Monthly Archives: October 2018

FSSCC releases new tool to streamline compliance efforts

The FSSCC released a new tool that hopes to reduce the number of hours spent answering redundant security control questions. Like the ACAT tool, the new Cybersecurity Profile attempts to determine an institution's risk impact level. The main difference is that the ACAT attempts to define the scale of the risk based on organization size, whereas the Cybersecurity Profile attempts to define the impact of the institution on everyone else. Much like how NERC attempts to establish a utility's impact on the greater grid before applying controls, the FSSCC's Profile modifies some controls based on the impact assessment results.

Uncover credit card numbers with PANHunt

It’s always good to know where random credit card numbers live on your network, even if PCI compliance isn’t a concern for you. Any unencrypted credit card information should be purged from the network to prevent accidental disclosure. I have used grep and Nessus in the past for these audits, but both were lacking in their functionality. Fortunately, I recently stumbled across the PANhunt repo on GitHub.

What is PANHunt?

PANhunt is a Python-based script which scans text files, Office documents, Outlook files, and even ZIP archives for data resembling a credit card number. PANhunt can also be compiled into a Windows executable, making it extremely useful for these types of tests.

Build PANHunt

While there appears to be a pre-built EXE version in the repo, it is out of date relative to the source. I recommend building it using the rough steps below:

Using PANHunt

If you run PANHunt with no options, it appears to scan C:\ for all files you have permission to read. The defaults also scan “text” files and “zip” files, which includes all the major Office formats. It will additionally scan email (.MSG), Outlook (.PST/.OST) and Access (.ACCDB/.MDB) files.

My initial run picked up a few test files under the C:\Python27 folder but nothing valid on the build computer. For a better test, I went to getCreditCardNumbers and copied those numbers into a text file, an Excel file, and possibly a Word file on my computer. The site generates invalid test data that conforms to the expected formats used by Amex, Mastercard, Discover, and Visa. This scan picked up all my test files accurately, but it does seem to generate a false positive on a Chrome log file.

PAN Hunt Report - 11:46:18 02/10/2018
Searched c:\users
Excluded C:\Windows,C:\Program Files,C:\Program Files (x86)
Command: panhunt -s c:\users
Uname: Windows | GOMERS-PC | 10 | 10.0.17134 | AMD64 | Intel64 Family 6 Model 44 Stepping 2, GenuineIntel
Searched 2171 files. Found 52 possible PANs.
FOUND PANs: c:\users\gomer\Desktop\cardnums.txt (401B 02/10/2018)
FOUND PANs: c:\users\gomer\Documents\test-cc-data.xlsx (11KB 02/10/2018)
	xl/sharedStrings.xml AMEX:***********3039
	xl/sharedStrings.xml AMEX:***********7916
	xl/sharedStrings.xml AMEX:***********9168
	xl/sharedStrings.xml AMEX:***********0795
	xl/sharedStrings.xml AMEX:***********3384
	xl/sharedStrings.xml Visa:************0527
	xl/sharedStrings.xml Visa:************1455
	xl/sharedStrings.xml Visa:************4899
	xl/sharedStrings.xml Visa:************6760
	xl/sharedStrings.xml Visa:************5262
	xl/sharedStrings.xml Mastercard:************7492
	xl/sharedStrings.xml Mastercard:************3734
	xl/sharedStrings.xml Mastercard:************8957
	xl/sharedStrings.xml Mastercard:************6043
	xl/sharedStrings.xml Mastercard:************3496
FOUND PANs: c:\users\gomer\Documents\Visa.docx (14KB 02/10/2018)
	word/document.xml AMEX:***********2914
	word/document.xml AMEX:***********5174
	word/document.xml AMEX:***********6675
	word/document.xml AMEX:***********0825
	word/document.xml AMEX:***********1297
	word/document.xml Visa:************5349
	word/document.xml Visa:************7362
	word/document.xml Visa:************7608
	word/document.xml Visa:************3546
	word/document.xml Visa:************8202
	word/document.xml Mastercard:************4025
	word/document.xml Mastercard:************2316
	word/document.xml Mastercard:************9032
	word/document.xml Mastercard:************8105
	word/document.xml Mastercard:************6284
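To make the report above less of a black box, here is a small scanner written for this post as an added example; it is not PANhunt's own code. It applies the same three ideas a PAN hunter relies on: a regex that picks out 15- and 16-digit candidates, a Luhn checksum that throws away most random digit runs (timestamps, log counters), and masking so that only the last four digits ever reach the report. It also opens ZIP-based files and scans their members, which is why the report lists xl/sharedStrings.xml and word/document.xml rather than the .xlsx or .docx itself. The brand patterns are a simplified assumption based on public prefix ranges, and every card number in it is constructed test data, not a real account.

```python
"""Minimal PAN (primary account number) hunter, added as an illustration.

Not PANhunt's code: regex candidates, a Luhn check to drop random digit
runs, masked output, and a descent into ZIP-based Office files.
"""
import io
import re
import zipfile

# Brand shapes, simplified from public prefix ranges (assumption: enough for a demo).
BRANDS = (
    ("AMEX", re.compile(r"^3[47]\d{13}$")),          # 15 digits
    ("Visa", re.compile(r"^4\d{15}$")),              # 16 digits
    ("Mastercard", re.compile(r"^5[1-5]\d{14}$")),   # 16 digits
    ("Discover", re.compile(r"^6011\d{12}$")),       # 16 digits
)
# 15 or 16 digits, optionally grouped with spaces or dashes, not inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_complete(partial: str) -> str:
    """Append the check digit that makes `partial` Luhn-valid (builds test data)."""
    return next(partial + c for c in "0123456789" if luhn_valid(partial + c))


def classify(digits: str):
    """Name the brand whose shape the digit string matches, or None."""
    return next((name for name, pat in BRANDS if pat.match(digits)), None)


def mask(digits: str) -> str:
    """Keep only the last four digits, the way the report above does."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str):
    """Return (brand, masked) for each candidate with a known shape that passes Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = classify(digits)
        if brand and luhn_valid(digits):
            hits.append((brand, mask(digits)))
    return hits


def scan_bytes(name: str, data: bytes):
    """Scan one file's contents. ZIP-based files (.docx/.xlsx/.zip) are opened and
    their text-like members scanned, reported as 'file:member'."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        results = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith((".xml", ".txt", ".csv")):
                    inner = zf.read(member).decode("utf-8", errors="replace")
                    results.extend((f"{name}:{member}", b, m) for b, m in find_pans(inner))
        return results
    text = data.decode("utf-8", errors="replace")
    return [(name, b, m) for b, m in find_pans(text)]


def build_samples():
    """Constructed test data (not real cards): Luhn-completed numbers in three brand
    shapes, one Luhn-invalid Visa-shaped string, and a timestamp-like 16-digit run."""
    amex = luhn_complete("37" + "0" * 12)      # 370000000000002
    visa = luhn_complete("4" + "1" * 14)       # 4111111111111111
    mc = luhn_complete("5" + "1" * 14)         # 5111111111111118
    text = "\n".join([amex, visa, mc, "4111111111111112", "2018100211461802"]).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # a fake .xlsx: only the part that matters
        zf.writestr("xl/sharedStrings.xml", "<sst><si><t>4111 1111 1111 1111</t></si></sst>")
    return {"cardnums.txt": text, "test-cc-data.xlsx": buf.getvalue()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        for where, brand, masked in scan_bytes(name, data):
            print(f"FOUND PANs: {where} {brand}:{masked}")
```

Running it prints one masked line per hit in the same style as the report above; the Luhn-invalid string and the timestamp-like run are silently dropped, which is the whole point of the checksum. To turn this into the equivalent of the -s switch you would feed os.walk over a root directory into scan_bytes and treat any file that fails to open as something to validate by hand rather than as a scan error.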

Scanning the network

With a little ingenuity and the right permissions, you should be able to scan your entire network for any credit card data. But there are some caveats worth mentioning:

Anti-malware programs will probably intercept your new EXE. Symantec gave me a couple of fits before allowing it to run on my computer, and I am unsure how this would impact a network scan. I suspect it trips the same triggers that ransomware would.

You are going to get more false positives scanning a whole PC. Everything from ClickToRun stream files to random log files contains credit-card-like information. Consider using the -s switch to limit your search path.

You can scan mapped network drives and UNC paths, so the entire scan can be run from one machine with the right credentials. Coupling PANHunt with PsExec might be useful as well, but you would need to pull the report back to a central location.

Files will need to be manually validated. I encountered a fair number of false positives due to strings of numbers which contained something PANHunt decided was a credit card number. Use your judgement on this – some files I could eliminate just by their names, but others required me to actually look at the offending file. I also recommend validating files that give you the “Invalid ZIP file” error to determine whether they are password protected, corrupted, or you simply do not have access to them.

One last thing – Put padding down in the spot where you normally bang your head on the desk. You might need it.