Pen Tester Silent Signal Targets IBM i
September 28, 2022 Alex Woodie
If you’re in the market for penetration testing services, you might be interested in hearing about a relatively new player in the market named Silent Signal. The Budapest, Hungary-based outfit has been offering IBM i penetration testing for the past year, and it’s already found security vulnerabilities in its clients’ systems.
Silent Signal has been providing penetration testing, IT security assessments, and training since it was founded by a trio of security experts in 2009. With around a dozen security certifications to their credit, the security experts are well versed in the standard methods companies use to block hackers and cybercriminals from compromising systems. By adding ethical hacking to the mix, Silent Signal looks for non-traditional routes to compromising systems.
According to one of the co-founders, Balint Varga-Perke, the company made the decision to open an IBM i penetration testing specialty last year based on their experience with the booming sub-sector of security services.
“We started the [IBM i] research in 2021, primarily motivated by our pen test project experience,” Varga-Perke tells IT Jungle. “While there are some materials out there about testing the security of these systems, when facing real targets we realized that we can get beyond those quickly just by looking at the official documentation. Since we strongly believe in systematic approaches when it comes to security testing, we decided to create our own IBM i lab and testing methodology.”
The interest among IBM i shops was “immediate,” Varga-Perke says. The company was pleased at the interest in penetration testing services for IBM i, but they were not surprised.
“Our projects focus on what our customers – the users of IBM i – can get wrong,” he says. “This mainly involves identifying configuration issues allowing unauthorized access to data either from the ‘outside’ or across legitimate users.”
The IBM i is an enigma in some ways, as it combines excellent security protections in some respects but falls short in others. Specifically, Varga-Perke hailed the IBM i operating system’s object-oriented architecture, which he says provides “a strong foundation for security, because raw data can’t be accessed in arbitrary ways.”
While this approach enables “a high granularity of access controls, too,” that granularity is a double-edged sword.
“Precise declaration of rules is always important, but at the same time, the complexity can make people cut corners,” he says. “We see exploitable vulnerabilities arising from this all the time.”
When Silent Signal engages an IBM i penetration testing customer, the scope is always well-defined, which helps to minimize any risk involved “when using the systems in unexpected ways (which is basically what hacking is),” Varga-Perke says. “We don’t approach anyone saying ‘Hey, we found your green screen on the Internet and logged in with a weak password.’ We need authorization from the system owner to do anything.”
During penetration testing, the company simulates malicious actors with different levels of initial access to the target systems, he says. The goal is typically to obtain unauthorized access to data by discovering and exploiting security vulnerabilities. Based on the information it’s provided, Silent Signal’s hackers zero in on the areas that are most likely to be exploited, Varga-Perke says.
“In case of IBM i, we found that due to the complexity of the privilege system, a comprehensive configuration review can be a more suitable approach,” he adds. “In this case, we extract security configuration using a high-privilege user account, and use this data to uncover attack paths at scale, which is especially important for systems with a high number of users.”
Once the penetration testing is complete, Silent Signal issues a report that documents what it found, including how it exploited vulnerabilities to gain access to the system and what the client should do to remediate the problems, Varga-Perke says. In some cases, there will be more consulting work to help train the client on security issues.
“Having fixed the issues, we recommend our clients to run a ‘recheck’ where we do an additional round of checks to make sure that countermeasures are implemented correctly,” he says.
In addition to these client engagements, Silent Signal also conducts its own security research into IBM i, including the “low-level implementation of specific controls,” Varga-Perke says.
“We are particularly concerned about this area, as it only took us a couple of days to discover a critical vulnerability in a default service, and we could already confirm that at least some rumored design weaknesses are in fact present in the latest systems,” he says. “Because of the aforementioned secrecy, assessing the true impact of these issues is not trivial, and we are still in the process of preparing this information for sharing.”
The IBM i server is a relatively obscure system that is not found in the wild as often as it previously was. With that said, this “security through obscurity” is not something that should be relied upon, according to Varga-Perke.
“I’d also mention secrecy as a weakness: you can get all your controls right, if you can’t evaluate how these controls are enforced at a low level,” he says. “Other vendors learned the hard way that they can’t keep security-critical information secret for long, and they realized the benefits of opening up themselves for research. I believe IBM is lagging behind here.”
For more information on Silent Signal’s approach to hacking IBM i, check out its recent blog post.