Slashdot Mirror


(Possible) Diginotar Hacker Comes Forward

arglebargle_xiv writes "At the risk of burning people out on the topic of PKI fail, someone claiming to be the Diginotar hacker has come forward to claim responsibility: It's the ComodoGate hacker. He also claims to 0wn four more 'high-profile' CAs, and still has the ability to issue new rogue certificates, presumably from other CAs that he 0wns." Whether this claim turns out to be truthful or not, what led to the breach in the first place? Reader Dr La points to an interim report commissioned by the Dutch government (PDF), according to which "a) No antivirus software was present on Diginotar's servers; b) 'the most critical servers' had malicious software infections; c) The software installed on the public web servers was outdated and not patched; and d) all servers were accessible by one user/password combination, which was 'not very strong and could easily be brute-forced.'"

5 of 215 comments

  1. Fear the mighty script kiddy by jellomizer · · Score: 3, Insightful

    We need to stop giving these "Hackers" such press. Oh, they broke into an insecure system. They must be real Computer Geniuses. There should be far more press about the state of the hacked sites' security, and less on those actual hackers. The hackers are just some dumb kids who did some quick searching around and got some silly tools. The real story is that such organizations have such poor security.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. Honest question: by Haedrian · · Score: 5, Insightful

    How DOES one become a trusted CA? Shouldn't there at least be some sort of procedure to check that they can be trusted?

  3. Re:Weakest link by houstonbofh · · Score: 2, Insightful

    And crap like this is why I don't understand why my browser has to go apeshit over self-signed certs. "Oh My God! You may be at risk because this cert was MADE BY SOMEONE WITH A CLUE!"

  4. Re:Weakest link by drolli · · Score: 3, Insightful

    A good security system is not as weak as the weakest link.

  5. 'Claiming' to be the hacker? by plover · · Score: 5, Insightful

    Hell, if he really hacked it, he'd have signed the message with DigiNotar's key. He's the only person in this whole debacle I'd trust to actually have a clue as to how to really use their certificates.

    --
    John