OT: SCO 5 6.0.0 - cURL Binaries / upgrade

ken white kenwhite at verizon.net
Fri Mar 11 14:23:12 PST 2022


Jose, I have to agree with Mark on this one.   Every link in the chain must
be PCI compliant, else the solution is not.   Does the substitution of one
transport with another out-of-date transport (rsync) make any difference?
A non-compliant box sending CC information to a compliant one does not make
the solution compliant.   I had a client running a compliant POS solution on
VMware 5.1.  When 5.1 was EOL the solution was found to be non-compliant,
remediation was not possible, and we migrated the server.

The issue is a bit larger than someone finding out.  If a breach happens, or
if one of your clients goes through an actual PCI security audit, you as an
upstream provider better have your ducks in a row.

From my understanding of this email chain your SaaS is acting as a middle
man between your client and their provider.  Has your SaaS been
independently vetted?  Do you provide your clients a PCI Attestation of
Compliance (AOC)?

I would believe that if you ran internal and external penetration tests on
any server in the CC data flow, the ability to fall back to early TLS would
cause you to fail the PCI scan.  On my server(s) I was required to run scans
monthly, signed quarterly by an independent ASV.   Some scanners flag TLS
1.1 as early TLS.

PCI Security Standards Council mandated that companies that wish to remain
compliant must have transitioned from TLS 1.0 by June 2018 with a recommended
minimum of TLS 1.2, with the exception of POS POI terminals verified as not
susceptible.

"I was also thinking of a way to hash the CC # and reverse that later so
that the CC # is not in plain text at any time."  -  I do not know how to
properly respond to this statement.  Depending on the solution a PAN scan is
required to verify that CC information is not visible on the system period.

PCI DSS 4.0 is around the corner; it is supposed to be released this
quarter.  I believe that 3.2 compliant solutions which are not validated
under 4.0 will be considered non-compliant once the transition period
expires.    You may want to prepare for TLS 1.3, which is required on Govt
servers Jan 2024.
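
The PAN scan mentioned above is the check that tells you whether card numbers are actually sitting in plain text on a box (logs, spool files, temp files). Note that a hash is one-way by design and cannot be "reversed later"; keeping the PAN out of plaintext is done with encryption or tokenization, and a scan like this is how you verify it worked. The following Python is an added example, not code from this thread or from any poster: it pairs a digit-run pattern with the Luhn checksum to cut false positives, and reports hits masked (first six and last four digits) so the report itself never contains a full PAN. The log lines in `SAMPLE_LOG` are constructed; the two card numbers are well-known test-range values.

```python
"""
Minimal PAN scanner: finds digit runs that look like card numbers, keeps only
those that pass the Luhn checksum, and reports them masked so the report
itself never contains a full PAN.  The sample input below is constructed.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to other digits on either side.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: two test-range card numbers, a 16-digit order id that
# fails Luhn, timestamps, and a short phone-style number.
SAMPLE_LOG = """\
2022-03-11 14:23:12 POST /api/charge order=1234567890123456 amount=19.99
2022-03-11 14:23:13 DEBUG payload card=4111111111111111 exp=0525
2022-03-11 14:23:14 DEBUG payload card=5500 0000 0000 0004 exp=1126
2022-03-11 14:23:15 INFO token=tok_9f8e7d6c5b4a customer phone 555-0100
"""


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the common PCI display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Return one record per Luhn-valid candidate: line number, masked PAN, length."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                hits.append({"line": lineno,
                             "masked": mask_pan(digits),
                             "length": len(digits)})
    return hits


def scan_file(path: str) -> list:
    """Scan a file on disk; undecodable bytes are replaced so binary junk does not abort the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['masked']} ({hit['length']} digits)")
```

Run against `SAMPLE_LOG` it reports lines 2 and 3 only: the order id on line 1 is the right length but fails Luhn, and nothing else is long enough. Luhn is a checksum, not proof that a number is a card, so treat hits as candidates to review; the point of the scan is that a clean result is what you want before anyone signs an SAQ.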


-----Original Message-----
From: Filepro-list
<filepro-list-bounces+kenwhite=verizon.net at lists.celestial.com> On Behalf Of
Fairlight via Filepro-list
Sent: Friday, March 11, 2022 11:09 AM
To: filepro-list at lists.celestial.com
Subject: Re: OT: SCO 5 6.0.0 - cURL Binaries / upgrade

Honestly, based on what you just said, and what Bill suggested, I'm not
convinced that just interjecting a system in the middle is sufficient.

Sure, the gateway company will be satisfied.

You still would have a link in the chain which is not PCI compliant.
That's a problem, legally speaking.  If anyone ever found out, you'd be
boned.  EVERY hop in the chain needs to be compliant.

m->


On Fri, Mar 11, 2022 at 10:30:39AM -0500, Jose Lerebours via Filepro-list
thus spoke:
> The problem as far as non-compliant is at the filePro box - running SCO 5.
> 
> I have a cloud based gateway, if you will, which is par and fully 
> patched, hence the reason SCO box is being rejected.
> 
> As a SaaS, I provide an API that my customers use as a gateway to 
> reach their CC Processing Providers, through this, I make it easier 
> for them to simplify their code and give them the ability to POST 
> requests in a simple form and my API Server deals with the WSDL, CURL, 
> JSON, XML conversion up/down and reply back in a chosen format (json, 
> csv, plain text ...).
> 
> The Processing company in this case has upgraded their TLS to a recent 
> version, I in turn followed through and made changes on my end to make sure 
> my SaaS reaches them in the required version/encryption - Testing 
> within my local server works well - testing my development box (which 
> is also up to date) works just fine but from the SCO box is where we 
> are having issues.
> 
> They have so much stuff going on in the SCO box that they are 
> reluctant to even change a file name on it!   I can totally understand 
> that, their store runs on this box and it goes well beyond their 
> filePro application.
> 
> It has been suggested that I look into using rsync as a means to POST to my 
> SaaS Server having the source file encrypted locally (@ the SCO box) 
> and then decrypting the file prior to POST up to Processing Company.
> 
> This suggestion may be a viable solution and data can be safely moved 
> UP/DOWN the process - I was also thinking of a way to hash the CC # 
> and reverse that later so that the CC # is not in plain text at any time.
> This may present another problem, given the different OSes, versions, 
> and everything else, I may not be able to siphon the hashed CC #.
> 
> 
> 
> 
> On 3/11/22 10:03 AM, ken white via Filepro-list wrote:
> > I wonder what version of openssl is installed.   According to 
> > openssl.org, all versions prior to 1.1.1 are out of date and no longer 
> > supported.  Therefore, if your software is dependent on openssl, I 
> > believe that versions prior to 1.1.1 would no longer be considered 
> > PCI compliant.  Version 0.9.8, installed as a supplement for SCO 6.0.0, 
> > was EOL 2016.  Even version 1.1.1 has a few high severity CVEs listed 
> > which require patching.  Depending on the flavor of their PCI SAQ, the 
> > responsible party signing their annual PCI SAQ should be very concerned.
> > -----Original Message-----
> > From: Filepro-list
> > <filepro-list-bounces+kenwhite=verizon.net at lists.celestial.com> On 
> > Behalf Of Fairlight via Filepro-list
> > Sent: Thursday, March 10, 2022 2:00 PM
> > To: filepro-list at lists.celestial.com
> > Subject: Re: OT: SCO 5 6.0.0 - cURL Binaries / upgrade
> > 
> > They don't have to jump for joy.  Is it a business requirement, or 
> > is it someone's pet wishlist item?  If the former, it is what it is.  
> > If the latter, it's optional and can be given a pass.
> > 
> > Places can either afford to play ball in their industries, or not.  
> > It's not negotiable, any more than us needing internet service, and 
> > not wanting to pay for it, for instance.  It's not optional if you 
> > want the specified result.  If it's what's required of the business, 
> > it's required.  That's how 'required' works.  Happiness doesn't enter 
> > into it.
> > 
> > God forbid someone need an ISO or SOX audit.  Those cost a mint, and 
> > I've never known anyone who was 'happy' to absorb the price.
> > "Choiceless" is the best fitting adjective for situations like these.
> > 
> > Nobody should be on SCO these days, if they want to take advantage 
> > of any open source software. libopenssl/libssl2 versions features vs 
> > restrictions -alone- are a compelling case for getting off of SCO, 
> > never mind the bigger picture.  It's not a sustainable platform in 
> > today's security landscape, -especially- the way Xinuos likes to do 
> > things.  You will almost always be at least half a year to two years 
> > behind the curve, and God help you if a zero day exploit is 
> > discovered, because -they're- certainly not going to jump right on that.
> > 
> > m->
> > 
> > 
> > On Thu, Mar 10, 2022 at 12:07:20PM -0500, Jose Lerebours via 
> > Filepro-list thus spoke:
> > > Thanks Mark!
> > > 
> > > Migrating to LINUX may be the next best thing - based on your 
> > > reply, it is the ONLY best thing.  ;-)
> > > 
> > > Not exactly what I was hoping to hear - I am sure they are not 
> > > going to jump for joy either!
> > > 
> > > Regards,
> > > 
> > > 
> > > On 3/10/22 11:26 AM, Fairlight via Filepro-list wrote:
> > > > The problem isn't curl itself.  The problem is that you need a 
> > > > sufficiently high OpenSSL version on the system against which 
> > > > curl can be compiled.
> > > > 
> > > > The only people who can truly help with this are Xinuos.  At 
> > > > one point a few years back, they were recommending an upgrade to 
> > > > their latest combo Unix platform, and had forward-looking plans 
> > > > to release just such an OpenSSL version (which by the time they 
> > > > would have gotten done would have been over six months behind 
> > > > reality).  They were only going to offer it for their latest 
> > > > version of OpenServer.
> > > > 
> > > > It was a bad bet to wait on them.
> > > > 
> > > > If you're serious about eCommerce, get them off SCO.  It's a 
> > > > dying platform for anything to do with security and 
> > > > interoperability.
> > > > 
> > > > OpenSSL is also notoriously bitchy to compile, especially on SCO.
> > > > 
> > > > Given a system with a usable devkit, I'd be willing to make the 
> > > > attempt, but it would -cost-, and not just a little.  $25k 
> > > > minimum for the attempt, succeed or fail; more on success.  
> > > > That's how bitchy it tends to be, historically, and how much it 
> > > > would need to be made worth my time to even make the attempt in 
> > > > good faith, on a dead platform.  Anyone doing it for less is a 
> > > > fool, especially when you realise that it's going to support a 
> > > > credit card gateway system which will be the cornerstone of 
> > > > someone's business for years to come.  You get your money out of 
> > > > that up-front, because you'll never see another cent out of it 
> > > > afterwards, if you do it correctly.  At least not until the next 
> > > > mandatory TLS bump.  So how much do they
> > > > -actually- want to do their credit card processing on SCO? :)
> > > > 
> > > > They're better off being migrated to Linux.  Barring that, no, 
> > > > it wouldn't (and shouldn't) be inexpensive.
> > > > 
> > > > m->
> > > > 
> > > > 
> > > > On Thu, Mar 10, 2022 at 10:01:01AM -0500, Jose Lerebours via 
> > > > Filepro-list thus spoke:
> > > > > Waaaaay off topic but I have to ask:
> > > > > 
> > > > > I have a customer that is running on SCO 5 v6.0.0 and credit 
> > > > > card processing company will no longer accept TLS lesser than 
> > > > > 1.2; it appears that with that, we need to upgrade cURL from 
> > > > > its current version of 7.2.### to a more recent version.
> > > > > 
> > > > > Do any of you (a) have a copy of cURL that you would care to share 
> > > > > (purchasing is an option BTW), or (b) know of a link where said 
> > > > > binaries could be found?
> > > > > 
> > > > > Thank you all in advance for your assistance!
> > > > > 
> > > > > 
> > > > > --
> > > > > Jose Lerebours
> > > > > 954-559-7186
> > > > > https://www.asisuites.com
> > > > > Accounting - Retail - Wholesale - Distribution Manufacturing - 
> > > > > Warehousing - Transportation - eCommerce - Web Development
> > > > > 
> > > > > _______________________________________________
> > > > > Filepro-list mailing list
> > > > > Filepro-list at lists.celestial.com 
> > > > > Subscribe/Unsubscribe/Subscription Changes 
> > > > > http://mailman.celestial.com/mailman/listinfo/filepro-list
> > > > > 
> > > --
> > > Jose Lerebours
> > > 954-559-7186
> > > https://www.asisuites.com
> > > Accounting - Retail - Wholesale - Distribution Manufacturing - 
> > > Warehousing - Transportation - eCommerce - Web Development
> > > 
> > > 
> > --
> > Audi omnia, crede nihil.
> 
> --
> Jose Lerebours
> 954-559-7186
> https://www.asisuites.com
> Accounting - Retail - Wholesale - Distribution Manufacturing - 
> Warehousing - Transportation - eCommerce - Web Development
> 
> 

--
Audi omnia, crede nihil.