ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General Discussion » Defcon 15 MQ session

Post new topic  Reply to topic
 Defcon 15 MQ session « View previous topic :: View next topic » 
Author Message
RogerLacroix
PostPosted: Fri Jul 20, 2007 11:50 am    Post subject: Defcon 15 MQ session Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

All,

I just found out that the Defcon 15 Conference will have a session on MQ security holes. The session is called MQ Jumping and will be given by Martyn Ruks.

He is going to be giving the session with a live demo and will be listing the exploits.

Here's the link that describes the session:
http://www.defcon.org/html/defcon-15/dc-15-speakers.html#Ruks


Is anybody going to Defcon 15? If so, can you give us feedback on the session? Which exploits did he list? How was the session? etc...


Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
Michael Dag
PostPosted: Sun Aug 05, 2007 1:48 am    Post subject: Re: Defcon 15 MQ session Reply with quote

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

just relaying a message from T.Rob on the MQSeries Listserver we should all be aware of:

T.Rob wrote:
It worked out that I was able to go to Defcon 15, meet Martyn Ruks and attend his "Jumping MQ" session. The interesting thing is that Martyn is a security consultant and penetration tester and knew very little about WMQ going in. Instead of starting with the IBM-provided tools like the WMQ client code, he sniffed the network packets and reverse-engineered the protocol. He then wrote some Python code to simulate a client channel, including the SSL handshakes. With this Python code he was able to remotely connect to a QMgr, create a WMQ service to execute OS level commands and then put messages onto an initiation queue which also ran OS-level commands.

If you've never been to a Defcon, think of the "Lone Gunmen" guys from X-Files and then multiply by a few hundred. Then add in girls in short skirts, combat boots and pink hair. There were a few suits at the convention but they were the Feds giving the "Meet the Feds" sessions.
Upstairs in the "WiFi Cafe" the intent was not to provide Internet access but rather they were having contests to see who could successfully exploit vulnerabilities in Wireless Equivalent Protocol and other such games of sport. Now that you have a picture of the crowd, know that the session on MQ was in one of two main tent rooms and it was packed. People started showing up 10 minutes prior to the end of the previous session to get seats and by the time Martyn started, they were stacked up along the walls. It was pretty scary to look over this particular crowd with the realization that there was so much interest in WMQ. If your shop has taken a relaxed stance on WMQ security, this would be a good time to assess and remediate.

In his research, Martyn discovered two interesting vulnerabilities working directly with the protocol. First, it was possible to bypass a server-side security exit and second that it was possible to bypass the MCAUSER setting in the channel. These are two things we rely heavily on for WMQ security so this was distressing news. The good news though is that he reported these to IBM and a new fix was released as of last Friday that addresses both issues. Go to...
http://www-1.ibm.com/support/docview.wss?rs=171&context=SSFKSJ&dc=D600&uid=swg21266976&loc=en_US&cs=UTF-8&lang=en

...for details.

There were no other exploits or recommendations that the community here does not already know about. Martyn talked about how the default configuration was vulnerable and advised folks to turn on security. He advised to use SSL, MCAUSER, low-privileged accounts for trigger monitors, not to use channel auto-definition and so forth. Because the target audience has almost no familiarity with WMQ, the session was fairly high-level. But Martyn did post links to the Infocenter, Perl classes and some tools so folks could get up to speed quickly.

Unlike many other products such as many web servers and operating systems, there are no publicly available WMQ security baselines or penetration test tools so security is still more of an art than a science - and a black art at that. Martyn's presentation positioned WMQ as running mission critical applications in large corporations. Outside of people who use it, WMQ has had a very low profile up to now. These three factors combine to make WMQ a very interesting product for this community. From their perspective, large attractive corporate targets use the software, there is a tremendous potential for harm (or gain), security is poorly practiced and unstructured, and the first hackers to publish tools, exploits and hacks in this space can make a name for themselves - and land jobs as security consultants. Who knows...by this time next year, the "WMQ Cafe"?

-- T.Rob

T.Robert Wyatt, Consulting IT Specialist IBM Software Services for WebSphere

_________________
Michael



MQSystems Facebook page
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
T.Rob
PostPosted: Wed Aug 08, 2007 8:13 am    Post subject: Presentations posted Reply with quote

Acolyte

Joined: 16 Oct 2001
Posts: 56
Location: Charlotte, NC

Martyn Ruks' presentation and code samples from Defcon 15 are now posted at:
http://www.mwrinfosecurity.com/news/1668.html
_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net
https://linkedin.com/in/tdotrob
@tdotrob on Twitter
Back to top
View user's profile Send private message Visit poster's website
T.Rob
PostPosted: Fri Aug 10, 2007 3:56 am    Post subject: Clarification... Reply with quote

Acolyte

Joined: 16 Oct 2001
Posts: 56
Location: Charlotte, NC

In an earlier post I wrote about channel security vulnerabilities that were revealed at Defcon 15 by Martyn Ruks in which I credited him for finding the vulnerability and reporting it. This morning I received an email informing me that National Australia Bank had also found and reported the same or similar problem and that the folks there were planning to speak about it as well. There is some concern about my having given credit to Martyn for the find and apparently some controversy about who should be credited for the find.

Please let me say that I'm sorry if I spoke out of turn. When I wrote my post I was aware only of Martyn's work in this area. I have no knowledge of who reported what or when, and it was not my intention to give official credit to anyone for the find but rather to get the information out that a vulnerability exists and to provide the link to the patch. Martyn's was the only work in this area that I was aware of at the time and I reported the situation as I understood it then.

Unfortunately, I am not in any position to set this to rest. I simply ask that my original post not be taken as IBM's official credit for the find. I leave that up to the folks in Hursley. In the meantime, please let's not let this distract us from the greater discussion about improving the security configurations in our own shops.

Gary Blair of National Australia Bank will be speaking at the Gartner IT Security Summit in Sydney on Tuesday the 14th and discussing their role in finding and reporting vulnerabilities in a number of commercial products, including WebSphere MQ.
Conference page: http://www.gartner.com/2_events/conferences/sec3a.jsp
Gary's session: http://agendabuilder.gartner.com/sec3a/WebPages/SessionDetail.aspx?EventSessionId=930
_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net
https://linkedin.com/in/tdotrob
@tdotrob on Twitter
Back to top
View user's profile Send private message Visit poster's website
ayhz1ab
PostPosted: Sat Oct 27, 2007 3:29 pm    Post subject: Reply with quote

Newbie

Joined: 27 Oct 2007
Posts: 1

here is the video link for the Defcon 15 - T205 MQ Jumping presentation

http://video.google.co.uk/videoplay?docid=-8419995190349463473

enjoy
Back to top
View user's profile Send private message
tleichen
PostPosted: Mon Oct 29, 2007 11:46 am    Post subject: Reply with quote

Yatiri

Joined: 11 Apr 2005
Posts: 663
Location: Center of the USA

Was sad to see that the video on this was so poor. I suppose it's because they are selling it on dvd (presumably a more decent copy).
_________________
IBM Certified MQSeries Specialist
IBM Certified MQSeries Developer
Back to top
View user's profile Send private message
George Carey
PostPosted: Tue Oct 30, 2007 12:10 pm    Post subject: video not all that bad Reply with quote

Knight

Joined: 29 Jan 2007
Posts: 500
Location: DC

The video was not that bad at all ...

Screen text illegible on some slides but likely the same if there live and speakers audio gave key information anyway...

Very worthwhile overall, IMHO ... !!
_________________
"Truth is ... grasping the virtually unconditioned",
Bernard F. Lonergan S.J.
(from book titled "Insight" subtitled "A Study of Human Understanding")
Back to top
View user's profile Send private message Visit poster's website AIM Address
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General Discussion » Defcon 15 MQ session
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.