Slashdot Mirror

← Back to Stories (view on slashdot.org)

German Health Insurance Card CA Loses Secret Key

Posted by timothy on from the your-replacement-papers-please dept.

Christiane writes "The SSL Root CA responsible for issuing the German digital health insurance card lost its secret private key during a test enrollment. After their Hardware Security Module (HSM) dutifully deleted its crypto keys during a power outage, it was all 'Oops, why is there no backup?' All issued cards must be replaced: 'Gematik spokesman Daniel Poeschkens poured scorn on the statement that Gematik had insisted on the service provider carrying out a test without backing up the root CA private keys. "We did not decide against a back-up service. The fact of the matter is that the service provider took over the running of the test system, so it also has to warrant its continuous operation. How it fulfills this obligation is its own responsibility."'"

13 of 174 comments (clear)

  1. Oh c'mon, be fair! by Opportunist · · Score: 4, Funny

    Not even a month ago you chided them because there were too many copies (some of them even offsite, they just didn't know who had them now), now you chew them out for having too few. Make up your effing mind!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Oh c'mon, be fair! by Vu1turEMaN · · Score: 5, Funny

      My Day 1:

      I actually found the administrator password on a post-it note on the back of the server's CRT monitor while cleaning the server room.

      "Fucking amazing" I said out loud, and as I pulled it off, on the back was the AmEx credit card number, expiration date, and 3digit pin for our organization to order IT stuff.

      Then I noticed on the left underside of the CRT there was another post-it that said Ctrl Shift Alt Num+....so I pressed that and up came a hidden menu of hidden apps running (SysTrayX + a sketchy prog to hide services in TaskManager), 90% of them illegal. Also uTorrent was running, seeding about 50 anime series buried deep within the network and using about half of the T3 connection's throughput.

      And to top it all off, I deduced that the server had never had a fresh install of Windows. It used to have NT Server, then they used software to upgrade it to 2000 Server, and software again to upgrade it to Server 2003. ......

      Day 7:

      I get a call from the old IT guy asking me whats wrong with the connection, and I told him I reinstalled Server 2003, deleted his anime cache, changed the WPA-PSK keys from 1111111111 to something way more secure, reported the AmEx card as stolen to get a new one, changed the admin password and set password age limits on all accounts, and replaced the rootkit infected SCSI drives with new ones that would last longer. Also, I told the managers that his 5000$ quote for network-wide unlimited antivirus was utter bullshit and that he only got a cracked key for Norton 2003 and installed it only on the server, and prolly pocketed the money.

      Damn dude was like "BUT I DIDNT BACK UP THE ANIME TO DVD YET!!!". Now I love anime as much as the next person, but I think he has other stuff to worry about at this point.

      But you know what got me the most mad and prompted all of this? The server was named Odie, and the computers were all garfield characters.

      CALVIN AND HOBBES FTW!!!!

    2. Re:Oh c'mon, be fair! by Vu1turEMaN · · Score: 4, Funny

      Heh...I'm actually just doing a paid internship at a non-profit after their full-time guy left. It was supposed to end on May 1st, but hey I guess they love what I've done.

      Got them a cheap dedicated backup system, updated all the systems and reinstalled an NLite-ed XP on every computer, and moved them from Exchange to Google. Oh, and the lab computers run Ubuntu.

      They also loved it when I found the IT guy's secret paypal business account with 3000$ sitting in it that was supposed to be used for something else (battery backup replacement batteries). Putting passwords in a file on the administrator's desktop called "passwords for everything.txt" is sooooo helpful for when you're trying to be sneaky.

      Seriously, this shit is a soap opera of IT-isms.

  2. NSA/CIA by Anonymous Coward · · Score: 4, Funny

    Maybe they should check with the NSA or CIA? They've got a backdoor into EVERY system, and may still have the key saved on a laptop lying around somewhere.

  3. Re:Wrong Title, Wrong summary by Opportunist · · Score: 5, Funny

    After all, we all know Germans are exact and punctual, Poles are thieves, Russians are drunk and Fins are even more so. Oh, and Mexicans are lazy and US people are simple minded. Any stereotype missing?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Could be worse by bradgoodman · · Score: 4, Insightful

    I'd rather the key be lost, than stolen, hacked, made-public, etc. At least it didn't breach security in the typical manner.

  5. Re:Wrong Title, Wrong summary by MancunianMaskMan · · Score: 4, Informative

    Any stereotype missing?

    yes.

    we British are all of the above.

  6. Re:Wrong Title, Wrong summary by Opportunist · · Score: 5, Funny

    Not only that, they have really weird tastes, too. In food and bed. Sometimes at the same time.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. I'm confused by Candid88 · · Score: 4, Insightful

    card lost its secret private key during a test enrollment

    I'm confused, isn't this sort of problem exactly why you carry out system tests?

    Sending out new cards to card testers during a systems test is hardly extraordinary.

  8. Place blame by ubrgeek · · Score: 4, Funny

    Poeschkens claimed, "I know nothing! noth-thing!" and proceeded to blame the problem on a man he would only identify as "Hogan."

    --
    Bark less. Wag more.
  9. What is "CA"? by T+Murphy · · Score: 5, Funny

    For those of you who are wondering what CA is, it stands for Certificate Authority. You see, the Germans have a hard time functioning without a constant stream of praise, so they have this authority in place that prints and sends certificates to people. Every day thousands of Germans get congratualted for crossing the street, for finding their car keys or for eating their 1000th potato of the month. You know you've walked into a German household when you see the wallpaper of framed certificates.

    The problem here is that the company deleted the certificate-printing program since they thought someone was trying to hack in and print more certificates for themselves- no one is THAT special so they had to stop him. They forgot to have another program ready to print more certificates, so now Germany is under threat of entering a depression since they no longer get certificates telling them how special they are.

    On a serious note: I don't follow this article very well with all the acronyms being spelled out but not explained, and no background knowledge of anything going on here. If someone would care to explain what is going on here to someone that has never heard the term CA, you should get a +5 informative easily.

    --
    My webcomic
    1. Re:What is "CA"? by Ritorix · · Score: 5, Informative

      I will simplify, but basically a CA (Certificate Authority, that much of the parent wasnt a joke) is a server that creates encryption certificates. In this case, SSL certificates. For example, when you goto https://mail.google.com/ that SSL certificate was created by the Thawte SGC CA. Thawte is one of many companies that you can pay to create you an SSL cert, so your users can communicate with your server via https.

      The CA itself also has an encryption key, which is stored on hardware. In some cases its a PCIe board, others its a removable PCMCIA card, etc. This particular CA used an add-on board which lost power during operation, wiping out its only key. The board seems to have been working as intended, preventing attack (removal of board, which would cause power loss) by wiping itself.

      Without that key, the CA can no longer create revocation lists (CRLs, lists of certs a CA has created that have since been revoked or expired) or any new certs. They are dead in the water, also causing every cert they have ever made to become invalid as they can no longer be checked against a recent CRL. They have to start from scratch, recreating every_single_cert.

      This was only a test system, but if this happened in reality 80 million Germans would have invalid health cards. At least they discovered the value of a backup during testing.

  10. Re:Wrong Title, Wrong summary by JaredOfEuropa · · Score: 4, Insightful

    Even so, this line struck me as all too familiar: "The fact of the matter is that the service provider took over the running of the test system, so it also has to warrant its continuous operation. How it fulfills this obligation is its own responsibility."

    This is why managers (especially the MBA types) love outsourcing of everything. It is also in part because numbers and KPIs are so much more easy to manage than actual people. But mainly, by outsourcing a function you also get to outsource the responsibility for that particular function. If things go tits up, the worst you'll be blamed for is picking the wrong service provider, or perhaps not monitoring a particular KPI properly. Minor stuff.

    I've seen plenty of managers like that, and I have heard a variation of that one line all too often.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...