After record-setting negotiations, four parties have finally presented a coalition in the Netherlands. There are a fair number of cyber security measures in the preliminary agreement, which will serve as a guideline for the government's term over the coming years.
Following the elections of 15 March [1], three of the four larger parties in the Netherlands started coalition talks, a task that was viewed as difficult from the start.
With the Liberal Democrats and Christian Democrats as the largest parties, it would be difficult to reach consensus with the biggest winner, GreenLeft, and the centre-democratic Democrats 66 (D66). After GreenLeft eventually dropped out of the coalition talks, a new attempt was made with the Christian Union, a painfully slow negotiation process that was concluded on 10 October with a coalition agreement.
As opposed to a few years ago, the new agreement has a rather large number of sections on IT security, as many in the industry pointed out by counting occurrences of the term "cyber", which appears eight times in the 70-page document that outlines the new government's plans for the country over the next four years. An important factor for adding so much IT to the agenda would be D66, the centre party with MP Kees Verhoeven [2] as a well-known spokesperson for the digital agenda.
Law on intelligence and security-agencies
Of particular interest in the agreement are amendments to the controversial law on intelligence and security agencies (WiV) [3], which will go fully into effect on 1 January 2018. A group of petitioners recently collected enough signatures [4] to start a national referendum to try to rescind the law, which would give intelligence agencies the power to use dragnet methods for collecting information on many people in a single area. Most criticism of the law concerns its supervision by an accountability taskforce, parts of which critics consider too vague.
Even though the WiV will go into effect regardless of the outcome of the referendum, the new coalition has decided to evaluate the law within two years. If the supervision is indeed not enough, the law can be altered if necessary.
Use of zero days
Another controversial law, the Computer Criminality Act III, will also be slightly altered. Newly detailed plans in the agreement specifically mention the use of zero-days by law enforcement [5], and give stricter rules for police and intelligence agencies wishing to use them. Specifically, zero-day technology can only be bought and used if required for very specific cases. Also, vendors of such software will be screened by the Dutch national intelligence agency AIVD to make sure the software is not also sold to dubious regimes. As with the WiV, this policy will now also be evaluated every two years, and law enforcement has to release statistics on the use of zero-days on a yearly basis.
A lot of these measures are seen as both good and bad by experts. Good, because a new evaluation clause has been added and several safeguards have been built in to prevent abuse. But privacy activists had hoped for more severe measures, like scrapping parts of the laws entirely.
Investing in the country's digital capacity
The coalition plans to spend an extra €95m to lay out an ambitious cyber security agenda and to increase the country's digital capacity. The new funds will be divided among several departments, like the Ministry of Security and Justice, Defence, Foreign Affairs and Interior. An extra investment of €275m a year will be put into digital forces within the Dutch army, starting in 2020, to increase cyber capacity in the armed forces. A particularly increased role will be designated for the National Cyber Security Center [6] (NCSC), which advises the private sector on security practices and will be taking on a bigger role in preventing cyber crime and attacks in the future. Also new is the intention to make revenge porn illegal, that is, the posting online of pornographic material of an ex as a way of revenge after a bad breakup.
This would probably be broadened to any form of posting nudity of other persons online, though the agreement keeps the terms vague, most likely to allow for interpretation. A particularly high-profile case of revenge porn dominated the Dutch technology news earlier this year, as a young girl sued Facebook for refusing to hand over information on who uploaded a video of her. The case got some international attention when Facebook, after a long legal battle, was ordered to hand the information over [7] in 2015.
Storing of email addresses
Hidden away somewhere else in the agreement is the addition of email addresses to the Municipal Personal Records (the Basisregistratie Personen), with little more detail given other than that email addresses will be stored safely and encrypted. There's also a small line about increasing the security of DigiD, the digital login system Dutch citizens can use to log in to government services to do their tax returns or view their student loans. There have been talks for years about replacing DigiD with a new system called eID [8], which has been in an experimental phase for a while but has not been rolled out yet.
Internet of things security standards
For suppliers, the coalition plans to introduce security standards for internet of things appliances [9], though how these standards are to be implemented remains to be seen. This had been a longstanding wish of D66. The agreement also mentions a possible import ban for appliances that don't follow security practice, although this was not detailed.
The coalition agreement is so far just an agreement the four main parties have set up, but it's far from definite. The new coalition will be small, with a majority of only one: 76 seats in a house of 150. The parties' ideals are also far apart, so only a few dissidents in the coalition might mean a law could fail to pass.
However, after more than eight months of negotiations, Dutch MPs will probably not be looking for hard internal clashes.
- [1] the elections of 15 March (www.theguardian.com)
- [2] Kees Verhoeven (twitter.com)
- [3] controversial law on intelligence and security agencies (pilpnjcm.nl)
- [4] successfully collected enough signatures (nltimes.nl)
- [5] the use of zero-days by law enforcement (www.computerweekly.com)
- [6] National Cyber Security Center (www.ncsc.nl)
- [7] was ordered to hand the information over (www.computerweekly.com)
- [8] a new system called eID (joinup.ec.europa.eu)
- [9] introduce security standards for internet of things appliances (searchsecurity.techtarget.com)
Security firms are, understandably, quite sensitive about claims that their products are insecure, so accusations of this sort tend to cause a kerfuffle. On Wednesday, security consultancy DirectDefense published a blog post [1] claiming endpoint security vendor Carbon Black's Cb Response protection software would, once installed for a customer, spew sensitive data to third parties. This allegedly included customers' AWS, Azure and Google Compute private keys, internal usernames and passwords, proprietary internal applications, and two-factor authentication secrets. Jim Broome, president of DirectDefense, said the problem stems from the way Cb Response patrols corporate file systems and transmits data out to third-party malware scanners to check whether files are legit or infected with nasties. If the Cb Response installation doesn't recognize a document or executable, it can punt it out to multiple scanners to see if they have come across the binaries before, and whether they're safe or need quarantining.
“This means that files uploaded by Cb Response customers first go to Carbon Black (or their local Carbon Black server instance), but then are immediately forwarded to a cloud-based multiscanner, where they are dutifully spread to anyone that wants them and is willing to pay,” he explained.
“Welcome to the world’s largest pay-for-play data exfiltration botnet.”
Broome said that his team had discovered this flow of data while working for a client last year, and has since found multiple organizations using the Cb Response system. He said his team went public with its findings to warn people without informing the vendor, and put out a press release [2] to highlight the supposed danger. However, Carbon Black has fired back with a blog post of its own, claiming DirectDefense got its facts wrong: it's not a bug causing the data emissions, it's a feature.
Bug? Feature?
"This is an optional feature, turned off by default, to allow customers to share information with external sources for additional ability to detect threats," said [3] Michael Viscuso, cofounder of Carbon Black.
"In Cb Response, there is an optional, customer-controlled configuration (disabled by default) that allows the uploading of binaries (executables) to VirusTotal for additional threat analysis. This option can be enabled by a customer, on a per-sensor group basis. When enabled, executable files will be uploaded to VirusTotal, a public repository and scanning service owned by Google."
He pointed out that even with the information sharing feature turned on, users can customize exactly what data is sent out of the network. There's also a popup warning page telling admins that they are sending data outside the company network. He also notes that DirectDefense could have contacted them about this before creating a big fuss about it, and Carbon Black would have explained the issue. A spokeswoman for DirectDefense told The Register that they didn't tip off Carbon Black about the issue because it didn't consider the data transmission a vulnerability, instead describing Cb Response as suffering "a function of how the tool is architected" in the original blog.
“However, the recommendations or messaging from Carbon Black’s professional services team during the course of installing the product is to turn this feature on to help accelerate the analysis of the file scans.”
So DirectDefense decided to "educate users" about the issue, albeit in somewhat alarmist terms.
Education, or a PR stunt that backfired? You decide.
BEDMINSTER, N.J. (Reuters) – Three military helicopters hovered over Anne Choi’s backyard, engaged in what appeared to be a drill ahead of President Donald Trump’s visit three weeks ago to this tranquil town of farmland and horse barns in rural New Jersey.
"My sheep were terrified," Choi, 44, said on Thursday inside her two-story barn a mile east of Trump National Golf Club, as half a dozen Shetland sheep grazed outside. "It's awful. We don't have the infrastructure here. We can't support the weight of his presence."
As Bedminster prepared this week for the president’s latest trip to the 600-acre (240-hectare) private club, a 17-day stay that is his first extended vacation in office, some of the town’s 8,000 residents expressed frustration at the security protocols, road closures and daily disruption that will begin with his arrival on Friday.
On Wednesday, the U.S. Secret Service said safety measures would also include a "tethered drone," equipped with optical and infrared cameras and powered by a wire attached to a ground controller, that could impede on the privacy of nearby residences.
“It’s super creepy,” said Julie Henderson, an artist who lives down the road from Trump National, as two military helicopters roared overhead before circling and heading back towards the golf club.
The Secret Service said the drone would focus primarily on the outer perimeter and would not “physically intrude upon or disturb the use of private property outside the Trump National Golf Course.”
Trump's movements can also lead to the closure of local roads and highways. Julie Henderson's husband, Paul Henderson, said he has twice been stuck on an Interstate on his way to work while Trump's motorcade used the highway.
Not everyone in this town about 40 miles (60 km) west of New York City agrees Trump's visit will be a nuisance. Steve Desiderio, who owns a restaurant and catering business in Bedminster's modest downtown, said the influx of federal agents and journalists would be a welcome boost to his business.
Desiderio, a 48-year-old Trump supporter, added that complaints about the disruption were overblown and media-driven.
"It's just fake news," he said, echoing one of the president's favourite phrases. "They try to spin it like it's gridlock. So there are five more cars at the stoplight?"
[File photo: U.S. President Donald Trump departs in his motorcade after a weekend at his golf estate in Bedminster, New Jersey, U.S., May 7, 2017. Jonathan Ernst/File Photo]
Bedminster’s Republican mayor, Steven Parker, also brushed off the criticism.
“It’s really been a big non-event,” he said.
Some residents said Trump has been a generous neighbour in past years, allowing local events to be hosted at his club. As in previous years, the township committee held its annual reorganization meeting in 2017 at Trump National, where Parker was selected to continue as mayor.
While Trump's visit may help the town's eateries, it will shut down the local airport, where 110 private planes and 60 flight school students will be grounded from Aug. 4 to Aug.
"Our summertime is our busiest time," said Somerset Airport President Chris Walker, as a Coast Guard helicopter landed on the runway in preparation for the weekend. "We're just rolling with the punches."
About half of the planes were being moved to other airports outside the 10-mile (16-km) no-fly zone, Stewart said. Some workers will be sent home until Trump returns to Washington.
Trump has also drawn local protesters, both for and against him. Anti-Trump activists have been staging a weekly "People's Motorcade," driving slowly down the road past Trump National and honking their horns.
The town’s administrator, Judith Sullivan, said they were more of a distraction for her 16-member police department than the president, though they have largely been well behaved.
She hopes to recoup the $30,000 in overtime for officers working during Trump's visit from the U.S.
Choi, who moved to Bedminster from Maryland two years ago, said she likely would not have chosen her house had she known the “summer White House” would be only a mile away.
“Even if you agree with his politics, I think we can all agree that this is not what we bargained for,” she said.
Reporting by Joseph Ax; Editing by Jonathan Oatis