March 7, 2021

Dutch Widen Inquiry Into Hacking of Official Sites

BERLIN — The Dutch government said Tuesday that it was widening its investigation into the hacking of official state Web sites in an attempt to learn whether the private data of Dutch citizens, many of whom file income tax returns online, had also been compromised.

The Dutch data protection agency, OPTA, has asked the government security contractor at the center of the controversy, DigiNotar, to report whether the integrity of a special class of digital certificates known as qualified certificates, which guarantee the authenticity of computer users interacting with government computers, had been breached.

“We are hoping to receive an answer from DigiNotar within a few days,” said Harriet Garvelink, a spokeswoman for OPTA in The Hague, who said the request was made Friday.

The hacking scandal in the Netherlands, one of the most digitally advanced countries in Europe, erupted last week when DigiNotar disclosed that several of its digital certificates — so-called SSL certificates, which guarantee the authenticity of Web sites — had been stolen by an unknown hacker in July. An independent report released Monday by the Dutch government traced the origin of the stolen certificates to a computer user in Iran.

“DigiNotar found evidence on July 28th that rogue certificates were verified by Internet addresses originating from Iran,” said the report prepared by Fox-IT, a company in Delft, the Netherlands, that the Dutch government hired to investigate the breaches. A copy of the report was posted on the site of Vasco Data Security International, DigiNotar’s parent company.

The report appears to link the theft of the certificates from DigiNotar to a security breach reported by Google in the past week. In its security blog on Aug. 29, Google reported that several users “primarily located in Iran” had been targeted by the hacker using a fraudulent certificate issued by DigiNotar.

If a qualified certificate has been breached, a hacker could impersonate the computer identity of another user to try to gain access to their private information.

The Google incident prompted DigiNotar to come forward with the security violation. The Fox-IT report found that DigiNotar discovered 333 fraudulent “rogue certificates” circulating from July 19 to July 28, many of which were for major Internet companies. The company subsequently revoked and invalidated the certificates.

The Dutch interior minister, Piethain Donner, told members of Parliament on Tuesday that the government so far had no evidence that the hackers had used stolen certificates to obtain the personal information on Dutch citizens from government’s Web sites.

Vincent van Steen, a spokesman for Mr. Donner, said the interior ministry was examining the procedures used by the government in overseeing the contractors that issue SSL certificates to learn more about how the intrusion occurred and how to prevent a future attack. “This matter shows us how vulnerable we are,” Mr. van Steen said.

Several security experts have speculated that the Iranian government may have orchestrated the hacking, which would have required the control of an Internet service provider, to spy on its own dissidents. The Iranian government has not commented on the situation.

DigiNotar, a unit of Vasco Data Security International, which is based in Oakbrook Terrace, Illinois, has been criticized by Dutch lawmakers for not immediately informing the government of the certificate theft. Dutch prosecutors told The Associated Press on Tuesday that they were investigating DigiNotar for possible criminal negligence.

Vasco said in a statement that it was cooperating with the Dutch government. In a separate statement issued Sunday, the company sought to reassure its own clients that the verification technology of DigiNotar, which Vasco acquired in January, had not yet been fully integrated into its own digital security products.

DigiNotar’s belated disclosure of the theft prompted OPTA to expand its inquiry into the incident and ask DigiNotar whether qualified certificates had also been breached. The qualified certificates check a computer’s unique I.P. address to verify the identity of the person or body interacting with the Dutch government.

Under Dutch law, OPTA each year hires an outside auditor to monitor the performance of DigiNotar and its verification of qualified certificates for Dutch government Web sites, Ms. Garvelink said. The last audit, which was conducted this year by PriceWaterhouseCoopers, found no irregularities, she said.

Relations between the Netherlands and Iran are strained. Earlier this year, Iran, over the objections of the Dutch government, hanged a Dutch-Iranian woman accused of participating in demonstrations and drug smuggling.

In April, an Iranian asylum seeker who was being extradited to Iran set himself on fire and died in Amsterdam. The Iranian embassy in The Hague criticized the Dutch government over the incident.

Article source:

Speak Your Mind