Failed Barclaycard security scan

I work for a small company, and we have 3 terminals for card payments. Every now and again the terminal provider asks for our IP address and does a scan. They are saying that the scan has failed on security on ports 61115 and 51119 and are asking us to install an SSL security certificate. The terminals are wireless.

Bearing in mind, we have never failed a scan before, and nothing network-wise has changed since the last one a few months ago.

We have no idea how to install the security certificate. Is this something that can be done on the router itself? It is a Linksys WRT.

Any help would be appreciated.

Barclaycard are not really being any help, other than saying we need to install these certificates to pass.



General remote services - Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server supports Transport Layer Security (TLSv1.0) - 61116 / tcp over ssl

Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server supports Transport Layer Security (TLSv1.0) - 51119 / tcp over ssl

General remote services - SSL Certificate - Signature Verification Failed Vulnerability - 51119 / tcp over ssl

General remote services - SSL Certificate - Signature Verification Failed Vulnerability - 61115 / tcp over ssl


Just to clarify, these are port numbers that we do use for remote access on 2 machines. But we also have other port numbers in use that are scanning fine. So would the issue be on these two machines that have the open ports?
Ok, not to be deliberately harsh here but from your own words and scan results it's clear that your company does not have the skills required to maintain a secure environment. You should request to swap your card terminals for 4G/5G connected devices that do not touch your network in any way.
 
The RDP has been set up like this by an "IT professional" many years ago; I guess this is not a good approach these days?
 
If you have no IT staff and no ongoing arrangement with a company who provides you IT management then you are always going to have the same problem of whatever was deemed acceptable at a point in time rapidly becoming insecure. The easiest (and probably cheapest) way to resolve the problems highlighted by the scan is to remove the card terminals from a network that is your responsibility.
 
Opting for a third-party solution (TeamViewer/HelpWire) or a VPN (your Linksys may support OpenVPN, which could be a solution) would be the typical setup for SMB environments. Exposing RDP directly to the internet isn't particularly the best of ideas unless it's properly secured.

Given your current situation, the easiest solution is as @Caged says and opt for mobile network variants of the terminals as it removes the burden of securing your network. Alternatively, disable RDP/stop exposing the ports to the internet.
 
Router does support OpenVPN, yes.
 
Ordinarily, this would be the post where I tell you how to bypass your issue with minimal effort because it has flagged something minor and largely irrelevant, however, in this case you appear to be the textbook example of why PCI compliance is a thing, and I am just left sitting here shaking my head in disbelief. If this is your area of responsibility, then getting all card data off your network is probably a very good idea, you lack the awareness and knowledge to make appropriate choices about security, or the willingness to hire people who can make those choices for you. Also, as it seems to have been overlooked so far, what model of router is that? The reason I ask is I am pretty sure the WRT branded lines were EoL'd a good few years back, if so then realistically it shouldn't be in a business environment.

Let's all hope your LoB isn't something actually important.
 
Well, thanks for the help, or lack of...

Anyway, ports have been closed for the RDP connections, and I have now set up CloudConnexa for remote access on the machines that require it, so the PCI scan has now been passed.
 
Not having this attitude, you came here for advice and you got it. Your issue is that you weren't pampered.
I did not start with an attitude. It changed with the "help" I received.

Again, I never initially set up this RDP this way; I only needed to fix the issue. I should have just googled it first, I suppose, rather than asking a question on here.
 
I'm not saying you did start with an attitude. Nobody here has accused you of being at fault and setting things up wrong; they gave you advice based on your own stated position of:
"We have no idea how to install the security certificate"
This advice was given free of charge, even with the knowledge that it was to a business and not a hobbyist or home user asking for guidance. You came back this morning to be snarky about the lack of help you had received (despite following the advice in one of the posts and setting up OpenVPN), and that is what I'm judging you on.
 
I assume all of your traffic is going through a centralized server for Active Directory, DNS and DHCP and not just the router. TLS 1.0 is a very old, insecure mechanism and at minimum you need to update to 1.2. You can use an app like IIS Crypto on the server running these services (or on multiple servers) without much knowledge to achieve what everyone here is saying. You do have to have some understanding that if you do use it, it will improve your server security but will also break things that are reliant on TLS 1.0. The app has templates built into it that are based on specific security standards.
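The post above points at the SCHANNEL protocol settings that tools like IIS Crypto edit. The following is an added, read-only PowerShell audit (not from the thread or any poster) that checks the two things the scan flagged on a Windows RDP host: whether the server still offers TLS 1.0, and whether the certificate RDP presents is the default self-signed one that an external scanner cannot verify. Registry paths and the 'Remote Desktop' certificate store are standard Windows locations; the port numbers are whatever the host is configured with.

```powershell
# Added example: audit SCHANNEL protocol state and the RDP listener/certificate
# on one Windows host. Read-only; run in an elevated PowerShell session.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-TlsServerState {
    param([string]$Protocol)   # e.g. 'TLS 1.0'
    $key = Join-Path $schannel "$Protocol\Server"
    if (-not (Test-Path $key)) {
        # No key means no override: the OS default applies, which on older
        # Windows releases leaves TLS 1.0 enabled server-side.
        return "$Protocol : no SCHANNEL override (OS default)"
    }
    $v = Get-ItemProperty -Path $key
    $enabled   = if ($null -ne $v.Enabled)           { $v.Enabled }           else { 1 }
    $byDefault = if ($null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { 0 }
    return "$Protocol : Enabled=$enabled DisabledByDefault=$byDefault"
}

'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-TlsServerState $_ }

# Port the RDP listener is bound to (default 3389; the thread's hosts used
# non-standard ports) and whether anything is actually listening on it.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey).PortNumber
"RDP listener port: $rdpPort"
Get-NetTCPConnection -State Listen -LocalPort $rdpPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# RDP presents the certificate in the 'Remote Desktop' machine store. When
# Issuer equals Subject it is self-signed, which is exactly what a scanner
# reports as "Signature Verification Failed".
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' | ForEach-Object {
    $selfSigned = ($_.Subject -eq $_.Issuer)
    'RDP cert: {0} issued by {1}, expires {2}, self-signed={3}' -f `
        $_.Subject, $_.Issuer, $_.NotAfter, $selfSigned
}

# To disable TLS 1.0 server-side (the change IIS Crypto writes for you):
#   New-Item -Path "$schannel\TLS 1.0\Server" -Force
#   Set-ItemProperty "$schannel\TLS 1.0\Server" -Name Enabled           -Value 0 -Type DWord
#   Set-ItemProperty "$schannel\TLS 1.0\Server" -Name DisabledByDefault -Value 1 -Type DWord
# then reboot, and test every client that must connect: anything that only
# speaks TLS 1.0 stops working, as the post above warns.
```

Run it on each machine that had an exposed port; an "OS default" result for TLS 1.0 together with a self-signed RDP certificate reproduces both scan findings locally.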
 
A reasonable solution, and you're more secure for it :)

To add, and I'm happy to be proven wrong by someone that deals with Windows networks on the daily, getting SSL certificates assigned to individual Windows systems for RDP isn't particularly straightforward and, IIRC, limits you to Pro/Enterprise variants. Typically you would have an RDP gateway where it's a lot easier to manage it all.
 
Correct me if I am wrong, but closing these ports firewall-side closes the issue for what Barclaycard have noted but still leaves a big old hole for you to deal with. If the servers were patched accordingly, open TLS 1.0 ports just shouldn't be an issue. TLS 1.0 was disabled/deprecated via Windows Update back in August last year.

Well worth checking the patch status on your estate and also checking that you are on supported OS versions :) It is also worth just referencing this post on TechNet in terms of further work to close what is essentially a two-and-a-half-decade-old hole in a creaking protocol:

Have you looked into the router situation yet? The last WRT branded Linksys router was EoL nearly 4 years ago, since then no CVE patching has taken place and that's not OK either.
 