A security auditor for our servers has demanded the following within two weeks:

As far as I'm aware, everything on that list is either impossible or incredibly difficult to get, but if I don't provide this information we face losing access to our payments platform and losing income during a transition period as we move to a new service. Any suggestions for how I can solve or fake this information? The only way I can think of to get all the plain-text passwords is to get everyone to reset their password and make a note of what they set it to. Getting all of the public and private SSH keys is possible, though annoying, since we have just a few users and computers.
In response to my concerns, he responded with the following email:

You say no company could possibly have this information, but I have performed hundreds of audits where this information has been readily available.

In short, I need:
- A way to "fake" six months' worth of password changes and make it look valid
- A way to "fake" six months of inbound file transfers
- An easy way to collect all the SSH public and private keys being used

If we fail the security audit we lose access to our card processing platform, a critical part of our system, and it would take a good two weeks to move somewhere else.
How screwed am I?

I have, however, set the wheels in motion to move away from them and onto PayPal for the time being.

Hi [name],

Unfortunately there is no way for us to provide you with some of the information requested, mainly plain-text passwords, password history, SSH keys and remote file logs. Not only are these things technically impossible, but being able to provide this information would be both against PCI standards and a breach of the Data Protection Act.

To quote the PCI requirements, 8.

I can provide you with a list of usernames and hashed passwords used on our system, copies of the SSH public keys and the authorized hosts file. This will give you enough information to determine the number of unique users who can connect to our servers and the encryption methods used, as well as information about our password security requirements and our LDAP server, but this information may not be taken off site.

I strongly suggest you review your audit requirements as there is currently no way for us to pass this audit while remaining in compliance with PCI and the Data Protection Act.

Update 3, 26th

Here are some emails we exchanged:

RE: Your failure to be able to provide this information leads me to believe you are aware of security flaws in your system and are not prepared to reveal them.
Our requests line up with the PCI guidelines and both can be met. Strong cryptography only means the passwords must be encrypted while the user is inputting them, but then they should be moved to a recoverable format for later use. I see no data protection issues for these requests; data protection only applies to consumers, not businesses, so there should be no issues with this information.
I got fed up being diplomatic and directed him to this thread to show him the response I got:

The section I quoted even says "storage", implying where we store the data on the disk. I started a discussion on ServerFault.

I strongly suggest you re-think your security requirements as none of your customers should be able to conform to this.

I read in detail through those responses and your original post; the responders all need to get their facts right.
I have been in this industry longer than anyone on that site. Getting a list of user account passwords is incredibly basic; it should be one of the first things you do when learning how to secure your system and is essential to the operation of any secure server.
When dealing with something such as security you should not be asking these questions on a public forum if you have no basic knowledge of how it works. I would also like to suggest that any attempt to reveal me, or [company name], will be considered libel and appropriate legal action will be taken.

Key idiotic points if you missed them:

If so, I think it is a major concern for us as all our card processing ran through them. If they were doing this internally I think the only responsible thing to do would be to inform our customers. My "legal guy" has suggested revealing the company would probably cause more problems than needed.

I can say, though, this is not a major provider; they have fewer clients using this service.
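As an added example, not part of the original post or of any of the emails quoted in it, the script below shows in working code what the "list of usernames and hashed passwords" and "copies of the SSH public keys" offered to the auditor actually consist of: a salted one-way password hash can be verified against a candidate but never turned back into the plain-text password, a shadow file reveals only which hash algorithm protects each account, and an authorized_keys file yields a count of unique public keys by fingerprint without touching any private key. All account names, shadow lines and key blobs are constructed for the example; the helper names are my own and not from the post.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Store a password as a salted PBKDF2-HMAC-SHA256 record: algo$iters$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, record: str) -> bool:
    """Check a candidate by recomputing the hash; the record alone never yields the password."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(candidate, base64.b64decode(dk_b64))


# crypt(3) identifiers found in the second field of /etc/shadow
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "5": "sha256crypt",
             "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}


def shadow_report(shadow_lines: List[str]) -> List[Tuple[str, str]]:
    """Map each account to the hash algorithm protecting it, or 'locked'; no hash leaves."""
    report = []
    for line in shadow_lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        if field in ("", "*") or field.startswith("!"):
            report.append((user, "locked"))
            continue
        parts = field.split("$")
        if field.startswith("$") and len(parts) > 2:
            report.append((user, CRYPT_IDS.get(parts[1], "unknown")))
        else:
            report.append((user, "descrypt"))  # legacy 13-character DES hash
    return report


SSH_KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                 "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
                 "sk-ecdsa-sha2-nistp256@openssh.com")


def ssh_key_inventory(authorized_keys_lines: List[str]) -> Dict[str, Tuple[str, str]]:
    """Return {SHA256 fingerprint: (key type, comment)} for the public keys in authorized_keys.
    Duplicate entries collapse onto one fingerprint, which is how unique users are counted."""
    inventory: Dict[str, Tuple[str, str]] = {}
    for line in authorized_keys_lines:
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # skip any leading option list (from="...",no-pty,...) to reach the key type token
        idx = next((i for i, t in enumerate(tokens) if t in SSH_KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        fingerprint = "SHA256:" + base64.b64encode(
            hashlib.sha256(blob).digest()).decode().rstrip("=")
        inventory[fingerprint] = (tokens[idx], " ".join(tokens[idx + 2:]))
    return inventory


# Constructed sample data for this example (not real accounts or keys).
SAMPLE_SHADOW = [
    "root:$6$Zt2hT3Qw$Kx9cPqv1:19000:0:99999:7:::",
    "deploy:$y$j9T$c0nstructed$s4lt:19000:0:99999:7:::",
    "legacy:$1$abcdefgh$Qwerty123:19000:0:99999:7:::",
    "svc:!:19000::::::",
    "nobody:*:19000::::::",
]
_KEY_A = base64.b64encode(b"constructed-ed25519-blob-alice").decode()
_KEY_B = base64.b64encode(b"constructed-rsa-blob-bob").decode()
SAMPLE_AUTHORIZED_KEYS = [
    "# deploy host",
    f"ssh-ed25519 {_KEY_A} alice@laptop",
    f'from="10.0.0.0/8",no-pty ssh-rsa {_KEY_B} bob@desk',
    f"ssh-ed25519 {_KEY_A} alice@laptop",  # same key listed twice
]

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record),
          verify_password("hunter2", record))
    for user, algo in shadow_report(SAMPLE_SHADOW):
        print(f"{user:8} {algo}")
    for fp, (ktype, comment) in ssh_key_inventory(SAMPLE_AUTHORIZED_KEYS).items():
        print(fp, ktype, comment)
```

The report produced here (algorithm per account, unique key fingerprints and types) is the kind of evidence that can be reviewed on site; nothing in it can be reversed into a password or a private key, which is exactly why a demand for the plain-text values cannot be met from a system that stores them this way.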