OT: Target Attack and BMC Software ITSM?

2014-01-30 Thread Jeff Lockemy
This news article hit today...

http://www.startribune.com/business/242688511.html

It says that a default password in a BMC ITSM product may have contributed
to the Target attack.

Jeff


 
Jeff Lockemy
Lead Engineer, NAVY 311
Enterprise Service Management PMW-240
ITIL V3 Foundation Certified
QMX Support Services Inc.

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Where the Answers Are, and have been for 20 years


Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Stanley Feinstein
Jeff,

Interesting article.  Thanks.

Stan
w. 310-230-1722.
c. 310-428-5748.




Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Pierson, Shawn
I read the article and clicked on the link to the Krebs on Security site.
Based on that site, which may or may not be correct, it's saying that the
potential BMC product is BMC Performance Assurance Agent.  Since this isn't a
part of Remedy I really have no idea how it works and if there is a back door
or if it was installed and they forgot to change a default password.

In any case, it's not Remedy, so that's a good thing.

Thanks,

Shawn Pierson
Remedy Developer | Energy Transfer



Re: OT: Target Attack and BMC Software ITSM?

2014-01-30 Thread Jeff Lockemy
It looks like it wasn't Remedy at least, it was Performance Assurance for
Microsoft Servers (see below).  But good to know if anyone is using this in
their environment.

That “Best1_user” account name seems an odd one for the attackers to have
picked at random, but there is a better explanation: That username is the
same one that gets installed with an IT management software suite called
Performance Assurance for Microsoft Servers. This product, according to its
maker — Houston, Texas based BMC Software — includes administrator-level user
account called “Best1_user.”

Jeff



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Jeff Lockemy
Totally...  It would be nice if they were a little more specific in the
articles.  My stress level went up for a bit.  LOL



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Pierson, Shawn
Upon further reading, this is a part of their Bladelogic Automation Suite, and
that BMC has documented how to remove that account once you have it up and
running.  I think the Remedy equivalent would be if you installed AR System and
left the Demo account out there as is.

Thanks,

Shawn Pierson
Remedy Developer | Energy Transfer



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread William Rentfrow
Wait - so you're not supposed to use Demo after you install? ;)

This does give me enough reason to go back and double check to make sure those
are turned off in all the environments.  You can never be too careful.



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Shellman, David
So how many never changed ARAdmin account from the default?

Dave 


Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Ben Cantatore
Yesterday, I had to hunt down all the system/admin accounts and assure my
boss they're all changed.  This is the list: appadmin, Demo, KD_WEBUSER,
aradmin, Orchestration, EscalationUser, admin



Ben Cantatore
Remedy Architect
Bed Bath & Beyond
650 Liberty Avenue
Union NJ 07083-8130
Office: (908) 613-5769
Cell: (914) 263-6802





Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread William Rentfrow
With my main gig we had the opposite problem with ARAdmin.  We'd hand the 
manual create directions off to the DBA's and they'd do the initial work in 
Oracle, but change the password to something like Id0ntHav32Te11U (usually 
longer - I think the non-prod ones were 15 characters and the prod ones were 21+)

They would then refuse to give us the password which is pretty much mandatory 
for installing.   We've established a better trust relationship now, but there 
was a point in time where we'd have to set up a webex for them to type the 
password in when we were installing, etc.



Re: Pull data from CMDB

2014-01-30 Thread Jim Coryat (jcoryat)
Keep in mind that the Base Element view will only provide those attributes on 
that class.  To get the additional attributes that are specific to a class you 
will need to query that view directly.

BMC_CORE_BMC_ is the prefix for all the class views in the database.  Use the 
views that do not have the trailing underscore.

For Asset data the prefix is AST_ with the same class name as the CMDB class 
that underlies it.

Jim Coryat
x34655

From: shambo maitra [mailto:shamb...@gmail.com]
Sent: Wednesday, January 29, 2014 9:08 AM
Subject: Re: Pull data from CMDB

Hi Rasmus,
Log in to the database with aradmin.
Use the class form as the table name but replace all white spaces and special
characters with '_'.
E.g. BMC.CORE:BaseElement is BMC_CORE_BASEELEMENT, and in the same way use attributes as
columns, but use the where clause data_set_id=BMC.ASSET if your production
dataset is the same; else if you have created some other production/golden dataset,
use that one in the where clause.
Regards,
Shambo.



On Wednesday, January 29, 2014, Rasmus JORGENSEN
<rasmus.jorgen...@steria.dk> wrote:
Hi all

Do any of you know which tables in the SQL database contain information from
the CMDB classes (Base.Element, ComputerSystem etc.)?

I have to know the sources for exporting the data to Qlikview.


Best regards

R

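The naming rule from the CMDB messages above, as an added example that is not part of the thread and not BMC's code. It uses an in-memory SQLite table with constructed rows as a stand-in for the real database; the `data_set_id` column is the one named in the post, the `name` column and the function names are assumptions, and real installations may use different column names.

```python
import re
import sqlite3

# SQL identifiers cannot be bound as parameters, so every identifier that
# ends up in the query text is checked against a strict allowlist first.
_IDENT = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,62}")


def class_form_to_view(form_name: str) -> str:
    """Thread rule: replace whitespace and special characters with '_'.

    Upper-casing follows the poster's own example
    (BMC.CORE:BaseElement -> BMC_CORE_BASEELEMENT).
    """
    view = re.sub(r"[^A-Za-z0-9_]", "_", form_name.strip()).upper()
    if not _IDENT.fullmatch(view):
        raise ValueError(f"cannot derive a safe view name from {form_name!r}")
    # The thread says to use the views WITHOUT a trailing underscore.
    if view.endswith("_"):
        raise ValueError(f"{view} has a trailing underscore; use the plain view")
    return view


def fetch_class_rows(conn, form_name, dataset_id, columns):
    """Read one CMDB class view, limited to a single dataset."""
    view = class_form_to_view(form_name)
    if not columns:
        raise ValueError("at least one column is required")
    for col in columns:
        if not _IDENT.fullmatch(col):
            raise ValueError(f"unsafe column name: {col!r}")
    # Identifiers were validated above; the dataset value is bound, never
    # concatenated. Only SELECT is issued, so a read-only login is enough.
    sql = f"SELECT {', '.join(columns)} FROM {view} WHERE data_set_id = ?"
    return conn.execute(sql, (dataset_id,)).fetchall()


def build_demo_db():
    """Constructed stand-in for a class view; rows are sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE BMC_CORE_BMC_COMPUTERSYSTEM (name TEXT, data_set_id TEXT)"
    )
    conn.executemany(
        "INSERT INTO BMC_CORE_BMC_COMPUTERSYSTEM VALUES (?, ?)",
        [
            ("srv-app-01", "BMC.ASSET"),
            ("srv-app-01", "BMC.IMPORT.SAMPLE"),  # same CI in a staging dataset
            ("srv-db-02", "BMC.ASSET"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(class_form_to_view("BMC.CORE:BaseElement"))
    for row in fetch_class_rows(
        db, "BMC.CORE:BMC_ComputerSystem", "BMC.ASSET", ["name"]
    ):
        print(row)
```

Filtering on the dataset matters for an export: without it the same configuration item is returned once per dataset it appears in.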


Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Pierson, Shawn
Alternatively, you can leave it as a default, remove all permissions, set a
custom homepage form for it in the preferences that automatically redirects it
to a YouTube video of the singing Trololo guy.  Obviously they could still get
into other areas of Remedy that have Public access if they knew how, but this
sounds like a more fun solution than getting rid of that account.

Thanks,

Shawn Pierson
Remedy Developer | Energy Transfer



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread William Rentfrow
The funny part about that is that most IT Security departments would freak out 
about the embedded YouTube link and not the rest of it...

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Pierson, Shawn
Sent: Thursday, January 30, 2014 9:05 AM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

Alternatively, you can leave it as a default, remove all permissions, set a 
custom homepage form for it in the preferences that automatically redirects it 
to a Youtube video of the singing Trololo guy.  Obviously they could still get 
into other areas of Remedy that have Public access if they knew how, but this 
sounds like a more fun solution than getting rid of that account.

Thanks,

Shawn Pierson 
Remedy Developer | Energy Transfer

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of William Rentfrow
Sent: Thursday, January 30, 2014 8:10 AM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

Wait - so you're not supposed to use Demo after you install? ;)

This does give me enough reason to go back and double check to make sure those 
are turned off in all the environments.  You can never be too careful.


Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Axton
I wonder what the default passwords are for AR_ESCALATOR, DSO, plugin user,
etc.  You can see evidence of these accounts in the api logs, user logs,
etc.  For some of the accounts there is no way to change any aspect of the
authentication information.  In versions long ago (5.x and earlier?), the
Remedy Application Service had a hard coded password that could optionally
be configured.  It has since been made a requirement to define the password
for that account.


On Thu, Jan 30, 2014 at 9:04 AM, Pierson, Shawn 
shawn.pier...@energytransfer.com wrote:

 Alternatively, you can leave it as a default, remove all permissions, set
 a custom homepage form for it in the preferences that automatically
 redirects it to a Youtube video of the singing Trololo guy.  Obviously they
 could still get into other areas of Remedy that have Public access if they
 knew how, but this sounds like a more fun solution than getting rid of that
 account.

 Thanks,

 Shawn Pierson
 Remedy Developer | Energy Transfer


Target Attack and BMC Software ITSM?

2014-01-30 Thread John Baker
One of the features we introduced in SSO Plugin 4 was heavy warnings on
the SSO Plugin status page if the user had not changed the default
'arsystem' Mid Tier configuration password. You can google and find a
number of Mid Tiers with it still running on the default password. 

Also, we recently picked up another customer who'd spent six months
trying to make AtriumSSO work. During the evaluation installation webex,
we were horrified to find someone at BMC had changed the file ownership
of AR System and the Tomcat running Mid Tier to root, and told the
customer that AtriumSSO required everything to run as root (which is
hopefully complete nonsense). An installation of SSO Plugin lasted 2
hours - with 1.5 hours spent cleaning up the mess, securing the
installation etc.

So none of this surprises me :) 



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread John Sundberg
I will bet changes will be coming.

Maybe they will change the disabled status to actually disable the user.

-John


On Thu, Jan 30, 2014 at 9:31 AM, John Baker
jba...@javasystemsolutions.com wrote:

 One of the features we introduced in SSO Plugin 4 was heavy warnings on
 the SSO Plugin status page if the user had not changed the default
 'arsystem' Mid Tier configuration password. You can google and find a
 number of Mid Tiers with it still running on the default password.

 Also, we recently picked up another customer who'd spent six months
 trying to make AtriumSSO work. During the evaluation installation webex,
 we were horrified to find someone at BMC had changed the file ownership
 of AR System and the Tomcat running Mid Tier to root, and told the
 customer that AtriumSSO required everything to run as root (which is
 hopefully complete nonsense). An installation of SSO Plugin lasted 2
 hours - with 1.5 hours spent cleaning up the mess, securing the
 installation etc.

 So none of this surprises me :)






-- 

*John Sundberg*
Kinetic Data, Inc.
Your Business. Your Process.


651-556-0930 I john.sundb...@kineticdata.com
www.kineticdata.com I community.kineticdata.com



How find CRQ Hold person signature.

2014-01-30 Thread Suresh Loganathan
Team,

Recently, one CRQ Hold for the approver. Can't see that approver signature
from CHG:Infrastructure change form. Can u pls guide where I can get this
info. Remedy environment 8.1.

Regards,
Suresh L



Re: How find CRQ Hold person signature.

2014-01-30 Thread Tauf Chowdhury
I think what you are looking for is in AP:Signature

Sent from my iPhone

 On Jan 30, 2014, at 10:47 AM, Suresh Loganathan ersures...@gmail.com wrote:
 
 Team,
 
 Recently, one CRQ Hold for the approver. Can't see that approver signature 
 from CHG:Infrastructure change form. Can u pls guide where I can get this 
 info. Remedy environment 8.1.
 
 Regards,
 Suresh L
 


Re: How find CRQ Hold person signature.

2014-01-30 Thread Suresh Loganathan
Hi Tauf,

Thanks for ur quick reply. Let me chk. Normally, it vl capture change
signature form. But, it's not listed. Anyway vl follow ur way :)

R,
Suresh L
On Jan 30, 2014 9:24 PM, Tauf Chowdhury taufc...@gmail.com wrote:

 I think what you are looking for is in AP:Signature

 Sent from my iPhone



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Pierson, Shawn
Youtube can be a bandwidth hog under circumstances where people goof off, but 
from a business perspective it's not a bad way to get videos of your company 
out there for the public.  It's also kind of the only place you can go to learn 
about BMC's Process Designer since BMC hadn't begun offering classes or real 
examples when I last looked into it (although I have temporarily abandoned the 
idea of using that tool because it creates a lot of defects in ITSM.)

Thanks,

Shawn Pierson
Remedy Developer | Energy Transfer

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of William Rentfrow
Sent: Thursday, January 30, 2014 9:13 AM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

The funny part about that is that most IT Security departments would freak out 
about the embedded YouTube link and not the rest of it...


Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Mueller, Doug
Everyone,

Just to be clear about the Remedy environment and passwords:

1) There are absolutely NO backdoor passwords that are used for system access
   that are not visible and under the control of the Administrator.
2) Since about 7.0, we have REQUIRED that you supply a password for the system
   users -- Remedy Application Password, DSO  (there is no password for
   Escalator)
3) Yes, there is a default Database password to get started -- and you are
   encouraged to change it immediately.
4) Yes, there is a default user installed (Demo) to give a starting point -- and
   you are encouraged to change it or delete this user immediately  (and all of
   the installers have been corrected for several years now to not look for a
   user named Demo)

So, there are no secret back doors to the system that would provide access and
there are only two cases where there is even a temporary default password -- if
WE create the DB, we need to do something and then you change it and this can be
worked around if you create the DB and give us the information  AND  the Demo
user that is loaded to give you initial access into the system (you have to get
in somehow the first time).


Again, if you have not changed either of the two passwords noted here, you
should do that immediately and on every system.  Otherwise, there is no issue
within the product around this topic.

Now, there are a bunch of other security settings that I encourage you to use --

-- restrict where run processes can run processes
-- control the shell under which processes can run
-- use the password management feature to enforce password rules
-- use the feature that disables an account after x bad password attempts
  (and make x a relatively small number like 5 or at most 10)
-- disallow blank passwords (except for AREA cross-reference situations)
--  and a number of other things

We encrypt passwords on the wire.  We in fact default encrypt the entire traffic
on the wire (with higher levels of encryption than the default available if
desired).  We use a connectionless protocol with user validation at every call
to ensure that you are who you say you are to prevent piggybacking connections.


Remedy should not be vulnerable to attack of the kind described unless you have
opened your systems to the outside and have not followed suggestions of changing
the two key initial passwords (I would consider changing the DB name from ARAdmin
as well just to make it that much harder to find -- and that is fully
supported).

Doug Mueller

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Pierson, Shawn
Sent: Thursday, January 30, 2014 5:31 AM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

I read the article and clicked on the link to the Krebs on security site.  
Based on that site, which may or may not be correct, it's saying that the 
potential BMC product is BMC Performance Assurance Agent.  Since this isn't a 
part of Remedy I really have no idea how it works and if there is a back door 
or if it was installed and they forgot to change a default password.

In any case, it's not Remedy, so that's a good thing.

Thanks,

Shawn Pierson
Remedy Developer | Energy Transfer

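The run-process, shell and lockout settings from Doug Mueller's message above, checked against an ar.cfg-style file. This is an added example, not BMC code and not part of the thread. The option names Active-Link-Dir, Active-Link-Shell and Max-Password-Attempts are given from memory of the ar.cfg documentation and should be confirmed for your version; both sample files are constructed.

```python
# Added example: audit an ar.cfg / ar.conf style file for three of the
# hardening settings listed in the message above.
# ASSUMPTION: the option names are recalled from the ar.cfg documentation,
# not taken from the thread. Confirm them for your AR System version.
RUN_PROCESS_DIR = "Active-Link-Dir"        # where run processes may run
RUN_PROCESS_SHELL = "Active-Link-Shell"    # shell run processes start under
LOCKOUT = "Max-Password-Attempts"          # bad attempts before disabling
LOCKOUT_CEILING = 10                       # "at most 10" in the message

# Constructed sample files, not taken from any real server.
WEAK_CFG = """\
# constructed sample
Server-Name: remedy-test
Active-Link-Shell:
Max-Password-Attempts: 0
"""

HARDENED_CFG = """\
# constructed sample
Server-Name: remedy-test
Active-Link-Dir: /opt/bmc/ars/runprocess
Active-Link-Shell: /bin/rbash
Max-Password-Attempts: 5
"""


def parse_cfg(text):
    """Return {lower-cased option name: value} for 'Name: value' lines."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # Split on the FIRST colon only, so values such as C:\dir survive.
        name, sep, value = line.partition(":")
        if sep:
            options[name.strip().lower()] = value.strip()
    return options


def audit(text):
    """Return a list of (option, problem) tuples; empty means all checks pass."""
    options = parse_cfg(text)
    findings = []

    checks = (
        (RUN_PROCESS_DIR, "run processes are not confined to a directory"),
        (RUN_PROCESS_SHELL, "run processes are not tied to a chosen shell"),
    )
    for name, purpose in checks:
        if not options.get(name.lower()):
            findings.append((name, "missing or empty: " + purpose))

    raw = options.get(LOCKOUT.lower())
    if raw is None:
        findings.append((LOCKOUT, "missing: no lockout threshold in this file"))
    else:
        try:
            attempts = int(raw)
        except ValueError:
            findings.append((LOCKOUT, "not an integer: %r" % raw))
        else:
            if attempts <= 0:
                # ASSUMPTION: 0 means the lockout feature is switched off.
                findings.append((LOCKOUT, "lockout disabled (value %d)" % attempts))
            elif attempts > LOCKOUT_CEILING:
                findings.append(
                    (LOCKOUT, "threshold %d is above %d" % (attempts, LOCKOUT_CEILING))
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(label)
        for option, problem in audit(cfg) or [("-", "no findings")]:
            print("  %-22s %s" % (option, problem))
```

The default Demo user and default database password mentioned in the same message live outside this file, so they need a separate check.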


Date question

2014-01-30 Thread Ron Young
User 7.6 Dev 8.1

Got a question. How would I ask for a report to spit out records that have only 
been modified within the last 2 weeks.

This is the statement below that I am using and it works but it pulls up all 
files even ones that were say modified today or yesterday. I only need items 
that haven't been updated or modified within the 2 weeks. 

('*Assigned Group' = "SIA_Field_MOB" OR '*Assigned Group' = "SIA_Field" OR 
'*Assigned Group' = "SIA_Field_North" OR '*Assigned Group' = "SIA_Field_SEA" OR 
'*Assigned Group' = "SIA_Field_SOU" OR '*Assigned Group' = "SCADA-Subs" OR 
'*Assigned Group' = "SCADA-Lines") AND ('*Status' = "Hold" OR 
'*Status' = "Assigned")



Email engine is a server group

2014-01-30 Thread Brittain, Mark
Hi All,

I have two servers in a server group. I stopped one of the servers and then 
restarted. Came up fine except for the email engine. Connection refused, to 
host. Currently the second server is handling the email and connects to the 
mailbox on a Linux server. Could this be normal? Only one server can connect to 
the mailbox at a time?

ARS 7.6.04 SP3

Thanks
Mark

Mark Brittain
Remedy Developer
ITILv3 Foundation, Continual Service Improvement
NaviSite, Inc. - A Time Warner Cable Company
mbritt...@navisite.com
Office: 315.634.9337
Mobile: 315.882.5360

Re: Email engine is a server group

2014-01-30 Thread LJ LongWing
Mark,
As I understand it, the Email Engine should connect to its own associated
app server, so that when app 1 goes offline, app2 should signal its email
engine to take over operations, and if email engine 1 should still be
connected...it would stop operations...but that's just a theoretical
understanding..


On Thu, Jan 30, 2014 at 1:02 PM, Brittain, Mark mbritt...@navisite.com wrote:

 Hi All,



 I have two servers in a server group. I stopped one of the servers and
 then restarted. Came up fine except for the email engine. Connection
 refused, to host. Currently the second server is handling the email and
 connects to the mailbox on a Linux server. Could this be normal? Only one
 server can connect to the mailbox at a time?



 ARS 7.6.04 SP3



 Thanks

 Mark




Re: Email engine is a server group

2014-01-30 Thread Tanner, Doug
Yes, and the service does NOT auto-start if the other one stops, Doug


From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Brittain, Mark
Sent: Thursday, January 30, 2014 3:02 PM
To: arslist@ARSLIST.ORG
Subject: Email engine is a server group

Hi All,

I have two servers in a server group. I stopped one of the servers and then 
restarted. Came up fine except for the email engine. Connection refused, to 
host. Currently the second server is handling the email and connects to the 
mailbox on a Linux server. Could this be normal? Only one server can connect to 
the mailbox at a time?

ARS 7.6.04 SP3

Thanks
Mark


Re: Date question

2014-01-30 Thread Young, Ronald P.
Sorry about that...I may have confused you...I am looking for records that have 
been modified more than 2 weeks ago...not within the 2 weeks. 1st sentence was 
backwards...

Thanks,
Ron Young

Believe you can and you’re halfway there.
~Theodore Roosevelt


-Original Message-
From: Ron Young [mailto:rpyo...@southernco.com] 
Sent: Thursday, January 30, 2014 1:56 PM
To: arslist@ARSLIST.ORG
Cc: Young, Ronald P.
Subject: Date question

User 7.6 Dev 8.1

Got a question. How would I ask for a report to spit out records that have only 
been modified within the last 2 weeks.

This is the statement below that I am using and it works but it pulls up all 
files even ones that were say modified today or yesterday. I only need items 
that haven't been updated or modified within the 2 weeks. 

('*Assigned Group' = "SIA_Field_MOB" OR '*Assigned Group' = "SIA_Field" OR 
'*Assigned Group' = "SIA_Field_North" OR '*Assigned Group' = "SIA_Field_SEA" OR 
'*Assigned Group' = "SIA_Field_SOU" OR '*Assigned Group' = "SCADA-Subs" OR 
'*Assigned Group' = "SCADA-Lines") AND ('*Status' = "Hold" OR 
'*Status' = "Assigned")




Target Attack and BMC Software ITSM?

2014-01-30 Thread John Baker
Doug

And you don't force administrators to change the default Mid Tier
password, which is the most relevant starting point for abuse given
everything else is basically hidden from a web client. 

And you haven't made the disable User radio do what it says on the
tin, ie disable a user, which will leave an administrator scratching
their head when they believe that clicking disable will disable a user.

And allowing run process to actually run a process is perhaps the
craziest thing one would enable on an Internet facing deployment. 

And the password management stuff is kind of irrelevant if a user has no
password, ie when SSO is enabled.

So there's some improvements for 8.2.


John



Re: Date question

2014-01-30 Thread David Durling
Ron,

To get records NOT modified in the last 2 weeks, put something like this in 
your search:

'Modified Time' < ($TIMESTAMP$ - (60*60*24*14))

Or better, from the current day's date (at midnight):

'Modified Time' < ($DATE$ - (60*60*24*14))

That's sixty (seconds) * sixty (minutes) * 24 (hours) * 14 (days).

David

David Durling
University of Georgia



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Mueller, Doug
An update on this

Actually, a feature change that I knew was in the works has already been done in
the shipping product (I was a bit behind).

Everything is still the same from the original message...  EXCEPT for the Demo
user.

In the current release (and going forward of course), we DO NOT create a user named
Demo -- you specify the user to create at installation for that initial user.  So,
there is no longer a Demo user to worry about.  That is unless you have an older
install and that user is still hanging around from that previous version -- and
it is safe to remove them.

So, the only known password is if WE create the DB (and again, you can do that
create if you want to control even that) and we strongly recommend you change
that after the initial installation.

Doug Mueller

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Mueller, Doug
Sent: Thursday, January 30, 2014 9:19 AM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

Everyone,

Just to be clear about the Remedy environment and passwords:

1) There are absolutely NO backdoor passwords that are used for system access that
   are not visible and under the control of the Administrator.
2) Since about 7.0, we have REQUIRED that you supply a password for the system
   users -- Remedy Application Password, DSO  (there is no password for Escalator)
3) Yes, there is a default Database password to get started -- and you are
   encouraged to change it immediately.
4) Yes, there is a default user installed (Demo) to give a starting point -- and
   you are encouraged to change it or delete this user immediately  (and all of the
   installers have been corrected for several years now to not look for a user
   named Demo)

So, there are no secret back doors to the system that would provide access and 
there are only two cases where there is even a temporary default password -- if 
WE create the DB, we need to do something and then you change it and this can 
be worked around if you create the DB and give us the information  AND  the 
Demo user that is loaded to give you initial access into the system (you have 
to get in somehow the first time).


Again, if you have not changed either of the two passwords noted here, you 
should do that immediately and on every system.  Otherwise, there is no issue 
within the product around this topic.

Now, there are a bunch of other security settings that I encourage you to use --

-- restrict where run processes can run processes
-- control the shell under which processes can run
-- use the password management feature to enforce password rules
-- use the feature that disables an account after x bad password attempts
  (and make x a relatively small number like 5 or at most 10)
-- disallow blank passwords (except for AREA cross-reference situations)
--  and a number of other things

We encrypt passwords on the wire.  We in fact default encrypt the entire 
traffic on the wire (with higher levels of encryption than the default 
available if desired).  We use a connectionless protocol with user validation 
at every call to ensure that you are who you say you are to prevent 
piggybacking connections.


Remedy should not be vulnerable to attack of the kind described unless you have 
opened your systems to the outside and have not followed suggestions of 
changing the two key initial passwords (I would consider changing the DB name 
from ARAdmin as well just to make it that much harder to find -- and that is 
fully supported).

Doug Mueller



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Grooms, Frederick W
You could add a filter to the User form

If  TR.Status is disabled  Set the password to something + the server's date and time

So only if a person knows exactly when (to the second) the user was disabled 
could that account be accessed

Fred



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread John Sundberg
Also - if you are going to tinker with security settings/rules:

I think it would be a good idea to enforce the password rules at the
server. Either via filters (probably bad idea) ... or in the actual arserver
code (better idea).

Last time I checked - they were enforced via active links ... which is pretty
easy to bypass. (We reported it ... but it did not seem to be received with
the same criticality as we saw).
(This was 2 years ago ... so it may have changed in the meantime... we pretty
much just use ARS apis ... but - the apis let you change your password to any
old thing you want.)


-John













-- 

*John Sundberg*
Kinetic Data, Inc.
Your Business. Your Process.


651-556-0930 I john.sundb...@kineticdata.com
www.kineticdata.com I community.kineticdata.com



Target Attack and BMC Software ITSM?

2014-01-30 Thread John Baker
Fred: Sadly, setting a predictable password isn't going to stop a slow
'drip drip' process enumerating passwords.

John: The core problem, as is the case with much of AR System, is an
unwillingness to tackle design changes in the correct place. You are
correct that security should happen in the server, hence it should check
the disabled user radio. How much effort is that - about ten minutes
with an if statement? 

I firmly believe in getting the core product right. I think I'm in a
minority. :)



Re: Email engine is a server group

2014-01-30 Thread Brittain, Mark
Hi Doug & LJ,

On Linux 5. Did a ps -ef|grep 'mail' and got this. Any idea what it means?
root 27974 5433 0 14:15 ? 00:00:00 sendmail: server server name [server ip] cmd read

thanks
Mark

From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Tanner, Doug
Sent: Thursday, January 30, 2014 3:08 PM
To: arslist@ARSLIST.ORG
Subject: Re: Email engine is a server group

Yes, and the service does NOT auto-start if the other one stops, Doug


From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Brittain, Mark
Sent: Thursday, January 30, 2014 3:02 PM
To: arslist@ARSLIST.ORG
Subject: Email engine is a server group

Hi All,

I have two servers in a server group. I stopped one of the servers and then 
restarted. Came up fine except for the email engine. Connection refused, to 
host. Currently the second server is handling the email and connects to the 
mailbox on a Linux server. Could this be normal? Only one server can connect to 
the mailbox at a time?

ARS 7.6.04 SP3

Thanks
Mark

Mark Brittain
Remedy Developer
ITILv3 Foundation, Continual Service Improvement
NaviSite, Inc. - A Time Warner Cable Company
mbritt...@navisite.com
Office: 315.634.9337
Mobile: 315.882.5360

Re: Email engine is a server group

2014-01-30 Thread Grooms, Frederick W
That means the server's sendmail daemon is running 

The ARS Email Engine would show up as a java process running emaildaemon.jar

Fred




Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Pierson, Shawn
I guess I don't know why someone *wouldn't* be using AREA for the bulk of their 
users in Remedy to begin with.  It's a waste of money for an organization to 
have dedicated Remedy people (which we all know aren't cheap) sitting around 
resetting passwords and dealing with credentials.  It also closes major 
security holes by allowing you to have a unified security policy including 
password strength, bad password attempts, etc.  From my perspective, having 
dedicated passwords in Remedy is not a best practice and not something that 
should get beyond the proof of concept phase of a Remedy implementation.  I'm 
sure someone has a good reason why they would need to not create an account in 
AD for each Remedy user, but I haven't heard it yet and I could probably come 
up with some good arguments against their reasoning.  Of course, I exclude 
accounts used by the Remedy team or integrations and such but those are 
exceptions rather than the standard.

So for me, any enhancements made to enforcing password rules in Remedy or 
anything like that would serve no value.  I don't know if BMC has any 
statistics on how many of their customers use AREA to authenticate for their 
Remedy systems but I'd think it's the majority.

Thanks,

Shawn Pierson
Remedy Developer | Energy Transfer



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread LJ LongWing
John,
You tend to 'crap' on the product line on a regular basis...and I don't
typically respond, because you are usually 'correct'...if a bit mean
spirited about most of the comments you make...but on this one, I can't
agree.

While it might only take 10 mins with a single if statement to check to
see if the disabled flag is set...there is WAY more than that to look at in
this situation.

Let's walk through a scenario:

john.doe is a user in the system, has a fixed license, and various
permissions to various objects in the system, and is disabled.

so...what does Disabled mean...does it mean that the user cannot connect in
any way?  What if the system allows guest users, even though this user is
disabled, should they allow the user 'in', but as a guest?

There was a change made a few years back because of security concerns...you
used to get a different error message when you provided an incorrect
password than you would if you provided an incorrect user, this gave a clue
to the person logging on what they did wrong, but it also provided a clue
to a hacker as to if they have a good user account, but just a bad
password...so it was generalized to protect the integrity of the system.
 In the case of Disabled, what sort of message do you give?  Do you only
specify that it's disabled if you provide a valid account name AND
password, or do you say the account is disabled before checking a password.

What if the system is set to AREA, and the password is blank, thus allowing
authentication externally...but the disabled flag is set...do you let them
in or stop them.

I know what I would answer to some of these questions...but they are all
questions that must be asked and considered and answered with proper
thought.

I'm not saying that these questions shouldn't be discussed, answered, and a
strategy put in place regarding the Disabled user...but it's NOT as easy as
a 10 minute fix as you suggest.




Re: Email engine is a server group

2014-01-30 Thread Brittain, Mark
Hi Fred,

I can see the emaildaemon.jar but would that confirm the email engine is 
running? When I started the AR Server it displayed the following
BMC Remedy Email Engine has started
AR System Plugin Version 7.6.04 SP3
Remote Exception
java.rm1.ConnectException: Connection refused to host: local host; nested exception is:
java.net.ConnectException: Connection refused
Email Engine currently is not up

Is there another way to verify the email engine is running or not?

Thanks
Mark



Target Attack and BMC Software ITSM?

2014-01-30 Thread John Baker
LJ

I think that disabled means disabled. It doesn't mean anything else. :)

You make a good point about the error message, but that's easy to solve
- re-use the existing user/password error. But actually, I think it's
fairly well accepted that it's safe to tell a user their account is
disabled [and please call the service desk]. 

Once upon a time, I saw a flow chart of all the possible combinations of
AR System authentication. The BMC chap presenting it had about four
slides of spider diagrams. I suspect the real reason that it's hard to
add an if statement is the code for authentication has morphed into
something no-one ever wants to touch, with all the edge cases you
discuss (guest users, etc). But there's a good solution - remove it all,
remove the legacy features, remove chaining, and implement AREA or AR
System. I'm not even sure I'd allow guest users to persist, but there
are a couple of SSO Plugin customers who use it.


John
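
The questions debated in this part of the thread (whether the server itself enforces the disabled flag, what a failed login tells the caller, blank-password accounts authenticated externally, guest fallback, lockout after a few bad attempts), worked through as an added Python example. It is not AR System code and not from any poster; every class, function and policy choice in it is an assumption made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_BAD_ATTEMPTS = 5                       # the thread suggests 5, at most 10
GENERIC_FAILURE = "Authentication failed"  # one client-visible text for every denial


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: Optional[bytes]   # None = blank local password, defer to external auth
    disabled: bool = False
    bad_attempts: int = 0


@dataclass
class Decision:
    allowed: bool
    message: str   # returned to the client
    audit: str     # real reason, written to the server log only


class Authenticator:
    """Hypothetical server-side login check; every rule is enforced here, not in the client."""

    def __init__(self, external_auth: Optional[Callable[[str, str], bool]] = None,
                 allow_guest: bool = False) -> None:
        self.accounts: Dict[str, Account] = {}
        self.external_auth = external_auth   # stand-in for an AREA-style directory check
        self.allow_guest = allow_guest
        # Dummy record so unknown, disabled and locked names cost one hash as well.
        self._dummy = Account(os.urandom(16), hash_password("unused", b"0" * 16))

    def add(self, name: str, password: str = "", disabled: bool = False) -> None:
        salt = os.urandom(16)
        pw_hash = hash_password(password, salt) if password else None
        self.accounts[name] = Account(salt, pw_hash, disabled)

    def _verify(self, name: str, acct: Account, password: str) -> bool:
        if acct.pw_hash is None:
            # Blank local password: only an external authenticator can vouch for the
            # user, and an empty submitted password is never accepted.
            return bool(password) and self.external_auth is not None \
                and bool(self.external_auth(name, password))
        return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)

    def _deny(self, name: str, password: str, reason: str) -> Decision:
        self._verify(name, self._dummy, password)   # spend comparable hashing time
        return Decision(False, GENERIC_FAILURE, reason)

    def login(self, name: str, password: str) -> Decision:
        acct = self.accounts.get(name)
        if acct is None:
            if self.allow_guest:
                # Trade-off: with guests on, a denial tells the caller the name exists.
                self._verify(name, self._dummy, password)
                return Decision(True, "Guest access", "guest:unknown-user")
            return self._deny(name, password, "unknown-user")
        if acct.disabled:
            # Checked before the password, before external auth and before any
            # guest fallback: a disabled account gets in by no path.
            return self._deny(name, password, "disabled-account")
        if acct.bad_attempts >= MAX_BAD_ATTEMPTS:
            return self._deny(name, password, "locked-out")
        if not self._verify(name, acct, password):
            acct.bad_attempts += 1
            return Decision(False, GENERIC_FAILURE, "bad-password")
        acct.bad_attempts = 0
        return Decision(True, "OK", "success")


def demo() -> Authenticator:
    # Constructed sample data; the dict stands in for an external directory.
    directory = {"carol": "dir-pass", "dave": "dir-pass"}
    auth = Authenticator(external_auth=lambda u, p: directory.get(u) == p,
                         allow_guest=True)
    auth.add("alice", "correct horse")
    auth.add("john.doe", "still-valid", disabled=True)  # the scenario user from the thread
    auth.add("carol")                                   # blank password, external auth
    auth.add("dave", disabled=True)                     # blank password and disabled
    return auth


if __name__ == "__main__":
    a = demo()
    for user, pw in [("alice", "correct horse"), ("john.doe", "still-valid"),
                     ("carol", "dir-pass"), ("dave", "dir-pass"), ("nobody", "x")]:
        print(user, a.login(user, pw))
```

The client only ever sees `GENERIC_FAILURE`; the `audit` field keeps the real reason so a service desk can tell a disabled account from a mistyped password.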



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread LJ LongWing
I tend to agree that Disabled means they shouldn't be able to gain access
to the system...but yes, there is a veritable spiderweb of considerations
to take into account to consider it a 'quick 10 min fix'. :)




Target Attack and BMC Software ITSM?

2014-01-30 Thread John Baker
LJ

I guess my point is, it really should be a ten minute fix. If it's not,
there's a problem to address given the sensitivity of the code in
question (ie authentication).


John



Re: Email engine is a server group

2014-01-30 Thread Grooms, Frederick W
The emaild.sh script in the directory has the following options   
usage: emaild.sh { start | stop | status }   

The status option gives something like
./emaild.sh status   
   checking BMC Remedy Email Engine ...   
   BMC Remedy Email Engine is running on port xx   




Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Ortega, Jesus A
I guess it's good that BMC is private now or else their stock price would have 
started tanking after this news. Good move, BMC.

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Jeff Lockemy
Sent: Thursday, January 30, 2014 7:23 AM
To: arslist@ARSLIST.ORG
Subject: OT: Target Attack and BMC Software ITSM?

This news article hit today...

http://www.startribune.com/business/242688511.html

It says that a default password in a BMC ITSM product may have contributed to 
the target attack.

Jeff


 
Jeff Lockemy
Lead Engineer, NAVY 311
Enterprise Service Management PMW-240
ITIL V3 Foundation Certified
QMX Support Services Inc.



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Nathan Aker
This article states it was a user from the Performance Assurance suite, not 
ITSM.

http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/


Nathan Aker
IT Service Management


-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Ortega, Jesus A
Sent: Thursday, January 30, 2014 4:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

I guess it's good that BMC is private now or else their stock price would have 
started tanking after this news. Good move, BMC.

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Jeff Lockemy
Sent: Thursday, January 30, 2014 7:23 AM
To: arslist@ARSLIST.ORG
Subject: OT: Target Attack and BMC Software ITSM?

This news article hit today...

http://www.startribune.com/business/242688511.html

It says that a default password in a BMC ITSM product may have contributed to 
the target attack.

Jeff


 
Jeff Lockemy
Lead Engineer, NAVY 311
Enterprise Service Management PMW-240
ITIL V3 Foundation Certified
QMX Support Services Inc.



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Lucero, Michelle
Hi, Nate:

Thank you for pointing that out for everyone.  The original Star Tribune 
article never specifically mentions ITSM.  It says, "...an IT management 
software product."

Also, BMC has placed a statement on the home page of bmc.com/support.  I 
read it yesterday.  It should still be there today.

Thank you,
Michelle

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Nathan Aker
Sent: Thursday, January 30, 2014 5:22 PM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

This article states it was a user from the Performance Assurance suite, not 
ITSM.

http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/


Nathan Aker
IT Service Management


-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Ortega, Jesus A
Sent: Thursday, January 30, 2014 4:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

I guess it's good that BMC is private now or else their stock price would have 
started tanking after this news. Good move, BMC.

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Jeff Lockemy
Sent: Thursday, January 30, 2014 7:23 AM
To: arslist@ARSLIST.ORG
Subject: OT: Target Attack and BMC Software ITSM?

This news article hit today...

http://www.startribune.com/business/242688511.html

It says that a default password in a BMC ITSM product may have contributed to 
the target attack.

Jeff


 
Jeff Lockemy
Lead Engineer, NAVY 311
Enterprise Service Management PMW-240
ITIL V3 Foundation Certified
QMX Support Services Inc.



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread David Charters
That's BS. I know every inch of ITSM and no back door exists. Even if some 
knucklehead left demo open you couldn't use it to do this type of attack.  
It's just political finger pointing!

Sincerely,

David Charters
Charters Technologies
317-331-8985

 Original message 
From: Nathan Aker nathan_a...@mcafee.com 
Date:01/30/2014  6:21 PM  (GMT-05:00) 
To: arslist@ARSLIST.ORG 
Subject: Re: Target Attack and BMC Software ITSM? 

This article states it was a user from the Performance Assurance suite, not 
ITSM.

http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/


Nathan Aker
IT Service Management


-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Ortega, Jesus A
Sent: Thursday, January 30, 2014 4:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Target Attack and BMC Software ITSM?

I guess it's good that BMC is private now or else their stock price would have 
started tanking after this news. Good move, BMC.

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Jeff Lockemy
Sent: Thursday, January 30, 2014 7:23 AM
To: arslist@ARSLIST.ORG
Subject: OT: Target Attack and BMC Software ITSM?

This news article hit today...

http://www.startribune.com/business/242688511.html

It says that a default password in a BMC ITSM product may have contributed to 
the target attack.

Jeff


 
Jeff Lockemy
Lead Engineer, NAVY 311
Enterprise Service Management PMW-240
ITIL V3 Foundation Certified
QMX Support Services Inc.



Parameterized Macro...

2014-01-30 Thread Suresh Loganathan
Team,

Is it possible to create a parameterized macro from Remedy to pull a Remedy
report? I tried with the user tool, and I can using the macro icon, but I
can't see that option in the Remedy web URL. How do I do that? Can you
please advise?

Regards,

Suresh L



Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Theo Fondse
Hi Doug!

Thank You! Thank You! Thank You! Thank You! Thank You! Thank You!

For finally phasing out the dreaded Demo account!

I have lost count of how many times I had to defend Remedy's honour about
the Demo account and countless more times having to either delete the
account or set a password for that account where no one has bothered to
give it a password before.

Again, Thank you!


Best Regards,

Theo


PS: I feel sorry for whoever is working at the Target IT Dept.
That's some serious bad luck they had. They must be facing some tough times
now.
Hope things turn out OK for them and hopefully the perpetrators are brought
to book soon.
One can already think about some hacking Target jokes doing the rounds
later...




On Thu, Jan 30, 2014 at 10:19 PM, Mueller, Doug doug_muel...@bmc.com wrote:

 An update on this

 Actually, a feature change that I knew was in the works has already been
 done in the shipping product (I was a bit behind).

 Everything is still the same from the original message...  EXCEPT for the
 Demo user.

 In the current release (and going forward of course), we DO NOT create a
 user named Demo -- you specify the user to create at installation for that
 initial user.  So, there is no longer a Demo user to worry about.  That is
 unless you have an older install and that user is still hanging around from
 that previous version -- and it is safe to remove them.

 So, the only known password is if WE create the DB (and again, you can do
 that create if you want to control even that) and we strongly recommend you
 change that after the initial installation.

 Doug Mueller

 -Original Message-
 From: Action Request System discussion list(ARSList) [mailto:
 arslist@ARSLIST.ORG] On Behalf Of Mueller, Doug
 Sent: Thursday, January 30, 2014 9:19 AM
 To: arslist@ARSLIST.ORG
 Subject: Re: Target Attack and BMC Software ITSM?

 Everyone,

 Just to be clear about the Remedy environment and passwords:

 1) There are absolutely NO backdoor passwords that are used for system
    access that are not visible and under the control of the Administrator.
 2) Since about 7.0, we have REQUIRED that you supply a password for the
    system users -- Remedy Application Password, DSO  (there is no password
    for Escalator)
 3) Yes, there is a default Database password to get started -- and you are
    encouraged to change it immediately.
 4) Yes, there is a default user installed (Demo) to give a starting point
    -- and you are encouraged to change it or delete this user immediately
    (and all of the installers have been corrected for several years now to
    not look for a user named Demo)

 So, there are no secret back doors to the system that would provide access
 and there are only two cases where there is even a temporary default
 password -- if WE create the DB, we need to do something and then you
 change it and this can be worked around if you create the DB and give us
 the information  AND  the Demo user that is loaded to give you initial
 access into the system (you have to get in somehow the first time).


 Again, if you have not changed either of the two passwords noted here, you
 should do that immediately and on every system.  Otherwise, there is no
 issue within the product around this topic.

 Now, there are a bunch of other security settings that I encourage you to use --

 -- restrict where run processes can run processes
 -- control the shell under which processes can run
 -- use the password management feature to enforce password rules
 -- use the feature that disables an account after x bad password attempts
   (and make x a relatively small number like 5 or at most 10)
 -- disallow blank passwords (except for AREA cross-reference situations)
 --  and a number of other things

 We encrypt passwords on the wire.  We in fact default encrypt the entire
 traffic on the wire (with higher levels of encryption than the default
 available if desired).  We use a connectionless protocol with user
 validation at every call to ensure that you are who you say you are to
 prevent piggybacking connections.


 Remedy should not be vulnerable to attack of the kind described unless you
 have opened your systems to the outside and have not followed suggestions
 of changing the two key initial passwords (I would consider changing the DB
 name from ARAdmin as well just to make it that much harder to find -- and
 that is fully supported).

 Doug Mueller

 -Original Message-
 From: Action Request System discussion list(ARSList) [mailto:
 arslist@ARSLIST.ORG] On Behalf Of Pierson, Shawn
 Sent: Thursday, January 30, 2014 5:31 AM
 To: arslist@ARSLIST.ORG
 Subject: Re: Target Attack and BMC Software ITSM?

 I read the article and clicked on the link to the Krebs on security site.
  Based on that site, which may or may not be correct, it's saying that the
 potential BMC product is BMC Performance Assurance Agent.  Since this isn't
 a part of Remedy I really have no idea how it