PCI DSS Compliance

    #31
    Yes, the PC was scanned externally and, even with the best antivirus / security settings I thought possible, it failed to comply!

    Edit: ran a second scan and passed.

    It seems a very vague process, and to get two different results without any change does not inspire confidence.
    https://www.harrisontelescopes.co.uk/

    Ed Harrison - Menmuir Scotland



      #32
      PCI scan fails

      It's time to scan again, but I am getting vulnerabilities causing a fail related to OpenSSH. Has anyone else encountered this?

      I run one Windows PC and no network.

      Thanks
      https://www.harrisontelescopes.co.uk/

      Ed Harrison - Menmuir Scotland



        #33
        I can't see why you should be getting this. Are you running openssh on your PC?

        What's the failure message you're getting?

        Mike
        -----------------------------------------

        First Tackle - Fly Fishing and Game Angling

        -----------------------------------------



          #34
          Have you installed any new software that might use OpenSSH since the last scan?
          Darren Guppy
          Golf Tee Warehouse
          Golf Tees and Golf Accessories.



            #35
            It is quite strange. I am less than happy with the way the banks force you to go with their weird portals based abroad for scans. Nothing on the PC but Outlook, Actinic and docs for work use.

            The messages are:

            OpenSSH GSSAPI Credential Disclosure Vulnerability 4
            OpenSSH Signal Handling Vulnerability 4
            OpenSSH Local SCP Shell Command Execution Vulnerab...
            https://www.harrisontelescopes.co.uk/

            Ed Harrison - Menmuir Scotland



              #36
              Who is the bank in question, and are you forced to use a particular scanning company, or will they accept an alternative company?

              Have you tried any of the companies offering a free scan to see if you pass with an alternative scan?
              Darren Guppy
              Golf Tee Warehouse
              Golf Tees and Golf Accessories.



                #37
                It's odd, as from what I can tell these are all related to vulnerabilities in OpenSSH, which, to quote them:

                OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.
                Mostly this seems to affect servers (including Mac OS X Server), so I don't see why it should be on your PC.

                I can only think of a few ways this could be showing up:

                1) You might have something installed on your PC for secure FTP access.
                2) Your router might use OpenSSH for secure tunnelling / remote access. If so, you could see if it can be turned off.
                3) Have you any NAS or media server devices on your LAN that could be providing this service?

                Mike
                -----------------------------------------

                First Tackle - Fly Fishing and Game Angling

                -----------------------------------------


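The three possibilities listed above all come down to one question: what is answering on TCP port 22 at the merchant's public IP when the scanner connects? An external ASV scan only sees the address it was given, so a router's own SSH service, a port-forward to a NAS, or a forward to the PC all look the same from outside, and version-based checks key on the identification string the server sends first. The following is an added example, not code from the thread or from any scanning vendor: it grabs that identification line (RFC 4253 section 4.2 format, `SSH-protoversion-softwareversion SP comments`) and parses it so you can see the product and version the scanner is fingerprinting. The sample banners are constructed for illustration and the host name in the usage line is a placeholder.

```python
import re
import socket

# Constructed sample identification strings for offline use (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    "SSH-1.99-OpenSSH_3.9p1\r\n",
    "SSH-2.0-dropbear_2019.78\r\n",
]


def parse_ssh_banner(line):
    """Parse an SSH identification string of the form
    'SSH-protoversion-softwareversion SP comments CR LF' (RFC 4253 4.2).

    Returns None if the line is not an SSH identification string, otherwise a
    dict with the protocol version, raw software string, comments, and, for
    OpenSSH, the product name and version extracted from the software string.
    """
    line = line.rstrip("\r\n")
    ident, _, comments = line.partition(" ")
    if not ident.startswith("SSH-"):
        return None
    protoversion, _, software = ident[4:].partition("-")
    info = {
        "protoversion": protoversion,
        "software": software,
        "comments": comments,
        "product": None,
        "version": None,
    }
    # OpenSSH identifies itself as OpenSSH_<major>.<minor>[p<portable-release>].
    m = re.match(r"OpenSSH_(\d+\.\d+)(p\d+)?", software)
    if m:
        info["product"] = "OpenSSH"
        info["version"] = m.group(1) + (m.group(2) or "")
    return info


def grab_ssh_banner(host, port=22, timeout=5.0):
    """Connect to host:port and return the server's identification line.

    Live network call. Servers may send free-text lines before the
    identification string, so lines are read until one starts with 'SSH-'.
    Returns None if the connection closes without an identification line.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        stream = sock.makefile("rb")
        for _ in range(20):
            raw = stream.readline(255)
            if not raw:
                break
            line = raw.decode("ascii", errors="replace")
            if line.startswith("SSH-"):
                return line
    return None


def fingerprint(host, port=22):
    """Grab and parse the banner from a live host (what an external scanner sees)."""
    banner = grab_ssh_banner(host, port)
    return parse_ssh_banner(banner) if banner else None


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(parse_ssh_banner(banner))
    # Against a real target, run from OUTSIDE your own network (e.g. a VPS)
    # and use your public IP; "203.0.113.10" below is a placeholder:
    # print(fingerprint("203.0.113.10"))
```

Run the live check from outside your own network against the public IP the scanning company was given; if something answers, the `software` field is what their version-based checks are matching against, and the device that owns that port (router, NAS, or a forwarded PC) is the one to reconfigure.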

                  #38
                  I am going to do a scan direct to the box, bypassing the router. Nothing installed except FileZilla for FTP. I am with RBS, who insist on using Arsenal Security Group in the US.
                  https://www.harrisontelescopes.co.uk/

                  Ed Harrison - Menmuir Scotland



                    #39
                    I am also with RBS/Streamline, and although I had to register with Arsenal Security, they did not insist on Arsenal performing the scan, and I instead chose Comodo/HackerGuardian, which is free for 90 days' use. It might be worth re-reading the information again.

                    Once I had passed the scan and downloaded the compliance cert, I just logged into Arsenal Security and uploaded the scan compliance certificate.
                    Darren Guppy
                    Golf Tee Warehouse
                    Golf Tees and Golf Accessories.



                      #40
                      Cheers Darren, I will take a look. Were you happy with the scan? If so, do you have to pay for the next quarterly?
                      https://www.harrisontelescopes.co.uk/

                      Ed Harrison - Menmuir Scotland



                        #41
                        I used the Comodo/HackerGuardian free scan offer, which allowed me to perform a scan on day 1 for the first quarter. You then get reminder emails almost daily as the end of the 90-day offer approaches, so I then did a second scan on day 89, which will cover me for another 3 months.

                        I believe McAfee also offer free PCI scans for 12 months if you search around, but I have not tried them myself yet; I will do when my next scan is due.

                        I was happy with the HackerGuardian scan, as I passed first time with no problems and just had to download the compliance certificate and then upload it to Arsenal Security along with a completed SAQ-C form.
                        Darren Guppy
                        Golf Tee Warehouse
                        Golf Tees and Golf Accessories.



                          #42
                          Now passed the McAfee free one no problem!

                          Update June 4th: the Arsenal scan failed, but I ran six in a row as the results differed slightly, and the last one passed. Hmmm. Not exactly confidence-inspiring.
                          https://www.harrisontelescopes.co.uk/

                          Ed Harrison - Menmuir Scotland



                            #43
                            We thought we had done everything possible re PCI DSS compliance, i.e. using a dedicated server and Actinic Payments, but no, that isn't enough for Security Metrics on 2 counts:
                            1. Synopsis: The remote name server allows recursive queries to be performed by the host running the test server. Description: It is possible to query the remote name server for third-party names. If this is your internal name server, then the attack vector may be limited to employees or guest access if allowed.
                            2. Synopsis: The remote DNS server is vulnerable to cache snooping attacks.
                            Description: The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution.

                            Seems to me the more you do, the higher the bar is raised. (And we have other sites using Actinic Catalog, not using a service like Actinic Payments, and they are not being hounded.)

                            Actinic's website says: "If you only take card payments for ecommerce orders using the web page of a compliant PSP, your website does not need a security scan, although it is still good practice to do one. You are SAQ validation type 1, and need to complete SAQ form A." This appears not to be true.


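The two findings quoted above are the same probe seen from two angles: send a query for a name the server is not authoritative for, once with the RD (recursion desired) bit set and once with it clear. If the RD=1 query is answered and the reply carries RA (recursion available), the server is an open recursive resolver (finding 1); if the RD=0 query still comes back with an answer, that answer could only have come from the server's cache, which is exactly what cache snooping exploits (finding 2). The block below is an added example, not the scanner's code or anything from the thread: it builds both probes as raw DNS packets, classifies the reply from the header flags, and includes a constructed `build_response` so the logic runs offline. The name `www.example.com`, the server address, and the answer IPs are placeholders.

```python
import socket
import struct

RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1, rd=False):
    """Build a single-question DNS query (qtype 1 = A, class IN).
    rd=False clears the recursion-desired bit: this is the cache-snooping probe."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Decode the 12-byte DNS header into the flags that matter for the two findings."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def classify(probe_rd, txid, response):
    """Map a reply to one of the scanner's findings.

    probe_rd=True  : open-recursion if the third-party name was resolved for us.
    probe_rd=False : cache-snoop if an answer came back although we asked the
                     server not to recurse (it must have been served from cache).
    """
    h = parse_header(response)
    if h["id"] != txid or not h["qr"]:
        return "invalid"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    answered = h["rcode"] == 0 and h["ancount"] > 0
    if probe_rd:
        return "open-recursion" if (h["ra"] and answered) else "recursion-unavailable"
    return "cache-snoop" if answered else "no-cached-answer"


def build_response(query, rd_flag, ra, rcode, answer_ip=None):
    """Constructed server reply for offline testing: echoes the question section
    and, if answer_ip is given, appends one A record using a name pointer (0xC00C)
    to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0100 if rd_flag else 0) | (0x0080 if ra else 0) | rcode
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if answer_ip:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + answer


def probe(server, name, rd, txid=0x1234, timeout=3.0):
    """Live UDP probe against a name server (network call)."""
    q = build_query(txid, name, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return classify(rd, txid, data)


if __name__ == "__main__":
    # Placeholder server address; a third-party name the server is not authoritative for.
    for rd in (True, False):
        print("RD=%d ->" % rd, probe("192.0.2.53", "www.example.com", rd))
```

Run both probes from outside the network against the authoritative server the scan lists. A server that only needs to answer for your own zones should not recurse at all (in BIND, `recursion no;`); a resolver that must recurse for internal clients should restrict it to those clients (`allow-recursion`), and the same restriction on who may read the cache (`allow-query-cache`) is what closes the RD=0 snooping probe.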

                              #44
                              "This appears not to be true".

                              I think this is true; it's Security Metrics who seem to have the problem. From other people's experiences, the best approach to SM seems to be to stand up to them and make it clear that you know your facts.

                              Aquazuro - designer stainless steel accessories



                                #45
                                We discussed our advice with the PCI DSS Director at Barclays and other banks before issuing it. We absolutely stand by it.

                                If it gets contradicted, please get the name of the "security consultant" and pass it on to me at cbarling ( @ ) actinic.co.uk. I will then raise it with the bank.

                                My experience is that if you refer them to our advice, in the light of the fact that it's been approved by the banks, then request their name and say that if they persist in contrary advice this will be pursued via the banks, the "security consultant" checks their facts and the problem goes away.

                                The problem seems to arise from people with too little training and too much incentive to find issues.

                                Chris
