PCI/DSS latest moan

    Just had our compliance scan fail AGAIN! Trying to find the solution but not having much success - can anyone help please?

    Description: PCI DSS Compliance : Insecure Communication Has Been Detected

    Synopsis: An insecure port, protocol or service has been detected.

    Impact: Applications that fail to adequately encrypt network traffic using strong cryptography are at increased risk of being compromised and exposing cardholder data. If an attacker is able to exploit weak cryptographic processes, he/she may be able to gain control of an application or even gain clear-text access to encrypted data.

    Data Received: The SMTP server advertises the following SASL methods over an unencrypted channel:

    All supported methods: LOGIN, CRAM-MD5
    Cleartext methods: LOGIN

    Resolution: Properly encrypt all authenticated and sensitive communications.

  • #2
    Re: PCI/DSS latest moan

    Is this to do with Windows Server (if so, which version), Exchange (the hint is SMTP), or something else? Let me know and I will move this to the appropriate forum.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    • #3
      Re: PCI/DSS latest moan

      Originally posted by Lepra:
      Data Received: The SMTP server advertises the following SASL methods over an unencrypted channel:

      All supported methods: LOGIN, CRAM-MD5
      Cleartext methods: LOGIN

      Resolution: Properly encrypt all authenticated and sensitive communications.
      You have an SMTP service that supports unencrypted authentication ("LOGIN"), meaning usernames and passwords could be sent as clear text over an unencrypted connection.

      As Ossian said, the procedure for disabling LOGIN support depends on the mail server product in question.

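To see exactly what the scanner is objecting to, and to confirm the fix once the mail server has been reconfigured, here is an added Python example that repeats the scanner's check: read the plaintext EHLO reply, list the SASL mechanisms it advertises, and flag any that carry the password in the clear. This is not code from the thread or from any scanner vendor. The EHLO replies embedded in it are constructed, the host name `mail.example.test` is hypothetical, and the set `CLEARTEXT_MECHS` (LOGIN and PLAIN) is the example's own classification; CRAM-MD5 is challenge-response, which is consistent with the scan output listing only LOGIN as cleartext.

```python
"""Reproduce the 'SASL methods advertised over an unencrypted channel' check.

Added example, not part of the original thread. The EHLO replies below are
constructed for illustration; mail.example.test is a hypothetical host.
"""
import smtplib
from typing import Dict, Iterable, List, Optional

# Mechanisms that expose the password (or a base64 encoding of it) to anyone
# on the wire when used without TLS. Challenge-response schemes such as
# CRAM-MD5 are deliberately not in this set; that matches the scanner output,
# which lists LOGIN as the only cleartext method.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}


def ehlo_features(reply_lines: Iterable[str]) -> Dict[str, str]:
    """Turn a raw multi-line EHLO reply into {KEYWORD: params}.

    Lines look like "250-KEYWORD params" or, for the last one, "250 KEYWORD".
    The server greeting on the first line is parsed too, but it is harmless
    because only the AUTH and STARTTLS keywords are inspected later.
    """
    feats: Dict[str, str] = {}
    for line in reply_lines:
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        keyword = keyword.upper()
        if keyword.startswith("AUTH="):  # legacy "AUTH=LOGIN PLAIN" form
            params = keyword[5:] + " " + params
            keyword = "AUTH"
        feats[keyword] = (feats.get(keyword, "") + " " + params).strip()
    return feats


def assess(feats: Dict[str, str]) -> Dict[str, object]:
    """Classify advertised mechanisms the way the scanner's report does."""
    feats = {k.upper(): v for k, v in feats.items()}
    mechs: List[str] = [m.upper() for m in feats.get("AUTH", "").split()]
    cleartext = [m for m in mechs if m in CLEARTEXT_MECHS]
    return {
        "all": mechs,
        "cleartext": cleartext,
        "starttls": "STARTTLS" in feats,
        # The finding fires when any cleartext mechanism is offered before TLS,
        # regardless of whether STARTTLS is also on offer.
        "compliant": not cleartext,
    }


def live_check(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, Optional[dict]]:
    """Run the same assessment against a real server (needs network access).

    Returns the plaintext EHLO assessment and, if STARTTLS is offered, the
    assessment of the EHLO issued after the TLS upgrade. A compliant server
    shows no AUTH before STARTTLS and still offers it afterwards.
    smtplib.starttls() verifies the server certificate by default, so a
    self-signed certificate will raise an ssl error here.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = assess(smtp.esmtp_features)  # keys are lowercased by smtplib
        after: Optional[dict] = None
        if before["starttls"]:
            smtp.starttls()
            smtp.ehlo()  # RFC 3207: the client must EHLO again after STARTTLS
            after = assess(smtp.esmtp_features)
    return {"plaintext": before, "after_starttls": after}


# Constructed EHLO replies (not real server output).
VULNERABLE_EHLO = [
    "250-mail.example.test Hello scanner",
    "250-SIZE 20971520",
    "250-STARTTLS",
    "250-AUTH LOGIN CRAM-MD5",  # LOGIN offered before TLS: this is the finding
    "250 OK",
]
HARDENED_EHLO = [
    "250-mail.example.test Hello scanner",
    "250-SIZE 20971520",
    "250-STARTTLS",             # AUTH is only advertised after STARTTLS
    "250 OK",
]

if __name__ == "__main__":
    for name, reply in (("vulnerable", VULNERABLE_EHLO), ("hardened", HARDENED_EHLO)):
        print(name, assess(ehlo_features(reply)))
```

Run it as-is to see both constructed cases classified, or call `live_check("mail.example.test")` against the real server: the plaintext result should report `compliant: True` after the fix, while the `after_starttls` result still lists the mechanisms, which shows that authentication was restricted to encrypted sessions rather than removed.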