Email or username:

Password:

Forgot your password?
Stefano's posts Post Back to profile
Top-level
Steve Hill 🏴󠁧󠁒󠁷󠁬󠁳󠁿πŸ‡ͺπŸ‡Ί

@stefano Ah, we forever have problems with PCI DSS compliance scanner companies. e.g. failure to accept that a "user enumeration bug" in SSH is not really a security problem when:
1. OpenSSH refuse to accept that it is a security problem;
2. RedHat refuse to accept that it is a security problem (and therefore won't release a fix); and
3. The only user with a shell account is root, so even if enumeration is a problem, all you can do is tell that a Linux box has a root account (well, duhh).

22 July at 13:20 | Wall-to-wall | Open on mastodon.nexusuk.org
12 comments
Stefano Marinelli

@steve "Paper" tech world and real tech world are so distant...

22 July at 13:22 | Open on mastodon.bsd.cafe
Steve Hill 🏴󠁧󠁒󠁷󠁬󠁳󠁿πŸ‡ͺπŸ‡Ί

@stefano It actually really winds me up that these companies collect money from our customers and then basically libel us by telling the customer that our products are insecure. And then it's down to us to "prove" that they aren't instead of them having to prove that they aren't talking BS.

22 July at 13:25 | Open on mastodon.nexusuk.org
Stefano Marinelli

@steve Yes, that's a big problem. Some clients (not this one) are really worried by those results and those companies know it. Even if they trust us, they're worried we can have "missed" something as those companies are "specialized" in security.

22 July at 13:27 | Open on mastodon.bsd.cafe
Steve Hill 🏴󠁧󠁒󠁷󠁬󠁳󠁿πŸ‡ͺπŸ‡Ί

@stefano I must admit that most customers seem to think that PCI DSS scans are a waste of time and money and would probably be happy for it to just lie to the certifier (but we don't do that!). Its one of those hoops that people have to jump through if they take card payments (quite why having a card payment machine on your wifi requires any kind of security from your network is a mystery - surely these things should be hardenned?)

22 July at 13:30 | Open on mastodon.nexusuk.org
Neil Brown

@steve @stefano

"Hi! Here's an output of a series of automated scans. False positives? No idea. That's outside the scope of work. Good luck!"

22 July at 13:37 | Open on mastodon.neilzone.co.uk
Steve Hill 🏴󠁧󠁒󠁷󠁬󠁳󠁿πŸ‡ͺπŸ‡Ί

@neil @stefano "Here's an automated scan, if there are any false +vs you need to provide proof for each one individually."

"We're running a fully up to date RHEL 9, please exclude all the known false +vs for that OS"

"We don't do that, you need to provide proof for each individually"

I mean, these people are getting paid to do these scans, surely the least they could do is maintain a database of false +vs for common OSes so they could be automatically excluded?! (spoiler: none of them do!)

22 July at 14:05 | Open on mastodon.nexusuk.org
Steve Hill 🏴󠁧󠁒󠁷󠁬󠁳󠁿πŸ‡ͺπŸ‡Ί

@neil @stefano Basically money for old rope - a not insignificant amount of money paid to just push the "start" button on the scanner, produce an automatic 300 page report and generate a crap-ton of work for someone else!

22 July at 14:05 | Open on mastodon.nexusuk.org
ferricoxide

@steve@mastodon.nexusuk.org @neil@mastodon.neilzone.co.uk @stefano@mastodon.bsd.cafe

To which I respond back with a dump of links to the OS vendors' CVE pages for each finding. Sometimes that's enough. Often times its too "TL;DR" for them.

22 July at 16:01 | Open on evil.social
Amber

@steve@mastodon.nexusuk.org @stefano@mastodon.bsd.cafe Yeah, and as we all know clearly checklist type auditing is the most effective πŸ™„.

22 July at 13:27 | Open on transfem.social
Ben Tasker

@steve @stefano I remember, a good few years back, a customer had engaged one of these companies.

Said company then insisted that we needed to turn all our security off for their scan because the system get blocking their probes....

22 July at 14:27 | Open on mastodon.bentasker.co.uk
Stefano Marinelli
0px auto;

@ben @steve @stefano Same here. Forgot to white list their IP and the system pretty much immediately blocked them… 🀷 oops? πŸ˜…

22 July at 20:44 | Open on mastodon.social
Go Up