Category Archives: WMQ Security

WebSphere MQ Security-related posts.

The Deep Queue – Episode #7: Reducing your attack surface

Posted on February 2, 2009 by T.Rob

This installment of The Deep Queue is about improving security by reducing the number of attack vectors that are exposed.  Given two systems with equivalent functionality the one with more exposed attack vectors is said to have a “larger attack … Continue reading

Posted in DeepQueue, IBMMQ, Podcast, WMQ Security | Tagged , , , , , , , | Leave a comment

Choosing a PCI DSS Auditor? Does WMQ awareness count?

Posted on January 26, 2009 by T.Rob

James DeLuccia’s post about choosing a PCI DSS QSA auditor has some good advice.  I would add to his list a criteria one of my own: the auditor should at least know how to spell WMQ.  Or JMS.  Or “message … Continue reading

Posted in General, News, WMQ Security | Tagged , , , , , | Leave a comment

Signed C&C messages? What a novel idea!

Posted on January 8, 2009 by T.Rob

I’ve been saying for a while now that Command and Control messages to be signed.  It’s a question of authentication.  When you pass a message to perform an administrative action, what assurance do you have that the message got to … Continue reading

Posted in IBMMQ, News, WMQ Security | Tagged , , , , , , , | Leave a comment

The Deep Queue – Episode #6: The Myth of the Trusted Internal Network

Posted on January 1, 2009 by T.Rob

In this episode of The Deep Queue I explain why I believe the “trusted internal network” is a myth.  Many of the problems that I see on consulting assignments would have been prevented by the same security measures I recommend … Continue reading

Posted in DeepQueue, IBMMQ, Podcast, WMQ Security | Tagged , , , , , , , | 1 Comment

The Deep Queue – Episode #5: WMQ Security news and Random WMQ Stuff

Posted on December 2, 2008 by T.Rob

The Deep Queue Episode #5 is now online.  In this episode we cover some WMQ security news and introduce a new segment called Random WMQ Stuff which is pretty much what it sounds like.  We also now have an iTunes … Continue reading

Posted in DeepQueue, IBMMQ, Podcast, WMQ Security | Leave a comment

Having fun in Barcelona!

Posted on November 11, 2008 by T.Rob

Well, I made it to Barcelona on Sunday after 20 hours on various planes and in various terminals.  My luggage arrived on Tuesday having seen MUCH more of Europe than I was able to.  Unfortunately, I had the camera and … Continue reading

Posted in Events, IBMMQ, WMQ Security | Tagged , , , , , , | 4 Comments

The Deep Queue – Episode #4: Listener email and why you should care about message types

Posted on November 3, 2008 by T.Rob

In this installment we answer an email from a listener asking about channel authentication.  The requirement is for a channel exit pair that exchanges credentials securely then falls back to a plaintext channel.  In the second segment we talk about … Continue reading

Posted in DeepQueue, IBMMQ, Podcast, WMQ Security | Tagged , , , | 3 Comments

Updated script templates

Posted on October 22, 2008 by T.Rob

The script templates for locking down admin access have been updated for WMQ v7 to include topics. I’ve also added additional comment lines, a change log and fixed a couple of typos. The new versions are an update to the … Continue reading

Posted in Errata, IBMMQ, Publications, WMQ Security | Tagged , , | 4 Comments

Puzzled by WMQ vulnerability advisory

Posted on October 2, 2008 by T.Rob

Well, I knew this one was out there but never looked at the CVE for it – there is a memory corruption vulnerability in the WebSphere MQ ( CVE-2007-6044) that is network exploitable.  What I can’t figure out is why … Continue reading

Posted in General, IBMMQ, WMQ Security | Tagged , , , , , , | Leave a comment

The Deep Queue – Episode #3: Ethical Administration

Posted on September 29, 2008 by T.Rob

In this episode of The Deep Queue I propose something I’m calling “ethical administration”.  Most people have heard of ethical hacking – doing what the bad guys do on behalf of and in cooperation with the good guys.  Ethical administration … Continue reading

Posted in DeepQueue, Podcast, WMQ Security | Tagged , , , | 2 Comments