For sure... Why in the world PCI compliancy tests NOW complain of Self Signed Certs is beyond me (although they won't fail you for such, they will say that having such raises security issues). We farm out as much as possible, including using TicketMaster for our Tickets and Barnes and Noble for all our merchandise and we still have to be subjected to the battery of CCI compliancy tests and questionnaires ... I swear, these aren't even technical people that write the forms...

Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, December 31, 2009 12:09 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

PCI has nothing to do with security, just compliance to CCI arbitrary rules they impose upon their customers to make them pay for and implement security they have to build around their products that were designed for ease of use based on what should have been a private identifier (SSN) which originally belonged to the holder. Paying the industry for failure to secure their sh**ty system is like paying a wolf to return the sheep he stole knowing he's going to eat them anyway.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Thursday, December 31, 2009 8:31 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

Mike, I had the same issues w/PCI compliance even though we technically don't take credit cards and use the Ticketmaster application (direct VPN tunnel) for the orders. Jerry's recommendations did the trick for me, but it had to be done on the ISA servers - it was NOT an issue with certs, just the SSL settings on the ISA boxes.
Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mike Anderson
Sent: Thursday, December 31, 2009 7:46 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Failing PCI Compliance tests

Hello All,

We have a Win2K3 web server behind an ISA 2004 Server, which hosts our website (with an SSL Certificate for doing credit card transactions). As of 3 months ago, we started getting these warning e-mails from our credit card merchant people stating that we failed their PCI Compliance test. If we don't get this fixed, we will start to be penalized and we can't let that happen. SSL Certs are probably one of my weakest areas and I just know enough to get by. The PDF generated from their automated system outlined the trouble areas and offered some websites we could visit that could help remedy the problem. I must say, being a technical person myself, I had a hard time navigating the documents in addition to understanding how they applied to our problem. The next 2 blocks of text are the 2 primary areas that killed our PCI Compliance score, and if we can fix this, we should be okay once again. BTW, the following blocks of text correspond to TCP, Port 443 & HTTPS...

The first one:

Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also : http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers...
The second one:

Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.
Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also : http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Now my question is, does the ISA Server come into play with this whole thing? Or is the primary problem relating to our Web Server and how the SSL Cert was originally created? I didn't create the initial key and purchase the original certificate, but I know darn sure that the person who did would have selected the strongest encryption available at the time - which would have given us the peace of mind of secure transactions. I know that in order to get the SSL to pass through the ISA Server, we had to export the SSL Cert from the Web Server and install it on the ISA Server. Was there something different that I should have done during that process? Do we possibly have to trash our existing SSL Cert, and reapply for a newer strong one?

Again, I apologize for being so green in this area - I can only be good at so many things :)

Thank you all again in advance, for all your wonderful help.

Mike

*** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com ***
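The two scan findings in Mike's message (SSL 2.0 accepted, low-strength ciphers offered) are both controlled by Schannel registry keys on the Windows host that terminates SSL, which on an ISA bridging setup is the ISA box itself. The script below is an added example, not from the thread and not "Jerry's recommendations"; it assumes PowerShell is installed on the server and that it runs elevated.

```powershell
# Added example: disable SSL 2.0 and the low-strength ciphers the PCI scan complained about
# by writing Schannel's registry keys. Assumes PowerShell is installed on the Windows/ISA
# host and this runs elevated. Schannel reads these keys at boot, so the change only takes
# effect after a reboot; re-run the merchant's scan afterwards.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelEnabled([string]$SubKey, [int]$Enabled) {
    # The .NET registry API is used instead of the HKLM: provider because cipher key
    # names such as "RC4 40/128" contain a slash, which the provider treats as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$SubKey")
    $key.SetValue('Enabled', $Enabled, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelEnabled([string]$SubKey) {
    # Returns $null when the key is absent, i.e. Schannel is using its built-in default.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($key -eq $null) { return $null }
    $value = $key.GetValue('Enabled')
    $key.Close()
    return $value
}

# Second finding: the service accepts SSL 2.0. Disable it for inbound (Server) connections
# and, because ISA re-encrypts to the published web server, for outbound (Client) ones too.
$protocols = @('Protocols\SSL 2.0\Server', 'Protocols\SSL 2.0\Client')

# First finding: low-strength ciphers. Export-grade and null suites are switched off by
# name; RC4 128/128 and Triple DES are left alone since the report only flagged low strength.
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128') |
    ForEach-Object { "Ciphers\$_" }

foreach ($subKey in ($protocols + $weakCiphers)) {
    Set-SchannelEnabled $subKey 0
}

# Read back every key just written so the change can be reviewed before the reboot.
foreach ($subKey in ($protocols + $weakCiphers)) {
    $state = Get-SchannelEnabled $subKey
    '{0,-28} Enabled={1}' -f $subKey, $(if ($state -eq $null) { 'default' } else { $state })
}
```

On the ISA/Win2K3 generation in this thread only the Enabled value is honored; the same keys can be written with reg.exe where PowerShell is not available.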