Deep Queue #11: Security breaches are not news?

The subject of the UC Berkeley data breach was discussed on the May 15th Security Squad podcast.  The thing that struck me was that the breach itself was not the topic of conversation; rather, the debate was about whether the breach was in fact newsworthy.  If you are not familiar with it, 160,000 Social Security numbers and medical information were stolen in the UC Berkeley data breach.  This notion that breaches of the “trusted” internal network are so common that it’s possible to discuss with a straight face whether a breach of this magnitude is newsworthy is itself worthy of some discussion.

In this episode of The Deep Queue, I tackle this topic as well as the idea of software “never events”.  The term was coined in the medical professions to refer to preventable events with serious or deadly consequences: the kind of events that should never happen, such as operating on the wrong body part or wrong person.  The National Quality Foundation has developed a list of 28 such events which are used to report and track quality of care across the nation.  Bob Charette guested on the CERT Security podcast to campaign for a similar set of events in the software industry.  In this episode of The Deep Queue, I propose my own list of WebSphere MQ never events.

Posted in DeepQueue, IBMMQ, Podcast, WMQ Security

WANTED DEAD OR ALIVE: WMQ Security exits

As you know, there are some security functions in WebSphere MQ that require an exit.  By now everyone should be familiar with BlockIP2, the well-known channel security exit.  But there are a couple of other requirements that a channel exit can’t meet.  In this post I’ll describe what those are and post some specs for an exit.  I’m not qualified to write an exit but I’m hoping someone who is will do so.  If ever these exits show up on the Internet, you can bet I’ll be posting links to them from my site and referring people to them in presentations…well, for at least as long as IBM doesn’t have a solution that I can point to, anyway.

Posted in IBMMQ, WMQ Security

Wrapping up IMPACT 2009

Well, this is the last day of IMPACT. It’s always lightly attended as many folks take Friday as a travel day. I have one more session this morning though. It’s the WMQ ESE introduction. Overall the WMQ security sessions were well attended. Even the small rooms were large, compared to past conferences, so my feeling is that interest in WMQ security seems to be rising. That’s a Good Thing.

I also met with many different folks in one-on-one meetings, Premium Support Zone and just walking around the hallways. It’s great to talk with you in person and is for me the most valuable part of the conference. Thanks so much for taking the time to stop and chat with me.

My theme for the conference has been “your feedback is essential”.  Phil Parry and the rest of the Usability team ran several feedback sessions during the conference, including some for WebSphere MQ.  Morag tells me she heard from many of you during the conference. The plan is coming together! Keep up the good work.

I have a day at home this weekend to wash clothes, pack, do some lawn work and then back on the road to Boston. Monday evening when I finally come up for air I plan to work on a few new postings for the blog and start on the next Mission:Messaging column. So stay tuned, more news and content is coming. One of the things I want to do is post a “security feedback reporting kit” with links to the WMQ requirements form. I hope there will be lots of comments adding to that post with more suggestions and letting us know what response you get from the lab.

That’s it for now – another customer meeting in 15 minutes to get to.

Posted in Events, General, IBMMQ, News

The Deep Queue – Episode #10: Cash in on mortgaged risk!

No, that’s not mortgage risk.  Someone’s already done that and look where it got us.  No, I’m talking about mortgaged risk – the act of saving time or money by accepting risk that is hard to measure but easy to hide or ignore.  The risk is essentially a mortgage on your future: a hidden cost that will be paid eventually.

[Image: WMQ security as practised in the real world]

In this episode of The Deep Queue I consider just how much risk has been stuffed into the closet over the years.  There’s a lot of unsecured MQ out there, after all.  Up to now I’ve focused on what it means to the companies who are exposed.  But this month I propose that this massive amount of deferred investment represents a great opportunity for companies positioned to perform assessments, implement remediations, or provide tools.

On the lighter side, listener email this month included a funny cartoon which I hope you enjoy.

Posted in DeepQueue, Events, IBMMQ, Podcast, WMQ Security

Schedule for IMPACT

This post is really more for me than anyone else.  I’ll be at IMPACT 2009 next week and need a handy place to track my schedule.

Sunday:    16:00 - 17:00 Premium Support Welcome Reception Venetian's Orchid Restaurant
Monday:    11:00 - 12:15 TMC-1054A Basic WMQ Security      Delfino 4101B
Tuesday:   07:15 - 08:15 Breakfast meeting w/customer      Dining hall
Tuesday:   12:00 - 13:00 Lunch Tweetup http://twtvite.com/8v0k9t
Tuesday:   13:30 - 14:45 TMC-1465A WMQ ESE                 Delfino 4101B
Tuesday:   19:00 - 20:30 Customer dinner                   Table 10
Wednesday: 08:30 - 09:45 TMC-1056A Advanced WMQ Security   Lido 3003
Wednesday: 10:30 - 11:45 TMC-1054B Basic WMQ Security      Delfino 4103
Wednesday: 12:00 - 13:30 Premium Zone Meet the Experts     Veronese 2503
Wednesday: 16:45 - 18:00 TMC-1056B Advanced WMQ Security   Delfino 4101B
Wednesday: 18:15 - 19:15 TMC-1486A WMQ BOF                 Marco Polo 703
Wednesday: 19:30 - 21:00 ISSW Conference team              Sushi Samba
Thursday:  07:00 - 08:00 BPM Consultations                 Bassano 2704
Thursday:  09:00 - 10:00 Customer breakfast                Grand Luxe Cafe
Thursday:  10:00 - 11:00 Customer meeting                  Phone
Thursday:  12:00 - 13:00 Lunch w/Adrian                    Dining hall
Thursday:  15:15 - 16:15 Customer meeting                  Cyber Cafe
Thursday:  16:45 - 18:00 Customer feedback session         Marco Polo 706
Friday:    10:30 - 11:45 TMC-1465B WMQ ESE                 Delfino 4101B

See the IMPACT Tweet-ups at TWTVite by searching on Las Vegas. Join the IMPACT social network at Event Vue here.

Posted in Errata, Events, News

Administering FTE from stand-alone explorer

Rich Cumbers posted a mini how-to describing the procedure to install the WMQ File Transfer Edition plug-in into the stand-alone WebSphere MQ Explorer.  Should be very useful.

Posted in IBMMQ, MQMFT, News

WMQ Humor

Resurrecting something I wrote back in 2003 over a lunch break:

MQ Message pick-up lines…

Your queue or mine?
What’s your sign-bit?
Is that a COA in your message descriptor, or are you just glad to see me?
What’s a message like you doing in a queue like this?
You look like you’ve got a good message header on your shoulders.
With your payload and my routing information, we could really go places!
Is this buffer taken?
You remind me of my first QMgr.
You make my HBINT go wild!
Does this channel go all the way to Chicago?
I must have expired because I’m looking at an angel!
Your message segments are in all the right places!
I’ll bet our code pages are compatible.
Don’t tell anyone, but I’m a message channel secret-agent.
Wanna be in my cluster?

MQ Message rejections…

I’m GET Disabled.
I could never commit to a message like you.
Come back when you have a higher priority.
Not even if you were the last message in the queue!
Your backout-count is showing.
I’m in a proprietary format and you could never parse me.
You are a Dead Letter entry waiting to happen.
Locked by another process.
Don’t let the message exit hit you on the ass on the way out!
You sure are persistent, aren’t you?
User-defined format? Right! Like I haven’t heard THAT before!
You’re ASCII and I’m EBCDIC. It would never work out.
You’ve expired and don’t even know it.
Sorry, no available BROWSE handles.
You’ve obviously mistaken me for an event message.
GET WAIT forever, buddy!

MQ Message Sour Grapes…

It was probably a poison message anyway.
That “Rules and Format Header” should’ve been my first clue.
Every time I meet a really nice message, it’s addressed to a remote node.
Messages. Give ’em a K and they’ll take a MB.
Ok, new rule – never date a message from a queue-sharing group!
Well, I didn’t really want to convert just for the relationship.
Never trust a message with an alias queue name.
That other message was probably going to expire soon anyway.
That’s the last time I’ll ever bare my context information over a drink!
More like a hair-trigger message if you ask me!
Momma told me never to mix with MSMQ messages.
That message was too old a version for me anyway.
I guess we’ll always be in different units of work.
Seems like all the really good messages are under syncpoint.
Ok, that’s it. I’m giving up message affinities altogether!

Posted in Humor

Slides for PCI Knowledgebase webinar posted

Join me Wednesday April 15th @ Noon Eastern for a webinar hosted by the fine folks at PCI Knowledgebase.com on the topic of WebSphere MQ for QSA’s.  Register for the webinar at this link.  The slides have been posted here.

Posted in Events, IBMMQ, News, WMQ Security

Webinar: WMQ Security for QSA's April 15th

I will be presenting a webinar on April 15th, hosted by the fine folks at PCI Knowledgebase. The purpose of the webinar will be to introduce Qualified Security Assessors, or QSA’s as they are known, to the concept of WebSphere MQ and give them tools to audit the configurations.

If you have read anything I’ve EVER written you are probably aware that WMQ security is not well implemented in general. But I’ve recently worked with a number of clients who were either card payment processors or merchants, all of whom had been declared PCI compliant but were running WMQ wide open. It became clear to me that the assessment and enforcement folks could benefit from the same WMQ security outreach that up to now I have directed to administrators and developers.

For more info or to sign up for the webinar, go to PCI Knowledgebase at this link.

Posted in IBMMQ, News, WMQ Security

When automatic translators go wrong…very wrong!

I just found a blog post about WMQ security that has, I believe, been run through an automated translation service with unintentionally hilarious results.   Here’s an excerpt:

WMQ Adventurer authenticating a connexion to a queue director
For both waiter and client hallmark, the queue director demands:

  • The personal credential released to the queue director by it Holds Calcium ( credential authorization )
  • The queue director ‘s private key
  • The Ca ( certification dominance ) credential for WMQ Adventurer, or the personal certification published to WMQ Adventurer by it Holds Calcium

all of which will be comprised in a cardinal deposit file ( frequently key.kdb ), placed by the queue director ‘s SSLKEYR property.

Of course, “waiter” is “server” and “cardinal deposit file” is “key store file” but I’m still trying to figure out which CA company name was translated to become “it Holds Calcium”.  And I kinda like “MQ Adventurer” as an alternative to MQ Explorer.  Conjures up images of Indiana Jones moonlighting as a Sysadmin.

(With apologies to the author because I believe it was written in earnest.)

Posted in General, Humor, IBMMQ, WMQ Security