Looks like there is going to be a very interesting session on WebSphere MQ security at Defcon. The presenter is Martyn Ruks who has a history of investigating IBM protocols. As WMQ and WMQ security in particular is of great interest to me, this session sounds like something really worth visiting. Too bad I won’t be anywhere near Vegas at the time, and I’m assuming Defcon won’t publish any video of the presentations. However, Martyn has published a presentation he held at Defcon 14 so I keep my hopes high.
Based on the published abstract, it doesn’t sound like any real new attack will be shown, but rather that Martyn will go through the usual, poor ways that WMQ are set up from a security standpoint. Fact is that at most places I’ve seen WMQ installed it has been wide open to any attacker. Most companies seems to think that it’s used internally and therefore is safe. Besides, it’s pretty invisible to most people, just humming along doing its work. Hackers on the other hand most surely know about it and how to attack it. And those of us consulting on WMQ really needs to learn the best ways of protecting an installation. And, I do think that IBM needs to do a better job of securing WMQ out of the box, currently it’s unsecure by default, something which should not be acceptable these days.
Update: this presentation is now available over at Google Video.