Dutch government struggles with DigiNotar hack
Replacing SSL certificates will take time
IDG News Service - The Dutch government is trying to minimize the effect of the DigiNotar hack on its IT infrastructure but warned it's a time-consuming process: Not all the SSL certificates can be replaced on the fly.
Piet Hein Donner, minister of the interior, said in a press conference on Tuesday that the government will work as quickly as possible to replace all the DigiNotar SSL certificates in use. However, if the certificates are withdrawn immediately it will be damaging, he warned.
"It particularly concerns the fully automated communication between computers," Donner said. If the certificates are withdrawn right now it would disturb or even block Machine-to-Machine (M2M) communication. That is why the Dutch government chose a "phased and controlled" migration to other certificates. While website certificates should be replaced by Saturday, he said, replacing those involved in M2M communication will take longer.
For the same reason, Microsoft agreed on Tuesday to postpone an automatic software update for the Netherlands that revokes the trust in all DigiNotar certificates for one week. Next week the software update will be rolled out in the Netherlands with an opt-out option. Companies who want to implement the software update this week have to do that themselves. According to Donner this ensures there is no significant disturbance in digital communications in the Netherlands.
On Sept. 2, the Dutch government announced in a night-time press conference, the first in Dutch IT history, that all DigiNotar certificates were to be banned and replaced. According to a report by the security firm Fox-IT published on Monday, 531 fraudulent certificates were issued after DigiNotar was hacked from an Iranian IP address in June. The firm also found proof that the "DigiNotar PKIoverheid CA" certificates the Dutch government uses were compromised. Fox-IT found no evidence that government certificates were misused.
Ronald Prins, CEO of Fox-IT, said on the Dutch television show "Nieuwsuur" on Monday that the real damage for Dutch citizens was limited, but that the implications could have been big. DigiNotar was used for DigiD, an identity management platform used by Dutch government agencies including the Tax and Customs Administration. Hackers could have monitored DigiD traffic and would even be able to manipulate tax filings if they wanted to.
The government replaced the DigiNotar DigiD certificates with PKIoverheid CA certificates from Getronics PinkRoccade, one of the seven (including DigiNotar) SSL certificate providers the government uses. Other problems occurred with the systems of the Rijksdienst voor het Wegverkeer (RDW), which handles vehicle registrations and inspections in the Netherlands. The RDW switched to VeriSign certificates but still has to use DigiNotar for M2M communication, spokesperson Sjoerd Weiland told the Dutch IDG news site Webwereld on Monday.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Changing the Way Government Works: Four Technology Trends that Drive Down Costs and Increase Productivity
This paper discusses four technology-based approaches to improving processes and increasing
productivity while driving down department and agency costs.
- Accelerating Speed to Market in the Highly Competitive Automotive Industry This White Paper discusses how an Enterprise Project Portfolio Management solution optimizes project analysis, management, reporting and risk mitigation processes to accelerate new...
- Hedge Your Bets This report explains how visibility and increased governance is key to reducing risk.
- In the Firing Line CEOs Are Increasingly Being Held Accountable; How susceptible is the CEO's reputation to poor performance across the project portfolio?
- Make or Break: New Auto Products Must Go To Market On Time This Webcast quantifies the value of time to market for the auto industry and highlights how Primavera Enterprise Portfolio Management can help organizations.
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After... All Government/Industries White Papers | Webcasts