
  #31  
Old 18-Feb-2010, 09:40 AM
EdHarrison
Registered User
Join Date: Jan 2009
Full Name: Ed Harrison
Posts: 528
Thanks: 92
Thanked 18 Times in 18 Posts
Yes, the PC was scanned externally and, even with the best antivirus / security settings I thought possible, it failed to comply!

edit: ran a second scan and passed

It seems a very vague process, and getting two different results without any change does not inspire confidence.
__________________
https://www.harrisontelescopes.co.uk/

Ed Harrison
  #32  
Old 24-Apr-2010, 01:05 PM
EdHarrison
Registered User
Join Date: Jan 2009
Full Name: Ed Harrison
Posts: 528
Thanks: 92
Thanked 18 Times in 18 Posts
PCI scan fails

It's time to scan again, but I am getting vulnerabilities causing a fail related to OpenSSH. Has anyone else encountered this?

I run one windows PC and no network..

thanks
__________________
https://www.harrisontelescopes.co.uk/

Ed Harrison
  #33  
Old 24-Apr-2010, 01:16 PM
Mike Hughes
Registered User
Join Date: Jan 2003
Full Name: Mike Hughes
Posts: 7,979
Thanks: 258
Thanked 448 Times in 396 Posts
I can't see why you should be getting this. Are you running openssh on your PC?

What's the failure message you're getting?

Mike
  #34  
Old 24-Apr-2010, 01:27 PM
Golf Tee Warehouse
Registered User
Join Date: Jun 2006
Full Name: Darren
Posts: 1,146
Thanks: 42
Thanked 73 Times in 43 Posts
Have you installed any new software that might use OpenSSH since the last scan?
__________________
Darren Guppy
Golf Tee Warehouse
Golf Tees and Golf Accessories.
  #35  
Old 24-Apr-2010, 02:30 PM
EdHarrison
Registered User
Join Date: Jan 2009
Full Name: Ed Harrison
Posts: 528
Thanks: 92
Thanked 18 Times in 18 Posts
It is quite strange. I am less than happy with the way the banks force you to go with their weird portals based abroad for scans. Nothing on the PC but Outlook, Actinic and docs for work use.

The messages are:

OpenSSH GSSAPI Credential Disclosure Vulnerability 4
OpenSSH Signal Handling Vulnerability 4
OpenSSH Local SCP Shell Command Execution Vulnerab...
__________________
https://www.harrisontelescopes.co.uk/

Ed Harrison
  #36  
Old 24-Apr-2010, 02:34 PM
Golf Tee Warehouse
Registered User
Join Date: Jun 2006
Full Name: Darren
Posts: 1,146
Thanks: 42
Thanked 73 Times in 43 Posts
Who is the bank in question, and are you forced to use a particular scanning company or will they accept an alternative company?

Have you tried any of the companies offering a free scan to see if you pass with an alternative scan?
__________________
Darren Guppy
Golf Tee Warehouse
Golf Tees and Golf Accessories.
  #37  
Old 24-Apr-2010, 03:05 PM
Mike Hughes
Registered User
Join Date: Jan 2003
Full Name: Mike Hughes
Posts: 7,979
Thanks: 258
Thanked 448 Times in 396 Posts
It's odd, as from what I can tell these are all related to vulnerabilities in OpenSSH which, to quote them:

Quote:
OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.
Mostly this seems to affect servers (including Mac OS X Server), so I don't see why it should be on your PC.

I can only think of a few ways this could be showing up:

1) You might have something installed on your PC for secure FTP access.
2) Your router might use OpenSSH for secure tunnelling / remote access. If so, you could see if it can be turned off.
3) Have you any NAS or media server devices on your LAN that could be providing this service?

Mike
  #38  
Old 24-Apr-2010, 06:34 PM
EdHarrison
Registered User
Join Date: Jan 2009
Full Name: Ed Harrison
Posts: 528
Thanks: 92
Thanked 18 Times in 18 Posts
I am going to do a scan direct to the box, bypassing the router; nothing installed except FileZilla for FTP. I am with RBS, who insist on using Arsenal Security Group in the US.
__________________
https://www.harrisontelescopes.co.uk/

Ed Harrison
  #39  
Old 24-Apr-2010, 07:04 PM
Golf Tee Warehouse
Registered User
Join Date: Jun 2006
Full Name: Darren
Posts: 1,146
Thanks: 42
Thanked 73 Times in 43 Posts
I am also with RBS/Streamline and, although I had to register with Arsenal Security, they did not insist on Arsenal performing the scan, and I instead chose Comodo/HackerGuardian which is free for 90 days' use. It might be worth re-reading the information again.

Once I had passed the scan and downloaded the compliance cert, I just logged into Arsenal Security and uploaded the scan compliance certificate.
__________________
Darren Guppy
Golf Tee Warehouse
Golf Tees and Golf Accessories.
  #40  
Old 24-Apr-2010, 07:29 PM
EdHarrison
Registered User
Join Date: Jan 2009
Full Name: Ed Harrison
Posts: 528
Thanks: 92
Thanked 18 Times in 18 Posts
Cheers Darren, I will take a look. Were you happy with the scan? If so, do you have to pay for the next quarterly?
__________________
https://www.harrisontelescopes.co.uk/

Ed Harrison
  #41  
Old 24-Apr-2010, 08:06 PM
Golf Tee Warehouse
Registered User
Join Date: Jun 2006
Full Name: Darren
Posts: 1,146
Thanks: 42
Thanked 73 Times in 43 Posts
I used the Comodo/HackerGuardian free scan offer, which allowed me to perform a scan on day 1 for the first quarter; you then get reminder emails almost daily when the end of the 90 day offer approaches, so I then did a second scan on day 89 which will cover me for another 3 months.

I believe McAfee also offer free PCI scans for 12 months if you search around, but I have not tried them myself yet; I will do when my next scan is due.

I was happy with the HackerGuardian scan as I passed first time with no problems and just had to download the compliance certificate and then upload it to Arsenal Security along with a completed SAQ-C form.
__________________
Darren Guppy
Golf Tee Warehouse
Golf Tees and Golf Accessories.
  #42  
Old 26-Apr-2010, 06:39 PM
EdHarrison
Registered User
Join Date: Jan 2009
Full Name: Ed Harrison
Posts: 528
Thanks: 92
Thanked 18 Times in 18 Posts
Now passed the McAfee free one, no problem!

Update June 4th: the Arsenal scan failed, but I ran six in a row as the results differed slightly, and the last one passed, hmmm. Not exactly confidence inspiring.
__________________
https://www.harrisontelescopes.co.uk/

Ed Harrison
  #43  
Old 28-Jun-2010, 08:09 AM
oginet
Registered User
Join Date: May 2003
Full Name: John Ogbourne
Posts: 30
Thanks: 0
Thanked 0 Times in 0 Posts
We thought we had done everything possible re PCI DSS compliance, i.e. using a Dedicated Server and Actinic Payments, but no, that isn't enough for Security Metrics on 2 counts:
1. Synopsis: The remote name server allows recursive queries to be performed by the host running the test server. Description: It is possible to query the remote name server for third party names. If this is your internal name server, then the attack vector may be limited to employees or guest access if allowed.
2. The remote DNS server is vulnerable to cache snooping attacks.
Description: The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution.

Seems to me the more you do, the higher the bar is raised (and we have other sites using Actinic Catalog, not using services like Actinic Payments, and they are not being hounded).

Actinic's website says: "If you only take card payments for ecommerce orders using the web page of a compliant PSP, your website does not need a security scan, although it is still good practice to do one. You are SAQ validation type 1, and need to complete SAQ form A." This appears not to be true.
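The two DNS findings quoted in the post above come from exactly two probes: a recursive (RD=1) query for a third-party name, and a non-recursive (RD=0) query for the same name. The script below is an added example, not from the post or from Security Metrics; it builds those probes, decodes the reply headers the way a scanner does, and classifies the result. The `make_response` helper and the 192.0.2.1 answer are constructed so the classification runs offline; `probe` sends the same two queries to a resolver you administer, with `example.com` as an assumed third-party name.

```python
"""Check a name server you administer for the report's two DNS findings."""
import socket
import struct

RD, RA = 0x0100, 0x0080  # DNS header flag bits: recursion desired / available

def build_query(name, recursion_desired, qid=0x1234):
    """Minimal DNS A/IN query; the RD bit is set only when requested."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_header(resp):
    """Decode the 12-byte header into the fields a scanner inspects."""
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": ancount}

def classify(resp_rd1, resp_rd0):
    """Map the two replies (RD=1 probe, RD=0 probe) onto the report's findings."""
    h1, h0 = parse_header(resp_rd1), parse_header(resp_rd0)
    findings = []
    # A recursive query for a third-party name answered with RA set: open recursion.
    if h1["ra"] and h1["rcode"] == 0 and h1["ancount"] > 0:
        findings.append("open recursion")
    # A non-recursive query still answered: the record came from cache (snooping).
    if h0["rcode"] == 0 and h0["ancount"] > 0:
        findings.append("cache snooping")
    return findings

def make_response(query, ra, rcode, answered):
    """Constructed reply for offline use: echoes the question, sets QR/RA/RCODE."""
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & RD) | (RA if ra else 0) | (rcode & 0xF)
    rr = b""
    if answered:  # one A record for the question name (name pointer 0xC00C), TEST-NET-1 address
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", qid, flags, 1, int(answered), 0, 0) + query[12:] + rr

def probe(server, name="example.com", timeout=2.0):
    """Send the RD=1 and RD=0 probes over UDP/53 to a resolver you run."""
    replies = []
    for rd in (True, False):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, rd), (server, 53))
            replies.append(s.recvfrom(512)[0])
    return classify(*replies)
```

A resolver that returns REFUSED (RCODE 5) to both probes from outside hosts, as a server with recursion restricted to its own networks does, produces no findings; one that answers the RD=1 probe but refuses the RD=0 probe is still an open resolver.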
  #44  
Old 28-Jun-2010, 08:13 AM
Mark H
Registered User
Join Date: Mar 2003
Full Name: Mark Hall
Posts: 1,190
Thanks: 0
Thanked 3 Times in 3 Posts
"This appears not to be true".

I think this is true; it's Security Metrics who seem to have the problem. From other people's experiences, the best approach to SM seems to be to stand up to them and make it clear that you know your facts.
  #45  
Old 28-Jun-2010, 08:45 AM
cbarling
Administrator
Join Date: Nov 2002
Full Name: Chris Barling
Posts: 904
Thanks: 7
Thanked 51 Times in 31 Posts
We discussed our advice with the PCI DSS Director at Barclays and other banks before issuing it. We absolutely stand by it.

If it gets contradicted, please get the name of the "security consultant" and pass it on to me at cbarling ( @ ) actinic.co.uk. I will then raise it with the bank.

My experience is that if you refer them to our advice in the light of the fact it's been approved by the banks, then request their name and say if they persist in contrary advice this will be pursued via the banks, the "security consultant" checks their facts and the problem goes away.

The problem seems to arise from people with too little training and too much incentive to find issues.

Chris
__________________
Co-founder, SellerDeck

Ecommerce web site by SellerDeck