Hannaford Breach and WebSphere MQ

focusing on middleware as the likely attack vector. It is an area that until recently was not audited properly for regulatory compliance, yet, based on recent breaches, it is now under scrutiny. The link below refers to how the attacker may have exploited mis-configuration within middleware such as WebSphere MQ.


Put simply, data could be exposed through mis-configuration issues during installation and maintenance of WebSphere MQ.   IBM and our security team have found that most WebSphere MQ networks have some exposure attributable to mis-configuration. In a joint effort with the IBM WebSphere Sales and Client Executive teams, we at Evans Resource Group are reaching out to raise awareness about the risks* of WebSphere MQ networks that have not been fully configured to enable security. 

Our whitepaper outlines the issue for you and your team to understand the risks*. NOTE: Evans Resource Group has the only Payment Card Industry (PCI), Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Federal Information Security Management Act (FISMA) of 2002 (Public Law 107-347, the "E-Government Act of 2002") developed in conjunction with IBM's WebSphere MQ Security team. We are the only company working in lockstep with IBM to secure the WebSphere MQ environment, and we look forward to answering your questions on this important issue.

* Data Security Risks

Mis-configuration and non-configuration of security in middleware networks is a growing problem that poses a bigger threat than the software vulnerabilities, viruses and malware that typically gain all the attention. The scope of the problems runs from Denial of Service and Man-in-the-Middle attacks to the insertion of rogue messages, all due to non-configuration or mis-configuration of WMQ systems that are insecure by default, not regularly maintained, and left with wide-open administrative access. Stepped-up compliance regulations are now impacting the system owners of WMQ and the CISOs who are directly affected by these exposures. Below is a list of the typical data security problems, discovered by ERG, that lead to non-compliance:

Traffic Sniffing

By default, WebSphere MQ traffic is unencrypted and, like any plaintext protocol, exposed to the threat of traffic sniffing, allowing an attacker to passively read sensitive data (PCI and PII data including healthcare records, personally identifiable information, financial transactions, etc.) and the transaction details. In addition, they can view the authorization and authentication information, allowing them to perform remote administrative commands such as PCF, Telnet sessions and any third-party code execution.

Denial of Service

Downtime is expensive; real-time data users like traders and others rely on the availability of data and expect applications to deliver up-to-date business intelligence in a timely fashion. They require the completion of sensitive transactions in order to do their jobs. The vast majority of WMQ shops do not have even a production environment configured properly for security, never mind a UAT environment. This potential to severely degrade the availability of service for production users is a violation of data security requirements for availability. Furthermore, the software exposures identified by ERG can be exploited by a malicious employee to invoke a DoS attack on a WebSphere MQ server, or to steal sensitive data without leaving a footprint. ERG reports all security-related software items noted in WebSphere MQ configurations to IBM's WebSphere teams, including development in Hursley and Global Sales, and provides responsible disclosure. We are working closely with the WebSphere Sales, Marketing and Business Development teams in their efforts to improve quality of service and best practices regarding this issue by training IBM reps in the data security issues that impact WMQ.

Unauthorized Queue Manager Access

Even secured Queue Managers have configuration gaps that allow unauthorized users to read and write messages to queues. This impacts the integrity of the WMQ systems. Reading messages from the application's message queue exposes customer data (PCI and PII including healthcare records, personally identifiable information, financial transactions, etc.), and leaving these gaps unsecured provides the ability to arbitrarily write to message queues and anonymously trigger unauthorized executables (PCF, Telnet and others), which compromises the integrity of the entire firm and corrupts the audit trail, violating the standards for SOX, HIPAA, PCI and FISMA compliance governance models. Likewise, without strong authentication it is possible to spoof the administrative identifier, allowing commands to be issued remotely to a queue manager. This creates severity-one findings on security assessments that should not pass PCI or any other security standard. Violation of PCI may result in fines of up to $500,000 per incident if data is compromised and PCI merchants are found to be non-compliant. Visa recently fined Heartland over $60M for PCI violations. In the worst-case scenario, PCI merchants could also risk losing the ability to process customers' credit card transactions. In the case of SOX, HIPAA and FISMA the consequences are graver still.

Unauthorized Decryption

The use of cryptographically weak cipher suites may unwittingly expose data to 'store and decrypt' attacks and does nothing to secure the WebSphere MQ environment. Be aware that even strong encryption can be defeated if mis-configuration exposes the cryptographic keys to an attacker. It is critical that all points of ingress to WebSphere MQ are secured in order to restrict access to the private cryptographic keys.
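The three exposures above (plaintext channels open to traffic sniffing, channels that let a client assert an administrative identity, and weak cipher suites) are all visible in a queue manager's channel definitions. As an added example, not code from the original post and not a tool of ERG's or IBM's, the following Python script parses the NAME(VALUE) output of `runmqsc DISPLAY CHANNEL` and flags each of them, printing the MQSC statement a defender would use to correct it. The sample output, the channel names and the `TLS_RSA_WITH_AES_128_CBC_SHA256` remediation CipherSpec are constructed for this example; confirm the CipherSpec, the `nobody` user and any CHLAUTH/CONNAUTH options against your MQ version and platform before applying the fixes.

```python
"""Hypothetical audit helper (added example; not IBM's or ERG's tooling).

Parses the NAME(VALUE) attribute pairs that `runmqsc` prints for
DISPLAY CHANNEL and flags the misconfigurations discussed above:
  - blank SSLCIPH            -> plaintext channel, open to traffic sniffing
  - weak CipherSpec          -> 'store and decrypt' exposure
  - blank MCAUSER on SVRCONN -> the client asserts its own user id, so an
                                administrative identity can be spoofed
The sample output is constructed for this example, not captured from a
real queue manager.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed in the style of:  echo "DISPLAY CHANNEL(*) CHLTYPE SSLCIPH MCAUSER" | runmqsc QM1
SAMPLE_RUNMQSC_OUTPUT = """\
     1 : DISPLAY CHANNEL(*) CHLTYPE SSLCIPH MCAUSER
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1svc)                        SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   MCAUSER( )                              SSLCIPH(RC4_MD5_US)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
"""

ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")
# Name fragments of CipherSpecs built on export-grade, unauthenticated or broken algorithms
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "RC2", "DES", "EXPORT", "MD5")
# Assumed remediation CipherSpec; confirm it is supported on your MQ version/platform
STRONG_CIPHERSPEC = "TLS_RSA_WITH_AES_128_CBC_SHA256"

Finding = Tuple[str, str, str]  # (channel, problem, remediation MQSC)


def parse_display_channel(text: str) -> List[Dict[str, str]]:
    """Group NAME(VALUE) pairs into one dict per channel record; blank values become ''."""
    channels: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):      # each channel record starts with this message
            current = {}
            channels.append(current)
        elif current is not None:           # skips the echoed command before the first record
            for name, value in ATTR_RE.findall(line):
                current[name] = value.strip()
    return channels


def is_weak_cipher(cipherspec: str) -> bool:
    """True for CipherSpec names that indicate a weak or unauthenticated suite."""
    upper = cipherspec.upper()
    return any(marker in upper for marker in WEAK_CIPHER_MARKERS)


def audit_channels(channels: List[Dict[str, str]]) -> List[Finding]:
    """Return one (channel, problem, remediation) triple per risky setting found."""
    findings: List[Finding] = []
    for ch in channels:
        name = ch.get("CHANNEL", "?")
        chltype = ch.get("CHLTYPE", "?")
        cipher = ch.get("SSLCIPH", "")
        mcauser = ch.get("MCAUSER", "")
        if cipher == "":
            findings.append((name, "no SSLCIPH: traffic is plaintext and can be sniffed",
                             f"ALTER CHANNEL('{name}') CHLTYPE({chltype}) SSLCIPH('{STRONG_CIPHERSPEC}')"))
        elif is_weak_cipher(cipher):
            findings.append((name, f"weak CipherSpec {cipher}: store-and-decrypt exposure",
                             f"ALTER CHANNEL('{name}') CHLTYPE({chltype}) SSLCIPH('{STRONG_CIPHERSPEC}')"))
        if chltype == "SVRCONN" and mcauser == "":
            findings.append((name, "blank MCAUSER on SVRCONN: the client supplies its own user id, "
                                   "so an administrative identity can be asserted remotely",
                             f"ALTER CHANNEL('{name}') CHLTYPE(SVRCONN) MCAUSER('nobody')"))
    return findings


if __name__ == "__main__":
    for channel, problem, fix in audit_channels(parse_display_channel(SAMPLE_RUNMQSC_OUTPUT)):
        print(f"{channel}: {problem}\n    fix: {fix}")
```

To run it against a real queue manager, replace `SAMPLE_RUNMQSC_OUTPUT` with the captured output of the `runmqsc` command shown in the comment. Note that an SSLCIPH change must be applied at both ends of a message channel (the SDR and its RCVR) and requires a key repository with a certificate on each queue manager, and that setting MCAUSER to a low-privilege user on every SVRCONN channel, including SYSTEM.DEF.SVRCONN, is what stops the client-asserted identity from being trusted.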

Application Design Flaws

When development teams function without security configuration standards and best-practice guidance, the impact undermines the entire WebSphere MQ environment. Trying to retrofit security can be costly and technically challenging unless best practices are enforced as soon as possible. A clear and accountable WebSphere MQ security policy will deliver a long-term return on investment.

We, along with IBM, are requesting that organizations utilizing WMQ receive an Internal Penetration Assessment (IPA) from ERG or their PCI vendor partners. This assessment requires no cost and minimal time from your WMQ support staff. It will ensure you are fully aware of the issue and have conducted the proper due diligence to establish that your data both meets applicable regulatory requirements and is assured availability, confidentiality and integrity. See the URL below and contact us at 212.937.8443 for more details.


