This is a quick note to tell folks a bit about my virtual absence of late, current events and plans for what’s coming up.
Whatever happened to…
I’m not exactly a candidate for VH1’s Where Are They Now, but I do feel I need to provide a bit of explanation for the long absence. If you follow me on Facebook you already know I’ve had the Year (and a half) From Hell, during which the list of things going wrong never quite stopped growing. Many of these things were solvable with money, such as household appliances, heating/air conditioning and roofs failing, trees falling over, etc.
Unfortunately, family health issues have been high on that list and I’ve been alternating between providing support and being the patient. It wasn’t severe enough to impair my work, but for a while the work was all I had energy to do. We seem to have identified two root-cause issues that had been spinning off into a variety of other seemingly unrelated ailments. It came on so slowly I didn’t realize how much I’d been affected, but once we identified and resolved the issues it was like stepping out from thick fog into clear sunshine.
As you might expect, I’m anxious to get back into the swing of things here, on the list server, with the IMWUC and more.
Current events – SWIFT Alliance attacks
If you are in any of the banking or financial services industries, you’ve probably heard about a campaign of sophisticated attacks against SWIFT Alliance members. The attacks are of sufficient concern that the SWIFT Alliance have issued an advisory calling on members to “urgently review controls in their payments environments, to all their messaging, payments and ebanking channels.” The Alliance characterizes the attacks as “clearly a highly adaptive campaign targeting banks’ payment endpoints.”
There is always a tension between the need to disclose and the possible damage of over-disclosure, and I applaud the Alliance for the level of detail in their advisory. However, it’s an evolving situation and other sources have provided additional background. A Washington Post article reported on interim findings of the post-breach investigation by cybersecurity firms FireEye Inc. and World Informatix, which described it as “the sort of thorough operation often mounted by nation-state hackers.” The report goes on to explain that “malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers.”
As a consultant, I have a vested interest in whether readers take this seriously and when the stakes are high it can be difficult to distinguish between level-headed analysis versus exaggerated claims meant to sell through fear. For this reason I’ve purposely not injected my own analysis and instead I’ll make a few observations based on the reported facts and let you draw your own conclusions:
Reported facts include:
- The Bangladesh Bank attackers used insider credentials and had sufficient insider knowledge of multiple internal bank systems to tailor malware specifically for that institution’s environment.
- They achieved this level of sophistication before they scored an $81M payday.
- This was the latest in what has been described as a campaign specifically targeting SWIFT Alliance member institutions.
What would you conclude based on this?
- Is it safe to assume the same group with an $81M bankroll will now invest heavily in their attack tools and methods in order to be even more effective with similar high value attacks directed at other SWIFT Alliance members?
- Should we assume that a successful theft of $81M in a single attack will inspire copycats and expect increased malicious activity against payment systems and that originates from many new sources?
- More importantly for readers of this blog, should we assume that whatever bar we’ve set in our organization for MQ security is high enough in light of these developments?
I’ll be posting specific recommendations for MQ and SWIFT over the next few weeks. Obviously, I’m also happy to work with you directly to review, assess, and possibly remediate or enhance the MQ security of your SWIFT Alliance or any other critical systems. I’ve cleared my calendar to focus on MQ security for SWIFT and have availability beginning in a few weeks.
On the whole, the MQ community has improved the level of security as practiced and deployed over the years, but up to now we’ve gotten away with working under the assumption of a non-hostile environment. MQ hasn’t been battle-tested to the level of HTTP or JEE servers. If this is to be MQ’s debut as a primary target, perhaps by working together we can meet that challenge better prepared.
Site migration – Whoops!
Due to recurring email issues, I moved from Siteground hosting to Site5 hosting a while back. The email issues are resolved but Site5 doesn’t support Let’s Encrypt certificates while Siteground does. Perhaps someday I’ll find a web host that provides all of the features I need.
In the meantime, I discovered that the site migration tool I used copied only the contents of the databases and not the directories of static content. Therefore, most of my presentation content, scripts and other assets that were locally hosted are missing. I guess the good part about my absence is that without new content to drive traffic, hits here have gone way down and nobody alerted me with a complaint about the missing files.
I’ll be re-posting all that content as time allows. If there’s anything in particular you need that isn’t there, feel free to ping me and tell me which files you are looking for and I’ll upload them ASAP. All the original URLs should continue to work when the content is re-posted, although I may set up some redirects and move some content to Slideshare or YouTube.
MQTC is fast approaching and, thanks to the aforementioned illnesses, I haven’t yet submitted session abstracts. I’ve asked the MQ list server and I’ll pose the question here as well:
What’s your “chronically absent,” most wanted, least offered MQ conference session?
Though MQTC has corporate support from Capitalware, IBM and many sponsors, I think of it as our conference. A bunch of us wanted something with more technical content and more focused on MQ than IBM’s brand-wide IMPACT, and with Roger’s leadership we made it happen. But we’ve picked content for MQTC like any other conference: submit session ideas for selection. True, measurable demand for the selected sessions isn’t really apparent until people show up, or don’t, in the room. At many conferences this leads to speakers presenting to near-empty rooms.
I do not imagine turning MQTC into an Unconference where the agenda is set each morning but it seems like more community input could make the event even more valuable to attendees.
What do you think? If the content selection process were more open, would you participate? Would you like a slot or two that is filled based entirely on community choice? Add your nomination for “chronically absent,” most wanted, least offered MQ conference session in the comments or send them to me on Twitter and let’s see what happens.
MQ Password/CHLAUTH research – Exec Summary
As of v8.0, MQ can natively validate user IDs by checking the password against the operating system or LDAP. Checking against a Pluggable Authentication Module (PAM) was added in v8.0.0.3. Prior to v8.0 it was necessary to use a channel security exit to perform password-based authentication over SVRCONN channels. With MQ v8.0 and later, password-based validation is natively supported and integrated with CHLAUTH rules.
This has been a widely anticipated feature, so it came as no surprise that implementing it was among the requirements on each of my several most recent consulting engagements. What was surprising, however, is that over time I noticed that techniques I’d used at one client for combining CHLAUTH with password-based authentication didn’t seem to work at the next. The first time I noticed this I wrote it off as having taken poor notes. The second time, though, led me to undertake a comprehensive analysis on a per-version and per-fix-pack basis.
This post and accompanying materials are an executive overview of the findings and recommendations. More detailed findings will be posted shortly. My priority in this initial publication is to introduce the issues and outline the recommendations for safely using the new features.
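As an added example, not code from the original post, here is the MQSC needed to turn native connection authentication on for an MQ v8.0 or later queue manager and pair it with CHLAUTH rules, with the weak shipped default shown beside the hardened settings. The channel name APP.SVRCONN, the AUTHINFO name APP.AUTHINFO, the client user appuser, the service account mqapp and the 10.1.2.* address range are assumed for illustration; the AUTHENMD(PAM) attribute mentioned in a comment exists only on 8.0.0.3 and later.

```mqsc
* Added example, not from the original post. Names (APP.SVRCONN,
* APP.AUTHINFO, appuser, mqapp, 10.1.2.*) are assumed for illustration.
* Run with: runmqsc <QMGR>

* --- Weak starting point: what a freshly created v8 queue manager uses ---
* The default CONNAUTH object SYSTEM.DEFAULT.AUTHINFO.IDPWOS is defined
* with CHCKCLNT(REQDADM): only privileged user IDs must supply a
* password; an ordinary client user ID is still accepted unauthenticated.
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') CHCKCLNT CHCKLOCL ADOPTCTX

* --- Hardened configuration ---
* 1. Dedicated AUTHINFO. CHCKCLNT(REQUIRED) makes a password mandatory
*    for every client connection, validated against the OS (IDPWOS).
*    On 8.0.0.3+ add AUTHENMD(PAM) to validate through PAM instead.
*    ADOPTCTX(YES) makes the authenticated user ID, rather than the ID the
*    client asserted, the context used for authorization.
*    FAILDLAY(5) slows down password guessing by delaying failed replies.
DEFINE AUTHINFO('APP.AUTHINFO') AUTHTYPE(IDPWOS) +
       CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL) ADOPTCTX(YES) +
       FAILDLAY(5) REPLACE
ALTER QMGR CONNAUTH('APP.AUTHINFO')
REFRESH SECURITY TYPE(CONNAUTH)

* 2. Channel: MCAUSER set to an ID that holds no MQ authority, so nothing
*    is granted unless a CHLAUTH rule explicitly maps the connection.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('nobody') REPLACE

* 3. CHLAUTH: deny everything by default, then map one client user ID
*    arriving from the application network to a service account.
*    CHCKCLNT(REQUIRED) on the mapping rule makes the password mandatory
*    for matching connections regardless of the AUTHINFO setting.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Back-stop: deny all') ACTION(REPLACE)
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('appuser') +
    ADDRESS('10.1.2.*') USERSRC(MAP) MCAUSER('mqapp') +
    CHCKCLNT(REQUIRED) DESCR('App tier only') ACTION(REPLACE)
SET CHLAUTH('APP.SVRCONN') TYPE(BLOCKUSER) USERLIST('*MQADMIN') +
    DESCR('No administrative IDs over this channel') ACTION(REPLACE)

* 4. Check: MATCH(RUNCHECK) evaluates the rules the way the queue manager
*    would for a specific inbound connection. The first should resolve to
*    the USERMAP rule, the second to the NOACCESS back-stop.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    CLNTUSER('appuser') ADDRESS('10.1.2.3')
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    CLNTUSER('appuser') ADDRESS('192.0.2.9')
```

Every object is defined with REPLACE or ACTION(REPLACE) so the script can be re-run safely. MATCH(RUNCHECK) tells you which CHLAUTH rule wins for a given user and address, but it does not exercise the password check or the ADOPTCTX(YES) swap of asserted ID for authenticated ID; since this post's finding is that the combination of CHLAUTH mapping and password validation behaved differently from one version and fix pack to the next, confirm the effective user ID with a real client connection on the exact level you run in production.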