[0] https://www.rsync.net/resources/regulatory/PCI_usw-s005_repo...
EDIT: It’s marked as "PASS" though, so it’s all fine, just funny.
We sent them back a link of prominent servers that respond to ping.
Including the web server of the expensive agency that had produced the report. And whose web server had an expired SSL certificate.
I do not believe ICMP (ping) is an automatic-fail condition for PCI (at least for certain SAQ levels that I'm familiar with) - however they do show up as warnings, particularly if you can get a timestamp response (to be used in timing-based attacks).
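The ICMP timestamp finding mentioned above, as an added example that is not part of the thread: a small probe that builds an ICMP Timestamp Request (type 13), parses the Timestamp Reply (type 14) and derives what the reply actually discloses, the target's wall-clock time. The identifier value and the sample reply in `demo()` are constructed for this example, not captured from any real host; `probe()` needs raw-socket privileges and is only there to show the live check.

```python
"""ICMP timestamp (type 13/14) probe: does a host disclose its clock?

Added example, not from the thread. Builds an ICMP Timestamp Request,
parses the Timestamp Reply and estimates the remote clock offset.
The identifier and the sample reply in demo() are constructed.
"""
import socket
import struct
import time
from typing import Optional

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
ICMP_TS_LEN = 20  # 8-byte ICMP header + three 4-byte timestamps


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. A message whose checksum
    field is already correct re-sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(now: Optional[float] = None) -> int:
    """ICMP timestamps are milliseconds since midnight UTC (RFC 792)."""
    now = time.time() if now is None else now
    return int((now % 86400) * 1000)


def _icmp_timestamp_msg(itype, ident, seq, orig, recv, xmit) -> bytes:
    head = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    body = struct.pack("!III", orig, recv, xmit)
    csum = icmp_checksum(head + body)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + body


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    return _icmp_timestamp_msg(ICMP_TIMESTAMP_REQUEST, ident, seq, originate_ms, 0, 0)


def build_timestamp_reply(ident, seq, originate_ms, receive_ms, transmit_ms) -> bytes:
    """What a responding host sends back; used here only to construct a
    sample reply for the offline demo."""
    return _icmp_timestamp_msg(ICMP_TIMESTAMP_REPLY, ident, seq,
                               originate_ms, receive_ms, transmit_ms)


def parse_timestamp_reply(datagram: bytes, ident: int) -> Optional[dict]:
    """Parse a raw IPv4 datagram (as a raw socket delivers it) and return the
    reply's timestamps, or None if it is not a valid reply to `ident`."""
    if len(datagram) < 20:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    icmp = datagram[ihl:ihl + ICMP_TS_LEN]
    if len(icmp) < ICMP_TS_LEN or icmp_checksum(icmp) != 0:
        return None
    itype, code, _csum, rid, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp)
    if itype != ICMP_TIMESTAMP_REPLY or code != 0 or rid != ident:
        return None
    return {"seq": seq, "originate_ms": orig, "receive_ms": recv, "transmit_ms": xmit}


def remote_clock_offset_ms(reply: dict, local_receive_ms: int) -> int:
    """Remote clock minus local clock, assuming a symmetric round trip.
    This is the disclosure the scanner flags: an unauthenticated sender
    learns the target's wall-clock time."""
    rtt = local_receive_ms - reply["originate_ms"]
    return reply["transmit_ms"] - (reply["originate_ms"] + rtt // 2)


def probe(host: str, ident: int = 0x4D2A, timeout: float = 2.0) -> Optional[dict]:
    """Send one request and wait for a reply. Needs CAP_NET_RAW (root).
    `ident` is an arbitrary value chosen for this example."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_timestamp_request(ident, 1, ms_since_midnight_utc()), (host, 0))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                data, _ = s.recvfrom(1500)
            except socket.timeout:
                return None
            reply = parse_timestamp_reply(data, ident)
            if reply:
                reply["offset_ms"] = remote_clock_offset_ms(reply, ms_since_midnight_utc())
                return reply
    return None


def demo() -> dict:
    """Offline walk-through on a constructed reply (no network needed)."""
    ident, seq = 0x4D2A, 1
    req = build_timestamp_request(ident, seq, originate_ms=1_000)
    assert req[0] == ICMP_TIMESTAMP_REQUEST and icmp_checksum(req) == 0
    # Constructed scenario: remote clock is 5 s ahead, round trip is 40 ms.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ICMP_TS_LEN, 0, 0, 64,
                         socket.IPPROTO_ICMP, 0, bytes(4), bytes(4))
    datagram = ip_hdr + build_timestamp_reply(ident, seq, 1_000, 6_020, 6_020)
    reply = parse_timestamp_reply(datagram, ident)
    reply["offset_ms"] = remote_clock_offset_ms(reply, local_receive_ms=1_040)
    return reply


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

A host that answers reveals its clock to anyone who can reach it, which is all the scanner is reporting; on Linux the usual mitigation is to drop the request rather than the whole ICMP protocol, e.g. `iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP`, which leaves echo (ping) untouched.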
PCI prefers systems that handle CHD be "invisible" to the outside world, in an attempt to hide the systems an attacker might take interest in. Not always feasible (eCommerce, for example), but you gotta jump through the PCI hoops if you don't want to be stuck holding the bag if there's some breach.
And the system by definition could not be invisible - the ip in question was in DNS and was what you'd connect to the web servers on.
When they told me, I informed them I had stopped using their vulnerability scanner years ago because they would not allow me to change anything in it, including exclusions for ICMP timestamps or other vulns I've mitigated while proper fixes were in the works.
So I rolled my own and use that to audit my systems. They don’t care because “policy”. My C-levels will just ask and then promptly disregard all future reports, adding to the noise.
HPE iLO doesn't support MFA or any form of public key authentication, and its security history is much worse than SSH. It requires several ports open and the old version they had required Java plugins on desktops and all sorts of nonsense. Using it outside of emergency repairs is a terrible experience due to console refresh lag and the fact you can't copy + paste.
The reason I had to do this insecure and annoying process is that a PCI assessor had told them it would be a hard fail to have port 22 open on the Internet, but this would apparently be fine.
("This thing requires a Java applet and is slow as hell. Screw it, let's just pwn the bank across the street")
I'll call it Security by Inconvenience.
The hackers were annoyed by the compromised machine so they installed security updates and did other system administration tasks.
[0] https://groups.google.com/g/alt.sysadmin.recovery/c/ITd7OlMr...
Every time I notice an obscure feature in a Google product or service and go "hm, I wonder if that could be exploited", I then always go "...meh, it'll take too long and require too much concentration to figure it out."