Strangely enough, the only thing I found to complain about in this incident was 
the private notifications by phone/email to (in our case, and I expect a 
non-trivial percentage) incorrect management contacts for the corporation on a 
holiday week. These notifications provided details including APAR numbers and 
descriptions which by policy IBM does not make visible in IBMLink, and resulted 
in a great deal of stump pounding and wasted time, but did not actually tell us 
anything we did not already get notified of through automated email by 
previously having followed the documented procedure. The notice, which I expect 
was inconsistent, being made by many different IBM'ers and on a holiday week in 
much of the world, generated frustration at some sites including mine.

IBM has been advertising in public for some time, including at SHARE and 
z University, that customers should sign up for the Security Portal. 
I am signed up and get email notifications when new alerts and files are 
posted. It works.

The recent arrival of an APAR with a higher than previously seen CVSS score 
triggered activity that was not the expected procedure. My only questions to 
IBM on this will be what the procedure is and whether it has changed. My feeling 
was that someone called an audible. If there is a procedure to proactively 
contact sites when Alerts with a CVSS score higher than n are posted, I would 
like to know this and have the opportunity to maintain our contact preference 
for that in ResourceLink. If there is to be a notification, I would prefer it 
to have been simply "IBM has recently posted important security patches for 
z/OS; please verify that your company has signed up for the System z Security 
Portal and reviewed them". Perhaps the separate approval process for the 
security portal could be eliminated or streamlined to simply allow any 
SR/ResourceLink user with access to a current entitlement to view the alerts 
for those entitlements. I don't know if that is feasible, but I do recall that 
not that many years ago we had nothing; there was no way to find out what the 
APARs/PTFs were other than by bumping into them. So evolution here is possible.

The portal provides HOLDDATA/SOURCEID to allow you to check for missing Security 
and Integrity fixes on a regular basis and to verify, as part of your 
preventative service, that you have included all the current fixes if you wish 
to do so. It works. It ensures that only authenticated customers can easily get 
the list of security and integrity fixes, which is an interesting starting point 
for someone trying to engineer an exploit.

Many large companies have weighed in with IBM that, given the sometimes slower 
patch/service cycle on the mainframe and the focus on stability instead of 
quick patching, they don't want any changes by IBM to full disclosure or a 
greater level of disclosure than what is already provided. If IBM asked me 
today what the business wants, I would reaffirm that. You need to look hard in 
the mirror and think: as a technical guy I want to know everything, but what 
does my chief security officer want? What does my CIO/CEO want?

There may be opportunities to improve, but I will say, as someone who has opened 
Integrity APARs and seen IBM methodology discussed and in action to provide OS 
Integrity, I think they do an industry leading job. It would be nice if you 
could download the security information completely automated on z/OS using a 
certificate or userid/password so you didn't have to get it as a human using a 
browser at the portal. There are opportunities to improve.

Security and Integrity fixes are not HIPER; they are different, and whether you 
want to push them out at the same rate as defects which are potentially 
impacting availability is best left to the customer. The current process lets 
you do that by not incorrectly marking them HIPER. 

IMHO every Security/Integrity Alert should not be a Red Alert, they should not 
be flagged HIPER, and IBM should never be in the business of stabbing into 
customer sites calling and emailing that the sky is falling when there are 
documented channels to get this information. In this case a Red Alert might 
have been a good alternative since they chose to deviate from the normal 
process; at least that would have been likely to reach the right audience in a 
timely fashion. I agree with you that every site should be signed up for Red 
Alerts and Security Alerts, and of course trumpets, there should have been 
trumpets. 

That's my .02. 

        Best Regards, 

                Sam Knutson, GEICO 
                System z Team Leader 
                mailto:sknut...@geico.com 
                (office)  301.986.3574 
                (cell) 301.996.1318    
          
"Think big, act bold, start simple, grow fast..." 


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of R.S.
Sent: Saturday, January 05, 2013 10:25 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Security vulnerability in IBM HTTP Server for z/OS Version 5.3 
(PM79239)

I agree that every z/OS customer should be signed up for both portals, but... 
HOW WOULD A CUSTOMER LEARN ABOUT IT?

Let's imagine: a company buys a mainframe, hires people, the people get some 
training (JCL, z/OS, SMP/E, many, many more...). Those people are willing to 
learn, so they read documentation and start using the mainframe.
WHO SHOULD TELL THEM ABOUT THOSE PORTALS?

I think it is up to IBM to urge every customer to sign up some employees for the 
portals. I repeat: EVERY customer.

Every time I hear "you should know this" I ask "did I have a chance to know it?".


BTW: I'm signed up to both portals. Redalert is better, because it notifies 
me by email about news (no details in the mail AFAIR), but the security 
portal does not send notifications. Maybe this is a matter of some 
personalization?


BTW2: We still don't know the details about the security hole, but it must 
be a BIG HOLE, because of the methods of communication which were used 
to notify customers about those holes.
Mails, phones; only heralds were not engaged (yet) ;-)))

Regards
-- 
Radoslaw Skorupka
Lodz, Poland

On 2013-01-04 19:35, Peter Relson wrote:
> It is somewhat alarming that several posted that they are not signed up
> for the security portal. Someone also posted that they are signed up for
> red alerts and asked why it was not sent that way.
>
> As I understand it, a red alert was sent out (perhaps this past July)
> stating that the method for sending and alerting about security and
> integrity PTFs is via the security portal. Simply, the security portal is
> the red alert process for security and integrity PTFs.
>
> Perhaps I am oversimplifying, but it seems that every customer should make
> sure that they
> -- are signed up for red alerts
> -- pay attention to those red alerts
> -- sign up for the security portal.
> This should not be new news.
>
> It should be well understood that z/OS provides few if any details on
> integrity APARs.
>
> The PTFs were available via the security portal on December 20. I have no
> information about why they were not found the day after Christmas when
> someone looked at www.ibm.com/support.
> But I'm glad to hear they are there now.
>
> Peter Relson
> z/OS Core Technology Design
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>