Second Dutch security firm hacked, unsecured phpMyAdmin implicated

phpMyAdmin login screenDutch news site webwereld is reporting that another Dutch security company, Gemnet, has been compromised, although it does not appear to have affected certificate issuance.

Gemnet appears to provide security consulting and authentication technologies to nearly all parts of the Dutch government including the Ministry of Security and Justice, Bank of Dutch Municipalities and the police.

The hack appears to have started when someone discovered a publicly accessible instance of phpMyAdmin without a password. phpMyAdmin is a web interface for managing SQL databases that should not be facing the open internet, password required or not.

By manipulating the databases the attacker was allegedly able to gain control over the system and all of the documents contained on it. The parent company, KPN, insists the documents contained on the server were all publicly available.

webwereld reports that the hacker claims to have accessed non-public documents that outlined the secure communication networks and procedures for communication between KPN and governments and customers.

Gemnet CSP, KPN’s certificate authority division, has also suspended access to their website. While KPN believes that Gemnet CSP has not been compromised, it would appear they are taking precautions while they investigate the incident.

The attacker reportedly was able to obtain the password (braTica4) used for administrative tasks on the server as well. This could be the reason KPN has suspended Gemnet CSP’s certificate signing operations while they investigate.

Similar to the attack on Dutch certificate authority DigiNotar the attacker claims there is evidence of previous hacks against the server before he gained access.

To date it would appear 2011 is going to be the year of the data breach. Organizations seemingly have not learned from the news headlines impacting others in their sectors, including RSA, Sony, DigiNotar and others.

Pen testIf the information shared with webwereld by this attacker are true, even the most basic of penetration tests would have discovered major problems with their implementation.

It is critical that organizations who have public facing internet services regularly audit what services are available, rotate passwords for critical systems and regularly test their web applications for SQL and other vulnerabilities.