"iBrute" questions iCloud Security

Even Apple, a heretofore breach-less vendor, has recently been found responsible for a security breach. It appears that on Sunday, August 31, 2014 a number of photos were taken from Apple iCloud. The vulnerability created the exposure known as “iBrute” and allowed access to the compromising photos: rather than locking the iCloud entry way after numerous failed attempts, the service left it open.
The vulnerability has been closed by Apple, which now locks the entry way after five missed attempts, preventing any further attempts.
There apparently was a Python-based script (which was available on GitHub) that allowed the would-be attacker to brute-force their way into the “Find My iPhone” service. The “Find My iPhone” service did not lock the gateway after repeated attempts to guess the user’s password.
The vulnerability allegedly discovered in the Find My iPhone service appears to have let attackers guess passwords repeatedly without any sort of lockout or alert to the target. Once the password had been matched, the attacker could then use it to access other iCloud functions freely.
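The missing control described above is a failure counter with a lockout and an alert. The following is an added illustration, not code from the original post or from Apple: a small login gate that refuses an account after five consecutive wrong passwords, keeps refusing it (even the correct password) until the lockout window expires, and records an alert event. The credential store, salt, clock and 15-minute window are constructed values.

```python
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5            # lock on the fifth consecutive failure, the policy described above
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked (constructed value)


def make_user(password, salt):
    """Constructed credential record: (salt, salted SHA-256). Use a slow KDF such as
    bcrypt or scrypt in production; the hashing is not the point of this example."""
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


class LoginGate:
    """Wraps a credential check with a per-account failure counter, lockout and alert log."""

    def __init__(self, users, clock=time.time):
        self.users = users                 # username -> (salt, digest)
        self.clock = clock                 # injectable so the lockout window can be tested
        self.failures = defaultdict(int)   # consecutive failures per account
        self.locked_until = {}             # username -> epoch seconds
        self.alerts = []                   # (username, time) events for the target and the SOC

    def attempt(self, username, password):
        now = self.clock()
        # 1. While locked, refuse without evaluating the password at all.
        if self.locked_until.get(username, 0) > now:
            return "locked"
        # 2. Constant-time comparison; unknown users take the same path as wrong passwords.
        salt, digest = self.users.get(username, (b"", ""))
        if hmac.compare_digest(make_user(password, salt)[1], digest):
            self.failures.pop(username, None)
            return "ok"
        # 3. Count the failure; on the fifth, lock the account and raise an alert.
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.failures.pop(username, None)
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.alerts.append((username, now))
            return "locked"
        return "denied"


def demo():
    """Five wrong guesses lock 'alice'; even the right password is refused until the window expires."""
    t = [1_000_000.0]   # constructed clock
    gate = LoginGate({"alice": make_user("correct horse", b"constructed-salt")}, clock=lambda: t[0])
    outcomes = [gate.attempt("alice", f"guess{i}") for i in range(5)]
    outcomes.append(gate.attempt("alice", "correct horse"))   # still inside the lockout
    t[0] += LOCKOUT_SECONDS + 1
    outcomes.append(gate.attempt("alice", "correct horse"))   # lockout expired
    return outcomes
```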
Although the Apple breach is the most recent cloud breach, there have been many others. In April 2011, e-mail services firm Epsilon had a cloud-based breach which cost it up to $225 million in total costs, a massive event that highlighted the often-overlooked risk of cloud-based computing systems. In early April, Epsilon, the world’s largest permission-based email marketing services company, which sends over 40 billion emails annually, reported a breach in its security.
Also in 2011 Amazon experienced a disruption to its services to popular sites like Foursquare and Quora. It is another example of a cloud failure that could prove extremely costly in the long run – and a hint of more troubles on the horizon.
With the transition of more and more services to the cloud, it’s imperative that your company secure its cloud infrastructure. There is no one “right” way to do so. Consult with business experts to ensure that your data is being secured and a sensitive breach like this does not happen to you.
The average cost to a company of a large-scale security breach is $3.5 million. If your company is a mid-market-size organization, this cost is enough to shut down operations completely. And more and more, hackers are targeting mid-market companies purely because they are aware of the lack of intense focus on cloud security.
Contact your IT experts before this cripples your business entirely. Anytime your company is handling sensitive personal data, whether it’s social security numbers or credit card numbers, it’s imperative that you have a safe security space. Because as you can see, if even the behemoth companies are susceptible, why would your company be any different?
If you have questions about your security infrastructure, contact [email protected] for a consultation. Your first conversation is a free discovery call to assess what your needs may be.
 
Image Provided by Flickr: dekuwa  https://www.flickr.com/photos/dekuwa/
Statistics provided by: Ponemon Institute

Prevent Brand Injury With A Systems Security Check

This week’s speculation (and at this point it truly is only speculation) that Home Depot might be the target of a massive data breach is rocking the retail-confidence boat a bit.
When I heard the news, I chewed on the topic of whether data breaches influence consumer buying habits. Studies claim to say yes. And I think common sense backs that up. It all falls under the banner of brand integrity, and big black eyes like data hacks lead to bad publicity and brand injury.  It can be crippling for SMBs that already toe the line of profitability.
Retail and hospitality firms are the popular targets due to their sheer amount of Electronic Data Interchange (EDI). But banks are right there too, as are insurance companies, healthcare providers and payers – the list goes on.
Any company should ask itself a simple question: What is the cost of brand injury versus the cost of server hardening and best-practice security compliance? If a company does $30 million yearly in sales, brand injury through a major data breach might easily impact sales by 2% or more in the first year. On the other hand, TxMQ can help a company get started with scoping, scanning and even systems auditing for a fraction of that cost.
For a confidential and free consultation, contact company president Miles Roty: 716-636-0070 x228, [email protected].

IBM HTTP Server Vulnerabilities: Fixlist, August 2014

IBM recently released a security bulletin with several high-priority fixes for its HTTP Server (APAR PI22070). Multiple vulnerabilities are documented with the following details and actionables:

CVE ID: CVE-2014-0226

Description: The IBM HTTP Server is vulnerable to a heap-based buffer overflow, caused by a race condition in the mod_status module when handling the scoreboard. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94678 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Workaround or Mitigation: This can be mitigated by limiting mod_status access to trusted IPs

CVE ID: CVE-2014-0231

Description: The IBM HTTP Server is vulnerable to a denial of service, caused by an error in the mod_cgid module. By sending specially-crafted requests, an attacker could exploit this vulnerability to cause a child process to hang.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94674 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Workaround or Mitigation: This does not affect the Windows platform, or systems that do not have CGI enabled

CVE ID: CVE-2014-0118

Description: The IBM HTTP Server is vulnerable to HTTP trailers being used to replace HTTP headers late during request processing, potentially confusing modules that examined or modified request headers earlier.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92235 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Workaround or Mitigation: none
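The three entries above each give a CVSS v2 vector and a base score. As an added check that is not part of IBM’s bulletin, the following recomputes the base score from each vector using the weights and formula of the CVSS v2 specification and flags any entry whose stated score disagrees. The sample bulletin text is the three entries above, retyped as input.

```python
import re

# CVSS v2 base-metric weights, taken from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # shared by the C, I and A metrics

VECTOR_RE = re.compile(r"AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])")


def base_score(vector):
    """Compute the CVSS v2 base score for a vector such as (AV:N/AC:L/Au:N/C:P/I:P/A:P)."""
    m = VECTOR_RE.search(vector)
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    av, ac, au, c, i, a = m.groups()
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176  # a vector with no impact at all scores 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def check_bulletin(text):
    """Walk a bulletin's 'CVE ID', 'CVSS Base Score' and 'CVSS Vector' lines and
    return {cve: (stated_score, recomputed_score)} so that mismatches stand out."""
    results, cve, stated = {}, None, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "CVE ID":
            cve, stated = value, None
        elif key == "CVSS Base Score":
            stated = float(value)
        elif key == "CVSS Vector" and cve is not None:
            results[cve] = (stated, base_score(value))
    return results


# Sample input: the three entries from the August 2014 bulletin above, retyped.
SAMPLE_BULLETIN = """\
CVE ID: CVE-2014-0226
CVSS Base Score: 7.5
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE ID: CVE-2014-0231
CVSS Base Score: 5.0
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE ID: CVE-2014-0118
CVSS Base Score: 5.0
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
"""


def mismatches(text=SAMPLE_BULLETIN):
    """CVE IDs whose stated score differs from the recomputed one; empty means the bulletin checks out."""
    return [cve for cve, (stated, computed) in check_bulletin(text).items() if stated != computed]
```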

Affected Products and Versions

This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:

  • Version 8.5.5
  • Version 8.5
  • Version 8.0
  • Version 7.0
  • Version 6.1
  • Version 6.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI22070 for each named product as soon as practical.
For affected IBM HTTP Server for WebSphere Application Server:

For V8.5.0.0 through 8.5.5.2 Full Profile:

Upgrade to Fix Pack 8.5.5.2 and then apply Interim Fix PI22070
–OR–
Apply Fix Pack 8.5.5.4 or later (targeted to be available 8 December 2014).

For V8.0 through 8.0.0.9:

Upgrade to Fix Pack 8.0.0.9 and then apply Interim Fix PI22070
–OR–
Apply Fix Pack 8.0.0.10 or later (targeted to be available 16 February 2015).

For V7.0.0.0 through 7.0.0.33:

Upgrade to Fix Pack 7.0.0.33 and then apply Interim Fix PI22070
–OR–
Apply Fix Pack 7.0.0.35 or later (targeted to be available 13 October 2014).

For V6.1.0.0 through 6.1.0.47:

Upgrade to Fix Pack 6.1.0.47 and then apply Interim Fix PI22070

For V6.0.2.0 through 6.0.2.43:

Upgrade to Fix Pack 6.0.2.43 and then apply Interim Fix PI22070 from IBM Support.
Important note: IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security website.
(Photo courtesy of Flickr contributor OpenSource.com.)

IBM Watson & Why I Believe In The Goodness Of Technology

Count me as genuinely excited about IBM’s announcement that researchers are now able to use its Watson cognitive computer for medical research.  This is the computer that dusted the all-time human Jeopardy champs in a real-time game. The announcement came a few days after I toured the Museum of Computer History in Palo Alto, Calif. and stood at the podium of the actual Jeopardy set used for the Watson game.
I want to see cancer gone. I have family members surviving it, I’ve lost family members because of it over the past 2 years. And although we’ve improved some treatments, it just seems we’re nowhere nearer a cure. A computer like Watson can help. It can essentially synthesize all the world’s data on the disease. It can fairly quickly scan and distill more than 60,000 or 600,000 journal articles about a single topic, whereas a researcher is lucky to be able to read one or two articles a day.
IBM calls the new cloud-based Watson service “Discovery Advisor” – a nod toward a conviction I share, that technology combined with human curiosity and passion is what drives exploration, discovery and advancement.
The fact that we can all now essentially tap into the most powerful computer in the world – a computer unlike any built before – is a comforting light in a world that suddenly seems to be turning darker with armies on the march that want nothing more than to destroy technology and launch a second Dark Ages.
Here’s a great retroactive vid on Watson’s Jeopardy victory, in case you missed it the first time around.

(Photo courtesy of IBM)

TxMQ News Flash – Critical WAS Outage Restored

A leading full service transaction processing business made TxMQ aware of a node synchronization problem after a weekend install had taken down their website and a file restore did not rectify the situation.
TxMQ appointed SME Bob Becktell to an audio bridge for details on the customer’s corrective steps up to the present point. The customer explained that the code change had failed and they backed out, but the website continued to fail. After restoring the entire WebSphere Application Server related file system on both nodes, the website still failed to load.
Bob identified a certificate problem by looking at screen shots that the customer sent to him and determined that this was the first order of business to resolve. Upon further study, he uncovered that the self-signed certificate between WAS servers had expired the previous weekend. The customer was instructed to re-generate the certificates, stop the WAS instance and node agent on all the nodes, then restart the Deployment Manager, one node agent, then the WAS instance – in that order.

Bob and the customer watched as the log files of each component started and the website loaded properly. The customer was then instructed to complete the same action on the second node and that node loaded properly as well.

With the website working properly, Bob was able to examine their WAS Admin Console to make sure things were running normally. The node agents were communicating with the Deployment Manager, but the node synchronization was still broken. The customer indicated that they had been having synchronization errors for several months now.

Bob uncovered a Tech Note which matched the symptom and error message, but the resolution didn’t fix the synchronization. The client was running WAS 6.1.0.37, which is out of support and not the most recent 6.1 fix pack, so Bob recommended that a short-term fix would be to update to the latest fix pack, 6.1.0.47. Since the customer is no longer under IBM support for WAS 6.1, Bob recommended that the customer consider extended WAS v6.1 support or upgrading to WAS 8, either of which we could help with to resolve their ongoing issues.
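The outage above came down to an expired self-signed certificate between the WAS nodes, which is the kind of failure a routine expiry check catches weeks in advance. The following is an added example, not code from TxMQ or from the incident: it classifies each node’s certificate as expired, expiring or ok from the notAfter line that `openssl x509 -noout -enddate` prints, with an optional live fetch that assumes the openssl CLI is installed. The node names, dates and 30-day warning window are constructed.

```python
import subprocess
from datetime import datetime, timezone

WARN_DAYS = 30  # raise a warning this many days before notAfter (constructed policy)


def parse_enddate(line):
    """Parse the 'notAfter=Sep  7 12:00:00 2014 GMT' line printed by `openssl x509 -noout -enddate`."""
    _, _, value = line.strip().partition("=")
    value = value.replace(" GMT", "")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def classify(not_after, now, warn_days=WARN_DAYS):
    """Return ('expired' | 'expiring' | 'ok', whole days remaining)."""
    remaining = (not_after - now).days
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "expiring", remaining
    return "ok", remaining


def report(enddate_by_node, now_utc_iso, warn_days=WARN_DAYS):
    """Classify each node's notAfter line against a reference instant given as ISO-8601 UTC text."""
    now = datetime.fromisoformat(now_utc_iso).replace(tzinfo=timezone.utc)
    return {node: classify(parse_enddate(line), now, warn_days)
            for node, line in enddate_by_node.items()}


def fetch_enddate(host, port, timeout=10):
    """Live check: pull the certificate a node presents and return its notAfter line.
    Assumes the openssl CLI is installed; host and port are whatever the cell's
    deployment manager and node agents listen on (hypothetical, not from the incident)."""
    s_client = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                              input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                          input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


# Constructed sample: three members of a cell, checked on 10 Sep 2014 (no real dates from the incident).
SAMPLE_ENDDATES = {
    "dmgr":  "notAfter=Sep  7 12:00:00 2014 GMT",   # expired the previous weekend
    "node1": "notAfter=Oct  1 00:00:00 2014 GMT",   # inside the warning window
    "node2": "notAfter=Sep 10 00:00:00 2015 GMT",   # fine
}

if __name__ == "__main__":
    for node, (state, days) in report(SAMPLE_ENDDATES, "2014-09-10T00:00:00").items():
        print(f"{node}: {state} ({days} days)")
```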

Photo Provided by SmartSignBrooklyn

WebSphere Cast Iron Hypervisor Delivers Xen Support

WebSphere Cast Iron Hypervisor fix pack version 7.0.0.1 became available on June 30, 2014, and with it came support for the Xen server as hosting environment.
Cast Iron Hypervisor delivers rapid cloud integration for companies that want to harmonize business processes across a hybrid landscape. Cast Iron delivers elegant integration solutions like the ability to:

  • Quickly connect cloud and on-premise applications
  • Chaperone legacy integrations into the cloud
  • Collaborate with IBM Worklight to externalize mobile-app enterprise data and processes

With the 7.0.0.1 fix pack, Hypervisor can now run on one of these following hosting environments:

  • VMware ESX/ESXi 4.1, 5.0 or 5.1
  • IBM PureApplication System W1500 1.0.0.4
  • Xen server 4.1.2 running on Red Hat Enterprise Linux (RHEL) Server release 5.6 and later 6.0

TxMQ offers full Cast Iron service and support. Contact VP Miles Roty for more information: [email protected], 716-636-0070 x228.
 

IBM's Big Spend: $3 Billion To Reach 7 Nanometers

I get excited when I hear about major new R&D, backed by major investment, all for a major goal. Like this one: IBM’s long-term goal to build a neurosynaptic system with ten billion neurons and a hundred trillion synapses, all while consuming only one kilowatt of power and occupying less than two liters of volume.
As a step toward that goal, IBM is committing $3 billion over the next 5 years for R&D to push the limits of chip technology. Cloud computing and big-data systems pose new demands like bandwidth-to-memory, high-speed communication and power consumption, which in turn demand more horsepower. IBM wants to breed the ultimate thoroughbred. So it’s using the $3 billion spend to push the limits of chip technology to smaller and more powerful scales. The R&D teams will include IBM research scientists from Albany and Yorktown, N.Y., Almaden, Calif. and Europe.
What’s really interesting is the semiconductor threshold: IBM says it wants to use the $3 billion to pave the way toward the 7 nanometer plateau (10,000 times thinner than a strand of human hair). IBM researchers and other semiconductor experts predict that while challenging, semiconductors show promise to scale from today’s 22-nanometer standard down to 14 and then 10 nanometers in the next several years. However, scaling to 7 nanometers (and perhaps below) by the end of the decade will require significant investment and innovation in semiconductor architectures as well as invention of new tools and techniques for manufacturing.
What happens beyond 7 nanometers? Then it’s time to ditch silicon and move to potential alternatives like carbon nanotubes or non-traditional computational approaches such as neuromorphic computing, cognitive computing, machine-learning techniques and quantum computing. So the quicker we get to 7 nanometers, the quicker we break into the promise of, say, quantum computing. And the quicker we break into the next computing revolution, the quicker we reach defining milestones of human history like interstellar travel and the end of disease. I firmly believe that.
IBM chip timeline

TxMQ Sponsors Kevin Pollak at World Series of Poker

Social media did it again. Chuck Fried, TxMQ’s President, was scrolling through his Twitter account after an evening workout Tuesday, July 1, 2014, when he saw a tweet from actor, impressionist and comedian Kevin Pollak. Pollak tweeted that he had lost his sponsor for the World Series of Poker Main Event and was looking for a new corporate sponsor. He promised that, for a $10,000 sponsorship, the sponsor would get a couple hundred thousand dollars in air-time advertisements. Out of 336k followers, Pollak got 1 response…Fried.

This is what transpired:

After a series of conversations with Pollak, Chuck agreed that TxMQ would be Pollak’s sole sponsor for this year’s run at the World Series of Poker.

Because Chuck was heading on vacation early for the Fourth of July holiday, the entire deal was inked and signed within hours and shirts were sent to Pollak overnight.  In 2012, Pollak outlasted celebrities like Ray Romano and Jason Alexander, finishing 134th out of 6,598 entrants. He’s become a huge hit on the World Series of Poker circuit because of his comic relief and social media skills.
We have been having a blast this week with the Twitter comings and goings and chatting with Kevin as he ups his ante and moves forward. There have been some ups and downs, but it looks like (with 2 hours left in yesterday’s Day 2 play), he will be advancing to Day 3. He was up to about 60k chips, having doubled what he started with at the beginning of day 2.

TxMQ is Pollak’s exclusive sponsor and Pollak will be wearing the blue TxMQ polo shirt throughout his run at the 2014 World Series of Poker.

Kevin Pollak at World Series of Poker 2014
Being a social media geek and a believer in all things social, I am loving this exchange. It renews my faith that social media can have SOME impact for businesses. I don’t know if we will get a new client out of this effort, but I do know that it will do wonders for the noise out there about TxMQ as a small company in Buffalo. And if just one more person can recognize our name and think of us down the road, then I would say this is money well spent.
However, if you happen to be reading this and you’re a CIO or even better, a Poker-Playing CIO, then you know what company you want in your corner helping you out with your IT needs 🙂 Call us!

TxMQ helping customers move to IBM IIB

IBM has announced End of Support for several integration products.
Are you invested in WPS, WESB, or other IBM software slated for “sunset”?
End of life is approaching for some popular WebSphere products, now mapped towards IBM Integration Bus, or IIB.
TxMQ is helping customers make the move to IBM IIB.
Whether your migration path is from WebSphere Message Broker, WESB, and/or Process Server – TxMQ has the skills and experience to help you implement IIB, and deploy your workloads over as efficiently as possible.
Call us today for a no obligation, no charge evaluation and consultation.
Photo Provided by Allan English CPA
 

TxMQ Again Named One Of WNY's Fastest Growing Companies

For the third consecutive year, TxMQ has made the top 5 list of Western New York’s fastest growing companies. Last year TxMQ took top honors and this year, we placed 3rd. This rounds out three years of being in the top 5, placing 5th in 2011.
Guess what, folks? I think that’s pretty incredible. When it comes to businesses, it’s hard to maintain steady growth over a three year period. All companies experience ups and downs that reflect a variety of reasons, many times not reflective of the company itself, but extraneous factors controlled by clients’ budgets, economy, etc.
I’m proud to work for this company. I’m proud of the integrity TxMQ shows on a daily basis. I’m proud to represent a company who always puts our clients’ needs before anything else.
It’s a company who rewards its employees for hard work with things like flex time, paid gym memberships and yoga Wednesdays. It’s a company run by a man with a family who understands there’s more to life than working 24×7. However, he creates an atmosphere that makes you want to go above and beyond to make TxMQ just that much more successful.
Having been the one to accept the award on TxMQ’s behalf last night, I was honored to walk up to the front and shake hands with the presenters. I took pride in the applause that was given because the folks attending the reception understand just what an accomplishment it is to make the list even once. We’ve made it three years in a row.
Know why else I am so proud of this company? This growth over the past three years has been completely reflective of our ability to step outside the box and play outside of our comfort zone. The success is solely indicative of a company who has worked hard to tailor our services around what we know our clients need, and not necessarily just the easiest path to make money.
It’s a reflection of our bold foray into new services and taking chances on hiring and retaining the best possible bench talent that the industry can provide. Our subject matter experts, Bob Becktell, Gary Dischner, Allan Bartleywood, Arthur Rodriguez, Cindy Gregoire and others are steeped in talent and have cultivated knowledge for years and years within this industry.
Growth isn’t easy. It requires a CEO who wants to take chances and it requires a team that doesn’t want to rest at being status quo. Four years ago, when I joined TxMQ, we were an IT staffing company. A body shop, per se. Now, through the strategic planning and efforts of the leadership, sales, recruiting, marketing and technical teams, we are a company built on solutions. We provide one of the largest technology providers in the world, IBM, with our consultants, knowledge and support. We have custom-tailored enterprise IBM solutions from software and appliance sale to architecture of the solution.
But what’s even better about TxMQ, and something we look forward to building out and marketing in the latter part of 2014 is that we don’t only support IBM customers. While it’s a legacy skill set, we have the talent, resources and wherewithal to support customers running on any platform. We want to get our hands dirty in any platform our customers need help with. Because of this agnostic approach, I believe you will once again see TxMQ as a Top 5 company in 2014 as well.
Check back in the next year, because great things are continuing to happen here at TxMQ! Follow us on LinkedIn, Twitter and Facebook to stay up to date on all things new at TxMQ.