donderdag 31 januari 2013

Lessons from the Diginotar drama: We need Trust Governance

In the summer of 2011 the Dutch Certificate Service Provider Diginotar collapsed due to a hack of the back-end systems by an Iranian hacker. Since then many analysis were published. Most indicating plenty problems at Diginotar or about the inadequacies of PKI as we know it. But in my opinion the problems are more severe than just technical issues.
In 2012 the Dutch Magazine Informatiebeveiliging published my analysis (I should mention that I am one of the editors of the magazine, so there is no full independency there...). By request I translated the article.

You can find the English language version of article via this link.

(I wish to thank Jacoba for reviewing the translation)

Feel free to react.

vrijdag 11 januari 2013

Responsible Disclosure

These days in The Netherlands several initiatives pop-up around the issues of ethical hacking and Responsible Disclosure.

What's all the fuss about?
Last year a hacker reported a vulnerability and a data leak in a back-up server of a Dutch hospital. He claimed that he found a lot of confidential information on a server that was readily accessible from the internet. The report was made through a Dutch journalist, +Brenno de Winter.
After publishing the incident we learned that the hospital sued the hacker and for us, the security community, this was unheard of: why sue someone who reports a vulnerability? Who are the amateurs responsible for this leak and do they really think they can get away by suing a security researcher?

In the mean time the minister of Internal Affairs published his guidelines for ethical hacking. And in those guidelines a hacker might be exempt from prosecurtion if he acted conform.

So, we, the Dutch security community, were puzzled. Then rumors came in that the hacker had installed malware on the hospital's server. Sentiment changed, but despite the new guidelines, trust of the hacker community in the authorities, like the DA responsible for cyber crime, vanished. Trust was gone and so was the willingness to co-operate. And right after, some critics of the official guidelines raised their voices and it looked like the guidelines were no longer valid for the people that were addressed in the guidelines.

At this moment this is the status:

And that's not all, there is at least one more initiative, but that's not yet ready for prime time yet.

Anyway a lot of activity in interesting times. Please have a look at Floor's site and feel free to react!

I will try to publish some more about all activity and invite you to join the discussion.