German federal finance agency's web server wide open
Having been informed of serious security problems by the Chaos Computer Club (CCC), Germany's federal finance agency has taken its online service offline. According to the CCC, for several years internet users have been able to create their own price quotes for financial transactions from a web browser and to alter, amend and add to the quotes published by the agency. Whether anyone actually did so is not known.
Bundesrepublik Deutschland – Finanzagentur GmbH, also known as the Deutsche Finanzagentur, is a financial services company that places federal borrowing with large customers and manages federal debt. The agency also offers free portfolio management of federal securities, a service that private investors can use as well.
The cause of the problem appears to have been a browser-based file manager that was accessible to all users without authentication and allowed unrestricted access to files on the server. This made it possible to change both settings and content. Because the agency's website also serves as the entry page to its internet banking service, an attacker could have intercepted the access data entered by customers, for example by planting a PHP script on the server or by reconfiguring the Apache web server.
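To show what the missing control looks like in practice, here is an added example (not the agency's configuration, which the article does not reproduce): an Apache 2.4 fragment that serves an administrative script to the whole internet, beside one that restricts the same script to an internal address range and to authenticated users. The document root, network range and password file are assumptions.

```apache
# Weak: the file manager is served like any other page, with no access control.
# Anyone who learns its path (here: from robots.txt) can use it.
<Directory "/var/www/site/fileadmin">
    Require all granted
</Directory>

# Hardened: the administrative script answers only to clients from the
# assumed internal range AND only to users who authenticate.
<Directory "/var/www/site/fileadmin">
    Require all granted
    <Files "filedfa.php">
        AuthType Basic
        AuthName "File manager"
        AuthUserFile /etc/apache2/.htpasswd-admin
        <RequireAll>
            Require ip 10.0.0.0/8
            Require valid-user
        </RequireAll>
    </Files>
</Directory>
```

The stronger answer is not to ship a file manager on a production web server at all; where one is needed for content updates, the hardened block should additionally sit behind TLS so that the Basic credentials are not themselves exposed.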
The CCC stumbled on the problem when it looked at the site's robots.txt file. This listed the path to the file manager (http://www.bundeswertpapiere.de/fileadmin/filedfa.php), placed there to prevent Google from including it in its search results. Since robots.txt is itself public, the entry advertised the file manager to anyone who read the file rather than hiding it. The website is reported to have been built by an external agency. The organisation's security officer has told the CCC that the server was subjected to external penetration testing, but that this failed to find any deficiencies.
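The check the CCC effectively performed by hand is easy to automate: read robots.txt, take every Disallow path, and request each one without credentials to see whether the "hidden" resource actually answers. The following Python script is an added example, not part of the original article or of any CCC tooling. The robots.txt text and the HTTP responses are constructed fixtures for the demonstration; `http_status` is the real fetcher a practitioner would pass in against a host they are authorised to test.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List
from urllib.parse import urljoin

# Constructed robots.txt fixture modelled on the case above; not the agency's real file.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /fileadmin/filedfa.php   # the file manager
Disallow: /typo3/
Disallow:                          # empty Disallow means "allow everything"; ignored
Allow: /fileadmin/pictures/
Disallow: /*.bak$                  # wildcard rule, cannot be probed as a single URL

User-agent: Googlebot
Disallow: /internal/
"""


def parse_disallowed(robots_txt: str) -> List[str]:
    """Return every non-empty Disallow path from a robots.txt, in file order, de-duplicated."""
    paths: List[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow":
            value = value.strip()
            if value and value not in paths:
                paths.append(value)
    return paths


def http_status(url: str, timeout: float = 10.0) -> int:
    """Real fetcher: unauthenticated GET, returning the HTTP status code (errors included)."""
    req = urllib.request.Request(url, headers={"User-Agent": "robots-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def audit_robots(base_url: str, robots_txt: str,
                 fetch: Callable[[str], int] = http_status) -> Dict[str, int]:
    """Probe each Disallow path anonymously; return the URLs that answered 200.

    Paths containing robots.txt wildcards ('*' or a trailing '$') describe a pattern,
    not a single resource, so they are skipped rather than mis-probed.
    """
    reachable: Dict[str, int] = {}
    for path in parse_disallowed(robots_txt):
        if "*" in path or path.endswith("$"):
            continue
        url = urljoin(base_url, path)
        status = fetch(url)
        if status == 200:
            reachable[url] = status
    return reachable


# Constructed responses standing in for a live server during the demonstration.
FAKE_RESPONSES = {
    "http://www.example.test/fileadmin/filedfa.php": 200,  # open to the world: finding
    "http://www.example.test/typo3/": 403,                 # access control in place
    "http://www.example.test/internal/": 401,              # authentication required
}


def fake_fetch(url: str) -> int:
    return FAKE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    for url in audit_robots("http://www.example.test", SAMPLE_ROBOTS, fake_fetch):
        print("disallowed in robots.txt but reachable without credentials:", url)
```

A 200 on a disallowed path is not automatically a vulnerability (a public page may be excluded from search for unrelated reasons), but every hit deserves a manual look, and anything that turns out to be an administrative script should be gated as in the configuration example above rather than merely hidden from crawlers.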