Each of Spain’s DNIe ID cards has a chip containing two certificates, one for identification and one for electronic signing. Image: Cuerpo Nacional de Policía
When security researchers discovered last month that secure hardware made by Germany’s Infineon Technologies was not so secure after all[1], it was clear that there would be major implications. There are a lot of smartcards and other devices out there with Infineon’s chips in them, and the ‘ROCA’ flaw[2] in Infineon’s key-pair generation algorithm made it possible for someone to discover a target’s private key just by knowing their public key. Now, in a situation analogous to the one recently experienced in Estonia[3], Spain seems to be having a tough — and arguably more chaotic — time dealing with the implications for its national identity smartcards. Estonia’s big security flaw only affected around 760,000 cards, although Estonians genuinely use their cards for a great variety of public and private services. Against that figure, there are around 60 million identity smartcards in Spain. However, according to an El País article[4], Spaniards were only using theirs in 0.02 percent of public-service engagements when surveyed a few years back. Dan Cvrcek is the CEO at security firm Enigma Bridge, which was co-founded by researchers who identified the ROCA flaw.
He told ZDNet that exploitation of the flaw could allow attackers to revert or invalidate contracts that people have signed, in part because the Spanish don’t use timestamps for very important signatures. “I still don’t think you can do a large-scale attack that would target a lot of people,” Cvrcek said. However, he added, the cost of an individual attack has “rapidly decreased”. The assumption used to be that an attack cost between $20,000 and $40,000, but now it’s “realistically $2,000”. Each card, known as the DNIe, has a chip that contains two certificates, one for identification and one for electronically signing things. According to El Diario[5], the authorities responded to Infineon’s October vulnerability disclosure by revoking, on November 6, all certificates issued since April 2015. What’s more, the authorities have stopped letting people sign things with the card at the self-service terminals found at many police stations.
That decision affects every card, not only those that have the flaw. However, people can still digitally sign documents online, using a small card reader that connects to their PCs. The readers are needed to update the affected cards. But there is as yet no indication of when the affected cards will be updated. Indeed, there doesn’t seem to be much official information out there at all, something which has not gone unnoticed in the Spanish tech press. “Neither the police nor other public bodies have given more information through their social media accounts about the impact of the vulnerability and how to act if affected,” said Xataka[6]. At least the Basque certificate authority Izenpe, which has revoked 30,000 certificates, has given information[7] about how to replace them, the blog added. Amid all that chaos, it also seems that some people with recently issued DNIe cards are still able to use them, despite the supposed revocation of their certificates. “I would not mind if it continued like this until there are new certificates,” tweeted[8] one user. Toomas Ilves, the former president of Estonia, said earlier this week that he believed millions of people in countries had been affected by the ROCA flaw, but their authorities were remaining “silent”.
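As an added example (not code from the article, from Enigma Bridge or from the ROCA researchers), the following Python script implements the published fingerprint test that lets a card holder or CA check whether an RSA modulus has the ROCA structure: affected keys are built from primes of the form k·M + (65537^a mod M), where M is a product of small primes, so N mod m must lie in the subgroup generated by 65537 for every small prime m dividing M. The two sample moduli are constructed here for illustration and are not real DNIe keys.

```python
"""ROCA fingerprint check for an RSA modulus (defensive: is this key affected?).

A random modulus passes all 38 residue tests with probability about 2^-154,
so a match is a strong indicator that the key came from the flawed generator.
"""
import random

GENERATOR = 65537
# Small primes used by the published fingerprint (3 .. 167); 2 is omitted
# because every odd modulus is 1 mod 2 and adds no information.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
M = 1
for _m in SMALL_PRIMES:
    M *= _m


def allowed_residues(m):
    """Subgroup of Z_m* generated by 65537, i.e. all values 65537^k mod m."""
    residues, r = set(), 1
    while r not in residues:
        residues.add(r)
        r = (r * GENERATOR) % m
    return residues


def has_roca_fingerprint(n):
    """True when n mod m lies in <65537> for every small prime m."""
    return all(n % m in allowed_residues(m) for m in SMALL_PRIMES)


def constructed_roca_modulus(a, b, seed=1):
    """Constructed sample with the ROCA structure p = k*M + 65537^a mod M.
    The factors are NOT checked for primality; only residues mod M matter."""
    rng = random.Random(seed)
    p = rng.getrandbits(800) * M + pow(GENERATOR, a, M)
    q = rng.getrandbits(800) * M + pow(GENERATOR, b, M)
    return p * q


def constructed_random_modulus(seed=1):
    """Constructed odd 2048-bit number standing in for an unaffected modulus."""
    return random.Random(seed).getrandbits(2048) | 1
```

In practice the modulus comes from the card's certificate, for example from `openssl x509 -in cert.pem -noout -modulus`, converted from hex to an integer before calling `has_roca_fingerprint`.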
1. not so secure after all (www.zdnet.com)
2. the ‘ROCA’ flaw (www.infineon.com)
3. experienced in Estonia (www.zdnet.com)
4. El País article (cincodias.elpais.com)
5. El Diario (www.eldiario.es)
6. Xataka (www.xataka.com)
7. given information (www.izenpe.eus)
8. tweeted (twitter.com)
After record-setting negotiations, four parties have finally presented a coalition in the Netherlands. There are a fair number of cyber security measures in the preliminary agreement, which will serve as a guideline for the government’s term over the coming years.
Following the elections of 15 March[1], three of the four larger parties in the Netherlands started coalition talks, a task that was viewed as difficult from the start.
With the Liberal Democrats and Christian Democrats as the largest parties, it would be difficult to reach consensus with the biggest winner, GreenLeft, and the centre-democratic Democrats 66 (D66). After GreenLeft eventually dropped out of the coalition talks, a new attempt was made with the Christian Union, a painfully slow negotiation process that was concluded on 10 October with a coalition agreement.
As opposed to a few years ago, the new agreement has a rather large number of sections on IT security, as many in the industry pointed out by counting the uses of the term ‘cyber’, which appeared eight times in the 70-page document that outlines the new government’s plans for the country over the next four years. An important factor for adding so much IT to the agenda would be D66, the centre party with MP Kees Verhoeven[2] as a well-known spokesperson for the digital agenda.
Law on intelligence and security agencies
Of particular interest in the agreement are amendments to the controversial law on intelligence and security agencies[3] (the WiV), which will go fully into effect on 1 January 2018. A group of petitioners recently successfully collected enough signatures[4] to start a national referendum to try to rescind the law, which would give intelligence agencies the power to use dragnet methods for collecting information on many people in a single area. Most criticism of the law revolves around its supervision by an accountability taskforce, parts of which are considered too vague.
Even though the WiV will go into effect regardless of the outcome of the referendum, the new coalition has decided to evaluate the law within two years. If the supervision proves inadequate, the law can be amended.
Use of zero days
Another controversial law, the Computer Criminality Act III, will also be slightly altered. Newly detailed plans in the agreement specifically mention the use of zero-days by law enforcement[5], and set stricter rules for police and intelligence agencies that use them. Specifically, zero-day technology can only be bought and used if required for very specific cases. Also, vendors of such software will be screened by the Dutch national intelligence agency AIVD to make sure the software is not also sold to dubious regimes. As with the WiV, this policy will now also be evaluated every two years, and law enforcement has to release statistics on the use of zero-days on a yearly basis.
A lot of these measures are seen as both good and bad by experts. Good, because a new evaluation clause has been added and several safeguards have been built in to prevent abuse. But privacy activists had hoped for more severe measures, like scrapping parts of the laws entirely.
Investing in the country’s digital capacity
The coalition plans to spend an extra €95m to lay out an ambitious cyber security agenda and to increase the country’s digital capacity. The new funds will be divided among several departments, such as the Ministry of Security and Justice, Defence, Foreign Affairs and Interior. An extra investment of €275m a year will be put into digital forces within the Dutch army, starting in 2020, to increase cyber capacity in the armed forces. A particularly increasing role will be designated for the National Cyber Security Center[6] (NCSC), which advises the private sector on security practices and will take on a bigger role in preventing cyber crime and attacks in the future. Also new is the intention to make revenge porn illegal, meaning the online posting of pornographic material of an ex as a way of revenge after a bad breakup.
This would probably be broadened to any form of posting nudity of other persons online, though the agreement keeps the terms vague, most likely to allow for interpretation. A particularly high-profile case of revenge porn dominated the Dutch technology news earlier this year, as a young girl sued Facebook for refusing to hand over information on who uploaded a video of her. The case got some international attention when Facebook, after a long legal battle, was ordered to hand the information over[7] in 2015.
Storing of email addresses
Hidden away elsewhere in the agreement is the addition of email addresses to the Municipal Personal Records (the Basisregistratie Personen), with little more detail given other than that email addresses will be stored safely and encrypted. There’s also a short line about increasing the security of DigiD, the digital login system Dutch citizens can use to log in to government services to do their tax returns or view their student loans. There have been talks for years about replacing DigiD with a new system called eID[8], which has been in an experimental phase for a while but has not been rolled out yet.
Internet of things security standards
For suppliers, the coalition plans to introduce security standards for internet of things appliances[9], though how these standards are to be implemented remains to be seen. This had been a longstanding wish of D66. The agreement also mentions a possible import ban for appliances that don’t follow security practice, although this was not detailed.
The coalition agreement is so far just an agreement the four main parties have set up, and it’s far from definite. The new coalition will be small, with a majority of only one: 76 seats in a house of 150. The parties’ ideals are also far apart, so only a few dissidents in the coalition might mean a law fails to pass.
However, after more than eight months of negotiations, Dutch MPs will probably not be looking for hard internal clashing.
1. the elections of 15 March (www.theguardian.com)
2. Kees Verhoeven (twitter.com)
3. controversial law on intelligence and security agencies (pilpnjcm.nl)
4. successfully collected enough signatures (nltimes.nl)
5. the use of zero-days by law enforcement (www.computerweekly.com)
6. National Cyber Security Center (www.ncsc.nl)
7. was ordered to hand the information over (www.computerweekly.com)
8. a new system called eID (joinup.ec.europa.eu)
9. introduce security standards for internet of things appliances (searchsecurity.techtarget.com)
Rapidly pressing the Home button five times brings up an SOS button. This alerts emergency contacts to your whereabouts. This much we knew. However, accessing the SOS screen also disables Touch ID until the user’s passcode is entered (via Apple Insider[2]). The so-called ‘cop button’ arrives amid lingering controversy over law enforcement pressing citizens to unlock their phones using the fingerprint sensor.
Last December Scotland Yard officers snatched a smartphone from a suspect[5] while it was unlocked, in order to bypass the security. Police in Michigan even 3D-printed a murder victim’s fingerprint[6] in order to unlock a smart device. Passcodes remain off limits to law enforcement officials, which is what makes the new cop button all the more powerful.
If iPhone users believe they’re in a position where they may be asked to unlock their phone with a fingerprint, they can simply press the Home button five times in succession to disable it.
iOS 11 is nearly here
iOS 11 is approaching completion, with the full release expected around a month from now. Given that the latest rumours point towards an iPhone 8 without a Touch ID sensor, it’ll be interesting to see whether this new feature will apply to the expected Face ID feature. The new OS will bring a redesigned Control Centre, the brand new Apple Files app, peer-to-peer Apple Pay payments, improved Siri and a Do Not Disturb While Driving mode.
Will you be downloading iOS 11 when it lands, or waiting until it’s clear of potential launch bugs?
Drop us a line @TrustedReviews on Twitter.