News and updates

This is a quick note to tell folks a bit about my virtual absence of late, current events and plans for what’s coming up.

Whatever happened to…

I’m not exactly a candidate for VH1’s Where Are They Now but I do feel I need to provide a bit of explanation for the long absence.  If you follow me on Facebook you already know I’ve had the Year (and a half) From Hell during which the list of things going wrong never quite stopped growing.  Many of these things were solvable with money, such as household appliances, heating/aircon, and roofs failing, trees falling over, etc.

Unfortunately, family health issues have been high on that list and I’ve been alternating between providing support and being the patient.  It wasn’t severe enough to impair my work but for a while the work was all I had energy to do.  We seem to have identified two root cause issues that had been spinning off into a variety of other seemingly unrelated ailments.  It came on so slowly I didn’t realize how much I’d been affected but once we identified and resolved the issues it’s like stepping out from thick fog into clear sunshine.

As you might expect, I’m anxious to get back into the swing of things here, on the list server, with the IMWUC and more.

Current events – SWIFT Alliance attacks

If you are in any of the Banking or Financial services industries, you’ve probably heard about a campaign of sophisticated attacks against SWIFT Alliance members.  The attacks are of sufficient concern that the SWIFT Alliance have issued an advisory calling on members to “urgently review controls in their payments environments, to all their messaging, payments and ebanking channels.”  The Alliance characterizes the attacks as “clearly a highly adaptive campaign targeting banks’ payment endpoints.”

There is always a tension between the need to disclose and possible damage of over disclosure and I applaud the Alliance for the level of detail in their advisory.  However, it’s an evolving situation and other sources have provided additional background. A Washington Post article reported on interim findings of the post-breach investigation by Cyber security firms FireEye Inc. and World Informatix which described it as “the sort of thorough operation often mounted by nation-state hackers.”  The report goes on to explain that “malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers.”

As a consultant, I have a vested interest in whether readers take this seriously and when the stakes are high it can be difficult to distinguish between level-headed analysis versus exaggerated claims meant to sell through fear.  For this reason I’ve purposely not injected my own analysis and instead I’ll make a few observations based on the reported facts and let you draw your own conclusions:

Reported facts include:

  • The Bangladesh Bank attackers used insider credentials and had sufficient insider knowledge of multiple internal bank systems to tailor malware specifically for that institution’s environment.
  • They achieved this level of sophistication before they scored an $81M payday.
  • This was the latest in what has been described as a campaign specifically targeting SWIFT Alliance member institutions.

What would you conclude based on this?

  • Is it safe to assume the same group with an $81M bankroll will now invest heavily in their attack tools and methods in order to be even more effective with similar high value attacks directed at other SWIFT Alliance members?
  • Should we assume that a successful theft of $81M in a single attack will inspire copycats, and expect increased malicious activity against payment systems that originates from many new sources?
  • More importantly for readers of this blog, should we assume that whatever bar we’ve set in our organization for MQ security is high enough in light of these developments?

I’ll be posting specific recommendations for MQ and SWIFT over the next few weeks.  Obviously, I’m also happy to work with you directly to review, assess, and possibly remediate or enhance the MQ security of your SWIFT Alliance or any other critical systems.  I’ve cleared my calendar to focus on MQ security for SWIFT and have availability beginning in a few weeks.

On the whole, the MQ community has improved the level of security as practiced and deployed over the years but we’ve gotten away up to now with working on the assumption of a non-hostile environment.  MQ hasn’t been battle tested to the level of HTTP or JEE servers.  If this is to be MQ’s debut as a primary target, perhaps by working together we can meet that challenge better prepared.

Site migration – Whoops!

Due to recurring email issues,  I moved from Siteground hosting to Site5 hosting a while back.  The email issues are resolved but Site5 doesn’t support Let’s Encrypt certificates while Siteground does.  Perhaps someday I’ll find a web host that provides all of the features I need.

In the meantime, I discovered that the site migration tool I used copied only the contents of the databases and not the directories of static content.  Therefore, most of my presentation content, scripts and other assets that were locally hosted are missing.  I guess the good part about my absence is that without new content to drive traffic, hits here have gone way down and nobody alerted me with a complaint about the missing files.

I’ll be re-posting all that content as time allows.  If there’s anything in particular you need that isn’t there, feel free to ping me and tell me which files you are looking for and I’ll upload them ASAP.  All the original URLs should continue to work when the content is re-posted, although I may set up some redirects and move some content to Slideshare or YouTube.

MQTC sessions

MQTC is fast approaching and, thanks to aforementioned illnesses, I haven’t yet submitted session abstracts.  I’ve asked the MQ List server and I’ll pose the question here as well:

What’s your “chronically absent,” most wanted, least offered MQ conference session?

Though MQTC has corporate support from Capitalware, IBM and many sponsors I think of it as our conference.  A bunch of us wanted something with more technical content and more focused on MQ than IBM’s brand-wide IMPACT and with Roger’s leadership made it happen.  But we’ve picked content for MQTC like any other conference – submit session ideas for selection.  True, measurable demand for the selected sessions isn’t really apparent until people show up – or not – in the room.  At many conferences this leads to speakers presenting to near-empty rooms.

I do not imagine turning MQTC into an Unconference where the agenda is set each morning but it seems like more community input could make the event even more valuable to attendees.

What do you think? If the content selection process were more open, would you participate?  Would you like a slot or two that is filled based entirely on community choice?  Add your nomination for “chronically absent,” most wanted, least offered MQ conference session in the comments or send them to me on Twitter and let’s see what happens.

Posted in Events, News, Security, WMQ, WMQ Security

If you can read this…

…we are back up at the new web hosting service, Site5!

Posted in General

MQTC Sessions and downloads posted

My sessions and downloadable scripts from MQTC 2.0.15 are now up on the Links page.

Posted in Events, MQTC, News, Security, WMQ, WMQ Security

Meet the Bat-O-Meter!

Heard about the Bats of A Feather contest at MQTC?  If so then you knew contestants get 3 minutes each to talk about their best (worst?) IT story vying for awesome prizes.  But what you didn’t know – until now – is that it won’t be me or Roger sitting there with a stopwatch informally timing contestants.  You deserve some accountability and a fair contest.  That’s why I built the Bat-O-Meter which has a countdown clock on either side so the speaker and the audience can see how much time is left.  These are premium prizes y’all and we’re not taking any chances on mucking up the timing.

Although I suppose I’ll be taking chances trying to get this thing through the TSA checkpoints at two airports.  Ahmed Mohamed built a clock and got suspended from school and arrested but at least it walked like a clock and talked like a clock.  This is a countdown timer that chirps on each of the last 10 seconds and then buzzes when it gets to zero to alert the speaker their turn is up.  For those who cannot tell the difference between bombs and other stuff, a countdown timer probably looks more dangerous than a clock.  It doesn’t help that it has a giant lighted arcade button with which each speaker starts their turn.

After pondering for a while the issues with getting this through the TSA checkpoints, I had one of those ah-ha moments that will, I am completely sure, solve the problem.  I programmed it so that on powering up the device it flashes 12:00 like every other digital clock in the history of digital clocks.  Nothing says “clock” like that annoying 12:00 flashing at you to indicate power loss.  I’m sure I’ll have nothing to worry about.

Guts of the Bat-O-Meter

Unless they want to look inside.  It’s like I totally forgot how to solder since I was a kid and the board has lots of burn marks, cold solder joints and sections I screwed up so badly that I just abandoned them and moved to a different part of the board to start over. See that piezo buzzer toward the center left of the board?  I fried it and rather than desolder it I abandoned it in place.  The gray box at the bottom left of the enclosure is the new buzzer and it is really loud and annoying.  Contestants should be glad the judges do not have their own buzzers.  (Although that would not be hard to do for next year…)

In any case, wow does that look nasty.   But it gets the job done.  Will I be able to get it through the TSA checkpoint in Charlotte?  You will have your answer a week from tonight when you see me – or not – at the Registration & Welcome social from 5PM to 8PM.

Posted in Events, Humor, MQTC

Time for MQ to get serious about instrumentation and admin. Again.

Outstanding RFEs and feature requests have been a hot topic on the MQ list server of late.  Looking at the RFEs that have been posted and discussed, there’s a general architectural requirement many of them seem to have in common: Better support for administration and auditing.

It’s tough to ding IBM for lack of instrumentation in the product and I remember well a concerted and very public campaign to gather user experience feedback a few years back. There is considerable instrumentation in the product and that’s a Good Thing. Thanks, Hursley team and MQ management!

However, it is only recently that MQ users have been enabling security at scale, and many of the new security features are driving usage pattern changes. Much of the demand for instrumentation stands apart from security, but much of it is directly related and as the security implementations ramp up, previously latent requirements for instrumentation and administration become newly visible and in that light many gaps have emerged.  The need is urgent based on rapidly evolving market requirements and both customers and IBM will need to reevaluate their enhancement priorities.  We can’t assume priorities carry over from the last release.

Just as MQ approached what might be considered a well-developed set of administrative and instrumentation function, the market requirements evolved to make those look anemic. In light of ubiquitous breaches and more stringent security requirements, MQ needs a lot more admin and instrumentation functionality if we want to do things like prove to an auditor that the system wasn’t penetrated and have any confidence whatsoever when we say that.

Given recent developments with breaches, evolving attacks, and vulnerabilities now being discovered in deep infrastructure code like OpenSSL, that is to be expected. Furthermore, I know the MQ management team are aware that these requirements are emerging, and the reasons why, because I campaigned for them during my time as MQ Product Manager.


Posted in Events, IIB, News, Security, WMQ, WMQ Security

First inaugural Bats of a Feather

We’re trying something new at MQTC this year and if it goes well it may become a regular event.  Let us know what you think by voting and participating in the contest.  It’s conceived as a cross between the Birds of a Feather sessions from IMPACT and the slightly more subversive events that take place at Def Con.  We’re calling it Bats of a Feather and prizes will be awarded.

Update 9/14/2015: Prizes announced!

Ever wanted a Pebble Steel watch?  Your own quadcopter?  How about a Smartphone Controlled Paper Airplane?  Grab the mic and tell your MQ horror story and you may go home with one of these.  Save a bit of room in your suitcase!

Registered topics (so far):

  • MQ Lost my message (redux) – Glen Brumbaugh
  • Crazy high CPU usage on Z/OS after MQ clients updated to 7.5 – Linda Foley
  • Look, you can see the DR datacenter from here – AJ Aronoff

Don’t let Glen run off with the top prize uncontested! Tweet your topic title with hashtag #MQTCBATS to register, comment here with a topic, or email me.


Posted in Events, MQTC, News

Are messaging hubs an anti-pattern?

I have worked over the last decade with many customers who were consolidating their MQ footprint. It’s a familiar pattern – there are many queue managers, they tend to be lightly loaded, why not consolidate to a central hub? Now that many of the projects with which I have firsthand knowledge have been in Production for a few years some common patterns are emerging and they aren’t good.


Posted in General, WMQ