An update on this.... Actually, a feature change that I knew was in the works has already been done in the shipping product (I was a bit behind).
Everything is still the same from the original message... EXCEPT for the Demo user. In the current release (and going forward of course), we DO NOT create a user named Demo -- you specify the user to create at installation for that initial user. So, there is no longer a Demo user to worry about. That is unless you have an older install and that user is still hanging around from that previous version -- and it is safe to remove them. So, the only known password is if WE create the DB (and again, you can do that create if you want to control even that) and we strongly recommend you change that after the initial installation. Doug Mueller -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Mueller, Doug Sent: Thursday, January 30, 2014 9:19 AM To: [email protected] Subject: Re: Target Attack and BMC Software ITSM? Everyone, Just to be clear about the Remedy environment and passwords: 1) There are absolutely NO backdoor passwords that are used for system access that are not visible and under the control of the Administrator. 2) Since about 7.0, we have REQUIRED that you supply a password for the system users -- Remedy Application Password, DSO (there is no password for Escalator) 3) Yes, there is a default Database password to get started -- and you are encouraged to change it immediately. 4) Yes, there is a default user installed (Demo) to give a starting point -- and you are encouraged to change it or delete this user immediately (and all of the installers have been corrected for several years now to not look for a user named Demo) So, there are no secret back doors to the system that would provide access and there are only two cases where there is even a temporary default password -- if WE create the DB, we need to do something and then you change it and this can be worked around if you create the DB and give us the information AND the Demo user that is loaded to give you initial access into the system (you have to get in somehow the first time). Again, if you have not changed either of the two passwords noted here, you should do that immediately and on every system. Otherwise, there is no issue within the product around this topic. Now, there are a bunch of other security settings that I encourage you to use -- -- restrict where run processes can run processes -- control the shell under which processes can run -- use the password management feature to enforce password rules -- use the feature that disables an account after x bad password attempts (and make x a relatively small number like 5 or at most 10) -- disallow blank passwords (except for AREA cross-reference situations) -- and a number of other things We encrypt passwords on the wire. We in fact default encrypt the entire traffic on the wire (with higher levels of encryption than the default available if desired). We use a connectionless protocol with user validation at every call to ensure that you are who you say you are to prevent piggybacking connections. Remedy should not be vulnerable to attack of the kind described unless you have opened your systems to the outside and have not followed suggestions of changing the to key initial passwords (I would consider changing the DB name from ARAdmin as well just to make it that much harder to find -- and that is fully supported). Doug Mueller -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Pierson, Shawn Sent: Thursday, January 30, 2014 5:31 AM To: [email protected] Subject: Re: Target Attack and BMC Software ITSM? I read the article and clicked on the link to the Krebs on security site. Based on that site, which may or may not be correct, it's saying that the potential BMC product is BMC Performance Assurance Agent. Since this isn't a part of Remedy I really have no idea how it works and if there is a back door or if it was installed and they forgot to change a default password. In any case, it's not Remedy, so that's a good thing. Thanks, Shawn Pierson Remedy Developer | Energy Transfer -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Jeff Lockemy Sent: Thursday, January 30, 2014 7:23 AM To: [email protected] Subject: OT: Target Attack and BMC Software ITSM? This news article hit today... http://www.startribune.com/business/242688511.html It says that a default password in a BMC ITSM product may have contributed to the target attack. Jeff Jeff Lockemy Lead Engineer, NAVY 311 Enterprise Service Management PMW-240 ITIL V3 Foundation Certified QMX Support Services Inc. _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years" Private and confidential as detailed here: http://www.energytransfer.com/mail_disclaimer.aspx . If you cannot access the link, please e-mail sender. _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
