OT: Target Attack and BMC Software ITSM?

2014-01-30 Thread Jeff Lockemy
This news article hit today... http://www.startribune.com/business/242688511.html It says that a default password in a BMC ITSM product may have contributed to the Target attack. Jeff Jeff Lockemy Lead Engineer, NAVY 311 Enterprise Service Management PMW-240 ITIL V3 Foundation Certified QMX

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Stanley Feinstein
Jeff, Interesting article. Thanks. Stan w. 310-230-1722. c. 310-428-5748.

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Pierson, Shawn
I read the article and clicked on the link to the Krebs on Security site. Based on that site, which may or may not be correct, it's saying that the potential BMC product is BMC Performance Assurance Agent. Since this isn't a part of Remedy I really have no idea how it works and if there is a

Re: OT: Target Attack and BMC Software ITSM?

2014-01-30 Thread Jeff Lockemy
It looks like it wasn't Remedy at least, it was Performance Assurance for Microsoft Servers (see below). But good to know if anyone is using this in their environment. That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation:

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Jeff Lockemy
Totally... It would be nice if they were a little more specific in the articles. My stress level went up for a bit. LOL

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Pierson, Shawn
Upon further reading, this is a part of their Bladelogic Automation Suite, and BMC has documented how to remove that account once you have it up and running. I think the Remedy equivalent would be if you installed AR System and left the Demo account out there as is. Thanks, Shawn

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread William Rentfrow
Wait - so you're not supposed to use Demo after you install? ;) This does give me enough reason to go back and double check to make sure those are turned off in all the environments. You can never be too careful.

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Shellman, David
So how many never changed ARAdmin account from the default? Dave

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Ben Cantatore
Yesterday, I had to hunt down all the system/admin accounts and assure my boss they're all changed. This is the list: appadmin, Demo, KD_WEBUSER, aradmin, Orchestration, EscalationUser, admin Ben Cantatore Remedy Architect Bed Bath & Beyond 650 Liberty Avenue Union NJ 07083-8130 Office:

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread William Rentfrow
With my main gig we had the opposite problem with ARAdmin. We'd hand the manual create directions off to the DBAs and they'd do the initial work in Oracle, but change the password to something like Id0ntHav32Te11U (usually longer - I think the non-prod ones were 15 characters and the prod ones

Re: Pull data from CMDB

2014-01-30 Thread Jim Coryat (jcoryat)
Keep in mind that the Base Element view will only provide those attributes on that class. To get the additional attributes that are specific to a class you will need to query that view directly. BMC_CORE_BMC_ is the prefix for all the class views in the database. Use the views that do not

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Pierson, Shawn
Alternatively, you can leave it as a default, remove all permissions, set a custom homepage form for it in the preferences that automatically redirects it to a YouTube video of the singing Trololo guy. Obviously they could still get into other areas of Remedy that have Public access if they

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread William Rentfrow
The funny part about that is that most IT Security departments would freak out about the embedded YouTube link and not the rest of it...

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Axton
I wonder what the default passwords are for AR_ESCALATOR, DSO, plugin user, etc. You can see evidence of these accounts in the api logs, user logs, etc. For some of the accounts there is no way to change any aspect of the authentication information. In versions long ago (5.x and earlier?), the

Target Attack and BMC Software ITSM?

2014-01-30 Thread John Baker
One of the features we introduced in SSO Plugin 4 was heavy warnings on the SSO Plugin status page if the user had not changed the default 'arsystem' Mid Tier configuration password. You can google and find a number of Mid Tiers with it still running on the default password. Also, we recently

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread John Sundberg
I will bet changes will be coming. Maybe they will change the disabled status to actually disable the user. -John

How find CRQ Hold person signature.

2014-01-30 Thread Suresh Loganathan
Team, Recently, one CRQ Hold for the approver. Can't see that approver signature from CHG:Infrastructure change form. Can you please guide where I can get this info. Remedy environment 8.1. Regards, Suresh L

Re: How find CRQ Hold person signature.

2014-01-30 Thread Tauf Chowdhury
I think what you are looking for is in AP:Signature

Re: How find CRQ Hold person signature.

2014-01-30 Thread Suresh Loganathan
Hi Tauf, Thanks for your quick reply. Let me check. Normally, it will capture change signature form, but it's not listed. Anyway, will follow your way :) R, Suresh L

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Pierson, Shawn
YouTube can be a bandwidth hog under circumstances where people goof off, but from a business perspective it's not a bad way to get videos of your company out there for the public. It's also kind of the only place you can go to learn about BMC's Process Designer since BMC hadn't begun offering

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Mueller, Doug
Everyone, Just to be clear about the Remedy environment and passwords: 1) There are absolutely NO backdoor passwords that are used for system access that are not visible and under the control of the Administrator. 2) Since about 7.0, we have REQUIRED that you supply a password for the system

Date question

2014-01-30 Thread Ron Young
User 7.6 Dev 8.1 Got a question. How would I ask for a report to spit out records that have only been modified within the last 2 weeks? This is the statement below that I am using and it works but it pulls up all files even ones that were say modified today or yesterday. I only need items

Email engine is a server group

2014-01-30 Thread Brittain, Mark
Hi All, I have two servers in a server group. I stopped one of the servers and then restarted. Came up fine except for the email engine. Connection refused, to host. Currently the second server is handling the email and connects to the mailbox on a Linux server. Could this be normal? Only one

Re: Email engine is a server group

2014-01-30 Thread LJ LongWing
Mark, As I understand it, the Email Engine should connect to its own associated app server, so that when app 1 goes offline, app2 should signal its email engine to take over operations, and if email engine 1 should still be connected...it would stop operations...but that's just a theoretical

Re: Email engine is a server group

2014-01-30 Thread Tanner, Doug
Yes, and the service does NOT auto-start if the other one stops, Doug

Re: Date question

2014-01-30 Thread Young, Ronald P.
Sorry about that...I may have confused you...I am looking for records that have been modified more than 2 weeks ago...not within the 2 weeks. 1st sentence was backwards... Thanks, Ron Young Believe you can and you’re halfway there. ~Theodore Roosevelt

Target Attack and BMC Software ITSM?

2014-01-30 Thread John Baker
Doug And you don't force administrators to change the default Mid Tier password, which is the most relevant starting point for abuse given everything else is basically hidden from a web client. And you haven't made the disable User radio do what it says on the tin, ie disable a user, which will

Re: Date question

2014-01-30 Thread David Durling
Ron, To get records NOT modified in the last 2 weeks, put something like this in your search: 'Modified Time' < ( $TIMESTAMP$ - (60*60*24*14)) Or better, from the current day's date (at midnight): 'Modified Time' < ( $DATE$ - (60*60*24*14)) That's sixty (seconds) * sixty (minutes) * 24

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Mueller, Doug
An update on this Actually, a feature change that I knew was in the works has already been done in the shipping product (I was a bit behind). Everything is still the same from the original message... EXCEPT for the Demo user. In the current release (and going forward of course), we DO NOT

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Grooms, Frederick W
You could add a filter to the User form: if TR.Status is disabled, set the password to something + the server's date and time. So only if a person knows exactly when (to the second) the user was disabled could that account be accessed. Fred

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread John Sundberg
Also - if you are going to tinker with security settings/rules: I think it would be a good idea to enforce the password rules at the server. Either via filters (probably bad idea) ... or in the actual arserver code (better idea). Last time I checked - they were enforced via active links ...

Target Attack and BMC Software ITSM?

2014-01-30 Thread John Baker
Fred: Sadly, setting a predictable password isn't going to stop a slow 'drip drip' process enumerating passwords. John: The core problem, as is the case with much of AR System, is an unwillingness to tackle design changes in the correct place. You are correct that security should happen in the

Re: Email engine is a server group

2014-01-30 Thread Brittain, Mark
Hi Doug & LJ, On Linux 5. Did a ps -ef|grep 'mail' and got this. Any idea what it means? root 27974 5433 0 14:15 ? 00:00:00 sendmail: server server name [server ip] cmd read thanks Mark

Re: Email engine is a server group

2014-01-30 Thread Grooms, Frederick W
That means the server's sendmail daemon is running. The ARS Email Engine would show up as a java process running emaildaemon.jar. Fred

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Pierson, Shawn
I guess I don't know why someone *wouldn't* be using AREA for the bulk of their users in Remedy to begin with. It's a waste of money for an organization to have dedicated Remedy people (which we all know aren't cheap) sitting around resetting passwords and dealing with credentials. It also

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread LJ LongWing
John, You tend to 'crap' on the product line on a regular basis...and I don't typically respond, because you are usually 'correct'...if a bit mean spirited about most of the comments you make...but on this one, I can't agree. While it might only take 10 min's with a single if statement to check

Re: Email engine is a server group

2014-01-30 Thread Brittain, Mark
Hi Fred, I can see the emaildaemon.jar but would that confirm the email engine is running? When I started the AR Server it displayed the following BMC Remedy Email Engine has started AR System Plugin Version 7.6.04 SP3 Remote Exception java.rm1.ConnectException: Connection refused to host: local

Target Attack and BMC Software ITSM?

2014-01-30 Thread John Baker
LJ I think that disabled means disabled. It doesn't mean anything else. :) You make a good point about the error message, but that's easy to solve - re-use the existing user/password error. But actually, I think it's fairly well accepted that it's safe to tell a user their account is disabled

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread LJ LongWing
I tend to agree that Disabled means they shouldn't be able to gain access to the system...but yes, there is a veritable spiderweb of considerations to take into account to consider it a 'quick 10 min fix'. :)

Target Attack and BMC Software ITSM?

2014-01-30 Thread John Baker
LJ I guess my point is, it really should be a ten minute fix. If it's not, there's a problem to address given the sensitivity of the code in question (ie authentication). John

Re: Email engine is a server group

2014-01-30 Thread Grooms, Frederick W
The emaild.sh script in the directory has the following options usage: emaild.sh { start | stop | status } The status option gives something like ./emaild.sh status checking BMC Remedy Email Engine ... BMC Remedy Email Engine is running on port xx

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Ortega, Jesus A
I guess it's good that BMC is private now or else their stock price would have started tanking after this news. Good move, BMC.

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Nathan Aker
This article states it was a user from the Performance Assurance suite, not ITSM. http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/ Nathan Aker IT Service Management

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Lucero, Michelle
Hi, Nate: Thank you for pointing that out for everyone. The original Star Tribune article never specifically mentions ITSM. It says, ..an IT management software product. Also, BMC has placed a statement on the home page of the bmc.com/support. I read it, yesterday. It should still be

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread David Charters
That's bs. I know every inch of itsm and no back door exists. Even if some knuckle head left demo open you couldn't use it to do this type of attack. It's just political finger pointing! Sincerely, David Charters Charters Technologies 317-331-8985

Parameterized Macro...

2014-01-30 Thread Suresh Loganathan
Team, Is it possible to create a parameterized macro from Remedy to pull the Remedy report? Tried with User Tool. I can using the macro icon, but can't see that option in the Remedy web URL. How to do that? Can you please advise? Regards, Suresh L

Re: Target Attack and BMC Software ITSM?

2014-01-30 Thread Theo Fondse
Hi Doug! Thank You! Thank You! Thank You! Thank You! Thank You! Thank You! For finally phasing out the dreaded Demo account! I have lost count on how many times I had to defend Remedy's honour about the Demo account and countless more times having to either delete the account or set a password