PaulDotCom mailing list archives
CVE-2009-3555 and PCI Compliance
From: genesiswave at gmail.com (genesiswave at gmail.com)
Date: Mon, 21 Dec 2009 15:17:00 +0000
The automated scanners have a few problems. Not the least of which is that they are a requirement for being PCI certified (but that is more of my own view). I have had several customers fail their scan based on "open" ports that were not open at all (138 and 139 on a Linux box without Samba installed). The scans can catch things, but from my experience and exposure to the scans they are hitting on more false positives than they are hitting actual errors (at least for our hosted clients who we provide management for). If the false positives are as high as my experience leads me to believe, it leads me to question how high a false negative rate these scans have.

As far as the scan results for this particular issue, I'd recommend going back to the vendor and pushing for their recommended solution for your platform/OS.

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Jack Daniel <jackadaniel at gmail.com>
Date: Mon, 21 Dec 2009 08:27:06
To: PaulDotCom Security Weekly Mailing List <pauldotcom at mail.pauldotcom.com>
Subject: Re: [Pauldotcom] CVE-2009-3555 and PCI Compliance

AAAAAAAUUUUGGGGHHH!

<RANT>
If anyone "fails" you on an assessment without providing guidance on resolution/remediation/mitigation, your payment to them should "fail" to appear. Who was this, those (in my personal *opinion*) monkey sodomizing rat bastards at Security Metrics? Or just another Qualys scan pusher without a clue or care? I believe the appropriate questions are things like "what is exposed by this", "what are the likelihood and impacts of compromise", "can we mitigate a fundamental flaw in the protocol with additional processes", etc. I'm still explaining to idiots like this why TCP 587 is listening on mail servers.
</RANT>

As far as mitigation, maybe a patched proxy in front of the SSL/TLS device(s) could handle it? Or maybe nothing significant is actually exposed by this?

<SHAMELESS SELF PROMOTION>
This kind of crap is what led me to get involved in an ongoing PCI DSS conversation with a bunch of people: podcasts, articles, and talks to come. I'll be on a panel at Shmoocon with some folks who actually know what they're talking about; we'll be discussing the realities of PCI and its impact on our industry.
</SHAMELESS SELF PROMOTION>

Who, me, too much caffeine? Nah.

Jack

--
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com

On Mon, Dec 21, 2009 at 5:09 AM, Monkey Daemon <monkeywebdaemon at googlemail.com> wrote:

Hi All,

I've been speaking to a family member over the weekend who works in a similar line of work to myself and we got to talking about PCI Compliance. He's just had a quarterly scan performed and he failed it owing to the issues with Session Negotiation when using SSL/TLS. The problem he has is that he's running Linux, and not only has his distro not released packages for OpenSSL 0.9.8l, but the distro vendor is refusing to issue a patch, stating that as it's an issue with the underlying protocol there is no point.

Does anyone have a fix to this other than "compile your own SSL with negotiation switched off and hope nothing breaks"? I'm now concerned that when our scan comes around early next year we will also fail.

Cheers,
MWD.
_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
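Two of the complaints in this thread are things you can verify yourself before arguing with the scan vendor: whether a port the scanner calls "open" (138/139 on a box without Samba) is actually listening, and whether a TLS endpoint advertises the RFC 5746 secure-renegotiation extension that was the eventual fix for CVE-2009-3555. The script below is an added example written for this archive page, not code posted by anyone in the thread. It assumes `ss -ltn` or `netstat -ltn` style output with the local address in the fourth column, and it assumes an OpenSSL build of 0.9.8m or later, which is what started printing the "Secure Renegotiation IS [NOT] supported" line in `s_client` output (0.9.8l, the version discussed above, simply disabled renegotiation and prints nothing about it). The `ss` and `s_client` samples embedded in the script are constructed, not real captures.

```shell
#!/bin/sh
# Added example: local checks to confirm or challenge two common scanner findings.

# 1. Which TCP ports are really listening? Reads `ss -ltn` / `netstat -ltn`
#    output on stdin, takes the trailing port from the local-address column
#    (works for 0.0.0.0:22, *:25 and [::]:443 forms) and prints one port per line.
listening_tcp_ports() {
  awk '$4 ~ /:[0-9]+$/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# 2. Is a scanner-reported port in that list?  $1 = port, $2 = ss/netstat text.
#    Exit 0 means the finding stands; exit 1 means it is probably a false positive.
port_is_listening() {
  printf '%s\n' "$2" | listening_tcp_ports | grep -qx "$1"
}

# 3. Classify `openssl s_client` output (stdin) by its secure-renegotiation line.
#    Prints: secure | not-supported | unknown.  "unknown" covers 0.9.8l and older
#    builds, which never print the line, so treat it as "check the OpenSSL version".
renego_status() {
  out=$(cat)
  case "$out" in
    *"Secure Renegotiation IS NOT supported"*) echo not-supported ;;
    *"Secure Renegotiation IS supported"*)     echo secure ;;
    *)                                         echo unknown ;;
  esac
}

# Live probe (needs network, not exercised by the samples below).  $1 = host:port.
# "Q" on stdin closes the session as soon as the handshake completes.
probe_renego() {
  printf 'Q\n' | openssl s_client -connect "$1" 2>/dev/null | renego_status
}

# Constructed sample `ss -ltn` output: sshd, a loopback-only MTA and an HTTPS
# listener; nothing on 138/139.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*'

# Constructed fragment of s_client output from a server that has not been fixed.
SAMPLE_SCLIENT='SSL handshake has read 1489 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
---'

# Demo: the two NetBIOS ports the thread mentions plus the real HTTPS listener.
for p in 138 139 443; do
  if port_is_listening "$p" "$SAMPLE_SS"; then
    echo "port $p: really listening, finding stands"
  else
    echo "port $p: not listening here, challenge the scanner"
  fi
done
echo "renegotiation: $(printf '%s\n' "$SAMPLE_SCLIENT" | renego_status)"
```

For the live check, run `probe_renego host:443` against the host the scanner flagged; a `not-supported` result with OpenSSL 0.9.8m or newer on the client side means the server is still negotiating the old way, and `unknown` most often means the client-side OpenSSL predates the extension, so upgrade the client before drawing conclusions about the server.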
Current thread:
- CVE-2009-3555 and PCI Compliance Monkey Daemon (Dec 21)
- CVE-2009-3555 and PCI Compliance Jack Daniel (Dec 21)
- CVE-2009-3555 and PCI Compliance genesiswave at gmail.com (Dec 21)
- CVE-2009-3555 and PCI Compliance Tim Krabec (Dec 21)
- CVE-2009-3555 and PCI Compliance Erik Harrison (Dec 21)
- CVE-2009-3555 and PCI Compliance Jack Daniel (Dec 21)