, a lot more is available through the PASE environment on the IBM i and clients like PuTTY that use SFTP transactions. They use connections to the IBM i at the socket layer.
To illustrate how this is relevant, let’s consider this hacking attempt. A system administrator had configured TG Detect to send alerts when there was a failed socket transaction – at one point, he got a lot of alerts but couldn’t figure out who was trying to access the IBM i system. We used TG Secure and network security to implement exit programs and see the incoming transactions that show their IP address. Turned out, the IP was his own. A vulnerability scan on his Windows machine revealed malware. The alerts made sure that he had the chance to clean up the malware and prevent the rest of the system & network from being infected. This attempt was through SFTP, which is why it is very important to monitor this traffic.
The incoming transactions screen in TG Secure shows how much data is collected when you have an exit program installed on an exit point. One of them is the database server: when a transaction comes in, you know which IP address it came from, the function that happened, and how many times the transaction occurred. It also shows you that the transaction passed, what object was accessed, and the timestamp of the transaction. With exit programs, you can pass or fail transactions, i.e., create rules to allow or deny the traffic that’s collected. It is imperative that you monitor everything that’s coming in. If you’re monitoring socket connections, for these types of connections to be collected, you want to have the QAUDLVL system value set to include *NETCMN, *NETFAIL, and *NETSCK.
It is possible to manually write exit programs, but it can be quite time consuming. In the long run, it is best to automate what you can on such complex systems and exit programs are no exception – automating this can make sure every critical exit point you have is (and remains) protected.
Your IFS can be extremely vulnerable, so ideally you should block or at least monitor and track connections made to your IBM i via all remote access points. Additionally, pay attention to the public authority settings for your IFS folders and the permissions on the files within them, and monitor the IFS for authority changes. It can seem like a massive task for some organizations, but it is not unachievable. Understanding what your permissions are in the IFS is the first step – go to a command line, type WRKLNK, and select option 9 to work with authorities. You should be able to see all the permissions available for the directory that you are in. You can also go into the QSHELL environment and run ls -l to list the permissions and ownerships in the directory listing. It will tell you what type of item it is (a file, directory, symbolic link, etc.) and the read, write, and execute permissions for the owner of the item, the group, and then others (*PUBLIC). It is important to make sure that *PUBLIC cannot read, write, or execute on your root directory – it goes without saying that if there is a ransomware attack on your system and the root is open, the ransomware has complete access to your root and can corrupt your entire IFS.
As discussed before, there are different ways (like socket connections, remote server connections) to access data on the IBM i. Even if you don’t have drives mapped to the IFS, the data can still be accessed – a prime example of how an application can bypass the file server would be SFTP.
Secure Your IFS
One of the most important actions you can take today is to configure the permissions on your IFS carefully – *PUBLIC should not have read, write, or execute for sensitive data. Lock down your root directory and spend the time to analyze the permissions available, and then implement that security scheme. To implement strong IFS permissions, you can use the CHGAUT (Change Authority) command and set data and object authorities there. You can also use QSHELL commands to resolve authority issues. To change permissions on a file or directory, use ‘chmod’; to change its owner, use ‘chown’.
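One way to run the ls -l check described above across a whole directory tree and then remove *PUBLIC access with chmod, as an added example that is not part of the original article. The function names and the sample tree are constructed for illustration, and it assumes a POSIX shell such as QSHELL or PASE.

```shell
#!/bin/sh
# Added example, not from the original article: list IFS entries that the
# "others" permission class (*PUBLIC on IBM i) can reach, then lock them down.

# public_risk TRIPLET: classify the last three characters of an ls -l mode string.
public_risk() {
    case "$1" in
        --[-T]) echo NONE ;;    # "T" is the sticky bit without execute
        ?w?)    echo WRITE ;;   # *PUBLIC can change or delete content
        *)      echo READ ;;    # read and/or execute only
    esac
}

# audit_public DIR: print "RISK MODE OWNER PATH" for every entry under DIR
# (DIR included) that grants *PUBLIC any access. Symbolic links are skipped
# because their own mode bits do not control access to the target.
audit_public() {
    find "$1" ! -type l | while IFS= read -r path; do
        line=$(ls -ld "$path" 2>/dev/null) || continue
        mode=$(printf '%s\n' "$line" | cut -c1-10)    # drops any ACL marker in column 11
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        risk=$(public_risk "$(printf '%s\n' "$mode" | cut -c8-10)")
        [ "$risk" = NONE ] || printf '%s %s %s %s\n' "$risk" "$mode" "$owner" "$path"
    done
}

# count_public DIR RISK: number of entries under DIR at the given risk level.
count_public() {
    audit_public "$1" | awk -v r="$2" '$1 == r {n++} END {print n+0}'
}

# lock_public DIR: remove read, write and execute for *PUBLIC below DIR.
lock_public() {
    chmod -R o-rwx "$1"
}

# build_sample DIR: constructed sample tree with known modes (not real data).
build_sample() {
    mkdir -p "$1/payroll" &&
    : > "$1/payroll/salaries.csv" &&
    : > "$1/readme.txt" &&
    : > "$1/private.key" &&
    chmod 755 "$1" && chmod 777 "$1/payroll" &&
    chmod 666 "$1/payroll/salaries.csv" &&
    chmod 644 "$1/readme.txt" && chmod 600 "$1/private.key"
}

# Usage as a script: sh audit_public.sh /path/to/directory
if [ -d "${1:-}" ]; then
    audit_public "$1"
fi
```

Review the audit_public output for a directory before running lock_public on it, in line with the advice above to analyze the permissions first and then implement the scheme.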
Automation with TG Secure
The resource manager within TG Secure offers the option to configure authority schemas, making it easier for you to set up IFS authorities.
You can sort through authority collection data to identify the least privileged model for your system, to know what the minimum required authorities are for operating an application.
It can also generate authority compliance reports – it will show you the current value and the expected value for each item in the scope of the schema. It’s a great way to see what the current authority is and what it should be. You can also automatically enforce them through authority schemas.
In summary, to defend your servers and IBM i against internal and external threats, it is important to monitor and secure your system, especially network access for remote servers and socket connections, with exit point programs. There is no default monitoring for remote connections, so permissions of files and directories in the IFS must be configured securely and monitored regularly to protect your business data.
For anyone who is just getting started with security, have a free security assessment done on your system to understand the state of security on your IBM i server. If you are a little bit more advanced, download the free trial to all the tools within TG Security Suite for 30 days and run some reports on your system. These tools allow you to collect the least privilege model information for your system and generate report cards that give you a good idea of where you stand. You can also watch this on-demand session on IFS and Network Security, featuring live demos of TG Security Suite.
The first IBM i software appeared at the end of the last century. However, despite the rapid development of information technology and the creation of modern applications, IBM i software is still quite popular. Companies that use legacy applications should modernize them to meet today’s business needs to make use of benefits like enhanced security. In this article, we will explain what application modernization strategies exist and how they work so that you can choose the ones that are right for you.
What Is IBM i Software?
IBM i is a flexible and stable operating system developed by IBM. It was released in the late 1980s but is still very relevant due to its high security, high performance, and easy deployment and maintenance. Different companies can use IBM i software for a variety of purposes. However, it is very effective for data-intensive tasks such as ERP systems, manufacturing, etc.
Why Do You Need to Modernize IBM i Software?
IBM i software is still widely used and critical to business. Creating equivalent new applications is a very complex and expensive process, which is why companies use legacy applications. However, with ever-growing and changing business needs, as well as the rapid development of new technologies, the use of legacy applications can cause a lot of problems. Among them are:
Lack of skilled professionals who can work with old technologies to support legacy applications.
Difficulties of integration with modern applications.
Lack of an easy way to innovate.
Inability to scale to meet growing business needs.
High maintenance cost.
You can solve all of these problems by modernizing legacy IBM i software.
Which Techniques Can Be Used to Modernize IBM i Software?
Legacy application modernization is the process of transforming an original application into a new one using the latest technology and in response to changing business conditions. There are different techniques for modernizing applications, which we can divide into several types. Using several different groups of modernization techniques is more useful than using only one. Below, we will explain app modernization techniques, how they work, and how they change the original applications.
1. What Is Screen Scraping?
This modernization method takes the original screen and presents it in a new graphical format as an application or in a browser. At the same time, the old application works without changes. The screen scraping technique allows you to intercept green screen instructions from legacy applications and adapt them to the new type of display. This method only provides upgrades at the presentation layer though it does offer automation as a possible opportunity as well. The principle of the application does not change.
2. What About Adding A New User Interface?
The method of adding a new user interface allows you to expand the content available on the screen and change the way parts of the screen are displayed. In addition, programmers create scripts that recognize screens, their purpose, and content. This allows you to turn the original screen content into a new presentation. For example, you can turn a green screen into a browser. Scripts can manage the moving process from one screen to another. They can hide and/or add the content of the screen. Although this method allows you to create a modern user interface, the processes and events in the legacy application remain the same.
3. Can Business Functions Be Exposed As Callable Services?
IBM i software performs business functions that are difficult to use by other programs. Exposing legacy applications as callable services solves this problem. Callable services store business functionality and make it available to other applications. Other programs can use these services by calling remote procedures and/or by exchanging messages. This modernization technique examines legacy applications and defines business functionality. After that, web programmers create services using modern software development tools. When other applications need to use a business function, they call a web service that executes the corresponding business function in legacy IBM i software. This allows you to reuse business functions in other applications.
4. Is Migrating The Application An Option?
Migration is a technique that allows you to move blocks of functionality from a legacy application to other applications. Application migration applies the upgrade to business functions, not to the entire application. This method allows you to gradually upgrade the most important functions.
5. What About Re-hosting Or Outsourcing The Application?
Re-hosting allows migrating legacy applications to a different computing platform. At the same time, legacy applications and their environments work without changes, but the main computer equipment and operating systems are new. The re-hosting method allows you to abandon old equipment and operating systems. After applying this method, you can use other modernization techniques to modernize the actual application. The outsourcing method does not change the legacy application. An outsourcing company performs the operation, maintenance, and update functions. This method is useful when you need your in-house team to develop a new application. The in-house developers will not be distracted by the support of the old application, since this is done by an outsourcing company. Re-hosting and outsourcing can be used separately or complement each other.
6. Should We Rewrite The Application?
The rewriting technique allows you to create a new application using modern software development and deployment tools. When you create a new application, you use the features of the legacy one to implement equivalent features using a modern programming language. Rewriting allows you to create a modern application architecture using design patterns. This method provides you the ability to keep the functionality of IBM i software while converting it to modern technologies.
7. Is Replacing The Application A Good Option?
Replacing the application is the creation of a new application instead of using an outdated one. In this method, only the data from the legacy application is used in the new one. The disadvantage of this method is the risk of disrupting business operations during the transition. In addition, new systems are more expensive and take longer to implement.
https://www.youtube.com/watch?v=7t6a3ZSdKgg
Why Should You Choose LANSA to Modernize IBM i Software?
LANSA is a powerful and efficient solution for the modernization of IBM i software. It provides several different tools that complement each other.
Visual LANSA is a platform for rapid application development with minimal code. It allows you to create mobile, web, and desktop applications.
RAMP (Rapid Application Modernization Process) is a tool that allows existing functionality to be combined with new capabilities. It lets you build the applications you want without having to throw everything away. Modernization is carried out in stages, and the user interface becomes the same for all applications.
aXes is a tool that automates the process of building IBM i web applications. With aXes, you can easily convert your existing IBM i 5250 applications into web pages without changing the source code.
Using LANSA tools allows you to innovate faster. With them, you can create flexible, efficient, reliable, and modern business applications that support cross-platform or flexible deployment and integration. LANSA tools are easy to learn. They help modernize and streamline the application development process. Install the trial version of LANSA and start using all the possibilities it provides to modernize your applications.
The post Which Techniques Are Used In IBM i Software Modernization? appeared first on LANSA.