WMQ Security Lab materials posted

As promised, here are the WMQ Security Lab materials.  These include the lab guide and the scripts.  To run the lab you will need a Linux server with WMQ v7.0 installed, as well as WMQ Explorer with SupportPac MS0P, the SupportPac MA01 Q program, and of course the SSL Wizard SupportPac.

The URL for the download is: http://bit.ly/WMQSecurityLab

Also, here is the Security is a Journey presentation that I wrote up for Guide Share Europe: http://bit.ly/SecurityJourney

Both of these will be posted permanently to the Links page shortly as well.  Please send feedback in the comments below or contact me via email or at the IMPACT 2010 conference to let me know what you think of these.

Remember to register and add the #ibmimpact hashtag to get your posts picked up at the IMPACT social media site!

Posted in Events, IBMMQ, News, WMQ Security | Leave a comment

WMQ SSL & TLS Open Mic

Regular followers of this blog won’t want to miss tomorrow’s WebSphere Technical Exchange “WMQ SSL & TLS Open Mic”.  Panelists scheduled are Alex Fehners, Andrew Akehurst, Calista Stevens, Jonathan Rumsey, Mike Horan, Rhys Francis, Tameka Woody, Mark Womack and Tiffanie Pearson so it promises to be an extremely informative event blessed by both experience from the trenches and deep knowledge of the code.

Posted in Events, IBMMQ, News, WMQ Security | Leave a comment

Up for air and off to IMPACT

It’s been far too long since I’ve posted here but I finally came up for air and even managed to take a week off.  I was supposed to be in Germany last week at the Guide Share Europe WMQ Working Group talking about security but those plans went up in smoke – volcanic ash, to be precise.  I was extremely disappointed because one of the reasons I dropped out of sight for a while was to prepare a new security slide deck for GSE called Security is not a destination, it’s a journey.  I’ve been wanting to tackle this subject for a while now and the folks at GSE were kind enough to let me run with it.  I just wish I could have been there to deliver it.  Thanks to Hubert Kleinmanns for stepping in at the last minute to do the presentation.  I’ll post the deck here shortly in case anyone is interested.

Next week I’ll be at IMPACT 2010, or #ibmimpact for those of you following the event in the aggregator.  Preparing the new WMQ Hands-On Security Lab materials was the other reason I’ve been out of sight lately.  It was a huge effort which nearly cost me my current client, my marriage and some IRS late filing penalties, but it was totally worth it.  There are several modules in the lab which will walk you through all of the tasks to do basic admin hardening.  These include setting up SSL between two QMgrs, between WMQ Explorer and two QMgrs, and then setting up BlockIP2 to filter connections and dynamically set MCAUSER.  The lab makes good use of several SupportPacs including Ian Vanstone’s SSL Wizard and Mark Taylor’s WMQ Explorer configuration and Display Plug-In.


Posted in Events, News | 2 Comments

Deep Queue #14 – The Elephant Under the Bed

This episode of The Deep Queue celebrates the first birthday of the podcast with some discussion of the SSL protocol vulnerability that was recently discovered.  Although there has been no announcement with regard to WebSphere MQ, I try to put the whole discussion into a larger context and ask if this is really the thing we need to worry about considering what else is going on.  More on that in the podcast or transcript.


Posted in DeepQueue, IBMMQ, WMQ Security | 4 Comments

In memoriam

The PCI community has suffered a great loss with the passing of Dave Taylor recently.  Dave had a vision of helping companies achieve not just the letter of PCI compliance, but the spirit of PCI compliance through better understanding and an open dialog amongst practitioners, auditors, users, business leaders and all other stakeholders.  That vision and passion became the PCI Knowledgebase, billed as “the largest PCI research community.”

I first met Dave when I was invited to present a webinar on WebSphere MQ security to the PCI Knowledgebase community.  By Dave’s standards the webinar was barely attended but as a conference speaker the numbers were about what I’m used to.  I presented that webinar twice and have since heard back from many of the attendees that they are now including WebSphere MQ in their PCI assessments and that they are finding – and fixing – configuration issues.  This is exactly the kind of thing Dave was trying to achieve and, although he was initially skeptical about the attendance rates, I know he was happy with the results.

The PCI Knowledgebase has pledged to continue in Dave’s absence and carry on his mission.  If you are a PCI DSS stakeholder, please stop by the PCI Knowledgebase web site and check it out.  It’s a great resource for anyone involved with PCI DSS and your participation is the best way I can think of to honor Dave’s memory.

Posted in News, WMQ Security | Leave a comment

WMQ free tools updated

Michael Dag at MQSystems has updated his WMQ 1-Page Quick Reference cards.  Go to his Links page and look at the top two entries.  While you are there, check out the Solutions page where you can find out about MQ Document and MQ Architect.

Roger Lacroix has updated a few of his free products recently, including MQWhat.  You can find these on his Open Source page at Capitalware.

Posted in IBMMQ, News | Leave a comment

Avoiding insider threat

Passing along this article from Adam Bosnian of Cyber-Ark Software: Practical advice on avoiding the insider threat.  The whole article is worth reading but one item stood out:

Best Practice #4: Secure Embedded Application Accounts

Up to 80 percent of system breaches are caused by internal users, including privileged administrators and power users, who accidentally or deliberately damage IT systems or release confidential data assets, according to a recent Cyber-Ark survey.

Many times, the accounts leveraged by these users are the application identities embedded within scripts, configuration files, or an application. The identities are used to log into a target database or system and are often overlooked within a traditional security review. Even if located, the account identities are difficult to monitor and log because they appear to a monitoring system as if the application (not the person using the account) is logging in.

These privileged, application identities are being increasingly scrutinized by internal and external auditors, especially during PCI- and SOX-driven audits, and are becoming one of the key reasons that many organizations fail compliance audits. Therefore, organisations must have effective control of all privileged identities, including application identities, to ensure compliance with audit and regulatory requirements.

Wow, 80% of breaches now originating within the “trusted internal network” and the article also mentions insider theft has doubled between 2007 and 2008.  Anybody out there still not treating the internal network as a hostile environment?

Posted in General | 2 Comments

Deep Queue #13: Unlucky number thirteen

After a month’s unplanned hiatus, The Deep Queue is back.  This month we are talking about high availability, which is obviously something The Deep Queue lacks.  This may not seem like a security topic at first glance but to my way of thinking it is.  There is no perfect security so, no matter how much you invest in protection, it’s a good idea to assume there will be a breach at some point.  When that happens you need to detect it and recover from it.  For that reason, whenever I perform a security assessment, monitoring and recovery are considered.  The first segment talks about planning for recovery from an adverse security event.

The second segment is all about the new v7.0.1 of WebSphere MQ!  Yes, the long awaited refresh pack is released and you can download it now.  In addition, the product manuals are all updated with the new features.  The v7.0 release was massive and it seems hard to believe it would be followed so quickly by another release with this much functionality but the folks in Hursley apparently don’t sleep.  There’s lots of detail in the podcast and at the links below.


Posted in DeepQueue, IBMMQ, Podcast, WMQ Security | Leave a comment

WebSphere MQ – Coming soon to an audit near you!

The June 29 episode of The Deep Queue is finally up!  Sorry about the delay, I was on an engagement last week that had me staying over the weekend in Boston to perform a production implementation on Saturday.  Although I’ve got a great recording setup at home, I’m afraid I don’t have decent equipment to do the podcast on the road.  Instead, I flew my wife up to Boston and we spent Sunday at the aquarium and then went to see Blue Man Group.

The week delay worked out great though, because last week a friend contacted me to tell me his shop needs to remediate for PCI compliance.  He has a hundred days to create a segmented MQ network within which to isolate his PCI applications.  The time limit is due to having found out about the problems in the course of an audit rather than through independent research or assessment.  Since this is likely to be a growing problem, it turned out to be my topic for this month’s episode.


Posted in DeepQueue, Podcast, WMQ Security | Leave a comment

New WMQ Channel vulnerability and interim fix announced

The IBM Internet Security Systems XForce team recently announced a buffer overflow vulnerability in WebSphere MQ client channels.  According to the release, the vulnerability includes the possibility of remotely executing arbitrary code or “causing the application to crash.”  It is not clear whether “application” in this case refers to the channel agent, channel pooling process or something else.

I’ve already fielded some questions on this alert.  In particular, the following:

Note: This vulnerability can not be exploited on queue managers secured with security exits or authentication through SSL, unless an attacker has valid authentication credentials or a valid SSL certificate.

First, I think that the words “queue managers” here should be “channels”.  A queue manager does not have SSL or security exits, channels do.  And I have no reason to believe that enabling a security exit or SSL on one channel solves the problem for the entire queue manager so I think the scope is wrong.  I’ve sent in a suggestion to fix that but haven’t heard back yet.

The second question I received was about how authentication prevents the exploit and whether it is necessary to apply the interim fix.  The SSL handshake must be completed before the channel agent ever sees the connection so any connection rejected by SSL does not get deep enough into the MCA to hit the vulnerability.  Similarly, the security exit is invoked fairly early on in the channel negotiation.  If an attacker’s connection is rejected by either SSL or a security exit, the vulnerability cannot be exploited.

On the other hand, anyone who can complete the connection can execute the exploit.  But is this dangerous and do I need to apply the fix?  If the channel has a blank MCAUSER and the command server is running, then a legitimately connected user already has the same level of access by gaining administrative access and defining services.  There are two conditions in which the fix could be important:

  1. The channel has no SSL or exits and relies on a low-privileged MCAUSER value for security.  In this case, anonymous users are allowed to connect but will ordinarily not have administrative access.
  2. The channel has SSL and/or exits to authenticate users and a low-privileged MCAUSER that would ordinarily limit the connected user from gaining administrative access and the legitimate users are not trusted.  For example, when allowing client connections from outside the enterprise or when in a regulated environment in which application controls must be strictly enforced.
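The two conditions above can be turned into a quick audit of a queue manager’s channel definitions.  The following is an added example (not code from the original post, the lab materials or IBM): it parses the text runmqsc prints for DISPLAY CHANNEL(*) and sorts each inbound channel by whether it authenticates connections (SSLCIPH or SCYEXIT set) and whether MCAUSER is blank or a low-privileged ID.  The sample output embedded in the script is constructed to approximate runmqsc’s layout; CHANNEL, CHLTYPE, MCAUSER, SCYEXIT and SSLCIPH are real MQSC attributes, but the exact formatting, the channel names, the exit path and the treatment of `mqm` as an administrative MCAUSER are assumptions.

```python
"""Audit inbound WMQ channels against the two exposure conditions in the post.

Added example, not code from the original post or from IBM.  The sample text
below is CONSTRUCTED to approximate runmqsc output for DISPLAY CHANNEL(*);
its layout, channel names and exit path are assumptions.
"""
import re

# Constructed sample: roughly what runmqsc prints for DISPLAY CHANNEL(*).
SAMPLE_DISPLAY = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1)                           SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(PARTNER.SVRCONN)                CHLTYPE(SVRCONN)
   MCAUSER(partner)                        SCYEXIT( )
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(FROM.QM2)                       CHLTYPE(RCVR)
   MCAUSER( )                              SCYEXIT(/var/mqm/exits/BlockIP2(BlockExit))
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   SCYEXIT( )                              SSLCIPH( )
"""

# NAME(value) pairs; one level of nested parens is allowed so that an exit
# given as path(function) is captured whole.
ATTR_RE = re.compile(r"([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")

# Channel types that accept an inbound connection and therefore carry MCAUSER.
INBOUND_TYPES = {"SVRCONN", "RCVR", "RQSTR", "CLUSRCVR"}

# Assumption: a blank MCAUSER or mqm gives the connection full administrative
# rights (mqm is the MQ administrative group on Unix).
ADMIN_IDS = {"", "mqm"}


def parse_display_channel(text):
    """Return one {ATTR: value} dict per channel in runmqsc DISPLAY output."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):   # message id that opens each channel block
            current = {}
            channels.append(current)
        elif current is not None:
            for name, value in ATTR_RE.findall(line):
                current[name] = value.strip()   # "( )" becomes ""
    return channels


def classify(chl):
    """Map a channel to the exposure category discussed in the post."""
    authenticated = bool(chl.get("SSLCIPH")) or bool(chl.get("SCYEXIT"))
    admin = chl.get("MCAUSER", "") in ADMIN_IDS
    if not authenticated and admin:
        # Anyone can connect and already has admin via the command server;
        # the fix changes nothing about this channel's exposure.
        return "ANONYMOUS-ADMIN"
    if not authenticated:
        return "CONDITION-1"            # anonymous, but MCAUSER limits privilege
    if admin:
        return "AUTHENTICATED-ADMIN"    # only authenticated users, and they are admins
    return "CONDITION-2"                # authenticated and privilege-limited


def audit(text):
    """Return {channel name: category} for every inbound channel in the output."""
    return {
        chl["CHANNEL"]: classify(chl)
        for chl in parse_display_channel(text)
        if chl.get("CHLTYPE") in INBOUND_TYPES
    }


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_DISPLAY).items():
        print(f"{name:32} {verdict}")
```

Run it against a saved copy of `echo "DISPLAY CHANNEL(*)" | runmqsc QMGR` instead of the constructed sample to see which channels fall under the two conditions; the sender channel in the sample is skipped because it has no MCAUSER to evaluate.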

For now the fix is available separately but it will be incorporated into the 6.0.2.6 and 7.0.1.0 releases of WebSphere MQ.  Additional information may be found in APAR IZ50784.

Posted in IBMMQ, News, WMQ Security | Leave a comment