Our security auditor is an idiot
- Translation
Translator's note: this is an article (or rather, a question on serverfault.com) by the system administrator of an electronic trading platform who went through a security audit for the right to use a certain bank card processing system.
The security auditor of our servers demanded the following things for two weeks:
- List all users with their passwords in clear text
- The history of password changes for all users over the past 6 months (again, in the clear)
- A list of all files on our servers that have been uploaded to them from the outside over the past 6 months
- The public and private parts of all SSH keys
- A mechanism that sends him an email every time any user changes his password (a new password must be written in plain text)
The only way to get all passwords in clear text is to reset them and set them to some specific ones. But this does not solve the problem of password and file information for the last 6 months.
Getting SSH key pairs is possible, but the procedure is long and tedious - many users, many computers. Is it possible to somehow automate this?
I have many times explained to the auditor the impossibility of fulfilling his requests. He answered with this letter:
I have been working in the field of computer security auditing for more than 10 years and have a full understanding of the security system of the RedHat OS, so I advise you to update your knowledge about what is possible and what is not in this system. You say that your company is not able to provide the required information. But I have already conducted hundreds of such audits and in each of them such information was provided. All clients of our processing company must comply with our new security policies and this audit is designed to verify this compliance.
These same “new security policies” were introduced 2 weeks ago, and information about passwords and uploaded files is required over the past 6 months - cool, right?
In short, I need:
- A way to fake a password change history for the last 6 months so that it looks believable
- A way to falsify file download history
- An easy way to collect SSH keys from a large number of computers
Update 1
Thanks to everyone for the answers, I regained the belief that I am not a complete idiot and that the required information is not standard in such audits.
I plan to write another letter to the auditor explaining the situation: many of you pointed out that according to the PCI rules (translator's note: the payment card security committee, which includes Visa, Mastercard and others), passwords must by no means be stored or transmitted in open form. Not really counting on common sense, however, we are starting to get ready to switch to PayPal.
Update 2
Draft letters:
Hi, [name],
Unfortunately, there is no way to provide you with some requested information. We are talking about passwords in the clear, the history of password changes, SSH keys and file upload logs. This is not only technically impossible, but also contradicts the PCI standards, which explicitly prohibit the storage and transmission of such data in open form (Section 8.4 - “All passwords should be transmitted and stored only in encrypted form using strong cryptography”).
I can provide you with a list of usernames and the hashed passwords of our users, public SSH keys and a list of authorized hosts (this will give you information on the number of unique users and the encryption algorithms used), information on our password security requirements and our LDAP server configs. I strongly advise you to review your security policy, since there is no way to pass a security audit while complying with both it and the personal data protection laws along with the PCI requirements.
Regards,
Me.
I will try to reach out not only to the auditor, but also to his management, as well as to inform the PCI security officers responsible for the security situation.
Update 3
Here is his response to my letter:
As I already wrote, the required information should be easily accessible on any normally configured system to any competent administrator. Your admission that such information cannot be obtained makes me suspect neglect of the security standards on your servers and a lack of readiness for real threats. Our requirements are in full compliance with PCI standards and can be fully implemented together. "Strong cryptography" means only that the password should be encrypted as it is entered by the user, but then it must be transferred and saved in an open format, as it may be needed in the future.
I do not see any security threats in the required behavior - cryptography password protection applies only to users of the system, not the administration, which means that providing this information for audit should be quite possible.
I will even repeat it again:
"Strong cryptography" means only that the password should be encrypted as it is entered by the user, but then it must be transferred and saved in an open format, as it may be needed in the future.
I plan to print this expression and hang it in a frame on the wall.
I decided not to bother with more excessive diplomacy and gave him a link to this topic:
Providing the information you require DIRECTLY CONTRADICTS the laws and the requirements of PCI - I quoted the relevant section of the rules. In addition, I started a discussion on ServerFault.com (an online community of professional system administrators), which received a huge response that in general boils down to the fact that this information cannot be provided. You can read it at your leisure:
Our security auditor is an idiot, how can I provide him with the required information?
We have completed the transition of our billing system to a new platform and are terminating our contract with your company as of tomorrow. But just for the sake of the triumph of common sense, I would like to let you know how ridiculous and absurd your requirements are. No company can provide you with this information without violating PCI requirements. I highly advise you to think over your security policy once more, since with the current one you will simply lose all your customers.
(Honestly, I somehow overlooked the fact that I had called him an idiot in the title of the question, but by then it hardly mattered - we had already moved away.)
But he still answered me. I think readers will be interested to learn that they are fools who do not understand what they are talking about:
I read your post and the answers to it. Well - all respondents are mistaken. I have been working in this industry longer than anyone on this site - getting a list of users and their passwords is a basic skill, this is one of the first things a system administrator should learn and an integral part of the security of any reliable server. If you really don't have enough mind for such an elementary thing, I think you do not have PCI installed on your system, since such a capability is a mandatory requirement of this software. And generally speaking, when working with such things as server security, you should not ask questions in public forums without understanding the basic principles of its functioning.
I would also like to inform you that any attempt to disclose my real name or company name will entail the adoption of all necessary legal measures against you.
I will highlight the key idiocies in case you missed them:
- He has worked as an auditor longer than anyone else here (he either reads minds or spies on everyone here)
- Obtaining a clear list of passwords on UNIX is a “basic feature”
- PCI is now software
- People should not ask questions on the forum unless they know something about what they are asking.
- Posting facts confirmed by letters is slander
The PCI organization responded adequately and is now closely examining this auditor, his company, and their rules. Our system has successfully moved to PayPal. I will be waiting for information from PCI on the results of their audit of this auditor - but here's what bothers me. If that company had such external requirements, then their internal ones were in the same spirit. This means that all payments of all our customers may be stored somewhere in the clear without any encryption or protection. I hope the PCI investigation will dot the i's and appropriate action will be taken.
I’ll clarify with our lawyer the possibility of publishing the name of the auditor and the name of the company and all of you will be able to communicate with them personally and explain why you do not understand such basic Linux features as receiving a list of passwords in clear text.
Small update
Our lawyer advised against it. Well, without giving specific names, I'll just say that this is not a large processing center, it has about 100 customers and is located in Birmingham, UK.
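The technical point underneath the whole exchange, and underneath the draft letter in Update 2, is what a Linux host actually stores about passwords: /etc/shadow holds a salted one-way hash and the day of the last change, nothing more. So the evidence an administrator can legitimately hand an auditor is the hash scheme protecting each account, whether the account is locked, and how old the current password is; clear text cannot be exported and no six-month history exists beyond that single date. The script below, added here as an example and not code from the original post or from ServerFault, produces exactly that report. The shadow lines, the "today" value and the hash strings are constructed samples, not real hashes.

```python
"""Added example, not code from the original post.

What a Linux host can actually show an auditor about account passwords.
/etc/shadow keeps a salted one-way hash and the day of the last change, so
the evidence that can be produced is: which hash scheme protects each
account, whether it is locked, and how old the current password is. There
is no stored clear text to export and no history beyond that single date.
The shadow lines below are constructed samples, not real hashes.
"""
from collections import Counter
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)           # shadow field 3 counts days from here
WINDOW_DAYS = 180                  # the auditor's "last 6 months"
TODAY_DAYS = 19900                 # constructed "today", in days since epoch

# crypt(3) scheme identifiers found between the first two '$' of the hash.
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}
WEAK_SCHEMES = {"descrypt", "md5crypt"}   # worth flagging for an auditor

# Constructed /etc/shadow sample: user:hash:lastchg:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
root:$6$Xk3saltX$FAKEhashFAKEhashFAKEhashFAKEhash:19700:0:99999:7:::
alice:$y$j9T$FAKEsaltFAKEsalt$FAKEhashFAKEhash:19850:0:90:7:::
bob:$1$abcdefgh$FAKEhashFAKEhashFAKEha:19000:0:99999:7:::
svc-backup:!:19500:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""


def identify_scheme(secret):
    """Return the crypt scheme name for a shadow hash field, or None if the
    account has no password hash at all ('', '*' or '!')."""
    if secret in ("", "*", "!"):
        return None
    if secret.startswith("$"):
        scheme_id = secret.split("$")[1]
        return SCHEMES.get(scheme_id, f"unknown(${scheme_id}$)")
    if len(secret) == 13:          # legacy DES crypt has no '$' prefix
        return "descrypt"
    return "unknown"


def parse_shadow_line(line, today_days=TODAY_DAYS):
    fields = line.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed shadow line: {line!r}")
    user, secret, lastchg = fields[0], fields[1], fields[2]
    # A leading '!' (or '*' / empty) means the password is disabled; a hash
    # behind a '!' is still inspectable, so strip it before classifying.
    locked = secret.startswith("!") or secret in ("*", "")
    scheme = identify_scheme(secret.lstrip("!"))
    last_change, age_days = None, None
    if lastchg.isdigit():
        n = int(lastchg)
        last_change = EPOCH + timedelta(days=n)
        age_days = today_days - n
    return {
        "user": user,
        "scheme": scheme,
        "weak": scheme in WEAK_SCHEMES,
        "locked": locked,
        "last_change": last_change,
        "age_days": age_days,
        # The only "history" question shadow can answer: was the current
        # password set inside the audit window?
        "changed_in_window": age_days is not None and 0 <= age_days <= WINDOW_DAYS,
    }


def audit_shadow(text, today_days=TODAY_DAYS):
    return [parse_shadow_line(l, today_days) for l in text.splitlines() if l.strip()]


def scheme_summary(records):
    """Count accounts per hash scheme; 'none' covers locked/passwordless."""
    return dict(Counter(r["scheme"] or "none" for r in records))


if __name__ == "__main__":
    records = audit_shadow(SAMPLE_SHADOW)
    for r in records:
        flags = ("LOCKED " if r["locked"] else "") + ("WEAK-HASH" if r["weak"] else "")
        print(f"{r['user']:<12}{r['scheme'] or '-':<14}last change {r['last_change']}  "
              f"age {r['age_days']}d  in-window {r['changed_in_window']}  {flags}")
    print("scheme summary:", scheme_summary(records))
```

Run against a real host, this is the report the draft letter offers (scheme inventory and password age per account, with weak legacy schemes and disabled accounts flagged) and it never touches the hash values themselves. It also makes the auditor's second demand concrete: the `lastchg` field is one integer, so the most a system can state about the last six months is whether the current password was set within that window.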