Entries Tagged as 'security'
New WMQ Channel vulnerability and interim fix announced
June 5th, 2009 No Comments
The IBM Internet Security Systems XForce team recently announced a buffer overflow vulnerability in WebSphere MQ client channels. According to the release, the vulnerability includes the possibility of remotely executing arbitrary code or “causing the application to crash.” It is not clear whether “application” in this case refers to the channel agent, channel pooling process [...]
Tags: News · security · WebSphere MQ · WMQ · WMQ Security
Deep Queue #11: Security breaches are not news?
May 25th, 2009 No Comments
The subject of the UC Berkeley data breach was discussed on the May 15th Security Squad podcast. The thing that struck me was that the breach itself was not the topic of conversation but rather the debate was about whether the breach was in fact newsworthy. If you are not familiar with it, 160,000 Social [...]
Tags: DeepQueue · Podcast · security · WebSphere MQ · WebSphere MQ Security · WMQ · WMQ Security
WANTED DEAD OR ALIVE: WMQ Security exits
May 15th, 2009 2 Comments
As you know, there are some security functions in WebSphere MQ that require an exit. By now everyone should be familiar with BlockIP2, the well-known channel security exit. But there are a couple of other requirements that a channel exit can’t meet. In this post I’ll describe what those are and post some specs [...]
Tags: Best Practices · design · security · WebSphere MQ · WMQ · WMQ Security
Wrapping up IMPACT 2009
May 8th, 2009 No Comments
Well, this is the last day of IMPACT. It’s always lightly attended as many folks take Friday as a travel day. I have one more session this morning though. It’s the WMQ ESE introduction. Overall the WMQ security sessions were well attended. Even the small rooms were large, compared to [...]
Tags: Conferences · Events · General · News · security · WebSphere MQ · WebSphere MQ Security · WMQ · WMQ Security
Update to MQ Security Heats Up comment thread
February 26th, 2009 No Comments
There’s a comment thread going on over at the “WebSphere MQ Security Heats Up” post regarding the script settings as originally published versus the updates I have posted on this site.
RKPowers writes “I am still confused about the +set option on the QMgr. I think what you are saying is that we need to use [...]
Tags: Errata · security · WebSphere MQ · WebSphere MQ Security · WMQ · WMQ Security
The Deep Queue – Episode #7: Reducing your attack surface
February 2nd, 2009 No Comments
This installment of The Deep Queue is about improving security by reducing the number of attack vectors that are exposed. Given two systems with equivalent functionality the one with more exposed attack vectors is said to have a “larger attack surface”. As I explain in the podcast, having a smaller attack surface doesn’t automatically result [...]
Tags: DeepQueue · News · Podcast · security · WebSphere MQ · WebSphere MQ Security · WMQ · WMQ Security
Choosing a PCI DSS Auditor? Does WMQ awareness count?
January 26th, 2009 No Comments
James DeLuccia’s post about choosing a PCI DSS QSA auditor has some good advice. I would add to his list a criterion of my own: the auditor should at least know how to spell WMQ. Or JMS. Or “message oriented middleware”. While I haven’t been involved in any PCI audits, many of my customers [...]
Tags: audit · Best Practices · commentary · PCI-DSS · security · WMQ Security
Must-read article – Secure Software: ‘See No Evil’ is Not a Strategy
January 23rd, 2009 No Comments
Given that software currently enables or imperils most aspects of our buying, selling, and communicating, it is time that responsible people acknowledge that this is a massive problem, and stop looking in the opposite direction. “See No Evil” is not a strategy. [Read the full article on Network World.]
Nice to see this sentiment showing up [...]
Tags: Architecture · design · development · News · security · software · vulnerabilities
Signed C&C messages? What a novel idea!
January 8th, 2009 No Comments
I’ve been saying for a while now that Command and Control messages need to be signed. It’s a question of authentication. When you pass a message to perform an administrative action, what assurance do you have that the message got to the destination unchanged? For example, if the message contains credentials such as a user ID, [...]
Tags: crypto · DNS · DNSSEC · News · security · SSL · WMQ · WMQ Security
WebSphere MQ – Coming soon to an audit near you!
July 4th, 2009 No Comments
The June 29 episode of The Deep Queue is finally up! Sorry about the delay, I was on an engagement last week that had me staying over the weekend in Boston to perform a production implementation on Saturday. Although I’ve got a great recording setup at home, I’m afraid I don’t have decent equipment to [...]
Tags: Admin · Best Practices · commentary · DeepQueue · News · Podcast · security · WebSphere MQ · WMQ · WMQ Security