Another Dutch CA Hacked

← Back to Stories (view on slashdot.org)

Posted by timothy on Thursday December 8, 2011 @02:13AM from the need-more-fingers-in-these-holes dept.

An anonymous reader writes "After the fiasco involving DigiNotar, another Dutch CA (Gemnet, a daughter of KPN-Telecom) has been hacked and databases were accessed, webwereld.nl reports (Dutch original). The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password. The site has been shut down and security checks were ordered."

5 of 152 comments (clear)

Min score:

Reason:

Sort:

Web Admin of the Year by Anonymous Coward · 2011-12-08 02:19 · Score: 5, Insightful

So a CA, holder of the keys for SSL certs, had an externally facing db admin module with no password... Just wow...
1. Re:Web Admin of the Year by John+Hasler · 2011-12-08 07:39 · Score: 3, Insightful
  
  But the biggest question is: why has it taken so long for them to be hacked?
  How do you know it did?
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Nothing wrong with PHPMyAdmin by Anonymous Coward · 2011-12-08 02:26 · Score: 2, Insightful

Why blame the tool? It's like blaming the web browser that the people used to access PHPMyAdmin to access the unsecured database. It's the dits who didn't secure the database that are to blame. Put a password on it and PHPMyAdmin won't be able to get in. Unless there's an exploit I'm not aware of, of course.
Re:Lets play 'Pass The Blame!....' by YeeHaW_Jelte · 2011-12-08 02:40 · Score: 2, Insightful

I haven't worked with PHPMyAdmin for years (luckily) but even having it accessible from public IP adresses is a serious oversight, password or not.

--

---
"The chances of a demonic possession spreading are remote -- relax."
Re:CA System - Has Never Worked As Intended. by ledow · 2011-12-08 02:49 · Score: 4, Insightful

Personally, I now have more faith in the CA system than before.
When a rogue CA was spotted, within days it had was revoked AND ALL ITS CERTIFICATES FAILED, including ones running in government departments, in every major web browser (totally independently).
That's a pretty damn good response, and caused the collapse of the company and a government investigation - because browsers that have NOTHING to do with the CA's or the government unilaterally revoked a CA certificate in their browsers.
The point of the CA system is trust. At some point you have to trust someone. Web of trust is just trusting the majority of public opinion, statistics or some other automated metric. The CA system is trusting particular institutions and browser makers (who, if you don't trust anyway, you wouldn't be doing business with or using their product).
One CA abused that trust and they disappeared from the web overnight. But I still trust my CA. It's like saying that because one hosting company had a website vandal, everyone should just stop using website hosts.
And now it's in the news, every tiny little breach is going to come to light whereas before, unless you followed the OSCP revocations religiously, you'd never have known.
The CA system did exactly what it was designed to do and it worked much better than I would have ever expected. I don't see the Dutch CA failing as a failure of the system - the system worked and continues to work. It's like the Internet - it just routes around damage and carries on (by revoking the trust - which you can do yourself in any browser - in those who are untrustworthy).