Inaccurate MQ auths event messages

The security maturity progression in MQ starts with access control.  First we isolate MQ Admin access, then add granular user and application access.  This class of security control is known as intrusion prevention.  After mastering that the next phase includes stronger accountability and intrusion detection. These typically include enabling event messages and archiving security-relevant events from the event queues and the error logs.

In order to detect security-relevant events and hold people strictly accountable within the access roles defined, the product itself must be further along that continuum than the customer is.  In particular, the intrusion detection controls must report all events and do so accurately, and the tests described in this post show that this is not true in all cases.

The issues reported in this post affect the ability of an administrator or auditor to accurately detect security-relevant events and enforce accountability.  Since error logs roll over, archiving them is subject to a window within which entries might roll off and be irretrievably lost.  Many shops rely on event messages to provide a level of assurance acceptable to auditors and security-conscious users, and these errors show that this reliance may be misplaced.

Continue reading
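The intrusion-detection phase described above starts with switching on the queue manager's event categories and draining the event queues. The MQSC below is an added example, not configuration from the post; the queue manager attributes and system queue names are standard MQ ones, while the choice of which categories to enable is this example's assumption.

```mqsc
* Added example (not from the post): enable the event categories that feed
* the security-relevant event queues.  Which categories to turn on is an
* assumption made for this example; tailor it to your own accountability needs.
ALTER QMGR AUTHOREV(ENABLED)
ALTER QMGR CHLEV(ENABLED) SSLEV(ENABLED)
ALTER QMGR CMDEV(ENABLED) CONFIGEV(ENABLED)
ALTER QMGR STRSTPEV(ENABLED)
* Confirm the settings took effect
DISPLAY QMGR AUTHOREV CHLEV SSLEV CMDEV CONFIGEV STRSTPEV
* Events land on these system queues.  An event put to a full queue is lost,
* so watch depth against MAXDEPTH and archive the messages regularly.
DISPLAY QUEUE(SYSTEM.ADMIN.QMGR.EVENT) CURDEPTH MAXDEPTH
DISPLAY QUEUE(SYSTEM.ADMIN.CHANNEL.EVENT) CURDEPTH MAXDEPTH
DISPLAY QUEUE(SYSTEM.ADMIN.COMMAND.EVENT) CURDEPTH MAXDEPTH
DISPLAY QUEUE(SYSTEM.ADMIN.CONFIG.EVENT) CURDEPTH MAXDEPTH
```

Authority events (AUTHOREV) go to SYSTEM.ADMIN.QMGR.EVENT and channel, TLS and CHLAUTH events to SYSTEM.ADMIN.CHANNEL.EVENT. CMDEV(NODISPLAY) is a common alternative to CMDEV(ENABLED) when the volume of DISPLAY commands would swamp the command event queue. Enabling the events is only the first step; the post's findings concern whether the messages that arrive are accurate, so the archive should be reviewed against the error logs rather than trusted on its own.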

Posted in News, Security, WMQ, WMQ Security | 2 Comments

CHLAUTH research updates

I’ve added a “Versions” tab to the results matrix, corrected some copy/paste errors, and uploaded new copies of the PDF and Excel versions.  Over time as new results are added or corrections made I’ll replace the existing documents so the links do not change.  These are active documents so expect changes frequently.

I won’t post updates to the GitHub documents since these will probably be the most active artifacts of the entire project – and because GitHub shows you the complete history.  Much thanks to fjbsaper and Josh McIver for updates and edits on the tools.

Posted in General | Leave a comment

MQ Password/CHLAUTH research – Exec Summary

As of v8.0, MQ can natively validate user IDs by checking the password against the operating system or LDAP.  Checking against a Pluggable Authentication Module (PAM) was added in v8.0.0.4.  Prior to v8.0 it was necessary to use a channel security exit to perform password-based authentication over SVRCONN channels.  With MQ v8.0 and later, password-based validation is natively supported and integrated with CHLAUTH rules.

This has been a widely anticipated feature, so it came as no surprise that implementing it was among the requirements on each of my last several consulting engagements.   What was surprising, however, is that over time I noticed that techniques I’d used at one client for combining CHLAUTH with password-based authentication didn’t seem to work at the next.  The first time I noticed this I wrote it off as having taken poor notes.  The second time, though, led me to undertake a comprehensive analysis on a per-version and per-fix-pack basis.

This post and accompanying materials are an executive overview of the findings and recommendations.  More detailed findings will be posted shortly.  My priority in this initial publication is to introduce the issues and outline the recommendations for safely using the new features.

Continue reading
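For readers who have not yet set up the v8.0 feature, here is what wiring native password validation into a SVRCONN channel looks like in MQSC. This is an added example, not the post's own configuration or its recommendations; the AUTHINFO name USE.OS.PW and the channel name APP.SVRCONN are constructed for the example, and the keywords are standard MQ v8.0 MQSC.

```mqsc
* Added example (not the post's own configuration): native OS password
* checking on a SVRCONN channel, MQ v8.0 or later.  USE.OS.PW and
* APP.SVRCONN are names constructed for this example.
DEFINE AUTHINFO(USE.OS.PW) AUTHTYPE(IDPWOS) +
       CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH(USE.OS.PW)
REFRESH SECURITY TYPE(CONNAUTH)
* Application channel.  MCAUSER is only a fallback; the CHLAUTH rules below
* decide the identity that is actually used.
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('nobody') REPLACE
* Never let an administrative ID through an application channel ...
SET CHLAUTH('APP.SVRCONN') TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)
* ... and require a password check for every client, from any address,
* before the asserted user ID is adopted as the connection's context.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(CHANNEL) CHCKCLNT(REQUIRED) ACTION(REPLACE)
* Verify what is in effect
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(USE.OS.PW) ALL
DISPLAY CHLAUTH('APP.SVRCONN') ALL
```

ADOPTCTX(YES) makes the password-validated ID, rather than the ID the client merely asserted, the one used for authorization checks, which is the point of integrating the two features. As the post notes, the interaction between CHLAUTH and password validation has differed across versions and fix packs, so test the combination on the exact level you run before relying on it.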

Posted in Security, WMQ, WMQ Security | 4 Comments

Knowledge Center corrections

Keen-eyed observers will have noticed that the MQ and IIB Knowledge Centers now have a floating “Contact Us” overlay at the bottom-right of the page.  There’s a bit of history there but, long story short, for a while there was no connection from the KCs to the tech writer team.

Morag and I have been lobbying behind the scenes to get KC error reporting reinstated.  Not long ago there was a web form that pre-filled the URL of the page being reported.  Then there was per-page commenting online, then nothing at all.  For a brief time Morag and I had confidential internal email addresses with which to report errors and request updates but were advised not to publish them.

So I’m happy that we now have an official means to do so.  The new overlay panel opens an email addressed to ibmkc at ibm dot com when you click it, but the URL is no longer captured for you.  When I tried reporting something to that email address I received back a human-written reply saying my request had been forwarded to the appropriate team, and copying the internal emails I’m not supposed to give out.  Which is what I assume will happen should you submit a report.

Since we are now using a common reporting point for KC updates, I’d recommend a few things to help the routing along:

  • Put the product name in the subject line.
  • Put the URL you are reporting near the top of the email. Unlike previous versions of the IC and KC that were in HTML frames, the URL in the browser address bar is now kept current as you move from page to page.  Copy that and paste it into the email.
  • The slug (i.e. the “bq28120_” bit before .htm in the URL) is a lot less reliable across product versions due to significant restructuring of the content. It used to be a great search key, but not so much anymore unless you know which KC version it lives in.  Please don’t send bare slugs.
  • I’m told that it is better to put small, atomic updates in each email rather than combining them. That makes it easier for a tech writer to tackle them than if he or she has to deal with a list of 20 things in a single email.

My lobbying pitch was that the ability of the community to drive improvements back into the docs is essential.  There’s no “Missing Manual” book for MQ in part because we’ve all helped fix the manual. I’m very happy that we can do so once again.

Posted in IIB, News, WMQ | 1 Comment

News and updates

This is a quick note to tell folks a bit about my virtual absence of late, current events and plans for what’s coming up.

Whatever happened to…

I’m not exactly a candidate for VH1’s Where Are They Now but I do feel I need to provide a bit of explanation for the long absence.  If you follow me on Facebook you already know I’ve had the Year (and a half) From Hell during which the list of things going wrong never quite stopped growing.  Many of these things were solvable with money, such as household appliances, heating/aircon, and roofs failing, trees falling over, etc.

Unfortunately, family health issues have been high on that list and I’ve been alternating between providing support and being the patient.  It wasn’t severe enough to impair my work but for a while the work was all I had energy to do.  We seem to have identified two root cause issues that had been spinning off into a variety of other seemingly unrelated ailments.  It came on so slowly I didn’t realize how much I’d been affected but once we identified and resolved the issues it’s like stepping out from thick fog into clear sunshine.

As you might expect, I’m anxious to get back into the swing of things here, on the list server, with the IMWUC and more.

Current events – SWIFT Alliance attacks

If you are in any of the Banking or Financial services industries, you’ve probably heard about a campaign of sophisticated attacks against SWIFT Alliance members.  The attacks are of sufficient concern that the SWIFT Alliance has issued an advisory calling on members to “urgently review controls in their payments environments, to all their messaging, payments and ebanking channels.”  The Alliance characterizes the attacks as “clearly a highly adaptive campaign targeting banks’ payment endpoints.”

There is always a tension between the need to disclose and the possible damage of over-disclosure, and I applaud the Alliance for the level of detail in their advisory.  However, it’s an evolving situation and other sources have provided additional background. A Washington Post article reported on interim findings of the post-breach investigation by cybersecurity firms FireEye Inc. and World Informatix, which described it as “the sort of thorough operation often mounted by nation-state hackers.”  The report goes on to explain that “malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers.”

As a consultant, I have a vested interest in whether readers take this seriously, and when the stakes are high it can be difficult to distinguish level-headed analysis from exaggerated claims meant to sell through fear.  For this reason I’ve purposely not injected my own analysis; instead I’ll make a few observations based on the reported facts and let you draw your own conclusions:

Reported facts include:

  • The Bangladesh Bank attackers used insider credentials and had sufficient insider knowledge of multiple internal bank systems to tailor malware specifically for that institution’s environment.
  • They achieved this level of sophistication before they scored an $81M payday.
  • This was the latest in what has been described as a campaign specifically targeting SWIFT Alliance member institutions.

What would you conclude based on this?

  • Is it safe to assume the same group with an $81M bankroll will now invest heavily in their attack tools and methods in order to be even more effective with similar high value attacks directed at other SWIFT Alliance members?
  • Should we assume that a successful theft of $81M in a single attack will inspire copycats, and expect increased malicious activity against payment systems originating from many new sources?
  • More importantly for readers of this blog, should we assume that whatever bar we’ve set in our organization for MQ security is high enough in light of these developments?

I’ll be posting specific recommendations for MQ and SWIFT over the next few weeks.  Obviously, I’m also happy to work with you directly to review, assess, and possibly remediate or enhance the MQ security of your SWIFT Alliance or any other critical systems.  I’ve cleared my calendar to focus on MQ security for SWIFT and have availability beginning in a few weeks.

On the whole, the MQ community has improved the level of security as practiced and deployed over the years, but up to now we’ve gotten away with working under the assumption of a non-hostile environment.  MQ hasn’t been battle tested to the level of HTTP or JEE servers.  If this is to be MQ’s debut as a primary target, perhaps by working together we can meet that challenge better prepared.

Site migration – Whoops!

Due to recurring email issues, I moved from Siteground hosting to Site5 hosting a while back.  The email issues are resolved but Site5 doesn’t support Let’s Encrypt certificates while Siteground does.  Perhaps someday I’ll find a web host that provides all of the features I need.

In the meantime, I discovered that the site migration tool I used copied only the contents of the databases and not the directories of static content.  Therefore, most of my presentation content, scripts and other assets that were locally hosted are missing.  I guess the good part about my absence is that without new content to drive traffic, hits here have gone way down and nobody alerted me with a complaint about the missing files.

I’ll be re-posting all that content as time allows.  If there’s anything in particular you need that isn’t there, feel free to ping me and tell me which files you are looking for and I’ll upload them ASAP.  All the original URLs should continue to work when the content is re-posted, although I may set up some redirects and move some content to Slideshare or YouTube.

MQTC sessions

MQTC is fast approaching and, thanks to the aforementioned illnesses, I haven’t yet submitted session abstracts.  I’ve asked the MQ List server and I’ll pose the question here as well:

What’s your “chronically absent,” most wanted, least offered MQ conference session?

Though MQTC has corporate support from Capitalware, IBM and many sponsors, I think of it as our conference.  A bunch of us wanted something with more technical content and more focused on MQ than IBM’s brand-wide IMPACT, and with Roger’s leadership made it happen.  But we’ve picked content for MQTC like any other conference: submit session ideas for selection.  True, measurable demand for the selected sessions isn’t really apparent until people show up, or not, in the room.  At many conferences this leads to speakers presenting to near-empty rooms.

I do not imagine turning MQTC into an Unconference where the agenda is set each morning but it seems like more community input could make the event even more valuable to attendees.

What do you think? If the content selection process were more open, would you participate?  Would you like a slot or two that is filled based entirely on community choice?  Add your nomination for “chronically absent,” most wanted, least offered MQ conference session in the comments or send them to me on Twitter and let’s see what happens.

Posted in Events, News, Security, WMQ, WMQ Security | Leave a comment

If you can read this…

…we are back up at the new web hosting service, Site5!

Posted in General | 2 Comments

MQTC Sessions and downloads posted

My sessions and downloadable scripts from MQTC 2.0.15 are now up on the Links page.

Posted in Events, MQTC, News, Security, WMQ, WMQ Security | Leave a comment