DeepQueue – Store and Forward

By T.Rob Wyatt


Discussion and news about WebSphere MQ security.




Nov. 27, 2009
This episode of The Deep Queue celebrates the first birthday of the podcast with some discussion of the SSL protocol vulnerability that was recently discovered. Although there has been no announcement with regard to WebSphere MQ, I try to put …
Aug. 28, 2009
After a month-long unplanned hiatus, The Deep Queue is back. This month we are talking about high availability, which is obviously something The Deep Queue lacks. This may not seem like a security topic at first glance but to my way of thinking it is. There is no perfect security so, no matter how much you invest in protection, it’s a good idea to assume there will be a breach at some point. When that happens you need to detect it and recover from it. For that reason, whenever I perform a security assessment, monitoring and recovery are considered.
The first segment talks about planning for recovery from an adverse security event. The second segment is all about the new v7.0.1 of WebSphere MQ! Yes, the long awaited refresh pack is released and you can download it now. In addition, the product manuals are all updated with the new features. The v7.0 release was massive and it seems hard to believe it would be followed so quickly by another release with this much functionality but the folks in Hursley apparently don’t sleep. There’s lots of detail in the podcast and at the links below.
Links for this episode:
IBM WebSphere MQ V7.0 is enhanced with increased availability, security, and governance, IBM United States Software Announcement 209-245, August 25, 2009
IBM WebSphere MQ for z/OS V7.0.1 delivers storage and memory improvements and increased availability for queue-sharing groups, IBM United States Software Announcement 209-248, August 25, 2009
developerWorks: Mission:Messaging: Planning for SSL on the WebSphere MQ network
July 4, 2009
The June 29 episode of The Deep Queue is finally up! Sorry about the delay, I was on an engagement last week that had me staying over the weekend in Boston to perform a production implementation on Saturday. Although I’ve got a great recording setup at home, I’m afraid I don’t have decent equipment to do the podcast on the road. Instead, I flew my wife up to Boston and we spent Sunday at the aquarium and then went to see Blue Man Group.
The week delay worked out great though, because last week a friend contacted me to tell me his shop needs to remediate for PCI compliance. He has a hundred days to create a segmented MQ network within which to isolate his PCI applications. The time limit is due to having found out about the problems in the course of an audit rather than through independent research or assessment. Since this is likely to be a growing problem, it turned out to be my topic for this month’s episode.
The reason I think this will be a growing problem is that I am among the folks talking with the assessment community about WMQ security, the implementation gaps that are commonly seen and methods for assessment and remediation that are currently available. Hopefully, the participation of the assessment community will result in refining these existing tools and creating best practices for securing MQ in a regulatory compliance context such as PCI.
I’m also excited to be working with some old friends at Evans Resource Group. ERG is building a business around helping assessors get up to speed with WebSphere MQ. They are creating a curriculum and tools and are already working with some of their first clients in this space. Many of the folks at ERG are Reconda alums who I worked with to develop AppWatch so I’m confident they will do a great job. I’ll be working with them next week to help them develop and fine-tune their content and get the reactions of those initial clients.
Lots more about all this in the podcast so please download it or the transcript and let me know your thoughts. Also, don’t forget to sign up for the webinar I’m giving July 10th at noon Eastern, entitled What You Don’t Know About Middleware Vulnerabilities Will Hurt You. The webinar is structured for assessors and QSAs and includes my 5-Minute WebSphere MQ Assessment.
Links from the podcast:
Webinar: What You Don’t Know About Middleware Vulnerabilities Will Hurt You
Evans Resource Group home page:
Evans Resource group free MQ security check:
Prolifics home page:
Prolifics free MQ Health and Security Check:
Capitalware homepage:
Capitalware consulting services:
Primeur homepage:
Primeur Data Secure for WebSphere MQ:
May 25, 2009
The subject of the UC Berkeley data breach was discussed on the May 15th Security Squad podcast. The thing that struck me was that the breach itself was not the topic of conversation but rather the debate was about whether the breach was in fact newsworthy. If you are not familiar with it, 160,000 Social Security numbers and medical information were stolen in the UC Berkeley data breach. This notion that breaches of the “trusted” internal network are so common that it’s possible to discuss with a straight face whether a breach of this magnitude is newsworthy is itself worthy of some discussion.
In this episode of The Deep Queue, I tackle this topic as well as the idea of software “never events”. The term was coined in the medical professions to refer to preventable events with serious or deadly consequences. The kind of events that should never happen such as operating on the wrong body part or wrong person. The National Quality Foundation has developed a list of 28 such events which are used to report and track quality of care across the nation. Bob Charette guested on the CERT Security podcast to campaign for a similar set of events in the software industry. In this episode of The Deep Queue, I propose my own list of WebSphere MQ never events.
Links for this episode:
University of California Berkeley Data Breach
Security Squad, podcast for May 15, 2009
Chronology of Data Breaches – List of banks reported to have been affected by the Heartland breach tops 600
National Quality Forum – Serious Reportable Events (a.k.a. “Never Events”)
CERT Security podcast series for May 5, 2009
WebSphere MQ Security Heats Up – Blog post with downloadable setmqaut scripts to secure administrative access to WebSphere MQ.
May 3, 2009
No, that’s not mortgage risk. Someone’s already done that and look where it got us. No, I’m talking about mortgaged risk – the act of saving time or money by accepting risk that is hard to measure but easy to hide or ignore. The risk is essentially a mortgage on your future. A hidden cost that will be paid eventually.
In this episode of The Deep Queue I consider just how much risk has been stuffed into the closet over the years. There’s a lot of unsecured MQ out there, after all. Up to now I’ve focused on what it means to the companies who are exposed. But this month I propose that this massive amount of deferred investment represents a great opportunity for companies positioned to perform assessments, implement remediations, or provide tools.
On the lighter side, listener email this month included a funny cartoon which I hope you enjoy.
April 3, 2009
This episode of The Deep Queue takes its inspiration from the thousandth time I was asked how to “turn on MQ security”. Yes, that’s right, the thousandth time. At least since I’ve been counting. There were perhaps half a thousand instances before I started keeping track. Unlike being the millionth customer at the local hair salon, you don’t want to be the thousandth person to ask me how to “turn on MQ security”.
“What do you mean ‘turn on’ security?” I asked. “What is it exactly you want security to do for you?”
“Well, you know…SECURE THE QUEUE MANAGER!” came the annoyed reply.
“What I mean is, are you trying to protect from eavesdropping, denial of service, message injection or what? And do you want prevention, detection or forensic capabilities?”
Since nobody there had thought about it in these terms, the answer back was “I don’t know, we will get back to you.” My dilemma is that if I have a ready-made answer for “how to turn on MQ security” it is likely not to address the real requirements…but at least I get work. If I try to drive out the real requirements, I put myself on the bench.
Links for this episode:
WMQ Security webinar for QSAs, internal auditors, security professionals and anyone interested in knowing how to tell if your WebSphere MQ network leaks administrative access:
The Black Swan by Nassim Nicholas Taleb:
Feb. 28, 2009
This episode of The Deep Queue contains news about the new MSoT stand-alone WMQ Explorer SupportPac, yet another payment processor data breach, updates to some items we’ve covered in the past and breaking news about a WebSphere MQ interim fix …
Feb. 2, 2009
This installment of The Deep Queue is about improving security by reducing the number of attack vectors that are exposed. Given two systems with equivalent functionality the one with more exposed attack vectors is said to have a “larger attack surface”. As I explain in the podcast, having a smaller attack surface doesn’t automatically result in a more secure system, but it sure helps. There’s a possibility that having a smaller attack surface makes you more likely to be the victim of a hit-and-run driver but you’ll have to listen to the podcast to understand why.
This episode also contains an installment of Random MQ Stuff. Links are below.
Links for this episode:
Minimize attack surface area (OWASP) –
WebSphere MQ Fix Pack –
APARs cited in this podcast: IC56408, IC58577, IC58797, IZ17158, IZ18954, IZ27491, IZ27588, IZ28844
SupportPac MS03 –
IBM Consumability Surveys
Managing WebSphere Products –
WebSphere MQ API Exerciser Survey –
Jan. 1, 2009
In this episode of The Deep Queue I explain why I believe the “trusted internal network” is a myth. Many of the problems that I see on consulting assignments would have been prevented by the same security measures I recommend to protect against malicious attacks. Except the incidents in question are not usually malicious, they are just human error. In most of these cases the fact that there are no secondary firewalls around Production assets, no defense in depth and no checks and balances allows a simple mistake to blossom into a full-scale incident with serious financial, and often reputational, damage.
But if companies don’t want to implement security to protect against honest mistakes, perhaps they will if there is a credible outsider threat. In this episode I argue that such a threat is real and to back that up I cite six US DOJ press releases from just the last two months describing malicious corporate network intrusions. The press releases also give us some insight into the state of tools available for cybercriminals and the degree to which the tools have been weaponized.
Links for this episode:
SAN JOSE WOMAN CHARGED WITH FRAUD IN CONNECTION WITH A PROTECTED COMPUTER
FORMER IT MANAGER SENTENCED TO PRISON FOR HACKING INTO PREVIOUS EMPLOYER’S COMPUTER SYSTEM AND CAUSING DAMAGE
JUVENILE COMPUTER HACKER PLEADS GUILTY
Multi-Million Dollar Home Equity Line of Credit, Identity Theft and Computer Intrusion Ring Busted
HACKER CHARGED WITH PROVIDING DATA THEFT TOOL IN NATIONAL IDENTITY THEFT CASE
FORMER MASSACHUSETTS INMATE ARRESTED FOR HACKING PRISON COMPUTER TO ACCESS PRISON MANAGEMENT PROGRAM
Boffins bust web authentication with game consoles
Dec. 2, 2008
The Deep Queue Episode #5 is now online. In this episode we cover some WMQ security news and introduce a new segment called Random WMQ Stuff which is pretty much what it sounds like. We also now have an iTunes …