[isalist] Re: Failing PCI Compliance tests

  • From: Steve Moffat <Steve@xxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 4 Jan 2010 18:21:14 +0000

That's not humor...we really are!!

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Mike Anderson
Sent: Monday, January 04, 2010 2:19 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

The sense of humor the members of this list possess never ceases to put a smile 
on my face :)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Saturday, January 02, 2010 11:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

We all feel naked Mike.  But that's because many of us really are.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Mike Anderson
Sent: Saturday, January 02, 2010 9:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

Thank you all SO MUCH for your amazingly quick replies - my boss will be very 
pleased once I put these changes into place.

I can't begin to tell you how naked I felt, diving into this whole area.

Again, thank you and have a great new year everybody!!!

Mike

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Thursday, December 31, 2009 10:31 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

Mike, I had the same issues w/PCI compliance even though we technically don't 
take credit cards and use the Ticketmaster application (direct VPN tunnel) for 
the orders.  Jerry's recommendations did the trick for me, but it had to be 
done on the ISA servers - it was NOT an issue with certs, just the SSL settings 
on the ISA boxes.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Mike Anderson
Sent: Thursday, December 31, 2009 7:46 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Failing PCI Compliance tests

Hello All,

We have a Win2K3 web server behind an ISA 2004 Server, which hosts our website 
(with an SSL Certificate for doing credit card transactions).

As of 3 months ago, we started getting these warning e-mails from our credit 
card merchant people stating that we failed their PCI Compliance test.  If we 
don't get this fixed, we will start to be penalized and we can't let that 
happen.

SSL Certs are probably one of my weakest areas and I just know enough to get 
by.  The PDF generated from their automated system outlined the trouble areas 
and offered some websites we could visit that could help remedy the problem.  I 
must say, being a technical person myself, I had a hard time navigating the 
documents in addition to understanding how they applied to our problem.

The next 2 blocks of text are the 2 primary areas that killed our PCI 
Compliance score, and if we can fix this, we should be okay once again.  BTW, 
the following blocks of text correspond to TCP, Port 443 & HTTPS...

The first one:

Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also : http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers...

The second one:

Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.
Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also : http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Now my question is, does the ISA Server come into play with this whole thing?  
Or is the primary problem relating to our Web Server and how the SSL Cert was 
originally created?  I didn't create the initial key and purchase the original 
certificate, but I know darn sure that the person who did would have selected 
the strongest encryption available at the time - which would have given us the 
peace of mind of secure transactions.

I know that in order to get the SSL to pass through the ISA Server, we had to 
export the SSL Cert from the Web Server and install it on the ISA Server.  Was 
there something different that I should have done during that process?  Do we 
possibly have to trash our existing SSL Cert, and reapply for a newer strong 
one?

Again, I apologize for being so green in this area - I can only be good at so 
many things :)

Thank you all again in advance, for all your wonderful help.

Mike
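A worked example added here, not code from the thread and not the recommendations referred to above (which the thread does not reproduce): a PowerShell script that disables SSL 2.0 and the low-strength SCHANNEL cipher suites that the two findings above describe, using the SCHANNEL registry values Microsoft documents for Windows Server 2003 (KB 187498, KB 245030). The function names are my own; it assumes it is run elevated on whichever box terminates SSL for port 443, which in this setup is the ISA server.

```powershell
# Added example (not from the thread): turn off SSL 2.0 and weak SCHANNEL
# cipher suites on Windows Server 2003 / ISA 2004 via the documented
# SCHANNEL registry values. SCHANNEL reads these at boot, so reboot before
# rescanning. The cipher key names contain '/', which the PowerShell
# registry provider treats as a path separator, so the .NET registry API
# is used instead of New-Item/Set-ItemProperty.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Disable-SchannelItem {
    param([string]$SubKey)
    # CreateSubKey opens the key writable, creating it (and parents) if absent.
    $key = $hklm.CreateSubKey("$schannel\$SubKey")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelState {
    param([string]$SubKey)
    # Reads back Enabled; a missing key or value means the OS default applies.
    $key = $hklm.OpenSubKey("$schannel\$SubKey")
    if ($null -eq $key) { return 'default (key absent)' }
    $v = $key.GetValue('Enabled')
    $key.Close()
    if ($null -eq $v) { 'default (value absent)' }
    elseif ($v -eq 0) { 'disabled' }
    else { 'enabled' }
}

# SSL 2.0 as a server-side protocol, plus the null and 40/56/64-bit
# ciphers that a scan reports as low-strength or no encryption.
$weak = @(
    'Protocols\SSL 2.0\Server',
    'Ciphers\NULL',
    'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128',
    'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 64/128'
)

foreach ($item in $weak) {
    Disable-SchannelItem -SubKey $item
    '{0,-26} {1}' -f $item, (Get-SchannelState -SubKey $item)
}
Write-Host 'Reboot, then rescan TCP/443. Remaining 128-bit ciphers and TLS 1.0 are untouched.'
```

The scanner is testing the listener's protocol and cipher negotiation, not the certificate, so the existing certificate and key can stay; only the SCHANNEL settings on the machine answering port 443 decide what the scan sees.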
