POODLE Vulnerability In SSLv3 Affects IBM WebSphere MQ

Secure Socket Layer version 3 (SSLv3) is largely obsolete, but some software does occasionally fall back to this version of SSL protocol. The bad news is that SSLv3 contains a vulnerability that exposes systems to a potential attack. The vulnerability is nicknamed POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption.

The vulnerability does affect IBM WebSphere MQ because SSLv3 is enabled by default in MQ.
IBM describes the vulnerability like this: IBM WebSphere MQ could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.”

The vulnerability affects all versions and releases of IBM WebSphere MQ, IBM WebSphere MQ Internet Pass-Thru and IBM Mobile Messaging and M2M Client Pack.

To harden against the vulnerability, users should disable SSLv3 on all WebSphere MQ servers and clients and instead use the TLS protocol. More specifically, WebSphere MQ channels select either SSL or TLS protocol from the channel cipherspec. The following cipherspecs are associated with the SSLv3 protocol and channels that use these should be changed to use a TLS cipherspec:
AES_SHA_US
RC4_SHA_US
RC4_MD5_US
TRIPLE_DES_SHA_US
DES_SHA_EXPORT1024
RC4_56_SHA_EXPORT1024
RC4_MD5_EXPORT
RC2_MD5_EXPORT
DES_SHA_EXPORT
NULL_SHA
NULL_MD5
FIPS_WITH_DES_CBC_SHA
FIPS_WITH_3DES_EDE_CBC_SHA

On UNIX, Linux, Windows and z/OS platforms, FIPS 140-2 compliance mode enforces the use of TLS protocol. A summary of MQ cipherspecs, protocols and FIPS compliance status can be found here.

On the IBM i platform, use of the SSLv3 protocol can be disabled at a system level by altering the QSSLPCL system value. Use Change System Value (CHGSYSVAL) to modify the QSSLPCL value, changing the default value of *OPSYS to a list that excludes *SSLV3. For example: *TLSV1.2, *TLSV1.1, TLSV1.

TxMQ is an IBM Premier Business Partner and “MQ” is part of our name. For additional information about this vulnerability and all WebSphere-related matters, contact president Chuck Fried: 716-636-0070 x222, chuck@TxMQ.com.

TxMQ recently introduced its MQ Capacity Planner – a new solution developed for performance-metrics analysis of enterprise-wide WebSphere MQ (now IBM MQ) infrastructure. TxMQ’s innovative technology enables MQ administrators to measure usage and capacity of an entire MQ infrastructure with one comprehensive tool.
(Photo from J Jongsma)

DataPower Security Bulletin from IBM

I received an email from IBM today and I’d like to pass along the security information. This came directly from IBM.

While this issue is not specifically with DataPower, DataPower can leverage SSLv3, so please ensure you’re assessing all of your security infrastructure leveraging SSLv3. Please take appropriate actions.

http://www-01.ibm.com/support/docview.wss?uid=swg21687189

Security Bulletin: Vulnerability in SSLv3 affects DataPower (CVE-2014-3566)

Security Bulletin Summary SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in DataPower.Vulnerability Details:CVE-IDCVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions All DataPower products and versions that have configured a DataPower Crypto Profile object for SSL communication.
Remediation/Fixes None
Workarounds and Mitigations Disable SSL v3 in DataPower configuration.
First make sure to Quiesce all domains and services to stop traffic to the appliance. System quiesce and unquiesce commands can be invoked by navigating to Administration –> Main –> System Control.
Next, select Objects –> Crypto Configuration –> Crypto Profile in the left navigation pane. For all the crypto profile objects that are configured, in the “Configure Crypto Profile” page, “Options” parameter, select the checkbox “Disable SSL version 3”. Click Apply.
Note that SSL v3 must be disabled in all the Crypto Profile objects configured in all the domains. IBM recommends that you review your entire environment to identify other areas that enable the SSLv3 protocol and take appropriate mitigation such as disabling SSLv3 and remediation actions.

WebSphere DataPower not affected by "Shellshock" Virus

IBM released a notice this morning stating that the IBM DataPower appliance is not vulnerable to the Shellshock vulnerabilities, also referred to as the Bash Bug and the two memory corruption vulnerabilities.
DataPower doesn’t use Bash anywhere and therefore it is not impacted by any of the Bash vulnerabilities.
Inparticular, dataPower in all editions and all platforms is NOT vulnerable to the Bash vulnerabilities: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.
However, it is recommended that you review your entire environment to identify vulnerable releases of Bash ad take appropriate action where needed.
Source: http://www-01.ibm.com/support/docview.wss?uid=swg21685435&myns=swgws&mynp=OCSS9H2Y&mync=E

How Big Data Crowdsource Strategies Aim To Improve Navigation Charts

Some might be quick to poo-poo the industry of fishing and outdoor recreation – especially when it comes to technology. Too bad, because this vertical’s a ripe testbed for technological innovation and application. I’ll repeat an axiom I put forth a few days ago: Major technological advances are driven by two factors – war and entertainment. It’s no surprise to me that cartography has undergone a recent revolution, led by the manufactures of recreational fishing and boating electronics and their customers.
The new buzzword in this vertical is crowdsource charting. It’s a big-data project where the public supplies the sonar charting data, which is then uploaded and integrated into a master map, which is then served back to the public as a sum of the different community edits and adds.
It’s been done before in other forms – Yelp, Google, iTunes and so many other apps and platforms crowdsource reviews, tips, photos and public/government data. But crowdsource cartography is different because it deals with water depths and features – stuff that’s just as rare and valuable and malleable today as it was 300 years ago when Blackbeard had to pick his way through to Ocracoke Inlet.
The power of the crowdsource strategy lies in its promise to develop pinpoint depth accuracy fed by near-real-time updates to changing water depths, sandbars and hazards. Most navigation charts were sounded decades ago. In the case of reservoirs, the navigation charts may have simply been created using topographic maps that were surveyed years prior to fill.
The first marine electronics company to embrace crowdsource technology was Navionics, which manufactures third-party upgrades and add-ons for all popular electronics platforms. The Navionics app has been downloaded more than 1.5 million times. And now, the Navionics SonarCharts project allows boaters and anglers to record soundings throughout their day, then upload them to a central server for more accurate charts.
Lowrance, a division of Navico, recently launched its Insight Genesis project, which follows a similar strategy, with the difference that Insight Genesis is only compatible with Navico products (Lowrance, Simrad, B&G). Another interesting feature of the Insight Genesis project: Users can upload and use maps for free, but they need to pay a premium to keep them private. That’s a nice bonus option for secretive anglers.
Interestingly, the other major electronics player, Humminbird, hasn’t embraced crowdsource mapping. Its AutoChart program allows users to generate private charts only. But given the fact that Humminbird is geared nearly 100% toward the angling market, the privacy play makes sense.
I think the major takeaway at this point is that crowdsource marine charting is here to stay and the involved companies will soon possess hordes of valuable big data that will grow in worth and equity over the coming decade as new platforms and businesses find new ways to leverage and monetize such data.
Interested in big data? Want to know how to implement big-data architecture and strategy in your enterprise? TxMQ can help. Contact TxMQ president Chuck Fried for a free and confidential consultation: (716) 636-0070 x222, chuck@txmq.com.

New IBM Tivoli OMEGAMON Performance Suite Expands Mainframe Service Management Options

The new availability of a comprehensive Tivoli-based zOS performance suite is big news for mainframe service management. The software, which was released on Sept. 5, is a single orderable product that helps manage IBM zEnterprise performance and availability. IBM has geared several of the suite’s features directly to SMEs, most notably the deep-dive analysis capabilities, which are enabled for the entire zOS platform and middleware.
A good way to describe Tivoli OMEGAMON is to call it a highly integrated solution for sharing information between the different management groups within an organization to help increase effectiveness, better meet Service Level Agreements and reduce costs through efficiency.
The OMEGAMON Performance Management Suite contains the following component-products:

  • IBM Tivoli OMEGAMON Dashboard Edition on z/OS V5.3.0 (new)
  • IBM Tivoli OMEGAMON XE on z/OS V5.3.0 (new)
  • IBM Tivoli OMEGAMON XE for Mainframe Networks V5.1.1
  • IBM Tivoli OMEGAMON XE for Storage on z/OS V5.3.0 (new)
  • IBM Tivoli OMEGAMON XE for CICS on z/OS V5.3.0 (new)
  • IBM Tivoli OMEGAMON XE for DB2 Performance Expert on z/OS V5.2.0
  • IBM Tivoli OMEGAMON XE for IMS on z/OS V5.1.0
  • IBM Tivoli OMEGAMON XE for Messaging for z/OS V7.3.0
  • IBM Tivoli Composite Application Manager for Web Resources V7.1.0

If your enterprise already owns any of the above components, you can upgrade to the performance suite.
The suite also contains Tivoli Monitoring Agent, which provides visibility into the zEnterprise hybrid infrastructure including hardware resources, hypervisors, virtual servers, virtual networks, and workload resource groups that span heterogeneous platforms as defined by IBM zEnterprise Unified Resource Manager. The Agent offers proactive monitoring of zEnterprise workload resource groups to help them meet the service level objectives you’ve defined for the enterprise.
TxMQ is an IBM Premier Partner and can assist you with software purchases and deployments. Contact TxMQ president Chuck Fried for an immediate and confidential consultation: (716) 636-0070 x222, mailto:chuck@txmq.com.

Why WebSphere? Five Factors For Your Business To Consider

One of the biggest decisions a company will ever face centers on enterprise software. Fail to scale and you’re doomed.
IBM WebSphere has been available to the general public since 1998 (16 years as of this writing), with a vibrant and gigantic suite of software and services supporting it. For anyone business planning its next half-decade of software deployment, WebSphere must at least be a consideration. Why? Following are five reasons.
1. This is the age of the application and you need application infrastructure.
WebSphere provides software for SOA environments that enables dynamic, interconnected business processes and delivers highly effective application infrastructures for all business situations. WebSphere is IBM’s application and integration software platform, and includes the entire middleware infrastructure including the servers, services, and tools needed to create, deploy, run, and monitor round-the-clock, enterprise-wide web applications and cross-platform, cross-product solutions.
2. WebSphere includes all the tools to maintain an agile business model.
An agile business is one whose business processes, integrated end-to-end across the company and with key partners, suppliers, and customers, can respond rapidly and flexibly to customer demands, market opportunities, or external threats. You can use WebSphere to build and monitor an agile business infrastructure and to develop and extend applications that run on that infrastructure. Among the dozens of famous native tools are killer apps like Business Process Manager and WebSphere Application Server.
3. WebSphere offers the ultimate in application integration.
WebSphere application integration and connectivity are part of a Smart SOA approach that enables information to flow freely within and across applications, business processes, and different organizations. WebSphere application integration products provide a wide variety of services to support this reliable and flexible flow of information to increase collaboration, business insight, and cost-effective reuse of data and knowledge within your enterprise. Just a few examples of the deep and rich product suite to support an integration environment: MQ, Enterprise Service Bus and Sterling B2B Integrator.
4. Business process married to IT infrastructure represents the current business revolution. Let WebSphere lead your army.
IBM Business Process Manager is a comprehensive BPM platform that gives you visibility and insight to manage your business processes. It scales smoothly and easily from an initial project to a full enterprise-wide program.
5. Easily convert current deployment to a cloud or hybrid-cloud model.
Hypervisor editions of popular WebSphere products like WebSphere Application Server and Message Broker provide broad-based premium support for cloud solutions, and WebSphere Cast Iron remains the go-to solution for cloud-application integration. The WebSphere cloud effort rests upon  the industry-leading SoftLayer cloud services.
TxMQ is ready to help you with all your WebSphere-related services. Contact TxMQ president Chuck Fried for an immediate and confidential consultation: (716) 636-0070 x222, chuck@txmq.com.
 

IBM IHS And IBM WAS: Bash Vulnerability Update

The recently-discovered Bash vulnerability (also known as Shellshock) affects Unix-based operating systems such as Linux and Mac OS X. In some non-default configurations, the vulnerability could allow a remote attacker to execute arbitrary code on an affected system. The weakness lies within the Bash (for Bourne-Again SHell) command prompt.
IBM recently issued a bulletin to clarify that that its IBM HTTP Server (IHS) and WebSphere Application Server (WAS), as shipped out of the box, are not vulnerable to Bash. However, action is required to ensure that no vulnerable scripts have been added to the IHS.
According to IBM, any Bash fixes for its products will come via Unix distribution. IHS does not ship bash nor CGI scripts. IHS does not provide any vulnerable bash-based usage that could be tainted with user-supplied data, but several modules included with IHS could be vulnerable.
Any users with scripts that contain a direct or indirect  bash dependency may be vulnerable to a remote attack if the scripts are configured to be invoked by the following Apache modules: mod_cgi, mod_cgid, mod_fastcgi, mod_include or mod_ext_filter.

  • By default, mod_cgid/mod_cgi will execute any scripts added to $IHSROOT/cgi-bin/ (which is shipped empty) and can be configured to execute scripts from other directories via ScriptAlias or “Options” directives including ExecCGI (including “Options All”)
  • mod_include is loaded but not configured to process any includes (Options +Includes, XbitHack ON)
  • mod_ext_filter is not loaded or configured
  • mod_fastcgi is not loaded or configured

Use of these modules or directives may be via httpd.conf, an “Include”ed configuration file, or in an .htaccess file. You can confirm the list of loaded modules by running apachetcl -M (or httpd.exe -M) with any additional arguments (such as -f) that you normally use.
IBM highly recommends upgrading bash from your operating system vendor. If you cannot apply the fixes for bash, unload the following IBM HTTP Server modules: mod_cgid, mod_cgi, mod_fastcgi, mod_include and mod_ext_filter until you can apply the bash fix or determine that the scripts these modules have been configured to execute do not use bash directly or indirectly.
Not sure if your systems are affected? Contact TxMQ president Chuck Fried for an immediate and confidential consultation: (716) 636-0070 x222, chuck@txmq.com.
(Photo by zodman under Creative Commons license.)
 

IBM Worklight Foundation Now Available In Cloud Version

IBM Worklight Foundation is a tool that helps users easily extend their business to mobile devices. It’s best-known known for its open, comprehensive platform that allows users to build, test, run and manage native, hybrid and mobile web apps. It reduces both development time and maintenance overhead (hence the “light” name).
If you’re competing against other businesses to bring an app or use case to mobile, Worklight slices the time-to-market and helps beat the competition.
IBM recently announced the availability of a new Worklight Foundation Cloud Edition V6.2. With this new option for deployment, current Worklight Foundation customers can leverage their existing Worklight investment by deploying their applications in the cloud.
The Worklight Cloud edition also helps clients to:

  • Accelerate web, hybrid, and native mobile development
  • Engage users by integrating applications with existing enterprise data
  • Facilitate application security and trustworthiness
  • Provide support for mobile IT operations

In terms of platforms, Worklight Cloud simplifies the development of mobile web, hybrid, and native applications across iOS, Android, BlackBerry, WindowsTM, Windows RT, Windows Phone, and JavaTM ME.
Also of note: It provides visual-development capabilities and source-code enhancements to help developers accelerate the development, test, and deployment of mobile applications in the cloud.
Interested in mobile development, deployment or integration? TxMQ can help. Initial consultations are free and communications are always confidential. Contact vice president Miles Roty for more information: (716) 636-0070 x228, miles@txmq.com.

How Videogames Drive Technology

For good or bad, I think this can be said as true: Major technological advances are driven by two factors – war and entertainment.
On the one hand is the practical military necessity for a nation to continue to advance at breakneck speeds to better defend itself in an uncertain world. It’s one of the darker sides of technology: That some of the most peacefully brilliant minds in history have developed some of the deadliest weapons.
On the other hand we have entertainment, and the necessity for businesses to continue to advance at breakneck speeds to develop the next trillion-dollar content genre or delivery platform.
My love affair with technology decidedly stems from the latter, when I was a one of those bleary-eyed kids standing in dimly lit arcades pushing quarter after quarter into vector-graphic, analog-controlled standup videogames. I don’t think it’s any coincidence that all the branches of modern computing stem from the original video-game tree. To have been alive and to have gamed during those formative years of the computing industry was a privilege because it was the time when some of our most fundamental theories were developed.
Games gave us the idea of a balanced input and output – that a computer can do no more than what the user actually asks it to do, and that great advancements in computing will only stem from equally great advancements in input.Wargames_Jim_Melvin
Games also showed us the legend of the backdoor – a principal made famous by Jim and Melvin in Wargames (clip can be viewed here). Tempest (1981) was the first arcade game I knew of with a significant built-in developer code to skip levels. It reminded us that as long as a human programmed a computer, there would always be a hidden shortcut. A vulnerability. A cheat.
Games painted worlds with the beauty of random and gave us a lasting respect for analog. What happened on the screen wasn’t just a function of a pre-scripted if>then argument. Just as in life, our movement affected the computations and no two games were ever the same. It allowed us to shake that nagging Protestant new-world mentality that everything is pre-determined – that we’re all part of some grand design.
Games delivered artificial intelligence – tens then hundreds then thousands of vectors and sprites reacting to an input and forcing adjustments. Games with the best AI were the best games. We believed in the Ghost in the Machine.
It continues and gaming still drives advancement. It’s the fuel that feeds the beast. Microsoft just paid over $2 billion for the free-form Minecraft. Games are a child’s first introduction to technology. Games like Angry Birds and Words With Friends drove social-media networking and mobile use through the roof and created billions in new revenue from age groups otherwise ignored.
Fact is, gaming has always driven technology and has always brought people together within that technology. The human need to game trumps our need to read and our need to know. Games were the seed that sprung the silicon revolution, and I believe that seminal relationship will continue.

Mobile Data: What It Means To 'Engage Customers In Context'

Here’s a stat to get you thinking:
Only 21% of marketers actively use mobile, but 81% of mobile leaders say that mobile fundamentally changed their businesses
Bottom line: If your business touches the public, and you’re not using mobile, then your business is immobile.
The world of mobile-data analytics and marketing is undergoing a revolution. It’s driving new revenue and forging new connections to the public. And it allows businesses to engage customers in context.
What does it mean to engage customers in context? In the simplest terms, it means the ability to serve customers content and experiences that they want within certain surroundings or as events or experiences unfold.
Wimbledon’s a great example. Only a few hundred thousand people can attend the event. And television coverage is often limited to choice matches at inconvenient viewing times. IBM developed the Wimbledon app and crunched streaming analytics and big data to deliver real-time info on every point in every match on every one of Wimbledon’s 19 courts.
The data involved 101,778 tennis points across 660 matches, corresponding to 852,752 data points. A team of 48 statisticians – all of them high-quality tennis players – provided contextual data (like speed of the serve) to enrich the machine-collected data. All data was combined with historical performance data and live data from the web and social networks, then fed into an advanced set of analytical tools to provide real-time insight to sports analysts, TV presenters and the global audience.
Impressive? Absolutely. But the same tools can be employed within any business that engages customers. Instead of data about serves and historical matches and points totals, businesses can directly engage customers in the act of shopping, or searching, or traveling, or vacationing with information that incorporates social-media activity, preferred brands, coupons, recent purchases, weather forecasts and so on. Businesses that provide value, or important information, or community – in other words, businesses that engage their customers in context – realize a much greater ROI on their marketing spends.
That’s what is means to engage customers in context, and that’s why it’s so important.
It’s not automatic though. Efforts to engage in context take foresight, solid application integration and a business climate ready to embrace change within the new mobile landscape.
Interested in mobile development, deployment or integration? TxMQ can help. Initial consultations are free and communications are always confidential. Contact vice president Miles Roty for more information: (716) 636-0070 x228, miles@txmq.com.