Another Dutch CA Hacked

An anonymous reader writes "After the fiasco involving DigiNotar, another Dutch CA (Gemnet, a daughter of KPN-Telecom) has been hacked and databases were accessed, webwereld.nl reports (Dutch original). The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password. The site has been shut down and security checks were ordered."

Web Admin of the Year

So a CA, holder of the keys for SSL certs, had an externally facing db admin module with no password... Just wow...

Re:Web Admin of the Year

[ledow]

Ignoring that - they had internal documents that were accessible from their web/database server. Everything else defies belief too but really wouldn't have mattered that much if it had been ONLY their web db that was accessed.

Re:Web Admin of the Year

[John+Hasler]

But the biggest question is: why has it taken so long for them to be hacked?

How do you know it did?

jawdrop

[v1]

website was managed using PHP-MyAdmin, and this application allowed database access without a password.

At what point does this become "criminal negligence"?

And you'd expect there would be some sort of periodic audit process in place for anyone that manages a root certificate? hippa-style something or other? Or will they just set up any idiots with a CA that have good credit?

Re:jawdrop

[Afforess]

Actually, you could make the counter claim that the story title is bad.

After all, it isn't stealing to pick money off the ground, it isn't hacking to visit public web data.

Lets play 'Pass The Blame!....'

[EasyTarget]

this application allowed database access without a password

Nope, it doesn't.. not unless configured by a really clueless person, or (this being Holland) by someone who really couldn't give a f**k while being mis-managed by someone determined to spend as little as possible, or hopefully less.

(disclaimer; I'm a sysadmin who runs, amongst many other things, a MySQL server + PHPmyadmin for my company in the Netherlands, I do it properly but that's only because I care, nobody has ever checked..)

Re:Lets play 'Pass The Blame!....'

[johnkoer]

not unless configured by a really clueless person

I think that is what was being implied by the summary. When I read it, I didn't assume that that was how PHPmyadmin came out of the box. They probably should have used better wording like "nd this application was configured to allow database access without a password", to ensure they got the correct point across.

Re:Lets play 'Pass The Blame!....'

[Gaygirlie]

Atleast to my eye it looks like they're trying to lay blame on PHPMyAdmin. Perhaps it's just poor wording but still, that's how it does come out. And well, everyone knows that anything can be made insecure if they're given in incompetent-enough hands.

CA System - Has Never Worked As Intended.

[VortexCortex]

So, any CA can create a cert for any site (or even EVERY site via *.* -- WHO THOUGHT THIS WAS A GOOD IDEA?!). This means EVERY SINGLE CA must remain 100% secure all the time in order for us to be able to trust the CA system.

Now, this was pointed out from the beginning. "There is not a single point of failure -- No! There are MANY points of failure, any of which means a complete breakdown!"

A web of trust is the only real competing system, and still here we are, not even trying that out on a large scale. Say what you will, but know that all trust tree hierarchies are doomed to fail.

Come at me CA apologists. All your certs aren't belong to you.

Re:CA System - Has Never Worked As Intended.

[ledow]

Personally, I now have more faith in the CA system than before.

When a rogue CA was spotted, within days it had was revoked AND ALL ITS CERTIFICATES FAILED, including ones running in government departments, in every major web browser (totally independently).

That's a pretty damn good response, and caused the collapse of the company and a government investigation - because browsers that have NOTHING to do with the CA's or the government unilaterally revoked a CA certificate in their browsers.

The point of the CA system is trust. At some point you have to trust someone. Web of trust is just trusting the majority of public opinion, statistics or some other automated metric. The CA system is trusting particular institutions and browser makers (who, if you don't trust anyway, you wouldn't be doing business with or using their product).

One CA abused that trust and they disappeared from the web overnight. But I still trust my CA. It's like saying that because one hosting company had a website vandal, everyone should just stop using website hosts.

And now it's in the news, every tiny little breach is going to come to light whereas before, unless you followed the OSCP revocations religiously, you'd never have known.

The CA system did exactly what it was designed to do and it worked much better than I would have ever expected. I don't see the Dutch CA failing as a failure of the system - the system worked and continues to work. It's like the Internet - it just routes around damage and carries on (by revoking the trust - which you can do yourself in any browser - in those who are untrustworthy).

Summary is misleading

[Barefoot+Monkey]

The hack was possible because the website was managed using PHP-MyAdmin, and this application allowed database access without a password.

That's a bit misleading. From what I gather the hack was possible because the database was configured to allow access without a password. Considering that, whether or not PHPMyAdmin is appropriate is a tiny matter by comparison. The summary makes it sound like PHPMyAdmin is to blame.

Ca subject name?

[qha]

So the first question I expected t.f.a. to answer:

What is the subject name of this Ca so I can remove it from my list of "trusted" Cas?