Hacking Back Part II

In my last blog on “Hacking Back” I asked whether it is legal and ethical, and whether I have a right to defend my network against yours. Well, I believe it is legal and ethical, and absolutely, I have the right under “self-defense” to defend my network from being attacked by yours, even if you do not know that your network is attacking mine!

Obviously if I know who you are and can contact you I would be obligated to do so. This scenario assumes I have no idea where the attack is coming from.

When considering hacking, hack back, self-defense in cyber space, etc., you must consider the fact that everything happens literally at the speed of light. So, saying I must contact law enforcement, collect evidence, and go to court is the same as saying “just accept it, and hope to recover all of your losses from a court, even if your company has since been put out of business.”

Here is my next question for comments:

Does anyone wish to argue that if their network has been compromised by hackers and is attacking others without their knowledge, the party or parties they are attacking have NO right to take action to stop those attacks?

My hacking back article can be found on Titan Info Security Group under white papers.

VMware vShield Automation with PowerShell

Alan Renouf has posted a PowerShell Module and a video with instructions on how to install and use it for VMware vShield. He shows clearly how to easily assess and report on current settings (i.e. “Get-vShieldSecurityGroup | Select -ExpandProperty Member”) as well as modify them.

Now that I had the REST API details, I knew I could easily write some PowerShell code in the form of an advanced function to work with the API. The first piece of code I wrote was a generic function which allowed me to GET, PUT, DELETE and POST to a RESTful API. I know PowerShell v3 will include cmdlets for this, but I didn’t want to wait or add a dependency on something which wasn’t available as yet.

With this completed, the rest of the advanced functions were easily created; it was just a case of sending the correct parameter to my function and the correct URL, and my results would be returned.

vShield PowerShell Module from Alan Renouf on Vimeo.
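As an added illustration of the generic REST helper the quoted post describes (this is not Alan Renouf's module and not code from the original post), here is a PowerShell v2-compatible advanced function built on System.Net.HttpWebRequest rather than the later Invoke-RestMethod cmdlet. The HTTP Basic authentication header, the XML content type and the placeholder vShield Manager URL in the usage comment are assumptions about the API, not details taken from the module.

```powershell
# Added example, not Alan Renouf's vShield module: a generic REST helper for
# PowerShell v2 built on System.Net.HttpWebRequest, so it needs no
# Invoke-RestMethod. Assumptions: the API accepts HTTP Basic auth and speaks XML.
function Invoke-RestCall {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Uri,

        [ValidateSet('GET', 'PUT', 'POST', 'DELETE')]
        [string]$Method = 'GET',

        [System.Management.Automation.PSCredential]$Credential,

        # Request body for PUT/POST; ignored for GET and DELETE.
        [string]$Body,

        [string]$ContentType = 'application/xml'
    )

    $request = [System.Net.HttpWebRequest]::Create($Uri)
    $request.Method = $Method
    $request.Accept = $ContentType

    if ($Credential) {
        # Credentials go in a Basic header, so this must only ever run over HTTPS.
        $plain = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
        $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($plain))
        $request.Headers.Add('Authorization', "Basic $token")
    }

    if ($Body -and ($Method -eq 'PUT' -or $Method -eq 'POST')) {
        $bytes = [Text.Encoding]::UTF8.GetBytes($Body)
        $request.ContentType = $ContentType
        $request.ContentLength = $bytes.Length
        $stream = $request.GetRequestStream()
        try { $stream.Write($bytes, 0, $bytes.Length) } finally { $stream.Close() }
    }

    try {
        $response = $request.GetResponse()
    }
    catch [System.Net.WebException] {
        # Keep the error response so the caller sees the status (401, 404, ...)
        # and the body instead of a bare exception; rethrow if there is none.
        $response = $_.Exception.Response
        if (-not $response) { throw }
    }

    $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
    try {
        $text   = $reader.ReadToEnd()
        $status = [int]$response.StatusCode
        $isXml  = $response.ContentType -like '*xml*'
    }
    finally { $reader.Close(); $response.Close() }

    $result = New-Object PSObject -Property @{
        StatusCode = $status
        Content    = $text
    }
    # Expose XML bodies as a navigable object so callers can pipe into
    # Select-Object -ExpandProperty, as in the quoted post.
    if ($text -and $isXml) {
        $result | Add-Member NoteProperty Xml ([xml]$text)
    }
    $result
}

# Usage (host name and API path are placeholders, not the real vShield URL):
# $cred = Get-Credential
# $r = Invoke-RestCall -Uri 'https://<vshield-manager>/api/<resource>' -Credential $cred
# $r.StatusCode; $r.Xml
```

A vShield Manager with a self-signed certificate will fail HttpWebRequest's certificate validation; the right fix is to import the manager's certificate into the trusted store on the management workstation, not to disable validation in the helper, since the Basic header carries the administrator password.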

Visa Security Report: List of Common Vulnerabilities

Just a couple of weeks ago Visa released to the public a report on common vulnerabilities found in U.S. small merchants. Not exactly a short list. They could at least have put it in the order of the PCI DSS requirements:

  • SQL injection
  • Misconfigured web applications
  • Lack of segmentation between cardholder data environment
  • No firewall configuration
  • Insecure remote management access
  • Use of RDP/Terminal services on internal network
  • Packet sniffers
  • Keyloggers
  • Backdoors
  • Excessive permissions
  • Use of shared, default credentials or common passwords
  • Administrative accounts not protected
  • Databases not hardened
  • Unauthorized user ability to modify applications (troubleshoot, capture full track data, use risky protocols)
  • Reliance on 3rd party service providers for POS installation and management

The report also details the U.S. Contact/Contactless Acceleration Plan and the 2012 “PCI validation relief for merchants that adopt dual-interface terminals”.

China IE6 Usage Still Over 25%

The end of December 2011 marked a significant milestone for IE6 measurement. The U.S. finally has dropped below 1% usage.

Things are even looking good for bright red China, which still sits over 25% (4% of the world) but has dropped a whopping 10% in under a year.

It is possible that measurement methods may be skewed by proxies and bogus tokens but the more likely story is that China is on a browser support time-line that can’t seem to get past an OS introduction date.

This reminds me of a time years ago when I was called in by a huge software-as-a-service provider and asked how to get SSLv2 through a PCI DSS assessment. “Why would you want to do that?” I asked. “We have a lot of IE6 users” was their reply.

My response was twofold. First, I questioned whether the IE6 and SSLv2 data could be trusted. Browsers can negotiate down to SSLv2, but that does not mean they were incapable of running SSLv3 or better. Perhaps if they dug into the data they would find a different picture and see far less IE6. Second, I recommended posting a warning banner telling any IE6 user to upgrade their browser within a set time-frame, or with a count-down clock. Even something like an orange warning banner would be nice.
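The data check suggested above, as an added example that is not part of the original post: a PowerShell function that reads web server access log lines carrying the protocol the server actually negotiated (Apache's %{SSL_PROTOCOL}x appended after the user-agent field is an assumed log layout) and tallies what browsers identifying as IE6 really negotiated. The log lines are constructed for illustration.

```powershell
# Added example, not from the original post. Assumed log layout: a combined
# access log with the negotiated protocol (%{SSL_PROTOCOL}x) appended after the
# user-agent string. The lines below are constructed sample data.
$sampleLog = @'
10.0.0.1 - - [20/Jan/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" TLSv1
10.0.0.2 - - [20/Jan/2012:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" SSLv2
10.0.0.3 - - [20/Jan/2012:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" SSLv3
10.0.0.4 - - [20/Jan/2012:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0" TLSv1
10.0.0.5 - - [20/Jan/2012:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" TLSv1
'@

function ConvertFrom-AccessLogLine {
    param([string]$Line)
    # The last quoted field is the user agent; the trailing token is the
    # protocol the server actually negotiated for that request.
    if ($Line -match '"(?<ua>[^"]*)"\s+(?<proto>\S+)\s*$') {
        $ua    = $Matches['ua']
        $proto = $Matches['proto']
        New-Object PSObject -Property @{
            Browser  = $(if ($ua -like '*MSIE 6.0*') { 'IE6' } else { 'Other' })
            Protocol = $proto
        }
    }
}

function Measure-Ie6Negotiation {
    param([string[]]$Lines)
    $entries = @($Lines | Where-Object { $_ } | ForEach-Object { ConvertFrom-AccessLogLine $_ })
    $ie6     = @($entries | Where-Object { $_.Browser -eq 'IE6' })
    $sslv2   = @($ie6 | Where-Object { $_.Protocol -eq 'SSLv2' })
    New-Object PSObject -Property @{
        Ie6Requests         = $ie6.Count
        Ie6NegotiatedSSLv2  = $sslv2.Count
        # IE6 user agents that negotiated SSLv3 or TLS lose nothing when SSLv2
        # is disabled: they are banner candidates, not a reason to keep SSLv2.
        Ie6NegotiatedBetter = $ie6.Count - $sslv2.Count
        Ie6ByProtocol       = ($ie6 | Group-Object Protocol | Sort-Object Name |
                                   ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }) -join ', '
    }
}

Measure-Ie6Negotiation ($sampleLog -split "`r?`n") | Format-List
```

Against a real log, replace $sampleLog with Get-Content of the log file. IE6 shipped with SSLv3 enabled, so an IE6 client that negotiates only SSLv2 is the exception worth investigating (a proxy or a deliberately restricted client) rather than the norm, which is the point the SSLv2 numbers alone would hide.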

Their counterpoint was that IE6 came out in 2001, which still was within Microsoft’s threshold of customer support. A little research revealed that Microsoft, despite being forced by government decree to unbundle the browser, never changed its story that IE6 support was inseparable from the operating system life-cycle. Since the OS was still supported, and the browser was bundled “as part of”…

Versions of Internet Explorer 6 that shipped as a part of the operating system or its associated service packs will continue to follow the support lifecycle of the operating system.

That certainly complicated the situation. Windows 2000 (Service Pack 4), for example, was still under extended support until 2010.

Support for Windows 2000 ended on July 13, 2010

Windows XP also shipped with IE6. Rather than get pulled into that complex and political issue of the Microsoft antitrust lawsuit, I scaled back and presented a more focused response.

SSL v2.0 was released in early 1995 but was so horribly flawed and subject to MITM that v3.0 was released by 1996. So they were told to remove v2 not just because it is older than 1996, and not just because the PCI SSC DSS says so, but because it was a long-known risk to their users.

Fortunately, that three-part argument seemed to convince them, and it was then just a matter of creating a redirect and warning for anyone who tried to negotiate only SSLv2. It would have been far more interesting to tackle the problem of IE6, but that was seen as an issue between Microsoft and its users rather than something content providers could drive.

The map above, with a steep drop the year after support officially ended, seems to support that theory.

Lesson learned? Depends on how you look at it. While Microsoft says it is celebrating the decline of IE6, it is also exiting the antitrust agreement with the U.S. Government and going right back to bundling the browser into its OS.

The final remnants of that decree lapsed earlier this year, and now Microsoft is wasting little time in returning to its past strategy: A pre-release version of Windows 8 shows an OS that is deeply intertwined with Internet Explorer 10, with it impossible to uninstall the browser from the OS at this point in Microsoft’s development process.

Perhaps Microsoft is going to push hard to get the Chinese to migrate to Windows 8 so they will record IE 10 usage statistics well into 2022, by which time they can terminate support and campaign for help with a sudden and rapid decline…