Links for this episode:

IBM e-notifications service
http://www-01.ibm.com/software/websphere/support/einfo.html

Security Now podcast: http://bit.ly/2sLizB
The episode you want is #223 and it should be online this Thursday, November 19th.

Presentation: New Tricks For Defeating SSL In Practice http://bit.ly/NPtwf
from Black Hat 2009 by Moxie Marlinspike

Tools: SSLSTRIP from thoughtcrime.org http://bit.ly/3mu8QB
Provided by Moxie Marlinspike

The second segment is all about the new v7.0.1 of WebSphere MQ!  Yes, the long awaited refresh pack is released and you can download it now.  In addition, the product manuals are all updated with the new features.  The v7.0 release was massive and it seems hard to believe it would be followed so quickly by another release with this much functionality but the folks in Hursley apparently don’t sleep.  There’s lots of detail in the podcast and at the links below.

Links for this episode:

IBM WebSphere MQ V7.0 is enhanced with increased availability, security, and governance
IBM United States Software Announcement 209-245
August 25, 2009
http://bit.ly/1anQmy

IBM WebSphere MQ for z/OS V7.0.1 delivers storage and memory improvements and increased availability for queue-sharing groups
IBM United States Software Announcement 209-248
August 25, 2009
http://bit.ly/3bv4pv

developerWorks: Mission:Messaging: Planning for SSL on the WebSphere MQ network
http://bit.ly/3loir

The week delay worked out great though, because last week a friend contacted me to tell me his shop needs to remediate for PCI compliance.  He has a hundred days to create a segmented MQ network within which to isolate his PCI applications.  The time limit is due to having found out about the problems in the course of an audit rather than through independent research or assessment.  Since this is likely to be a growing problem, it turned out to be my topic for this month’s episode.

The reason I think this will be a growing problem is that I am among the folks talking with the assessment community about WMQ security, the implementation gaps that are commonly seen and methods for assessment and remediation that are currently available.   Hopefully, the participation of the assessment community will result in refining these existing tools and creating best practices for securing MQ in a regulatory compliance context such as PCI.

I’m also excited to be working with some old friends at Evans Resource Group.  ERG is building a business around helping assessors get up to speed with WebSphere MQ.  They are creating a curriculum and tools and are already working with some of their first clients in this space.  Many of the folks at ERG are Reconda alums who I worked with to develop AppWatch so I’m confident they will do a great job.  I’ll be working with them next week to help them develop and fine-tune their content and get the reactions of those initial clients.

Lots more about all this in the podcast so please download it or the transcript and let me know your thoughts.

Also, don’t forget to sign up for the webinar I’m giving July 10th at noon Eastern, entitled What You Don’t Know About Middleware Vulnerabilities Will Hurt You.  The webinar is structured for assessors and  QSAs and includes my 5-Minute WebSphere MQ Assessment.

Links from the podcast:

PCIKnowledgebase.com: http://PCIKnowledgebase.com

Webinar: What You Don’t Know About Middleware Vulnerabilities Will Hurt You
https://www2.gotomeeting.com/register/848961386

Evans Resource Group home page: http://www.evansresourcegroup.com

Evans Resource group free MQ security check:
http://www.evansresourcegroup.com/technologies-6b.html

Prolifics home page: http://www.prolifics.com

Prolifics free MQ Health and Security Check:
http://www.prolifics.com/Collateral/Documents/English-US/service-brochures/Prolifics_WebSphereMQ_HealthSecurityCheck.pdf

Capitalware homepage: http://www.capitalware.biz

Capitalware consulting services: http://www.capitalware.biz/services.html

Primeur homepage: http://www.primeur.com

Primeur Data Secure for WebSphere MQ:
http://www.primeur.com/products/data_security/spazio_data_secure.html#dswmq

In this episode of The Deep Queue, I tackle this topic as well as the idea of software “never events”.  The term was coined in the medical professions to refer to preventable events with serious or deadly consequences.  The kind of events that should never happen such as operating on the wrong body part or wrong person.  the National Quality Foundation has developed a list of 28 such events which are used to report and track quality of care across the nation.  Bob Charette guested on the CERT Security podcast to campaign for a similar set of events in the software industry.  In this episode of The Deep Queue, I propose my own list of WebSphere MQ never events.

Links for this episode:

University of California Berkeley Data Breach
http://datatheft.berkeley.edu/news.shtml
Security Squad, SearchSecurity.com podcast for May 15, 2009
http://itknowledgeexchange.techtarget.com/security-wire-weekly/squad-data-breach-burn-out/

PrivacyRights.org Chronology of Data Breaches
http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP

BankInfoSecurity.com – List of banks reported to have been affected by the Heartland breach tops 600
http://www.bankinfosecurity.com/articles.php?art_id=1200

National Quality Forum – Serious Reportable Events (a.k.a. “Never Events”)
http://www.qualityforum.org/projects/completed/sre/fact-sheet.asp

CERT Security podcast series for May 5, 2009
http://www.cert.org/podcast/

WebSphere MQ Security Heats Up – Blog post with downloadable setmqaut scripts to secure administrative access to WebSphere MQ.
http://t-rob.net/2008/07/08/websphere-mq-security-heats-up/

In this episode of The Deep Queue I consider just how much risk has been stuffed into the closet over the years.  There’s a lot of unsecured MQ out there, after all.  Up to now I’ve focused on what it means to the companies who are exposed.  But this month I propose that this massive amount of deferred investment represents a great opportunity for companies positioned to perform assessments, implement remediations, or provide tools.

On the lighter side, listener email this month included a funny cartoon which I hope you enjoy.

“What do you mean ‘turn on’ security?” I asked.  “What is it exactly you want security to do for you?”

“Well, you know…SECURE THE QUEUE MANAGER!” came the annoyed reply.

“What I mean is, are you trying to protect from eavesdropping, denial of service, message injection or what?  And do you want prevention, detection or forensic capabilities?”

Since nobody there had thought about it in these terms, the answer back was “I don’t know, we will get back to you.”  My dilemma is that if I have a ready-made answer for “how to turn on MQ security” it is likely not to address the real requirements…but at least I get work.  If I try to drive out the real requirements, I put myself on the bench.

[display_podcast]

Links for this episode:
WMQ Security webinar for QSA’s, internal auditors, security professionals and anyone interested in knowing how to tell if your WebSphere MQ network leaks administrative access: PCIKnowledgebase.com http://is.gd/qqOX

The Black Swan by Nassim Nicholas Taleb:  http://is.gd/qqXX

One of the items in the podcast suggests some corrections to scripts listed in the “Using MQ Explorer as a read-only viewer” post over at the Hursley View on WebSphere MQ blog.  I have excerpted a portion of the setmqaut commands from that post here:

setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p YOUR_USER_NAME +get +browse +inq
setmqaut -m YOUR_QUEUE_MANAGER -t q -n 'AMQ.**' -p YOUR_USER_NAME +all
setmqaut -m YOUR_QUEUE_MANAGER -t q -n 'MQAI.**' -p YOUR_USER_NAME +all

My recommendation is to delete the last two lines.  When you create a dynamic queue, MQ grants you complete access to the queue.  There is no need to pre-authorize that access.  The effect of the two commands above is to grant you ALL access to ALL dynamic queues that match the AMQ.** or MQAI.** profiles.

So for example, if you have an application that uses AMQ.** as it’s dynamic queue name prefix, anyone using the rights granted above can read messages from your dynamic queue as they arrive, update them, and write them back to the queue in one transaction.  Your application will never be aware of this man-in-the-middle attack and I have complete control over the responses your application sees.

Of course, the -p should be changed to a -g as well to force the user to explicitly select the group that is authorized. The -p option only works the way you expect on Windows servers, and then only if the principal is fully qualified, such as -p user@domain or -p user@host.

Links for this episode:

MSoT SupportPac – Stand-alone WebSphere MQ Explorer
http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg24021041

Latest payment processor breach coverage from DataBreaches.net

Just weeks after Heartland breach, another payment processor said to be hit
http://www.databreaches.net/?p=1728

And the rumor mills kick into higher gear
http://www.databreaches.net/?p=1756

No, the unnamed processor breach is not another Heartland breach
http://www.databreaches.net/?p=1807

US Department of Justice
Two plead guilty to defrauding trucking companies in multi-million dollar scheme that used Internet site
http://www.usdoj.gov/criminal/cybercrime/lakesPlea.pdf

developerWorks article: Securing WebSphere MQ File Transfer Edition V7
http://www.ibm.com/developerworks/websphere/library/techarticles/0902_wyatt/0902_wyatt.html

Blog: A Hursley View on WebSphere MQ
Using WebSphere MQ Explorer as a read-only viewer
http://hursleyonwmq.wordpress.com/2007/02/08/using-websphere-mq-explorer-as-a-read-only-viewer/

APAR IC58952: INCORRECT C and .NET CLIENT RC WHEN SCYEXIT CLOSES CHANNEL
http://www-01.ibm.com/support/docview.wss?uid=swg1IC58952

APAR IC58878: MANAGED WMQ V7 .NET ERRORS USING SECURITY EXITS
http://www-01.ibm.com/support/docview.wss?uid=swg1IC58878

WebSphere MQ planned maintenance release dates
http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg27006309

Combined interim fix for Data Integrity APAR IC60063 and Security Vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg24022268

APAR IC60063 – Data integrity exposure for circular logging queue managers
http://www.ibm.com/support/docview.wss?uid=swg1IC60063

APAR IZ40824 – Security vulnerability
http://xforce.iss.net/xforce/xfdb/48529

This episode also contains an installment of Random MQ Stuff.  Links are below.

Subscribe: 

Links for this episode:

Minimize attack surface area (OWASP) –
http://www.owasp.org/index.php/Minimize_attack_surface_area

WebSphere MQ Fix Pack 7.0.0.1 – http://is.gd/i1Da

APAR’s in 7.0.0.1 cited in this podcast: IC56408, IC58577, IC58797, IZ17158, IZ18954, IZ27491, IZ27588, IZ28844

SupportPac MS03 – http://is.gd/i1Da

IBM Consumability Surveys
Managing WebSphere Products – http://is.gd/i1Da
WebSphere MQ API Exerciser Survey – http://is.gd/i1GL

But if companies don’t want to implement security to protect against honest mistakes, perhaps they will if there is a credible outsider threat.  In this episode I argue that such a threat is real and to back that up I cite six US DOJ press releases from just the last two months describing malicious corporate network intrusions.  The press releases also give us some insight into the state of tools available for cybercriminals and the degree to which the tools have been weaponized.

Links for this episode:

SAN JOSE WOMAN CHARGED WITH FRAUD IN CONNECTION WITH A PROTECTED COMPUTER

http://www.usdoj.gov/criminal/cybercrime/leotiotaIndict.pdf

FORMER IT MANAGER SENTENCED TO PRISON FOR HACKING INTO PREVIOUS EMPLOYER’S COMPUTER SYSTEM AND CAUSING DAMAGE

http://www.usdoj.gov/criminal/cybercrime/barnesSent.pdf

JUVENILE COMPUTER HACKER PLEADS GUILTY

http://www.usdoj.gov/criminal/cybercrime/dshockerPlea.pdf

Multi-Million Dollar Home Equity Line of Credit, Identity Theft and Computer Intrusion Ring Busted

http://www.usdoj.gov/criminal/cybercrime/polkCharge.pdf

HACKER CHARGED WITH PROVIDING DATA THEFT TOOL IN NATIONAL IDENTITY THEFT CASE

http://www.usdoj.gov/criminal/cybercrime/wattCharge.pdf

FORMER MASSACHUSETTS INMATE ARRESTED FOR HACKING PRISON COMPUTER TO ACCESS PRISON MANAGEMENT PROGRAM

http://www.usdoj.gov/criminal/cybercrime/janoskoIndict.pdf

Boffins bust web authentication with game consoles

http://www.theregister.co.uk/2008/12/30/ssl_spoofing/

]]> https://t-rob.net/2009/01/01/the-deep-queue-episode-6-the-myth-of-the-trusted-internal-network/feed/ 1 195 dq@t-rob.net (T.Rob Wyatt) https://t-rob.net/2008/12/02/the-deep-queue-episode-5-wmq-security-news-and-random-wmq-stuff/ https://t-rob.net/2008/12/02/the-deep-queue-episode-5-wmq-security-news-and-random-wmq-stuff/#respond Tue, 02 Dec 2008 08:30:09 +0000 http://t-rob.net/?p=171 Continue reading →]]> The Deep Queue Episode #5 is now online.  In this episode we cover some WMQ security news and introduce a new segment called Random WMQ Stuff which is pretty much what it sounds like.  We also now have an iTunes feed.  Please let me know if you have any problems with it.  The link to the iTunes feed and all the other links are posted below.

Links for this episode:

Deep Queue iTunes feed

IMPACT 2009
IMPACT 2009 Call for Speakers

Prolifics presentation WebSphere MQ Enterprise Security: A Series of Defenses to Withstand the Test of Time

MITRE CVE web site
US National Vulnerability Database

Fix list for WMQ 5.3 on HP Non-Stop
Fix list for WMQ 6.0

MWR Infosecurity Events page
MWR Infosecurity Middleware Threats presentation
MWR Infosecurity Labs

WebSphere MQ File Transfer Edition
WMQ FTE Availability