[isalist] Re: Failing PCI Compliance tests

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 31 Dec 2009 12:21:40 -0500

For sure...  Why in the world PCI compliance tests NOW complain of self-signed 
certs is beyond me (although they won't fail you for such, they will say that 
having such raises security issues).  We farm out as much as possible, 
including using TicketMaster for our tickets and Barnes and Noble for all our 
merchandise, and we still have to submit to the battery of CCI compliance tests 
and questionnaires ...  I swear, these aren't even technical people that write 
the forms...

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>






From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Thursday, December 31, 2009 12:09 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

PCI has nothing to do with security, just compliance with the arbitrary CCI rules 
they impose upon their customers to make them pay for and implement security 
they have to build around their products, which were designed for ease of use 
based on what should have been a private identifier (SSN) that originally 
belonged to the holder.

Paying the industry for failure to secure their sh**ty system is like paying a 
wolf to return the sheep he stole knowing he's going to eat them anyway.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Thursday, December 31, 2009 8:31 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

Mike, I had the same issues with PCI compliance even though we technically don't 
take credit cards and use the Ticketmaster application (direct VPN tunnel) for 
the orders.  Jerry's recommendations did the trick for me, but it had to be 
done on the ISA servers - it was NOT an issue with certs, just the SSL settings 
on the ISA boxes.

Steve Comeau




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Mike Anderson
Sent: Thursday, December 31, 2009 7:46 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Failing PCI Compliance tests

Hello All,

We have a Win2K3 web server behind an ISA 2004 Server, which hosts our website 
(with an SSL certificate for doing credit card transactions).

As of 3 months ago, we started getting these warning e-mails from our credit 
card merchant people stating that we failed their PCI Compliance test.  If we 
don't get this fixed, we will start to be penalized and we can't let that 
happen.

SSL certs are probably one of my weakest areas and I just know enough to get 
by.  The PDF generated from their automated system outlined the trouble areas 
and offered some websites we could visit that could help remedy the problem.  I 
must say, being a technical person myself, I had a hard time navigating the 
documents, in addition to understanding how they applied to our problem.

The next 2 blocks of text are the 2 primary areas that killed our PCI 
compliance score, and if we can fix this, we should be okay once again.  BTW, 
the following blocks of text correspond to TCP, port 443 & HTTPS...

The first one:

Synopsis: The remote service supports the use of weak SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer either 
weak encryption or no encryption at all.
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of 
weak ciphers.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output: Here is the list of weak SSL ciphers supported by the remote 
server: Low Strength Ciphers...

The second one:

Synopsis: The remote service encrypts traffic using a protocol with known 
weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, 
which reportedly suffers from several cryptographic flaws and has been 
deprecated for several years. An attacker may be able to exploit these issues 
to conduct man-in-the-middle attacks or decrypt communications between the 
affected service and clients.
See also: http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application's documentation to disable SSL 2.0 and use 
SSL 3.0 or TLS 1.0 instead.
Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Now my question is, does the ISA Server come into play with this whole thing?  
Or is the primary problem related to our web server and how the SSL cert was 
originally created?  I didn't create the initial key or purchase the original 
certificate, but I know darn sure that the person who did would have selected 
the strongest encryption available at the time - which would have given us the 
peace of mind of secure transactions.

I know that in order to get the SSL to pass through the ISA Server, we had to 
export the SSL Cert from the Web Server and install it on the ISA Server.  Was 
there something different that I should have done during that process?  Do we 
possibly have to trash our existing SSL Cert, and reapply for a newer strong 
one?

Again, I apologize for being so green in this area - I can only be good at so 
many things :)

Thank you all again in advance, for all your wonderful help.

Mike


***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com ***



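Editor's note, added to this archived thread and not part of any message above: the two scanner findings Mike quotes (SSL 2.0 accepted, low-strength ciphers offered) are decided by the Schannel configuration of whichever Windows box terminates the client's HTTPS connection, not by the certificate. When ISA 2004 publishes a site with SSL bridging, ISA terminates the client's SSL session itself, so the scanner is reporting ISA's Schannel settings; that is consistent with Steve's reply that the fix "had to be done on the ISA servers". The script below is an illustration of that fix, not Jerry's recommendations from the thread. It assumes the Windows Server 2003-era Schannel registry layout under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL (documented in Microsoft KB 245030), that it is run as an administrator on the box that terminates HTTPS (the ISA server, and the back-end IIS server if the scan can reach it directly), and that the machine is rebooted afterwards; the list of cipher subkeys it disables is my assumption about what the scanner's "Low Strength Ciphers" category covers (everything 56-bit or weaker, plus NULL encryption).

```powershell
# Added example (not from the isalist thread): disable SSL 2.0 and the weak
# Schannel ciphers that a PCI scan flags, on the host that terminates HTTPS.
# Assumptions: Windows Server 2003-era Schannel registry layout, run as an
# administrator, and a reboot afterwards (Schannel reads these keys at boot).

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Weak setting the scanner reported: SSL 2.0 accepted for inbound connections.
# On Windows Server 2003 the key is absent by default, which means "enabled";
# the corrected setting is an explicit Enabled = 0.
$protocolsToDisable = @(
    'Protocols\SSL 2.0\Server',   # inbound: what the PCI scanner probes
    'Protocols\SSL 2.0\Client'    # outbound: ISA-to-backend bridging should not use it either
)

# Cipher subkeys Schannel uses on Windows Server 2003 that fall under the
# scanner's "Low Strength Ciphers" (assumption: <= 56-bit or NULL encryption).
$ciphersToDisable = @(
    'Ciphers\NULL',
    'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128',
    'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 64/128'
)

function Set-SchannelEnabled {
    # Creates the subkey if needed, records the previous value and writes
    # the new Enabled DWORD, returning a one-line before/after summary.
    param([string]$SubKey, [int]$Enabled)
    $path = Join-Path $schannel $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $before = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
    New-ItemProperty -Path $path -Name Enabled -PropertyType DWord -Value $Enabled -Force | Out-Null
    $beforeText = if ($null -eq $before) { 'absent (=enabled)' } else { $before }
    '{0,-28} Enabled: {1} -> {2}' -f $SubKey, $beforeText, $Enabled
}

foreach ($key in $protocolsToDisable) { Set-SchannelEnabled -SubKey $key -Enabled 0 }
foreach ($key in $ciphersToDisable)   { Set-SchannelEnabled -SubKey $key -Enabled 0 }

Write-Host 'Schannel changes written; reboot before re-running the PCI scan.'
```

After the reboot, check from outside the way the scanner does rather than trusting the registry: with an OpenSSL build that still includes SSLv2 (1.0.x or older), `openssl s_client -connect www.example.com:443 -ssl2` and `openssl s_client -connect www.example.com:443 -cipher 'LOW:EXP:NULL'` should both fail to negotiate (www.example.com is a placeholder for the published host name). Two caveats a practitioner should keep in mind: the report's 2009 advice to fall back to "SSL 3.0 or TLS 1.0" is out of date, and the same mechanism (`Protocols\SSL 3.0\Server`, `Enabled = 0`) is what disables SSL 3.0 when a later scan flags it; and none of this touches the certificate, so re-keying or re-purchasing it, as Mike wondered, would not change either finding.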
