The Deep Queue – Episode #3: Ethical Administration

In this episode of The Deep Queue I propose something I’m calling “ethical administration”.  Most people have heard of ethical hacking – doing what the bad guys do on behalf of and in cooperation with the good guys.  Ethical administration as I have imagined it is acting like the good guys on behalf of the good guys in spite of their failure to act or commit resources.

From time to time we hear about employees who, when their warnings fall on deaf ears, hack the system to demonstrate how vulnerable it is.  These people usually end up in jail, but the fact that it happens as often as it does speaks to the incredible frustration of knowing the system is wide open and having no resources to do anything about it.  Through my security consulting I have met a large number of WMQ administrators who are experiencing this exact frustration.  In many cases I have delivered the worst possible finding from an assessment – that the system is open to anonymous administrative access by anyone with an IP route to the queue manager – only to have the client decide that the risk is so low as not to justify any investment in securing the network.  As a customer of some of these companies, it makes me want to move my accounts somewhere else.  Some of my acquaintances who are employees of these companies get so frustrated they want to find another employer.  The problem we both have is finding an alternative employer or vendor who is any better.  What I am proposing is a way to take action while staying completely within the scope of a WMQ administrator’s duties, so as not to incur the disciplinary wrath of one’s employer.

That said, nothing here should be construed as legal advice.  If in doubt, seek the advice of an attorney or just don’t take matters into your own hands.

Links from the podcast:

  • Network Security blog and podcast – Martin McKeay’s blog and podcast with co-host Rich Mogull
  • MO04 – WMQ SSL Wizard
  • MO72 – MQSC client and stand-alone tool for making client channel table files
  • setmqaut templates – Templates to use when adding MCAUSER values to your channels.  I need to move these to stand-alone files but for now they are in a blog post.
  • DOJ – Man breaches network of former employer from job application kiosk in lobby
  • DOJ – Man breaches wireless networks of retail chains to steal credit card data


2 Responses to The Deep Queue – Episode #3: Ethical Administration

  1. T.Rob says:

    Thanks for the feedback, Andy. When I was at Bank of America, I wrote a web screen front end to the MO72 SupportPac. The screen knew about all of the QMgrs that a user had access to and presented a table of QMgrs and check boxes. If they checked off several boxes and submitted the form, the web server ran it through MO72 and spit out a channel table file straight to the user’s desktop. Unfortunately, I had built it as an add-on to AppWatch and at some point a new AppWatch version broke my screen. I never got ’round to fixing it before I left. It was really slick when it was working, though.

  2. Andy Piper says:

    Really enjoyed this episode – there’s some great practical advice in here. Would you believe that despite my many years of MQ consulting, I’d never looked into the tool for making client channel table files?

    It really has been a frequent experience that folks say “it’s OK, we trust this network, it’s all internal”. Worth making the point that this doesn’t mean that it’s secure.
