Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dutch DigiNotar Servers Were Fully Hacked

Posted by Soulskill on from the they-don't-fool-around dept.

ChristW writes "The final report that was handed to the Dutch government today indicates that all 8 certificate servers of the Dutch company DigiNotar were fully hacked. (Report PDF in English.) Because the access log files were stored on the same servers, they cannot be used to find any evidence for or against intrusion. In fact, blatant falsification has been found in those log files. A series of so-far unused certificates has also been found. It is unknown if and where these certificates have been used."

9 of 83 comments (clear)

  1. Nothing to see here... by Anonymous Coward · · Score: 3, Funny

    This hack never happened.

    - Signed: DigiNotar

  2. Bloody n00bs... by fuzzyfuzzyfungus · · Score: 3, Insightful

    You would think that a company playing at something mildly important(like, oh being a CA for the Dutch government...) could, at very least, do basic things like store logs on WORM tape... Yes, those are overpriced compared to the normal ones; but they aren't that expensive.

    1. Re:Bloody n00bs... by Anonymous Coward · · Score: 3, Insightful

      WORMs cost money... so does all security... I'm sure the contract was awarded to the lowest bidder.

    2. Re:Bloody n00bs... by Opportunist · · Score: 3, Insightful

      *sigh* Most likely, yeah.

      Security is the stepchild of IT. They don't produce. Ok, so does a lot of IT, but at least with the rest of IT, management can somehow hope that eventually they can fire a couple of people. With ITSEC, no such luck. They don't streamline production (worse, they often bog it down), they don't make people redundant, in fact, they make more people necessary. Plus, those pesky, nosey security geeks keep peeking into every computer and might find out that the boss is surfing on pages containing gay llama porn.

      It's sad but true, if you see two people sitting on a huge table in the crowded cafeteria and nobody wants to join them, and they're not talking with each other either, you know where security and controlling are.

      But unlike controlling, it's pretty hard to make your boss understand the dangers of a security breach in IT.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. FULLY hacked? by ilsaloving · · Score: 4, Funny

    As opposed to, what, partially hacked?

    Isn't that like being almost pregnant?

    1. Re:FULLY hacked? by fuzzyfuzzyfungus · · Score: 5, Informative

      It's always a dangerous assumption to make; but architecturally the concept of 'partially hacked' isn't terribly nonsensical. Consider the enormous number of web server setups where OS-level credentials and web application authentication are entirely different things. It happens all the time that kiddies will crack the web component and scribble all over your php forum or CMS or whatnot; but without ever gaining access to the OS.

      You really don't want to work on the assumption that 'eh, I'm sure we were only partially hacked, no need to reinstall the OS'; but it may well often be true.

    2. Re:FULLY hacked? by dutchwhizzman · · Score: 4, Informative

      4 out of 8 CA servers were proven to be tampered with and the hacker got Admin and/or SYSTEM privileges. The only thing he didn't get away with were the actual private keys, since those were stored in hardware that did the actual signing. If Diginotar would have scheduled the signing to a specific time of day and removed the smartcards from the readers for those CAs, he wouldn't even have been able to get his rogue certificates signed. The other 4 servers weren't interesting for the hacker and my interpretation is that he mainly used the CA server that could sign "web site certificates" for MITM purposes. I'd say that qualifies as "fully hacked" as opposed to for instance a single web server where a single web service was not completely secure, so he could manipulate it into signing requests. He got through 3 layers of (obviously lacking) security before he got to the CA servers themselves. Layer 1 was web servers, layer 2 was the office network and layer 3 were the CA servers themselves. He used stacked tunnels to get through firewalls between network segments and used public webservers he already owned as file drop. Out of over 250 investigated machines, he got access on all significant ones in the certificate, web hosting and logging processes, but the actual hardware containing the private keys. In summary, I'd say fully hacked is an accurate description.

      --
      I was promised a flying car. Where is my flying car?
  4. Re:Falsified Logs! by rwa2 · · Score: 3, Interesting

    In other news, it sounds like someone is going to be setting up an authlog blackhole in the near future...

    Did they check their .bash_history ? The silly script kiddie that got into my RH4 box back in the 90s forgot to clean his traces there. I mean, he bothered to run "history -c " , but it didn't actually stop his session from dumping everything there again after he logged out.

  5. Re:Falsified Logs! by rve · · Score: 3, Informative

    quick and dirty: cron jobs that wipe the history file every minute.

    I thought of that in about 5 seconds.

    The more canonical solution is rm ~/.bash_history && ln -s /dev/null ~/.bash_history