Slashdot Mirror


Another Dutch CA Hacked

An anonymous reader writes "After the fiasco involving DigiNotar, another Dutch CA (Gemnet, a daughter of KPN-Telecom) has been hacked and databases were accessed, webwereld.nl reports (Dutch original). The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password. The site has been shut down and security checks were ordered."

25 of 152 comments

  1. Web Admin of the Year by Anonymous Coward · · Score: 5, Insightful

    So a CA, holder of the keys for SSL certs, had an externally facing db admin module with no password... Just wow...

    1. Re:Web Admin of the Year by ledow · · Score: 4, Informative

      Ignoring that - they had internal documents that were accessible from their web/database server. Everything else defies belief too but really wouldn't have mattered that much if it had been ONLY their web db that was accessed.

    2. Re:Web Admin of the Year by michelcolman · · Score: 2

      But the biggest question is: why has it taken so long for them to be hacked? I suppose nobody suspected that they would be that stupid, so nobody bothered to even try? Talk about hiding information in plain view...

    3. Re:Web Admin of the Year by John+Hasler · · Score: 3, Insightful

      But the biggest question is: why has it taken so long for them to be hacked?

      How do you know it did?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  2. jawdrop by v1 · · Score: 5, Interesting

    website was managed using PHP-MyAdmin, and this application allowed database access without a password.

    At what point does this become "criminal negligence"?

    And you'd expect there would be some sort of periodic audit process in place for anyone that manages a root certificate? hippa-style something or other? Or will they just set up any idiots with a CA that have good credit?

    --
    I work for the Department of Redundancy Department.
    1. Re:jawdrop by Afforess · · Score: 3, Interesting

      Actually, you could make the counter claim that the story title is bad.

      After all, it isn't stealing to pick money off the ground, it isn't hacking to visit public web data.

      --
      If our elected representatives no longer represent us, do we still live in a Democracy?
    2. Re:jawdrop by jon3k · · Score: 2

      HIPAA*. It's short for "Health Insurance Portability and Accountability Act". Sorry, pet peeve.

  3. Lets play 'Pass The Blame!....' by EasyTarget · · Score: 4, Informative

    this application allowed database access without a password

    Nope, it doesn't.. not unless configured by a really clueless person, or (this being Holland) by someone who really couldn't give a f**k while being mis-managed by someone determined to spend as little as possible, or hopefully less.

    (disclaimer; I'm a sysadmin who runs, amongst many other things, a MySQL server + PHPmyadmin for my company in the Netherlands, I do it properly but that's only because I care, nobody has ever checked..)

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
    1. Re:Lets play 'Pass The Blame!....' by johnkoer · · Score: 3, Informative

      not unless configured by a really clueless person

      I think that is what was being implied by the summary. When I read it, I didn't assume that that was how PHPmyadmin came out of the box. They probably should have used better wording like "and this application was configured to allow database access without a password", to ensure they got the correct point across.

    2. Re:Lets play 'Pass The Blame!....' by YeeHaW_Jelte · · Score: 2, Insightful

      I haven't worked with PHPMyAdmin for years (luckily) but even having it accessible from public IP addresses is a serious oversight, password or not.

      --
      "The chances of a demonic possession spreading are remote -- relax."
    3. Re:Lets play 'Pass The Blame!....' by Gaygirlie · · Score: 4, Interesting

      At least to my eye it looks like they're trying to lay blame on PHPMyAdmin. Perhaps it's just poor wording but still, that's how it does come out. And well, everyone knows that anything can be made insecure if they're given in incompetent-enough hands.

    4. Re:Lets play 'Pass The Blame!....' by arth1 · · Score: 2

      (disclaimer; I'm a sysadmin who runs, amongst many other things, a MySQL server + PHPmyadmin for my company in the Netherlands, I do it properly but that's only because I care, nobody has ever checked..)

      As a long time sysadmin, it has become my opinion that the way to use tools like phpmyadmin "properly" is not at all.

      I once thought that they might be okay for home use, but have changed my mind on that too - it breeds a generation of "sysadmins" who don't know exactly what they're doing, or why, and in some cases don't even give a fuck about their ignorance. They may then expect the tools at work too, because they have made themselves dependent on them.
      When the undigestables meet the stationary propeller, and they have to investigate what went wrong, they don't know how. When faced with systems where their tools aren't present and can't even be installed, they hit a stumbling block, if not a roadblock.

    5. Re:Lets play 'Pass The Blame!....' by tbannist · · Score: 2

      Your line of reasoning is a little off, you could use the same argument against every labor saving invention in the history of mankind (No spears for you caveman! Lest you forget how to properly kill a deer with your bare hands!). phpMyAdmin is very useful for doing a lot of DB work quickly. I use it practically every day. It's an invaluable tool for developers, for example, who are managing their own local databases and a useful tool for support personnel who can be trusted with some database access but aren't going to learn full SQL and the MySQL CLI interface.

      Sysadmins who don't know exactly what they're doing aren't sysadmins, they're "unqualified applicants", and it's the job of the person doing the hiring to reject them and tell them to go learn what they're doing. Whether that's HR or an individual manager, it's their failure if they're hiring incompetent people.

      --
      Fanatically anti-fanatical
  4. Nothing wrong with PHPMyAdmin by Anonymous Coward · · Score: 2, Insightful

    Why blame the tool? It's like blaming the web browser that the people used to access PHPMyAdmin to access the unsecured database. It's the dits who didn't secure the database that are to blame. Put a password on it and PHPMyAdmin won't be able to get in. Unless there's an exploit I'm not aware of, of course.

    1. Re:Nothing wrong with PHPMyAdmin by ggeens · · Score: 2

      Why blame the tool? It's like blaming the web browser that the people used to access PHPMyAdmin to access the unsecured database.

      AFAIK, PHPMyAdmin doesn't have its own security. The user/password is passed to the MySQL server. If they were able to create databases without a password, it would seem that MySQL was installed without a password for the mysql admin user. During installation, MySQL asks to set a root password. A long time ago, this was not the case.

      This would seem that they had a very old MySQL setup and they never changed the password.

      --
      WWTTD?
  5. Err, wow - just wow. by Penguinisto · · Score: 2

    "The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password."

    I honestly don't know what to say. I mean, doing something like this on an internal network would be bone-headed enough, but doing it on an external-facing box? Under conditions where you would think security is paramount? I mean, you have to actually install and set up PHP MyAdmin - that shit isn't on by default.

    But, the fault lies elsewhere as well. After all, who the fuck was supposed to be doing the compliance audits, pen-testing, network security, firewall security? You always hire a reputable outside person/company to do those things.

    I honestly think the corp got what it deserved at this point... though the victim customers certainly don't deserve what they're about to get (a scramble for new certs, integrity checking, etc).

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Err, wow - just wow. by Pieroxy · · Score: 2

      Under conditions where you would think security is paramount?

      And this is why you don't know what to say. Security is not paramount. Net revenue is. And security costs money.

  6. CA System - Has Never Worked As Intended. by VortexCortex · · Score: 3, Funny

    So, any CA can create a cert for any site (or even EVERY site via *.* -- WHO THOUGHT THIS WAS A GOOD IDEA?!). This means EVERY SINGLE CA must remain 100% secure all the time in order for us to be able to trust the CA system.

    Now, this was pointed out from the beginning. "There is not a single point of failure -- No! There are MANY points of failure, any of which means a complete breakdown!"

    A web of trust is the only real competing system, and still here we are, not even trying that out on a large scale. Say what you will, but know that all trust tree hierarchies are doomed to fail.

    Come at me CA apologists. All your certs aren't belong to you.

    1. Re:CA System - Has Never Worked As Intended. by ledow · · Score: 4, Insightful

      Personally, I now have more faith in the CA system than before.

      When a rogue CA was spotted, within days it was revoked AND ALL ITS CERTIFICATES FAILED, including ones running in government departments, in every major web browser (totally independently).

      That's a pretty damn good response, and caused the collapse of the company and a government investigation - because browsers that have NOTHING to do with the CA's or the government unilaterally revoked a CA certificate in their browsers.

      The point of the CA system is trust. At some point you have to trust someone. Web of trust is just trusting the majority of public opinion, statistics or some other automated metric. The CA system is trusting particular institutions and browser makers (who, if you don't trust anyway, you wouldn't be doing business with or using their product).

      One CA abused that trust and they disappeared from the web overnight. But I still trust my CA. It's like saying that because one hosting company had a website vandal, everyone should just stop using website hosts.

      And now it's in the news, every tiny little breach is going to come to light whereas before, unless you followed the OCSP revocations religiously, you'd never have known.

      The CA system did exactly what it was designed to do and it worked much better than I would have ever expected. I don't see the Dutch CA failing as a failure of the system - the system worked and continues to work. It's like the Internet - it just routes around damage and carries on (by revoking the trust - which you can do yourself in any browser - in those who are untrustworthy).

  7. Summary is misleading by Barefoot+Monkey · · Score: 4, Informative

    The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password.

    That's a bit misleading. From what I gather the hack was possible because the database was configured to allow access without a password. Considering that, whether or not PHPMyAdmin is appropriate is a tiny matter by comparison. The summary makes it sound like PHPMyAdmin is to blame.

  8. Damn by MadKeithV · · Score: 2

    And here I thought the Dutch would have the national pride not to make their network security like Swiss Cheese.

  9. Ca subject name? by qha · · Score: 4, Interesting

    So the first question I expected t.f.a. to answer:

    What is the subject name of this Ca so I can remove it from my list of "trusted" Cas?

    1. Re:Ca subject name? by qha · · Score: 2

      Ok, so this Ca is already not included in Debian?

      I can't find anything about it in the changelog for the ca-certificates package.

  10. Starting to feel like Uplink... by dragonhunter21 · · Score: 2

    I'm kinda getting an Uplink vibe here, with all these "X was hacked" "Another X was hacked, the government is taking it very seriously" on and on and on.

    --
    Sent from my CR-48
  11. Re:PHP-MyAdmin is a major source of vulnerabilitie by TheSpoom · · Score: 2

    FFS, if you're depending on phpMyAdmin for your database security, you're doing it wrong. If phpMyAdmin, out of the box, can access your MySQL server, it means you haven't given a password to the root user on MySQL. Which means anyone that can connect to your MySQL server at all has full access.

    Unless set up in a very specific way, all phpMyAdmin does is pass along your authentication information to MySQL.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
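
Added example (not part of the Slashdot thread and not phpMyAdmin's own code): several comments above point out that phpMyAdmin passes credentials through to MySQL, so passwordless access comes from how it and the database were configured. This Python script audits a phpMyAdmin `config.inc.php` for the settings that permit it; the sample configs and finding names are constructed, and treating a missing `auth_type` as `cookie` is an assumption.

```python
import re

# Matches e.g.  $cfg['Servers'][$i]['auth_type'] = 'config';
SETTING = re.compile(
    r"""\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*('[^']*'|"[^"]*"|\w+)\s*;""")

def parse_servers(text):
    """Return one dict of settings per `$i++;` server block."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("//", "#", "/*", "*")):
            continue                       # skip comment lines
        if re.match(r"\$i\s*\+\+\s*;", line):
            servers.append({})             # a new server definition starts
        elif servers and (m := SETTING.search(line)):
            servers[-1][m.group(1)] = m.group(2).strip("'\"")
    return servers

def audit(text):
    """Return (server_number, finding) pairs for passwordless-access risks."""
    findings = []
    for n, srv in enumerate(parse_servers(text), start=1):
        # Assumption: a missing auth_type is treated as 'cookie' (login form).
        if srv.get("auth_type", "cookie") == "config":
            # Credentials live in the file: every visitor is logged in as that user.
            findings.append((n, "stored-credentials"))
            if srv.get("password", "") == "":
                findings.append((n, "empty-stored-password"))
        if srv.get("AllowNoPassword", "false").lower() == "true":
            # Accounts with an empty MySQL password may log in through the UI.
            findings.append((n, "allow-no-password"))
    return findings

# Constructed sample configs, not taken from the incident.
WEAK = r"""
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""
HARDENED = r"""
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
"""
if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

A clean result here only covers the phpMyAdmin side; the MySQL accounts themselves still need passwords, and the admin interface should not be reachable from public addresses.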