Another Dutch certificate authority (CA) has been hacked with access gained to a management database and documents.
According to a story on the Dutch news site Webwereld, Gemnet was compromised, although this does not appear to have affected certificate issuance. A provider of security consultancy and authentication technologies to nearly all parts of the Dutch government, including the Ministry of Security and Justice, Bank of Dutch Municipalities and the police, the company reportedly detected and closed the leak on Wednesday.
The report claimed that the database was managed by PHP MyAdmin and access was gained without a password. The attacker was able to extract information from the database and partially control the network; among the documents was information about the technical design of the trusted network between Dutch telecommunications and ICT service provider KPN and governments or companies. KPN is also the parent company of Gemnet.
KPN shut down the service, but denied that there was a connection between a possible hacking of the Gemnet website and the safety of its certificates, saying "the hack of the site has no connection with the issuance and management of government PKI certificates".
A KPN statement said the Gemnet website was taken offline and it has launched an investigation. It also said that while "security of [their] systems is of paramount importance" for KPN and Gemnet, this "shows that parts of the process should be improved" and "in addition, KPN [would] like to use the knowledge and expertise that this offered".
KPN also insisted that the documents on the server were all publicly available.
Chester Wisniewski, senior security adviser at Sophos Canada, said: “The attacker reportedly was able to obtain the password (braTica4) used for administrative tasks on the server as well. This could be the reason KPN has suspended Gemnet's certificate signing operations while it investigates.
“If the information shared with Webwereld by this attacker are true, even the most basic of penetration tests would have discovered major problems with their implementation.
“It is critical that organisations that have public-facing internet services regularly audit what services are available, rotate passwords for critical systems and regularly test their web applications for SQL and other vulnerabilities.”