trustwave - your friendly security fail company

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

trustwave - your friendly security fail company

Post by bad_brain »

one of my hosting customers wants to use a CC payment processing gateway, and in the process of signing up to it the provider, Trustwave, ran a highly professional scan to see if the server (mine) is vulnerable to flaws which would disable them from using their CC gateway.
and.....my server failed....17 times. :o

and now it's getting hilarious, here's an excerpt of the vulnerabilities on my server they "found":
Image
already #1 and #2 are priceless, I hope someone notifies the Debian Project asap about the bind9 (nameserver) package they use in their up to date "stable" branch "not being supported or patched anymore". what? :-s :lol:

and so on, they list a bunch of exploits Debian never was vulnerable to (not even in the oldstable branch), others were fixed 2 years ago already. oh, and they found an OpenSSH vulnerability...without even connecting to it (I run SSH on another port, and it was never contacted).

but they give users an opportunity to file a dispute against their "results", I told my customer they can feel free to tell them to contact me...for IT lessons, $120/hour.

I also had a look at the log results their silly scan caused....and gawd....really? #-o
Image

and to make it even more hilarious, a display of their professionalism:
http://www.chicagobusiness.com/article/ ... ata-breach
Image

ph0bYx
Staff Member
Posts: 2039
Joined: 22 Sep 2008, 16:00

Re: trustwave - your friendly security fail company

Post by ph0bYx »

From the lawsuit you linked:
By this action, the Banks seek statutory and common-law damages caused by Defendants' failure to prevent the largest retail data breach in U.S. history.
:lol:
All the plaintiffs dropped their suits later though:
"Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave," Robert McCullen, CEO at Trustwave, wrote. "Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target."
but this part is interesting:
The suit filed on March 25 in U.S. District Court in Chicago by the two banks, and on behalf of all similarly situated institutions, claims that after Trustwave scanned Target's computer systems in September 2013, it found no vulnerabilities.
So I guess it's a good thing they found "vulnerabilities" on your servers :)

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: trustwave - your friendly security fail company

Post by bad_brain »

you mean they work with reverse psychology? those sneaky bastards...:o :lol:

and I am sure there were some agreements made behind the scenes before the lawsuits were dropped.
Image

maboroshi
Dr. Mab
Posts: 1624
Joined: 28 Aug 2005, 16:00

Re: trustwave - your friendly security fail company

Post by maboroshi »

It is my opinion that if the head of a company or someone put in charge of managing others can't do the job of any one of their employees, then they have failed as a business.

This is a proof of concept of that. A company that seemingly lacks most industry knowledge and is in charge of managing 2.7 million clients.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: trustwave - your friendly security fail company

Post by bad_brain »

they denied the filed "dispute" btw....telling them the system is a fully up to date Debian of the "stable" branch did not convince them....now they say I must provide the exact package versions... #-o
just as example: the BIND version they demand to be installed cannot even be realized on Debian by switching to the "experimental" branch.....I'll tell the customer to look for another CC processor, he was pissed off about that one already anyway.
Image
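The dispute above turns on a well-known mismatch: Debian stable keeps the upstream version number frozen and backports security fixes into the package, bumping only the Debian revision, so a scanner that reads a version banner and compares it against the newest upstream release reports "unpatched" even when the fix is present. The following is an added example (my code, not from the thread, from Trustwave or from Debian) that shows both sides of that argument: the naive banner-style comparison a scanner performs, and the check an administrator would actually use when answering a dispute, namely reading the package changelog to find the revision that closed a given CVE. The package name, version strings, changelog text and CVE ids are all constructed placeholders; the version comparison is a simplified ordering, not dpkg's full algorithm.

```python
"""Added example: why banner-based version checks misread Debian stable, and
how to verify a backported fix from the package changelog instead.
All versions, changelog text and CVE ids below are constructed placeholders."""
import re
from typing import Optional

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Debian changelog entry header: "<source> (<version>) <dist>; urgency=<level>"
CHANGELOG_HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=")

# Constructed changelog, newest entry first (the real format's ordering).
DEMO_CHANGELOG = """\
demo-nameserver (1:9.8.4.dfsg.P1-6+deb7u2) stable-security; urgency=high

  * Backport upstream fix for CVE-2000-0002 (constructed placeholder id).

 -- Demo Maintainer <maint@example.invalid>  Mon, 01 Jan 2000 00:00:00 +0000

demo-nameserver (1:9.8.4.dfsg.P1-6+deb7u1) stable-security; urgency=high

  * Backport upstream fix for CVE-2000-0001 (constructed placeholder id).

 -- Demo Maintainer <maint@example.invalid>  Mon, 01 Jan 2000 00:00:00 +0000

demo-nameserver (1:9.8.4.dfsg.P1-6) stable; urgency=low

  * Initial stable upload.

 -- Demo Maintainer <maint@example.invalid>  Mon, 01 Jan 2000 00:00:00 +0000
"""


def parse_debian_version(version: str) -> dict:
    """Split [epoch:]upstream[-revision]. The Debian revision is everything
    after the LAST hyphen; a version with no hyphen is a native package."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return {"epoch": int(epoch), "upstream": upstream, "revision": revision}


def _version_key(s: str) -> list:
    """Simplified ordering: digit runs compare as integers, other runs as
    text. Enough for this demo; dpkg's real rules (e.g. '~') are richer."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[^\d]+", s)]


def version_tuple(version: str) -> tuple:
    p = parse_debian_version(version)
    return (p["epoch"], _version_key(p["upstream"]), _version_key(p["revision"]))


def naive_scanner_verdict(installed: str, newest_upstream: str) -> str:
    """What a banner-only scanner effectively does: drop the epoch and the
    Debian revision and compare the upstream part with the newest release."""
    installed_upstream = parse_debian_version(installed)["upstream"]
    if _version_key(installed_upstream) < _version_key(newest_upstream):
        return "vulnerable"
    return "ok"


def changelog_fixed_in(changelog: str, cve: str) -> Optional[str]:
    """Return the oldest package version whose changelog entry names the CVE,
    or None if the changelog never mentions it."""
    entries, current_version, body = [], None, []
    for line in changelog.splitlines():
        m = CHANGELOG_HEADER_RE.match(line)
        if m:
            if current_version is not None:
                entries.append((current_version, "\n".join(body)))
            current_version, body = m.group("version"), []
        else:
            body.append(line)
    if current_version is not None:
        entries.append((current_version, "\n".join(body)))
    fixed_in = None
    for version, text in entries:  # newest first, so the last hit is the oldest
        if cve in CVE_RE.findall(text):
            fixed_in = version
    return fixed_in


def assess(installed: str, newest_upstream: str, changelog: str, cve: str) -> dict:
    """Scanner verdict next to the changelog-based answer for one CVE."""
    fixed_in = changelog_fixed_in(changelog, cve)
    fix_present = fixed_in is not None and version_tuple(installed) >= version_tuple(fixed_in)
    return {"scanner_verdict": naive_scanner_verdict(installed, newest_upstream),
            "fixed_in": fixed_in, "fix_present": fix_present}


if __name__ == "__main__":
    installed = "1:9.8.4.dfsg.P1-6+deb7u1"  # constructed, Debian-stable style
    for cve in ("CVE-2000-0001", "CVE-2000-0002", "CVE-2000-0003"):
        print(cve, assess(installed, "9.9.5", DEMO_CHANGELOG, cve))
```

On a real Debian host the changelog text comes from `/usr/share/doc/<package>/changelog.Debian.gz` or `apt-get changelog <package>`, and the installed version from `dpkg-query -W -f='${Version}' <package>`; the scanner column will say "vulnerable" for every backported fix, which is exactly the evidence to attach to a dispute.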

ph0bYx
Staff Member
Posts: 2039
Joined: 22 Sep 2008, 16:00

Re: trustwave - your friendly security fail company

Post by ph0bYx »

maboroshi wrote: It is my opinion that if the head of a company or someone put in charge of managing others can't do the job of any one of their employees, then they have failed as a business.

This is a proof of concept of that. A company that seemingly lacks most industry knowledge and is in charge of managing 2.7 million clients.
Out-sourced CEOs. I believe Apple had some trouble with those as well.
