Dutch DigiNotar Servers Were Fully Hacked

ChristW writes "The final report that was handed to the Dutch government today indicates that all 8 certificate servers of the Dutch company DigiNotar were fully hacked. (Report PDF in English.) Because the access log files were stored on the same servers, they cannot be used to find any evidence for or against intrusion. In fact, blatant falsification has been found in those log files. A series of so-far unused certificates has also been found. It is unknown if and where these certificates have been used."

14 of 83 comments

  1. Falsified Logs! by Beardydog · Score: 2

    Color me impressed. Log_Modifier may not fill many gigaquads, but it sure ain't free.

    1. Re:Falsified Logs! by rwa2 · Score: 3, Interesting

      In other news, it sounds like someone is going to be setting up an authlog blackhole in the near future...

      Did they check their .bash_history? The silly script kiddie that got into my RH4 box back in the 90s forgot to clean his traces there. I mean, he bothered to run "history -c", but it didn't actually stop his session from dumping everything there again after he logged out.

    2. Re:Falsified Logs! by rve · Score: 3, Informative

      Quick and dirty: cron jobs that wipe the history file every minute.

      I thought of that in about 5 seconds.

      The more canonical solution is rm ~/.bash_history && ln -s /dev/null ~/.bash_history
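
The two replies above describe the shell-history evasion an intruder may leave behind: a history file symlinked to /dev/null, or a cron job that wipes it. The following is an added example (not from the thread): an auditor's POSIX shell check that flags a missing, empty or symlinked .bash_history and any crontab or shell rc file that touches history settings. The home directories, crontab paths and the two accounts in the demo are constructed sandbox data, not real systems.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): defender-side audit for the
# history-evasion tricks described in the comments. Paths are caller-supplied,
# so the demo below runs against a constructed sandbox, not real accounts.

# check_history_file HOME_DIR -> 0 if HOME_DIR/.bash_history looks normal,
# 1 (with a FINDING line) if it is a symlink, missing, or empty.
check_history_file() {
    hist="$1/.bash_history"
    if [ -L "$hist" ]; then
        echo "FINDING: $hist is a symlink -> $(readlink "$hist")"
        return 1
    elif [ ! -e "$hist" ]; then
        echo "FINDING: $hist does not exist"
        return 1
    elif [ ! -s "$hist" ]; then
        echo "FINDING: $hist is empty"
        return 1
    fi
    echo "OK: $hist"
    return 0
}

# scan_for_history_evasion FILE -> 0 if FILE (a crontab, .bashrc, .profile ...)
# never mentions shell history; 1 (with the offending lines) if it does.
# A missing FILE counts as clean (grep -s suppresses the error).
scan_for_history_evasion() {
    pattern='bash_history|HISTFILE|HISTSIZE=0|HISTFILESIZE=0|history -c'
    if grep -Eqs "$pattern" "$1"; then
        echo "FINDING: $1 manipulates shell history:"
        grep -En "$pattern" "$1" | sed 's/^/    /'
        return 1
    fi
    return 0
}

# Demo on two constructed accounts: "alice" is clean, "mallory" uses both tricks.
sandbox=$(mktemp -d)
mkdir "$sandbox/alice" "$sandbox/mallory"
printf 'ls -la\nless /var/log/auth.log\n' > "$sandbox/alice/.bash_history"
printf '0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf\n' > "$sandbox/alice.cron"
ln -s /dev/null "$sandbox/mallory/.bash_history"
printf '* * * * * rm -f ~/.bash_history\n' > "$sandbox/mallory.cron"
for user in alice mallory; do
    check_history_file "$sandbox/$user"
    scan_for_history_evasion "$sandbox/$user.cron"
done
rm -rf "$sandbox"
```

In practice this check is only a tripwire: an intruder with root can also edit the audit script, which is the same lesson the story draws about logs kept on the compromised host. Run it from a separate machine over a read-only mount, or ship its output off-box, and treat any FINDING as a reason to rebuild rather than to trust the remaining history.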

  2. Nothing to see here... by Anonymous Coward · Score: 3, Funny

    This hack never happened.

    - Signed: DigiNotar

  3. Who's to blame? (hint) by ntropia · Score: 2, Insightful

    You know, for a server, being violated is always a matter of probability, same story as with hardware failures ("when", not "if"). One of the variables in this equation is how "interesting" your server could be. And a server releasing certificates is quite "interesting", if you ask me. So if you keep the logs of such an important server on the machine itself, there isn't much to say: the administrators of such a server are incompetent.

    1. Re:Who's to blame? (hint) by fluor2 · Score: 2

      It's not fair to blame the administrators. You should blame the people who hired them.

    2. Re:Who's to blame? (hint) by rahvin112 · Score: 2

      Yes, because those people are likely the ones that said "We are not buying another machine for log data" or said "we can't afford segregated network segments and secure communication to protect the signing servers". In my experience you can usually trace failures like this back to an unwillingness to spend money, not necessarily blatant incompetence.

      It's just as likely that the management prevented proper security as it is that the IT staff were morons.

    3. Re:Who's to blame? (hint) by Opportunist · Score: 2

      No, blame the person writing the specs and requirements. Because the admin can't do JACK if his CISO is a dick.

      Blunders like this ain't an admin's fault. This isn't some config switch set improperly or a port in the firewall left unguarded. It's a fault in the security paradigm and the security strategy of the company. This is NOT an administrator's fault. In companies of a certain size (and I guess DigiNotar would be one) the average admin doesn't even have the information to make a decision like that. A watchful admin might notice it, he might even mention it "upstairs", but he cannot DO anything about it if it doesn't get green lighted from above.

      Don't blame the techs for management errors. And this, bluntly, is one.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  4. Bloody n00bs... by fuzzyfuzzyfungus · Score: 3, Insightful

    You would think that a company playing at something mildly important (like, oh, being a CA for the Dutch government...) could, at the very least, do basic things like store logs on WORM tape... Yes, those are overpriced compared to the normal ones; but they aren't that expensive.
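
The summary notes that DigiNotar's access logs lived on the compromised servers and had been falsified, and the comment above proposes write-once media as the remedy. The following is an added example (not from the thread and not DigiNotar's or anyone's production code) showing the property that makes off-box or WORM storage useful: a minimal hash-chained log in POSIX shell, where each record commits to the one before it and only the latest hash has to be copied somewhere the host cannot reach. The log file name, the log messages and the demo's hosts are constructed sample data.

```shell
#!/bin/sh
# Added example (not part of the thread): a hash-chained append-only log.
# Each record is "<hash>\t<message>" with hash = SHA-256(prev_hash || message),
# so editing, deleting or reordering any earlier record breaks every later link.
# The newest hash (the "head") is meant to be copied off-box or to WORM media,
# which is what lets the on-box file be checked after a compromise.

tab=$(printf '\t')

sha256_hex() {
    # coreutils sha256sum on Linux, shasum on BSD/macOS; reads stdin.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# log_append LOGFILE MESSAGE -> appends one chained record and prints its hash.
log_append() {
    logfile="$1"; msg="$2"
    prev=$(tail -n 1 "$logfile" 2>/dev/null | cut -f1)
    [ -n "$prev" ] || prev=$(printf '' | sha256_hex)   # genesis: hash of ""
    h=$(printf '%s%s' "$prev" "$msg" | sha256_hex)
    printf '%s\t%s\n' "$h" "$msg" >> "$logfile"
    printf '%s\n' "$h"
}

# log_verify LOGFILE [EXPECTED_HEAD] -> 0 if every link checks out (and the
# final hash equals EXPECTED_HEAD when one is given); 1 naming the first bad line.
log_verify() {
    logfile="$1"; expected="$2"
    prev=$(printf '' | sha256_hex)
    n=0
    while IFS="$tab" read -r h msg; do
        n=$((n + 1))
        want=$(printf '%s%s' "$prev" "$msg" | sha256_hex)
        if [ "$h" != "$want" ]; then
            echo "TAMPERED: record $n does not chain to record $((n - 1))" >&2
            return 1
        fi
        prev="$h"
    done < "$logfile"
    if [ -n "$expected" ] && [ "$prev" != "$expected" ]; then
        echo "TAMPERED: head $prev differs from off-box copy (tail rewritten or truncated?)" >&2
        return 1
    fi
    return 0
}

# Demo on constructed records in a temp dir; the head is what you would ship off-box.
d=$(mktemp -d); log="$d/access.log"
log_append "$log" "login admin from 192.0.2.10" >/dev/null
log_append "$log" "certificate issued CN=example.test" >/dev/null
head_hash=$(log_append "$log" "logout admin")
log_verify "$log" "$head_hash" && echo "chain intact"
# Simulate on-box falsification: rewrite the text of record 2 in place.
awk 'NR==2{sub("example.test","other.test")}1' "$log" > "$log.tmp" && mv "$log.tmp" "$log"
log_verify "$log" "$head_hash" || echo "falsification detected"
rm -rf "$d"
```

The design choice to note: an intruder with full control of the host can recompute the entire chain, so the chain alone proves nothing; it only becomes evidence once the head lives on another machine or write-once medium the intruder cannot alter, which is exactly what keeping the logs on the same servers forfeited. Real deployments use a keyed MAC or forward-secure scheme and remote syslog rather than this bare SHA-256 chain.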

    1. Re:Bloody n00bs... by Anonymous Coward · Score: 3, Insightful

      WORMs cost money... so does all security... I'm sure the contract was awarded to the lowest bidder.

    2. Re:Bloody n00bs... by Opportunist · Score: 3, Insightful

      *sigh* Most likely, yeah.

      Security is the stepchild of IT. They don't produce. Ok, so does a lot of IT, but at least with the rest of IT, management can somehow hope that eventually they can fire a couple of people. With ITSEC, no such luck. They don't streamline production (worse, they often bog it down), they don't make people redundant, in fact, they make more people necessary. Plus, those pesky, nosy security geeks keep peeking into every computer and might find out that the boss is surfing on pages containing gay llama porn.

      It's sad but true: if you see two people sitting at a huge table in the crowded cafeteria and nobody wants to join them, and they're not talking with each other either, you know where security and controlling are.

      But unlike controlling, it's pretty hard to make your boss understand the dangers of a security breach in IT.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  5. FULLY hacked? by ilsaloving · Score: 4, Funny

    As opposed to, what, partially hacked?

    Isn't that like being almost pregnant?

    1. Re:FULLY hacked? by fuzzyfuzzyfungus · Score: 5, Informative

      It's always a dangerous assumption to make; but architecturally the concept of 'partially hacked' isn't terribly nonsensical. Consider the enormous number of web server setups where OS-level credentials and web application authentication are entirely different things. It happens all the time that kiddies will crack the web component and scribble all over your php forum or CMS or whatnot; but without ever gaining access to the OS.

      You really don't want to work on the assumption that 'eh, I'm sure we were only partially hacked, no need to reinstall the OS'; but it may well often be true.

    2. Re:FULLY hacked? by dutchwhizzman · Score: 4, Informative

      4 out of 8 CA servers were proven to be tampered with, and the hacker got Admin and/or SYSTEM privileges. The only thing he didn't get away with were the actual private keys, since those were stored in hardware that did the actual signing. If DigiNotar had scheduled the signing to a specific time of day and removed the smartcards from the readers for those CAs, he wouldn't even have been able to get his rogue certificates signed. The other 4 servers weren't interesting for the hacker, and my interpretation is that he mainly used the CA server that could sign "web site certificates" for MITM purposes. I'd say that qualifies as "fully hacked" as opposed to, for instance, a single web server where a single web service was not completely secure, so he could manipulate it into signing requests. He got through 3 layers of (obviously lacking) security before he got to the CA servers themselves. Layer 1 was the web servers, layer 2 was the office network and layer 3 was the CA servers themselves. He used stacked tunnels to get through firewalls between network segments and used public web servers he already owned as a file drop. Out of over 250 investigated machines, he got access on all significant ones in the certificate, web hosting and logging processes, but not the actual hardware containing the private keys. In summary, I'd say fully hacked is an accurate description.

      --
      I was promised a flying car. Where is my flying car?