Slashdot Mirror


Dutch DigiNotar Servers Were Fully Hacked

ChristW writes "The final report that was handed to the Dutch government today indicates that all 8 certificate servers of the Dutch company DigiNotar were fully hacked. (Report PDF in English.) Because the access log files were stored on the same servers, they cannot be used to find any evidence for or against intrusion. In fact, blatant falsification has been found in those log files. A series of so-far unused certificates has also been found. It is unknown if and where these certificates have been used."

3 of 83 comments

  1. Re:FULLY hacked? by fuzzyfuzzyfungus · Score: 5, Informative

    It's always a dangerous assumption to make; but architecturally the concept of 'partially hacked' isn't terribly nonsensical. Consider the enormous number of web server setups where OS-level credentials and web application authentication are entirely different things. It happens all the time that kiddies will crack the web component and scribble all over your php forum or CMS or whatnot; but without ever gaining access to the OS.

    You really don't want to work on the assumption that 'eh, I'm sure we were only partially hacked, no need to reinstall the OS'; but it may well often be true.

  2. Re:FULLY hacked? by dutchwhizzman · Score: 4, Informative

    4 out of 8 CA servers were proven to be tampered with and the hacker got Admin and/or SYSTEM privileges. The only thing he didn't get away with were the actual private keys, since those were stored in hardware that did the actual signing. If DigiNotar had scheduled the signing to a specific time of day and removed the smartcards from the readers for those CAs, he wouldn't even have been able to get his rogue certificates signed. The other 4 servers weren't interesting for the hacker and my interpretation is that he mainly used the CA server that could sign "web site certificates" for MITM purposes. I'd say that qualifies as "fully hacked" as opposed to, for instance, a single web server where a single web service was not completely secure, so he could manipulate it into signing requests. He got through 3 layers of (obviously lacking) security before he got to the CA servers themselves. Layer 1 was web servers, layer 2 was the office network and layer 3 was the CA servers themselves. He used stacked tunnels to get through firewalls between network segments and used public webservers he already owned as a file drop. Out of over 250 investigated machines, he got access on all significant ones in the certificate, web hosting and logging processes, but the actual hardware containing the private keys. In summary, I'd say fully hacked is an accurate description.

    --
    I was promised a flying car. Where is my flying car?

  3. Re:Falsified Logs! by rve · Score: 3, Informative

    Quick and dirty: cron jobs that wipe the history file every minute.

    I thought of that in about 5 seconds.

    The more canonical solution is rm ~/.bash_history && ln -s /dev/null ~/.bash_history
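The summary's point that logs kept on the compromised servers could not be trusted, and the history-wiping trick in the third comment, both come down to log integrity. As an added example (not from the report or from any commenter), the Python below implements a forward-secure hash chain over log lines: each line is tagged under a key that is evolved one-way and discarded after use, so a verifier holding only the initial key (kept off the logged host) can detect any edit or deletion of earlier entries. The log lines and the key value are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample lines standing in for a CA server's access log (not DigiNotar data).
SAMPLE_LOG = [
    "2011-06-17 10:15:02 login admin from 10.0.0.5",
    "2011-06-17 10:16:40 issue-cert CN=example.test",
    "2011-06-17 10:17:11 logout admin",
]
# Hypothetical initial key: shared once with the off-host verifier, never kept on the host.
INITIAL_KEY = b"demo-initial-key-kept-off-host"
GENESIS = b"\x00" * 32  # previous-tag value for the very first entry


def _next_key(key: bytes) -> bytes:
    # One-way key evolution. The logging host deletes the old key after each entry,
    # so an intruder who lands later cannot recompute tags for earlier entries.
    return hashlib.sha256(b"evolve" + key).digest()


def chain_log(lines, key=INITIAL_KEY):
    """Host side: tag every line with HMAC over (previous tag || line) under the current key."""
    prev, entries = GENESIS, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        entries.append((line, tag.hex()))
        prev, key = tag, _next_key(key)
    return entries


def verify_chain(entries, key=INITIAL_KEY):
    """Verifier side (holds INITIAL_KEY): index of the first bad entry, or -1 if the chain is intact.
    Caveat: truncating the tail, or forging entries after the compromise with the
    then-current key, is not caught by the chain alone; a periodic checkpoint of the
    entry count and latest tag sent off-host closes that gap."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(entries):
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag.hex(), tag_hex):
            return i
        prev, key = tag, _next_key(key)
    return -1


def demo():
    """Intact chain, one edited entry, one deleted entry: returns (-1, 1, 1)."""
    entries = chain_log(SAMPLE_LOG)
    edited = list(entries)
    edited[1] = ("2011-06-17 10:16:40 issue-cert CN=harmless.test", entries[1][1])
    deleted = entries[:1] + entries[2:]
    return verify_chain(entries), verify_chain(edited), verify_chain(deleted)
```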