Privacy and technology

Uit de brief:

“Rode draad bij de verbeterpunten is dat digitale veiligheid onze blijvende aandacht moet hebben. Ontwikkelingen in ICT gaan snel. Wat tien jaar geleden state of art was, is nu hopeloos verouderd; wat toen ondenkbaar was, wordt nu algemeen gebruikt. De technische vooruitgang en voortdurende verandering van ICT is zo vanzelfsprekend dat we niet altijd voldoende stil staan bij de veranderingen die dat vraagt van onze organisaties en processen. Het DigiNotar incident heeft duidelijk gemaakt dat veranderingen in de rol van de overheid, met name op het gebied van normering en toezicht noodzakelijk zijn.”

(Source: norea.nl)

From the document:

“DigiNotar, a digital certificate authority (CA), recently suffered a cyber-attack which led to its bankruptcy. In the attack false certificates were created for hundreds of websites, including Google and Skype. Once the incident was made public, the Dutch government and browser vendors took steps to limit the impact of the attack. But Fox-IT suggests in their investigation report that the cyber-attack had already started in mid-June and that for almost two months false certificates were used to eavesdrop on email and web browsing in Iran. […] The Diginotar attack was an attack on the foundations of secure electronic communications (email, web browsing, web services). The above-mentioned issues should be addressed by industry and governments, to guarantee the security of service in the digital society.”

Findings fom paragraph 4.4 of the report:

“The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.The software installed on the public web servers was outdated and not patched.No antivirus protection was present on the investigated servers.An intrusion prevention system is operational. It is not clear at the moment why it didn’t block some of the outside web server attacks. No secure central network logging is in place.”

(Source: webwereld.nl)