Monthly Archive April 2016

PCI DSS, Vulnerability Scans and the Trouble with SSL

With the PCI Council set to release version 3.2 of the PCI DSS imminently, the subject of migration away from weak session encryption protocols is becoming a hot topic. In December of 2015, the council extended the deadline for removal of SSL and TLS 1.0 from June 2016 to June 2018.

One of the potential pitfalls of this change is that the ASV  (Approved Scan Vendor) scans that are being run may identify high level SSL vulnerabilities, resulting in a failing ASV scan…..so where does this leave you?

Fortunately, the nice folks at the PCI Council have already identified that this may cause an issue and have published some guidelines to assist if you find yourself in the middle of the migration.

To help those who want to continue to support SSL and early TLS during the changeover period, (prior to June 30th 2018), the entity may provide their ASV a copy of their Migration Plan and Risk Mitigation measures. The ASV can then review this and enter an ‘exception’ in the appropriate section of the scan report.

After June 30th 2018, supporting SSL and early TLS is still feasible but not if it is a security control for a PCI related component. If the Webserver supports TLS 1.0 but a higher version is used for the payment card capture pages for instance, this could be discussed with the ASV and entered as an exception or False Positive.

In both cases, communication with the ASV is the key here. They have the expertise in identifying vulnerabilities and being able to remediate them too, so make sure that these points are discussed openly.

Vulnerability Scan

If these weak ciphers are supported now, then the risk mitigation and migration plan is a must. It is required for the PCI assessment and will also help greatly with the scanning, so talking to your QSA about how best to achieve this will be beneficial on both counts, (SRM have some templates that you can use to help get you off the ground with this activity).

The PCI council have put together a very informative and interesting supplement covering just this topic and anyone with queries on this subject should use this document for reference.

https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information_Supplement_v1.pdf

As a closing thought, the deadline for supporting weak ciphers has been extended to June 30th 2018 but this does not mean that you should park this issue until then. Updating to a more secure version of TLS now will protect your business and give a greater degree of confidence in the approach.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

The Dark Web

Search Engines like Google and Safari only have access to about 4% of the information on the web. The other 96% is what is referred to as the Deep Web. The reason why the Deep Web is undiscoverable via web search engine is because it is unindexed. This generally makes it difficult to find or trace anything; and thus the Deep Web’s infamous relation, the Dark Web was born. The Dark Web is a part of the Deep Web but is notorious for concealing illegal activities and, for this reason, its connection to the US Government-funded browser TOR is creating tensions worldwide.

the-deep-web

The Dark Web allows users to mask their location. This particular feature draws in criminals to offer services such as access to child pornography sites, hit man rental, payment card information vending, human trafficking and illegal drug retail. Ultimately, this is because being caught is near enough impossible.

Access to the Dark Web and location concealment whilst operating online is all made possible by a free, specialist browser called TOR. The platform is designed to conceal the identity of users

It may come as a surprise to many that this platform, which is causing one of the UK’s leading national security threats, is funded by one of the UK’s allies. According to TOR’s 2013 financial statement, the organisation received $1,822,907 in funding from the US government. (US government is still listed as a sponsor for TOR in 2016, however we are unable to obtain the exact amounts for the last 3 years).

Cyber Security was identified as a Tier 1 threat in the UK for the 2010 National Security Strategy, alongside Terrorism, War and Natural Disaster. The UK economy is becoming increasingly dependent on Internet services and retailers. When it comes to ensuring the e-safety of individuals and businesses, the stakes are much higher than ever before; the potential losses, too big to ignore. However, the sheer size of the Deep Web (25 times bigger than the web you know) is too big for law enforcement to police.

This is the case for many developed economies – including the US. So why do they fund TOR?

A glimpse into history tells us that the US government built TOR.  Its primary use was to allow government agents and informants to exchange intelligence anonymously, bypassing censorship laws in certain countries. As a tactic to further anonymise users, they opened up the service to the public – after all, you cannot be anonymous if you use it yourself. Although it is now privatised, it still serves the same purpose which is to cloak the online activity of government agents and informants.

Today, the US government might justify the use of TOR with the defence that the anonymity of TOR provides vulnerable users with protection from government and corporate surveillance. It gives whistle blowers the ability to exercise their freedom of speech. It also allows vulnerable people, under governments with strict scrutiny, to circumvent censorship systems and remain anonymous while reading and writing on the Internet.

While the US government continues to fund TOR, UK intelligence agencies are reported to be completely against the Network. According to an article by the Guardian in 2014, “the National Security Agency and GCHQ were attempting to destroy the network. Documents obtained by the Guardian detailed proof-of-concept attacks designed to either bring down the Tor network entirely, or to de-anonymise users.”

The use of technology to conceal identity makes it difficult for governments to get a hold on cybercrime. WhatsApp’s recent encryption update can be argued to be adding tension to an already difficult relationship between tech firms and governments. The end to end encryption means that WhatsApp couldn’t give the government information even if they wanted to. The firm claims to be “protecting users”- however these users could also be criminals. Does this make WhatsApp an extension of the Dark Web?

Technically it isn’t because it is accessible via normal web search engines. However, the concept of concealment is still the same.

Clearly the Dark Web has uses that are beneficial to many disadvantaged people in the world, but does the good outweigh the bad?

SRM Blog

SRM Blog