This is a discussion on PCI compliance test - scarey! in the Open Discussion & Chit-chat forum

  #1  Loyal Client (joined Aug 2002, 269 posts)

    PCI compliance test - scarey!

    Our site has one of those "trusted" badge services, and part of that service includes free PCI compliance scans. I ran it and was shocked at what came back. Basically about 15 problems of which most I know zilch about. Many were deemed "Low Risk", but there were about 8 "Medium Risk" items which I listed below. We run a smallish e-commerce site with maybe 10-15 CC transactions per day.

    Here's an abbreviated list from the very detailed pdf report:

    1) The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years.

    2) The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

    3) The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used.

    4) The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.

    5) According to its banner, the remote host is using a version of OpenSSL which is older than 0.9.6m / 0.9.7d. There are several bugs in such versions that may allow an attacker to cause a denial of service against the remote host.

  #2  thecoalman, Nearly 100% Pure Carbon (joined Nov 2007, Northeast Pennsylvania, 529 posts)
    I don't know anything about this particular service but I'd be leery about any service that does automatic scans. I'm a member of the phpbb team and see this from the other side quite often where some company will do an automated security scan on phpbb the software and find a bunch of false positive results then post them as vulnerabilities and expect the phpbb team to address them. It's akin to blackmail.

  #3  Gwaihir, the Windlord (joined Jun 2002, 2,562 posts)
    Each of these five should be fairly easy to fix (assuming 2 comes with details too), so why the heck not?
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  #4  homoludens, Not A Senior Member (joined Sep 2005, H-Town, 582 posts)
    If 2) doesn't come with details, there's a new tool by Ivan Ristić that might help:

    https://www.ssllabs.com/ssldb/

  #5  the_ancient, Loyal Client (joined Feb 2004, 3,386 posts)
    Quote Originally Posted by thecoalman:
        I don't know anything about this particular service but I'd be leery about any service that does automatic scans. I'm a member of the phpbb team and see this from the other side quite often where some company will do an automated security scan on phpbb the software and find a bunch of false positive results then post them as vulnerabilities and expect the phpbb team to address them. It's akin to blackmail.
    That would be fine except more and more Credit Card Companies require these automated network scans.

    I am with you on the fact that they are for the most part worthless but that is the price we pay for letting lawyers and bean counters set IT Policies.
    -------------------------
    the_ancient
    MP Technology Group

  #6  Connie, Old Hillbilly (joined Sep 2001, Hills of Missouri, 2,646 posts)
    If that tool is accurate, my site received an F.

    Forum Moderators - Jag Staff

    Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
    Organize your Kitchen or purchase Kitchen Accessories at Condells
    Ihelpyou Forum - Dedicated to "Best Practices" SEO

  #7  homoludens, Not A Senior Member (joined Sep 2005, H-Town, 582 posts)
    Quote Originally Posted by Connie:
        If that tool is accurate ...
    Ivan wrote most of ModSecurity, IIRC, and is a fairly visible player in web app security. He's certainly no fool, but he might be more likely to foam at the mouth at security issues than other people in IT. Personally, I think he's right to, but that's a question of value judgments.

    I get a C (64%) for https://secure.conniescoolwebsite.com. You can improve that by removing support for SSL 2.0 and some of the older cipher suites.

  #8  homoludens, Not A Senior Member (joined Sep 2005, H-Town, 582 posts)
    Quote Originally Posted by TA:
        That would be fine except more and more Credit Card Companies require these automated network scans.
    Quote Originally Posted by TA:
        the price we pay for letting lawyers and bean counters set IT Policies..
    My take on that: if a computer is smart enough to reliably pen test IT defences then it's smart enough to pen test legal defences ...

  #9  homoludens, Not A Senior Member (joined Sep 2005, H-Town, 582 posts)
    Eh? How does one click become a double post?

  #10  Connie, Old Hillbilly (joined Sep 2001, Hills of Missouri, 2,646 posts)
    Quote Originally Posted by homoludens:
        I get a C (64%) for https://secure.conniescoolwebsite.com. You can improve that by removing support for SSL 2.0 and some of the older cipher suites.
    I searched www.domain.com.

  #11  JPC Member (joined Oct 2004, England, 5 posts)
    Quote Originally Posted by salewit:
        4) The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
    You can take care of number 4 by adding the following to your .htaccess:

    Code:
    # Answer any request made with the TRACE or TRACK method with 403 Forbidden.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    # Do not follow this with "RewriteEngine Off": the last RewriteEngine
    # directive in the file wins, and Off would disable the rule above.
    Irum

    www.irummalik.co.uk
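As an added example, not from any poster in this thread: findings 1, 2 and 4 from the first post handled once, at the server level, in the Apache mod_ssl virtual host configuration instead of per directory in .htaccess. It assumes Apache 2.2 with mod_ssl (TraceEnable exists from 2.0.55 onward); secure.example.com is a placeholder hostname. Each "weak" setting that a scan like the one described would flag is shown as a comment, with the corrected directive beneath it. Findings 3 and 5 concern sshd and the installed OpenSSL package rather than Apache directives, so they are not covered here.

```apache
# Added example (not this thread's code). Goes in the SSL virtual host in
# httpd.conf / ssl.conf, not in .htaccess: SSLProtocol, SSLCipherSuite and
# TraceEnable are server- or vhost-level directives.
<VirtualHost *:443>
    # Placeholder hostname; substitute the real site.
    ServerName secure.example.com
    SSLEngine on

    # Finding 1: SSL 2.0 accepted.
    # Weak (permits SSLv2 handshakes):
    #   SSLProtocol all
    # Corrected: every protocol the build supports except SSLv2.
    SSLProtocol all -SSLv2

    # Finding 2: weak, export-grade or NULL ciphers offered.
    # Weak (the line shipped in the old stock ssl.conf; offers LOW and EXP suites):
    #   SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    # Corrected: strong, authenticated, encrypting suites only, and the
    # server's preference order wins over the client's.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5
    SSLHonorCipherOrder on

    # Finding 4: TRACE method enabled.
    # Weak (the compiled-in default):
    #   TraceEnable on
    # Corrected: the core server answers TRACE with 405 Method Not Allowed.
    TraceEnable off
</VirtualHost>
```

The .htaccess rewrite in the post above rejects TRACE and TRACK only for the directories it applies to; TraceEnable off applies to the whole server (or vhost) and does not depend on mod_rewrite being enabled for the request. After changing any of these, re-run the same scan, or the SSL Labs check linked in post #4, to confirm the findings are gone rather than assuming they are.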
