IBM IHS And IBM WAS: Bash Vulnerability Update

The recently-discovered Bash vulnerability (also known as Shellshock) affects Unix-based operating systems such as Linux and Mac OS X. In some non-default configurations, the vulnerability could allow a remote attacker to execute arbitrary code on an affected system. The weakness lies within the Bash (for Bourne-Again SHell) command prompt.
IBM recently issued a bulletin to clarify that that its IBM HTTP Server (IHS) and WebSphere Application Server (WAS), as shipped out of the box, are not vulnerable to Bash. However, action is required to ensure that no vulnerable scripts have been added to the IHS.
According to IBM, any Bash fixes for its products will come via Unix distribution. IHS does not ship bash nor CGI scripts. IHS does not provide any vulnerable bash-based usage that could be tainted with user-supplied data, but several modules included with IHS could be vulnerable.
Any users with scripts that contain a direct or indirect  bash dependency may be vulnerable to a remote attack if the scripts are configured to be invoked by the following Apache modules: mod_cgi, mod_cgid, mod_fastcgi, mod_include or mod_ext_filter.

  • By default, mod_cgid/mod_cgi will execute any scripts added to $IHSROOT/cgi-bin/ (which is shipped empty) and can be configured to execute scripts from other directories via ScriptAlias or “Options” directives including ExecCGI (including “Options All”)
  • mod_include is loaded but not configured to process any includes (Options +Includes, XbitHack ON)
  • mod_ext_filter is not loaded or configured
  • mod_fastcgi is not loaded or configured

Use of these modules or directives may be via httpd.conf, an “Include”ed configuration file, or in an .htaccess file. You can confirm the list of loaded modules by running apachetcl -M (or httpd.exe -M) with any additional arguments (such as -f) that you normally use.
IBM highly recommends upgrading bash from your operating system vendor. If you cannot apply the fixes for bash, unload the following IBM HTTP Server modules: mod_cgid, mod_cgi, mod_fastcgi, mod_include and mod_ext_filter until you can apply the bash fix or determine that the scripts these modules have been configured to execute do not use bash directly or indirectly.
Not sure if your systems are affected? Contact TxMQ president Chuck Fried for an immediate and confidential consultation: (716) 636-0070 x222, [email protected].
(Photo by zodman under Creative Commons license.)
 

Shellshock / Bash Bug Vulnerability Bulletins And Fixes

Today’s breaking news of the Unix “Shellshock” vulnerability reminds me instantly of the famous auror-turned-Hogwarts-professor Alastor Moody, who preaches that the fight against the dark arts demands “Constant Vigilance.” Same for cybersecurity. Constant Vigilance.
Consider: The Heartbleed issue affected potentially 500,000 machines worldwide. The new Shellshock (or “Bash Bug”) could potentially affect 500 million.
Cures for the Shellshock vulnerability, at the time of this writing, are still being sorted out. It affects Unix-based operating systems such as Linux and Mac OS X, which in some non-default configurations could allow a remote attacker to execute arbitrary code on an affected system. The weakness lies within the Bash (for Bourne-Again Shell) command prompt.
The simplicity of an attack is what scares system admins the most: The vulnerability is truly easy to exploit.
The US Computer Emergency Readiness Team (US-CERT) is tracking the issue (see Bourne Again Shell (Bash) Remote Code Execution Vulnerability.) Following is CERT’s list of vendors that are confirmed to be exposed to the vulnerability. This list is initial and is expected to grow.

US-CERT recommends the following system-specific pages for hardening and patch info:

US-CERT aldo recommends users and administrators review TA14-268AVulnerability Note VU#252743 and the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. A GNU Bash patch is also available for experienced users and administrators to implement.
Not sure where to start, or if your systems are affected? Contact TxMQ president Chuck Fried for an immediate and confidential consultation: (716) 636-0070 x222, [email protected].

Reduce Your Liability Exposure With A Systems Security Health Check

The Home Depot data breach isn’t going away anytime soon. News continues to pour out about the theft of credit card info from Big Orange, and the tally currently sits at 65 million credit and debit cards compromised.
Several credit unions have sued Home Depot under claims that the retailer knew ahead of time that its systems were out of date and that hackers had access to the data for months before the breach came to light – claims that of course would need to be proven in court. Customers that suffered a loss are able to recoup their losses from Home Depot, and the retailer is offering a free year of credit monitoring to affected customers.
Although the breach doesn’t seem to have hurt Home Depot’s valuation and business the way it hurt Target – maybe because Home Depot deals more in necessities whereas Target deals more in frills – the lesson is resonating throughout North America. We certainly hear the chatter in the IT industry.
The big takeaway, and the advice we give clients, is to avoid potential liability exposure by upgrading any out-of-date systems or software. Note the accusation in the lawsuit I referenced above: That Home Depot knew it was using an out-of-date system.
The truth is that all systems are vulnerable to some degree. Passwords aren’t the ultimate protection. And we do trade risk for convenience whenever we use plastic to for online or in-store purchases. But companies that take every step to protect their data are much less exposed should a problem occur.
Sometimes system servers need a new round of hardening. Sometimes fix-packs or version upgrades are mandatory. Sometimes a vulnerable machine needs to be taken out. The first step is always to scope the current state of your security and compliance, then develop a plan from there. And keep in the mind that SMBs are the most vulnerable, because a single, successful liability lawsuit could signal the end of business.
TxMQ specializes in security and security upgrades (click here for our recent Webinar). Initial consultations are free and confidential. Contact vice president Miles Roty: (716) 636-0070 x228, [email protected].
(Photo by Scott Schiller under Creative Commons license.)
 

"iBrute" questions iCloud Security

Even Apple a heretofore breech-less vendor has recently been found responsible for a security breach. It appears that on Sunday August 31, 2014 a number of photos were taken from Apple iCloud.  The vulnerability created the exposure known as “iBrute” and allowed access to the compromising photos, rather than locking the iCloud entry way after numerous attempts left it open.
The vulnerability has been closed by Apple which after five missed attempts has now locked the entry way preventing any further attempts.
There apparently is a python based script, (which was available at GitHub) allowed the would-be attacker  to brute force their way into the “Find My iPhone” service.  The Find My iPhone” service did not lock the gateway after repeated attempts to guess the users password.
The vulnerability allegedly discovered in the Find My iPhone service appears to have let attackers use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password had been matched, the attacker can then use it to access other iCloud functions freely.
Although the Apple breach is the most recent Cloud breach, there have been many others. In April 2011 E-mail services firm Epsilon had a cloud based breach which cost them up to $225 million in total costs as a result of its data breach, a massive event that indicated the often overlooked risk of cloud-based computing systems. In early April Epsilon, the world’s largest permission-based email marketing services company that serves over 40 billion emails annually reported a breach in its security.
Also in 2011 Amazon experienced a disruption to its services to popular sites like Foursquare and Quora. It is another example of a cloud failure that could prove extremely costly in the long run – and a hint of more troubles on the horizon.
With the transition of more and more services to the cloud, it’s imperative that your company secure its cloud infrastructure. There is no one, “right” way to do so. Consult with business experts to ensure that your data is being secured and a sensitive breech like this does not happen to you.
The average cost to a company of a large scale security breech is $3.5 million. If your company is a mid-market size organization, this cost is enough to shut down operations completely. And more and more, hackers are targeting mid-market companies purely because they are aware of the lack of intense focus on cloud security.
Contact your IT experts before this cripples your business entirely. Anytime your company is handling sensitive personal data, whether it’s social security numbers or credit card numbers, it’s imperative that you have a safe security space. Because as you can see, if even the behemoth companies are susceptible, why would your company be any different?
If you have questions about your security infrastructure, contact [email protected] for a consultation. Your first conversation is a free discovery call to assess what your needs may be.
 
Image Provided by Flickr: dekuwa  https://www.flickr.com/photos/dekuwa/
Statistics provided by: Ponemon Institute

Prevent Brand Injury With A Systems Security Check

This week’s speculation (and at this point it truly is only speculation) that Home Depot might be the target of a massive data breach is rocking the retail-confidence boat a bit.
When I heard the news, I chewed on the topic of whether data breaches influence consumer buying habits. Studies claim to say yes. And I think common sense backs that up. It all falls under the banner of brand integrity, and big black eyes like data hacks lead to bad publicity and brand injury.  It can be crippling for SMBs that already toe the line of profitability.
Retail and hospitality firms are the popular targets due to their sheer amount of Electronic Data Interchange (EDI). But banks are right there too, as are insurance companies, healthcare providers and payers – the list goes on.
Any company should ask itself a simple question: What is the cost of brand injury versus the cost of server hardening and best-practice security compliance? If a company does $30 million yearly in sales, brand injury through a major data breach might easily impact sales by 2% or more in the first year. On the other hand, TxMQ can a company get started with scoping, scanning and even systems auditing for a fraction of that cost.
For a confidential and free consultation, contact company president Miles Roty: 716-636-0070 x228, [email protected].

IBM HTTP Server Vulnerabilities: Fixlist, August 2014

IBM recently released a security bulletin with several high-priority fixes for its HTTP Server (APAR PI22070). Multiple vulnerabilities are documented with the following details and actionables:

CVE ID:CVE-2014-0226

Description: The IBM HTTP server is vulnerable to a heap-based buffer overflow, caused by a race condition in the mod_status module when handling the scoreboard. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94678 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Workaround or Mitigation: This can be mitigated by limiting mod_status access to trusted IPs

 CVE ID: CVE-2014-0231

Description: The IBM HTTP Server is vulnerable to a denial of service, caused by an error in the mod_cgid module. By sending specially-crafted requests, an attacker could exploit this vulnerability to cause child process to hang.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94674 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Work around or Mitigation: This does not affect Windows platform or if you do not have CGI enabled

CVE ID: CVE-2014-0118

Description: The IBM HTTP Server is vulnerable to HTTP trailers being used to replace HTTP headers late during request processing, potentially confusing modules that examined or modified request headers earlier.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92235 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Workaround or Mitigation: none

Affected Products and Versions

This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:

  • Version 8.5.5
  • Version 8.5
  • Version 8.0
  • Version 7.0
  • Version 6.1
  • Version 6.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI22070 for each named product as soon as practical.
For affected IBM HTTP Server for WebSphere Application Server:

For V8.5.0.0 through 8.5.5.2 Full Profile:

Upgrade to Fix Pack 8.5.5.2 and then apply Interim Fix PI22070
–OR–
Apply Fix Pack 8.5.5.4 or later (targeted to be available 8 December 2014).

For V8.0 through 8.0.0.9:

Upgrade to Fix Pack 8.0.0.9 and then apply Interim Fix PI22070
–OR–
Apply Fix Pack 8.0.0.10 or later (targeted to be available 16 February 2015).

For V7.0.0.0 through 7.0.0.33:

Upgrade to Fix Pack 7.0.0.33 and then apply Interim Fix PI22070
–OR–
Apply Fix Pack 7.0.0.35 or later (targeted to be available 13 October 2014).

For V6.1.0.0. through 6.1.0.47:

Upgrade to Fix Pack 6.1.0.47 and then apply Interim Fix PI22070

For V6.0.2.0 through 6.0.2.43:

Upgrade to Fix Pack 6.0.2.43 and then apply Interim Fix PI22070 from IBM Support.
Important note: IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security website.
<i>(Photo courtesy of Flickr contributor OpenSource.com.)</i>

Use Asset Management To Control Costs And Create A More Secure Enterprise Environment

Enterprise environments, by nature, are often cluttered with all sorts of licensed, previously licensed and probably some unlicensed applications and tools in various states of use. Think: Does your business maintain an install and uninstall record of all software? How well did your IT department document that project 2 years ago where you brought in all those contractors and software tools you haven’t used since? Did the project closeout include the uninstallation and/or decommissioning of no-longer-needed hardware and software? Based on what we’ve seen in the marketplace, the answers are not always, not well and not at all.
While this is an area that sits squarely under the umbrella of asset management, it also touches on compliance, and process and control.
Gaps in these areas create two very real problems.
1. An audit from a software vendor, say IBM, that reveals unpaid licensed software can generate large and unforeseen charges – especially if your company has grown substantially since the original install date.
2. Hackers are expert at exploiting the sorts of weaknesses these lapses can create. Oftentimes, the hacks come from within the organization, not from the outside.
There are a number of tools to help companies with asset management.
IBM’s License Metric Tool, or ILMT, is a free IBM-specific tool under its new Tivoli-based IBM Endpoint Manager. (The prior version of ILMT was server-based.) ILMT acts like a ferret: Install it, let it out of its cage and it will start digging to find every IBM product running on the servers (there is a bit more to the installation than this, but the author hopes you understand the analogy). Analysts can then easily map the findings to understand locations, history, activity and license agreements.
ILMT is free, hence its limitation: It can only detect and report IBM-related ware. A buy-up to the Software Use Analysis (SUA) tool, which also runs under the IBM Endpoint Manager, can detect non-IBM ware. That means you can quickly and easily map Oracle, Microsoft and other commonly licensed software – whether active, inactive or hidden.
A recent Gartner Report evaluated the new IBM Endpoint Manager for ILMT and SUA against competitors, identified it as a “Leader” and noted:
“Endpoint Manager’s primary differentiator is that the tool’s intelligence is on the endpoint, rather than the server. This allows the agent to actively discover a deviation from policy and execute remediation, rather than rely on a predefined schedule of system scans and subsequent server-side reporting. This enables organizations to maintain higher degrees of configuration compliance. The product’s endpoint-oriented control, along with its relay server architecture, results in a relatively small server footprint to support the Endpoint Manager environment, and makes it a good fit for highly distributed environments.”
But the report cautioned: “Uptake of OS deployment remains low. Organizations cite a lack of documentation and known best practices to use this module effectively. Certain patches (e.g., Microsoft nonsecurity) often require manual configuration prior to deployment. IBM’s packaging, bundling options and pricing of its various management functionality are complex and can be challenging for users to understand.”
As an IBM Premier Partner, TxMQ is uniquely qualified to help your business acquire, install, run and act on the results of IBM Endpoint Manager for ILMT and/or SUA.
To get started, contact TxMQ vice president and middleware specialist Mile Roty: (716) 636-0070 x226, [email protected], LinkedIn.com/In/MilesRoty.
Photo courtesy of Sean MacEntee.

WebSphere MQ v7.5 Security Concerns

Content contributed by Allan Bartleywood – Sr. MQ Subject Matter Expert
WebSphere MQ v7.5 security concerns seemed to be a resounding issue. We heard a lot of concerns regarding it while we were at the IBM Impact 2014 conference last week.

I do not believe it’s actually a concern for security when your organization is doing an upgrade to version 7.5, but more a concern as to whether your organization already has security enabled within your MQ environment.

At a lot of the organizations that I’ve consulted with, I’ve noticed that there is a lack of security actually implemented within the MQ environment.  WebSphere MQ has always had security implemented that was focused at the operating system level where it was running.

With this latest WebSphere MQ v7.5, security concerns, features have been added to meet today’s demands. This includes support for Advanced Message Security where the queue manager actually encrypts and decrypts Messages as they go through the environment on a put an get of an application.

You can actually configure the queue manager down to individual queues so that only certain queues will have messages encrypted.

This feature is providing the capability for messages to now meet compliance requirements like HIPAA and PCI Compliance. While data is in transit, it is in encrypted by the messaging transport without any special requirements being added to the applications.

This will, of course, mean that from the time a message put onto queue to the time a message just gotten off the queue, it has been included. Further security enhancements are provided to ensure that only certain applications will get the message decrypted from a given queue.

Now all of these features are out of the box with no added installs and compatibility issues being encountered.

Going back to whether organizations are actually implementing suitable levels of security within their messaging environment is another matter. What is quite often seen it is that administration and application usage of MQ is left open, that is it has not been unable at all.

This is normally due to a conscious decision or simply a lack of knowledge of the capabilities of the product; or a lack of understanding of the security policies and implications relating to the data that is being sent over the messaging environment.

It is not uncommon to see administrators using client connections to queue managers over the server connection channel with no authentication at all. It is also not uncommon to see the queue manager with channel authority disabled.

So are the security concerns about upgrading to version 7.5 related to a lack of understanding and knowledge of what the security capabilities are within 7.5 and pressure being put on IT for tighter security compliance, rather than whether 7.5 is capable of delivering services to these tighter security compliance requirements.

There are also situations where IT sees the requirement for better security compliance but the business doesn’t understand what is compliance are.

If you’re having WebSphere MQ v7.5 security concerns, please feel free to reach out to Wendy at TxMQ, [email protected] and let us answer your questions and guide your upgrade so all the proper security features are in place.

(Photo: Compliments of Still Burning)

WNY CIO Summit: Register Today!

WNY CIO Summit – Enterprise Data Breach
When: Wednesday, February 12, 2014, 8:00 a.m.
Where: University at Buffalo – Center For Tomorrow
Register Now

How much could an enterprise data breach cost you? Are you prepared to handle the repercussions, potential lawsuits and class action suits that may be included in the fall out?
Join TxMQ selected WNY area CIO’s for a candid conversation about how how you can protect your business from an Enterprise Data Breach.
Have questions about CIO Summit: Enterprise Data Breach? Contact Tom Grimm – TxMQ, Inc

What's Worse Than Being Robbed?

What would you say is worse than being hacked? My answer is “not knowing” who hacked you. Without having any idea of From where, By whom or Why, some companies have trouble even determining what was stolen when today’s pirates only copy the information and leave it in place. I have coined these types of attacks as “in-place attacks!” These are hacks where the target does not even know anything is missing so no security measures are taken after the fact.
For example, someone takes your wallet out of your jacket at a party. They copy your credit card and address from your driver’s license. They then return everything back to your coat pocket without you knowing that it was ever missing. Your account could be wiped out without you even knowing you were robbed.
In the case of Target being hacked, authorities are now still trying to figure out who hacked the large retailer. A 17 year old? The Russian mob? They have figured out the how. They know the why. They almost know the location from which it was done. But there are still many questions that remain. Was that the only intrusion? Are there other access points? Are they safe now? The fact that the Target stock price has yet to regain its strength demonstrates that consumers are wondering the same thing.
As embarrassing as this incident is for Target, it gives businesses today a “heads up.” How secure is your online commerce site? Do you truly have a grasp on your vulnerabilities? When was the last time you had a 3rd party assessment done, end to end?  Have you securely closed all of your “windows and doors” in your infrastructure? How long would it take you to know that you were a victim of an in-place attack?
At TxMQ we have specific skills on governance, security and eCommerce that will allow you to build a new system or “harden” an existing one. We also offer assessment services where we can help you identify current gaps.
What do you think?
TxMQ: Learn more!