MQ Password/CHLAUTH research – Exec Summary

As of v8.0, MQ can now natively validate user IDs by checking the password against the operating system or LDAP. Checking against a Pluggable Authentication Module (PAM) was added in v8.0.0.4. Prior to v8.0 it was necessary to use a channel security exit to perform password-based authentication over SVRCONN channels. With MQ v8.0 and later, password-based validation is natively supported and integrated with CHLAUTH rules.
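As an added illustration of the mechanism described above (this is example MQSC, not configuration from the original post or from any of the engagements it mentions), the following shows a baseline v8 setup: an AUTHINFO object that validates passwords against the OS, the queue manager pointed at it, and CHLAUTH rules on a SVRCONN channel that deny by default and then admit a known subnet only with a validated password. The queue manager objects, channel name and address range are constructed placeholders. The post's subject is precisely that the interplay between CHCKCLNT on the AUTHINFO object and CHCKCLNT on individual CHLAUTH rules has varied between versions and fix packs, so the DISPLAY commands at the end are the check to run on whichever level you are on.

```mqsc
* Added example, not from the original post. All names and addresses are placeholders.

* 1. Define the AUTHINFO object that tells the queue manager how to validate passwords.
*    AUTHTYPE(IDPWOS)   = check against the operating system (IDPWLDAP would use LDAP).
*    CHCKCLNT(REQUIRED) = every client connection must present a valid user ID and password.
*    CHCKLOCL(OPTIONAL) = local bindings applications may supply one; if they do it must be valid.
*    ADOPTCTX(YES)      = the validated user ID becomes the identity used for OAM
*                         authorization checks, instead of the ID the client asserts.
DEFINE AUTHINFO(EXAMPLE.IDPWOS) AUTHTYPE(IDPWOS) +
       CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL) ADOPTCTX(YES) REPLACE

* 2. Point the queue manager at that object and make the change effective.
ALTER QMGR CONNAUTH(EXAMPLE.IDPWOS)
REFRESH SECURITY TYPE(CONNAUTH)

* 3. CHLAUTH rules for the channel. The most specific matching rule wins
*    (BLOCKUSER, then SSLPEERMAP/USERMAP/QMGRMAP, then ADDRESSMAP, then BLOCKADDR).
*    Deny every address by default ...
SET CHLAUTH(APP1.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Default: deny everything') ACTION(REPLACE)

*    ... then admit the application subnet, keeping the password-validated user ID
*    (USERSRC(CHANNEL)) so authorization sees the real caller, not a mapped MCAUSER.
SET CHLAUTH(APP1.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('10.1.2.*') +
    USERSRC(CHANNEL) CHCKCLNT(REQUIRED) +
    DESCR('App subnet, password required') ACTION(REPLACE)

*    Keep administrative IDs off this channel even when they present a valid password.
SET CHLAUTH(APP1.SVRCONN) TYPE(BLOCKUSER) USERLIST('*MQADMIN') +
    DESCR('Block privileged users') ACTION(REPLACE)

* 4. Verify what is actually in effect on this queue manager and fix pack level.
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(EXAMPLE.IDPWOS)
DISPLAY CHLAUTH(APP1.SVRCONN) ALL
```

Run the script with runmqsc against the queue manager, then confirm with the DISPLAY output that the AUTHINFO attributes and each CHLAUTH rule show the values you set; a client test connection from outside 10.1.2.* should be refused, and one from inside it should be refused until it supplies a password the OS accepts.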

This has been a widely anticipated feature so it came as no surprise that implementing it was among the requirements on each of my several most recent consulting engagements. What was surprising, however, is that over time I noticed that techniques I'd used at one client for combining CHLAUTH with password-based authentication didn't seem to work at the next. The first time I noticed this I wrote it off as having taken poor notes. The second time, though, led me to undertake a comprehensive analysis on a per-version and per-fix-pack basis.

This post and accompanying materials are an executive overview of the findings and recommendations.  More detailed findings will be posted shortly.  My priority in this initial publication is to introduce the issues and outline the recommendations for safely using the new features.


Knowledge Center corrections

Keen-eyed observers will have noticed that the MQ and IIB Knowledge Centers now have a floating "Contact Us" overlay at the bottom-right of the page. There's a bit of history there but, long story short, for a while there was no connection from the KCs to the tech writer team.

Morag and I have been lobbying behind the scenes to get KC error reporting reinstated.  Not long ago there was a web form that pre-filled the URL of the page being reported.  Then there was per-page commenting online, then nothing at all.  For a brief time Morag and I had confidential internal email addresses with which to report errors and request updates but were advised not to publish them.

So I’m happy that we now have an official means to do so.  The new overlay panel opens an email addressed to ibmkc at ibm dot com when you click it, but the URL is no longer captured for you.  When I tried reporting something to that email address I received back a human-written reply saying my request had been forwarded to the appropriate team, and copying the internal emails I’m not supposed to give out.  Which is what I assume will happen should you submit a report.

Since we are now using a common reporting point for KC updates, I’d recommend a few things to help the routing along:

  • Put the product name in the subject line.
  • Put the URL you are reporting near the top of the email. Unlike previous versions of the IC and KC that were in HTML frames, the URL in the browser address bar is now kept current as you move from page to page.  Copy that and paste into the email.
  • The slug (i.e. the “bq28120_” bit before .htm in the URL) is a lot less reliable across product versions due to significant restructuring of the content. Used to be great as a search key, not so much anymore unless you know which KC version it lives in.  Please don’t send bare slugs.
  • I’m told that it is better to put small, atomic updates in each email rather than combining them. That makes it easier for a tech writer to tackle them than if he or she has to deal with a list of 20 things in a single email.

My lobbying pitch was that the ability of the community to drive improvements back into the docs is essential.  There’s no “Missing Manual” book for MQ in part because we’ve all helped fix the manual. I’m very happy that we can do so once again.


News and updates

This is a quick note to tell folks a bit about my virtual absence of late, current events and plans for what’s coming up.

Whatever happened to…

I’m not exactly a candidate for VH1’s Where Are They Now but I do feel I need to provide a bit of explanation for the long absence.  If you follow me on Facebook you already know I’ve had the Year (and a half) From Hell during which the list of things going wrong never quite stopped growing.  Many of these things were solvable with money, such as household appliances, heating/aircon, and roofs failing, trees falling over, etc.

Unfortunately, family health issues have been high on that list and I've been alternating between providing support and being the patient. It wasn't severe enough to impair my work but for a while the work was all I had energy to do. We seem to have identified two root cause issues that had been spinning off into a variety of other seemingly unrelated ailments. It came on so slowly I didn't realize how much I'd been affected, but once we identified and resolved the issues it was like stepping out from thick fog into clear sunshine.

As you might expect, I’m anxious to get back into the swing of things here, on the list server, with the IMWUC and more.

Current events – SWIFT Alliance attacks

If you are in any of the banking or financial services industries, you've probably heard about a campaign of sophisticated attacks against SWIFT Alliance members. The attacks are of sufficient concern that the SWIFT Alliance have issued an advisory calling on members to "urgently review controls in their payments environments, to all their messaging, payments and ebanking channels." The Alliance characterizes the attacks as "clearly a highly adaptive campaign targeting banks' payment endpoints".

There is always a tension between the need to disclose and the possible damage of over-disclosure, and I applaud the Alliance for the level of detail in their advisory. However, it's an evolving situation and other sources have provided additional background. A Washington Post article reported on interim findings of the post-breach investigation by cybersecurity firms FireEye Inc. and World Informatix, which described it as "the sort of thorough operation often mounted by nation-state hackers." The report goes on to explain that "malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers."

As a consultant, I have a vested interest in whether readers take this seriously and when the stakes are high it can be difficult to distinguish between level-headed analysis versus exaggerated claims meant to sell through fear.  For this reason I’ve purposely not injected my own analysis and instead I’ll make a few observations based on the reported facts and let you draw your own conclusions:

Reported facts include:

  • The Bangladesh Bank attackers used insider credentials and had sufficient insider knowledge of multiple internal bank systems to tailor malware specifically for that institution’s environment.
  • They achieved this level of sophistication before they scored an $81M payday.
  • This was the latest in what has been described as a campaign specifically targeting SWIFT Alliance member institutions.

What would you conclude based on this?

  • Is it safe to assume the same group with an $81M bankroll will now invest heavily in their attack tools and methods in order to be even more effective with similar high value attacks directed at other SWIFT Alliance members?
  • Should we assume that a successful theft of $81M in a single attack will inspire copycats, and expect increased malicious activity against payment systems originating from many new sources?
  • More importantly for readers of this blog, should we assume that whatever bar we’ve set in our organization for MQ security is high enough in light of these developments?

I’ll be posting specific recommendations for MQ and SWIFT over the next few weeks.  Obviously, I’m also happy to work with you directly to review, assess, and possibly remediate or enhance the MQ security of your SWIFT Alliance or any other critical systems.  I’ve cleared my calendar to focus on MQ security for SWIFT and have availability beginning in a few weeks.

On the whole, the MQ community has improved the level of security as practiced and deployed over the years, but up to now we've gotten away with working under the assumption of a non-hostile environment. MQ hasn't been battle tested to the level of HTTP or JEE servers. If this is to be MQ's debut as a primary target, perhaps by working together we can meet that challenge better prepared.

Site migration – Whoops!

Due to recurring email issues, I moved from Siteground hosting to Site5 hosting a while back. The email issues are resolved but Site5 doesn't support Let's Encrypt certificates while Siteground does. Perhaps someday I'll find a web host that provides all of the features I need.

In the meantime, I discovered that the site migration tool I used copied only the contents of the databases and not the directories of static content.  Therefore, most of my presentation content, scripts and other assets that were locally hosted are missing.  I guess the good part about my absence is that without new content to drive traffic, hits here have gone way down and nobody alerted me with a complaint about the missing files.

I’ll be re-posting all that content as time allows.  If there’s anything in particular you need that isn’t there, feel free to ping me and tell me which files you are looking for and I’ll upload them ASAP.  All the original URLs should continue to work when the content is re-posted, although I may set up some redirects and move some content to Slideshare or YouTube.

MQTC sessions

MQTC is fast approaching and, thanks to the aforementioned illnesses, I haven't yet submitted session abstracts. I've asked the MQ list server and I'll pose the question here as well:

What’s your “chronically absent,” most wanted, least offered MQ conference session?

Though MQTC has corporate support from Capitalware, IBM and many sponsors I think of it as our conference.  A bunch of us wanted something with more technical content and more focused on MQ than IBM’s brand-wide IMPACT and with Roger’s leadership made it happen.  But we’ve picked content for MQTC like any other conference – submit session ideas for selection.  True, measurable demand for the selected sessions isn’t really apparent until people show up – or not – in the room.  At many conferences this leads to speakers presenting to near-empty rooms.

I do not imagine turning MQTC into an Unconference where the agenda is set each morning but it seems like more community input could make the event even more valuable to attendees.

What do you think? If the content selection process were more open, would you participate?  Would you like a slot or two that is filled based entirely on community choice?  Add your nomination for “chronically absent,” most wanted, least offered MQ conference session in the comments or send them to me on Twitter and let’s see what happens.


If you can read this…

…we are back up at the new web hosting service, Site5!


MQTC Sessions and downloads posted

My sessions and downloadable scripts from MQTC 2.0.15 are now up on the Links page.


Meet the Bat-O-Meter!

Heard about the Bats of A Feather contest at MQTC? If so then you knew contestants get 3 minutes each to talk about their best (worst?) IT story vying for awesome prizes. But what you didn't know, until now, is that it won't be me or Roger sitting there with a stopwatch informally timing contestants. You deserve some accountability and a fair contest. That's why I built the Bat-O-Meter, which has a countdown clock on either side so the speaker and the audience can see how much time is left. These are premium prizes y'all and we're not taking any chances on mucking up the timing.

Although I suppose I’ll be taking chances trying to get this thing through the TSA checkpoints at two airports.  Ahmed Mohammed built a clock and got suspended from school and arrested but at least it walked like a clock and talked like a clock.  This is a countdown timer that chirps on each of the last 10 seconds and then buzzes when it gets to zero to alert the speaker their turn is up.  For those who cannot tell the difference between bombs and other stuff, a countdown timer probably looks more dangerous than a clock.  It doesn’t help that it has a giant lighted arcade button with which each speaker starts their turn.

After pondering for a while the issues with getting this through the TSA checkpoints, I had one of those ah-ha moments that will, I am completely sure, solve the problem.  I programmed it so that on powering up the device it flashes 12:00 like every other digital clock in the history of digital clocks.  Nothing says “clock” like that annoying 12:00 flashing at you to indicate power loss.  I’m sure I’ll have nothing to worry about.

Guts of the Bat-O-Meter

Unless they want to look inside.  It’s like I totally forgot how to solder since I was a kid and the board has lots of burn marks, cold solder joints and sections I screwed up so badly that I just abandoned them and moved to a different part of the board to start over. See that piezo buzzer toward the center left of the board?  I fried it and rather than desolder it I abandoned it in place.  The gray box at the bottom left of the enclosure is the new buzzer and it is really loud and annoying.  Contestants should be glad the judges do not have their own buzzers.  (Although that would not be hard to do for next year…)

In any case, wow does that look nasty.   But it gets the job done.  Will I be able to get it through the TSA checkpoint in Charlotte?  You will have your answer a week from tonight when you see me – or not – at the Registration & Welcome social from 5PM to 8PM.


Time for MQ to get serious about instrumentation and admin. Again.

Outstanding RFEs and feature requests have been a hot topic on the MQ list server of late.  Looking at the RFEs that have been posted and discussed, there’s a general architectural requirement many of them seem to have in common: Better support for administration and auditing.

It’s tough to ding IBM for lack of instrumentation in the product and I remember well a concerted and very public campaign to gather user experience feedback a few years back. There is considerable instrumentation in the product and that’s a Good Thing. Thanks, Hursley team and MQ management!

However, it is only recently that MQ users have been enabling security at scale, and many of the new security features are driving changes in usage patterns. Much of the demand for instrumentation stands apart from security, but much of it is directly related: as the security implementations ramp up, previously latent requirements for instrumentation and administration become newly visible, and in that light many gaps have emerged. The need is urgent given rapidly evolving market requirements, and both customers and IBM will need to reevaluate their enhancement priorities. We can't assume priorities carry over from the last release.

Just as MQ approached what might be considered a well-developed set of administrative and instrumentation function, the market requirements evolved to make those look anemic. In light of ubiquitous breaches and more stringent security requirements, MQ needs a lot more admin and instrumentation functionality if we want to do things like prove to an auditor that the system wasn’t penetrated and have any confidence whatsoever when we say that.

Given recent developments with breaches, evolving attacks, and vulnerabilities now being discovered in deep infrastructure code like OpenSSL, that is to be expected. Furthermore, I know the MQ management team are aware that these requirements are emerging, and the reasons why, because I campaigned for them during my time as MQ Product Manager.
