OMG.  Now, I don’t use that term lightly, mind you.  I’d put other F’s and MF’s in there, too, but that just gets a little lowbrow for this blog (hard to believe, isn’t it?).  But this one is right on the cusp of deserving a couple of those extra consonants.  Where’s Vanna White when you need her?

I manage web infrastructure for a client that has to be PCI compliant.  Part of that is getting a quarterly vulnerability scan from a certified vendor.  In order to be a certified vendor, you need to pay a ton of money up front and send your staff to some expensive training classes in order to represent this program.  You’d think that would keep the jokers out of the pile.  Nope.

This weekend, I got this love note from my client:

Hey [Jim] – Hope all is well with you these days…

I just got a failed PCI server scan. Wondering if something has changed on the server. The screen shot of issues below. Please let me know if you can login and see if you can fix from your side. Thanks!

Failed?!?  My server???  GTFOH*!  Never!!  Ok, well… maybe.  I’ve got it set to auto-update and maybe, just maybe, something got surreptitiously updated that impacted one of the dumb PCI compliance items.  Let’s go see what SecurityMetrics has to say: 

Vulnerability score of 9!!  And 8!!  Yipes!  Oh, wait… Lookee there – it seems it’s there because I have a firewall or other scan detection software in place.  Ya think?  A firewall or scan inhibitor installed to secure a server subject to PCI compliance?  You betcha!  So why’d it show up now?  Well, I’d recently (since the last quarterly scan) enabled brute force login protection which watches for failed login attempts that come at a reasonably rapid rate and blocks the source IP using iptables.  Simple and effective.  So, yes, that report is right – I have a firewall in place that is dynamically configured based on intrusion detection signatures.  Plus I’ve got another firewall that shuns portscans when detected.  Who doesn’t?

So a little bit of digging on their website and their FAQ yields this gem:

It is important to allow SecurityMetrics security scanners to have the same level of network access to your Internet-connected devices that you provide to the rest of the world under normal circumstances.

Umm… they do.  Now what?

Well, now they’re asking me to make exceptions to the existing level of network access by disabling security controls so they can tell me where there are security concerns.   Then they have the balls to follow that up with this nugget (in bold, just to make sure you see what crap these yokels are selling):  

Ensuring that traffic from SecurityMetrics scanners does not get blocked ensures maximum accuracy of the security assessments. 

No, SecurityMetrics, it actually doesn’t, it does just the opposite.   You’re (also) Doing It Wrong.  If this crappy brute-force scan would turn up a crackable password, I’m sure I’d be dinged for it.  I don’t know what “level” of a vulnerability it would give for this – if anybody knows please comment with it.  But that crackable password would only have been found if the traffic from the scanners does not get blocked.  Ugh.  It’s crappy services and mis-engineering like this that drives me up a friggin’ wall.  

What would un-crappy look like, you ask?

It would do exactly what it does now, but would identify when it gets blocked.  Then it would try from a different IP address, but at a significantly slower rate.  If blocked again, it would JUST SKIP the brute force attacks SINCE IT’S OBVIOUSLY NOT FREAKIN’ VULNERABLE and move on to a new attack vector.  Simple.  See?  Was that so hard? 

In my opinion, this “exception” I have to make means their service kind of sucks. 

So what did I do in response to this?  Did I pick a fight with them?  Did I tell them how hypocritical they are?  Did I insult their intelligence and call their mother names?  Did I poke them in the eye and tell them they should at least add one freakin’ sentence to that bolded untruth above to say “We realize that we’re asking you to allow us additional access but we do this in order to keep this service affordable”?  Did I?  Did I???

Nope.  I don’t have time for a pissing match with them over this, so I whitelisted them from the brute-force blocker.   Told ’em to try again and they’ll be fine.  Arrgh.  *sigh*.
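For anyone who wants to see what the brute-force blocker described above, and the scanner exception I ended up adding to it, boil down to in code, here is an added example.  It is not the tool running on my client’s server and not anything from SecurityMetrics; it is a stand-alone Python sketch of the same idea.  The log lines are constructed sshd-style samples, the five-failures-in-ten-minutes threshold is an assumed tuning, and 198.51.100.0/24 is a documentation prefix standing in for the scanner range I whitelisted.  Instead of running iptables it returns the commands it would run, so it can be read and tested offline.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Tunables (assumed values, not from the post): five failures inside ten
# minutes from one source earn a DROP rule.
MAX_FAILURES = 5
WINDOW_SECONDS = 600

# Hypothetical scanner range to exempt, standing in for the whitelist the post
# describes. 198.51.100.0/24 is a documentation prefix, not a real vendor.
SCANNER_ALLOWLIST = [ip_network("198.51.100.0/24")]

# sshd-style failure line: capture time of day and the source address.
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+"
)

# Constructed sample log (not real traffic). Three stories in here:
#  - 203.0.113.45 fails five times in five seconds: gets blocked.
#  - 198.51.100.7 does the same but sits in the scanner allowlist: exempted.
#  - 203.0.113.99 fails four times, then once eleven minutes later: the old
#    failures have aged out of the window, so it is never blocked.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:00:02 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar  3 10:00:03 web1 sshd[1205]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar  3 10:00:04 web1 sshd[1207]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar  3 10:00:05 web1 sshd[1209]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar  3 10:00:06 web1 sshd[1211]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:07 web1 sshd[1213]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Mar  3 10:00:08 web1 sshd[1215]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Mar  3 10:00:09 web1 sshd[1217]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Mar  3 10:00:10 web1 sshd[1219]: Failed password for invalid user test from 198.51.100.7 port 40005 ssh2
Mar  3 10:00:11 web1 sshd[1221]: Accepted publickey for jim from 192.0.2.10 port 60000 ssh2
Mar  3 10:01:00 web1 sshd[1223]: Failed password for root from 203.0.113.99 port 33001 ssh2
Mar  3 10:01:01 web1 sshd[1225]: Failed password for root from 203.0.113.99 port 33002 ssh2
Mar  3 10:01:02 web1 sshd[1227]: Failed password for root from 203.0.113.99 port 33003 ssh2
Mar  3 10:01:03 web1 sshd[1229]: Failed password for root from 203.0.113.99 port 33004 ssh2
Mar  3 10:12:00 web1 sshd[1231]: Failed password for root from 203.0.113.99 port 33005 ssh2
"""


def parse_failure(line):
    """Return (seconds_since_midnight, source_ip) for a failed login, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    hh, mm, ss, src = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), src


def is_allowlisted(src, allowlist):
    """True if src falls inside any exempted network."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def process_log(lines, allowlist=SCANNER_ALLOWLIST,
                max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Replay log lines and report what the blocker would do.

    Returns a dict with the iptables commands it would run ('commands'), the
    sources it blocked ('blocked') and the sources that crossed the threshold
    but were let through by the allowlist ('exempted').
    """
    recent = defaultdict(deque)  # src -> failure timestamps still in window
    blocked, exempted, commands = [], [], []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        now, src = hit
        q = recent[src]
        q.append(now)
        # Age out failures older than the window so a slow trickle never trips it.
        while q and now - q[0] > window:
            q.popleft()
        if len(q) < max_failures or src in blocked or src in exempted:
            continue
        if is_allowlisted(src, allowlist):
            exempted.append(src)  # the exception the scanner asked for
            continue
        blocked.append(src)
        commands.append(f"iptables -I INPUT -s {src} -j DROP")
    return {"commands": commands, "blocked": blocked, "exempted": exempted}


if __name__ == "__main__":
    for cmd in process_log(SAMPLE_LOG.splitlines())["commands"]:
        print(cmd)
```

Pass an empty allowlist to `process_log` and the scanner address gets dropped exactly like any other brute-forcer, which is the whole point of the post: the only thing that distinguishes the scanner from an attacker is the exception you hand it.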

Postlog:  Scan passed with flying colors.

* – GTFOH: Get The [Heck] Outta Here