Second Dutch security firm hacked, unsecured phpMyAdmin implicated


Dutch news site webwereld is reporting that another Dutch security company, Gemnet, has been compromised, although it does not appear to have affected certificate issuance.

Gemnet appears to provide security consulting and authentication technologies to nearly all parts of the Dutch government including the Ministry of Security and Justice, Bank of Dutch Municipalities and the police.

The hack appears to have started when someone discovered a publicly accessible instance of phpMyAdmin without a password. phpMyAdmin is a web interface for managing SQL databases that should not be facing the open internet, password required or not.

By manipulating the databases the attacker was allegedly able to gain control over the system and all of the documents contained on it. The parent company, KPN, insists the documents contained on the server were all publicly available.

webwereld reports that the hacker claims to have accessed non-public documents that outlined the secure communication networks and procedures for communication between KPN and governments and customers.

Gemnet CSP, KPN's certificate authority division, has also suspended access to their website. While KPN believes that Gemnet CSP has not been compromised, it would appear they are taking precautions while they investigate the incident.

The attacker reportedly was able to obtain the password (braTica4) used for administrative tasks on the server as well. This could be the reason KPN has suspended Gemnet CSP's certificate signing operations while they investigate.

As with the attack on Dutch certificate authority DigiNotar, the attacker claims there is evidence of previous hacks against the server before he gained access.

To date it would appear 2011 is going to be the year of the data breach. Organizations seemingly have not learned from the news headlines impacting others in their sectors, including RSA, Sony, DigiNotar and others.

If the information shared with webwereld by this attacker is true, even the most basic of penetration tests would have discovered major problems with their implementation.

It is critical that organizations with public-facing internet services regularly audit what services are available, rotate passwords for critical systems and regularly test their web applications for SQL and other vulnerabilities.
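As an added example (not from the original article or from the phpMyAdmin project), this Python script audits a phpMyAdmin `config.inc.php` on a server you administer for the condition described above: settings that let a visitor in without typing a password. The setting names `auth_type`, `password` and `AllowNoPassword` are phpMyAdmin's own; the sample config and hostnames are constructed.

```python
import re

# Matches e.g.  $cfg['Servers'][$i]['auth_type'] = 'config';
SETTING = re.compile(r"^\s*\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*(.+?)\s*;")

# Constructed sample config.inc.php (hostnames are placeholders).
SAMPLE = """\
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'db-internal.example';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$i++;
$cfg['Servers'][$i]['host'] = 'db-hardened.example';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
// $cfg['Servers'][$i]['AllowNoPassword'] = true;  (commented out, ignored)
"""

def parse_servers(text):
    """One dict of settings per server block; each $i++ starts a new block."""
    servers, current = [], {}
    for line in text.splitlines():
        if re.match(r"\s*\$i\+\+\s*;", line):
            if current:
                servers.append(current)
            current = {}
        elif (m := SETTING.match(line)):
            current[m.group(1)] = m.group(2).strip("'\"")
    return servers + ([current] if current else [])

def findings(server):
    """Flag settings that let a visitor in without typing a password."""
    auth = server.get("auth_type", "cookie").lower()  # phpMyAdmin default
    out = []
    if auth == "config":
        out.append("auth_type=config: stored credentials, no login prompt")
        if server.get("password", "") == "":
            out.append("stored account has an empty password")
    if server.get("AllowNoPassword", "false").lower() == "true":
        out.append("AllowNoPassword=true: passwordless logins accepted")
    return out

def audit(text):
    return {s.get("host", f"server{n}"): findings(s)
            for n, s in enumerate(parse_servers(text), 1)}

if __name__ == "__main__":
    for host, issues in audit(SAMPLE).items():
        print(host, "->", issues or "ok")
```

A clean result here only covers the login settings; whether the interface is reachable from the internet at all is a separate check on the web server and firewall.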


5 Responses to Second Dutch security firm hacked, unsecured phpMyAdmin implicated

  1. John Baxter · 1052 days ago

    A security firm with a publicly exposed instance of phpMyAdmin with no password? What's next, a hospital drawing its drinking water just downstream from a wastewater treatment plant? (Which isn't that far off the mark given the old saying in Milwaukee, WI USA that "you don't buy beer, you rent it"--although those intakes were farther than "just" downstream.)

  2. Jon Fukumoto · 1052 days ago

    Gee!! When are big companies going to learn? This is very bad, and they should shut down all access until they can audit their security policy. The PlayStation network was hacked in because there was NO firewall, NO IDS, and what's worse, all the data was stored in PLAIN TEXT WITHOUT ENCRYPTION and they didn't inform anyone for two weeks after the fact. It's things like this that make me very leery about dealing with Sony. Looks like their IT department needs to be replaced with more competent people who take security seriously.

  3. David Parreira · 1051 days ago

    And another one bites the dust...
    In a week's time, or so, we will have news on the Internet that fraudulent certificates have been issued for *.google.com; *.gmail.com, *etc*

  4. Guest · 1051 days ago

    Does anyone know if Google really uses certificates from Thawte, ZA (South Africa) in addition to Verisign, US?

    On my computer, GoogleUpdate setup, Gmail, Google's SSL search, and a few other programs all have certificates issued by Thawte, ZA

  5. Mark · 1050 days ago

    In my opinion this is maybe just a test, but in fact, I don't really believe in this. It's unacceptable for a security firm to have such security holes in their IT infrastructure.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.