Press conference
Press conference:
http://www.dumpert.nl/mediabase/1691651/f0bb030b/persconferentie_donner_over_hack_overheidssites.html
Some quick notes on what the minister said, hope it's a good representation of the original:
Items:
- Diginotar has own-branded and* PKIOverheid certs.
- Diginotar was attacked.
- Friday results of investigation by Fox IT security company: PKIOverheid certs managed by Diginotar may be compromised
- Government does not trust Diginotar certs anymore
- Government will switch to other PKI cert supplier
- Phased transition of operational management of all Diginotar [PKIOverheid] certs
- Diginotar will cooperate
- monitor improper/fraudulent use during transition phase
- security experts will help in transition
Results: transition without big interruptions of data traffic
Q&A:
Will compromised sites be kept up?
Yes, although this will lead to a certificate warning in the browser. Users should not use the site.
How many sites?
We're tracking that down. It involves hundreds of sites.
Why aren't sites taken down?
They're also used for automated traffic, so we're not taking them down. Therefore we're taking over Diginotar [PKI overheid cert] operational management.
Isn't automated process unsafe then?
We immediately see improper use because we're taking over operational management
You're taking over operational management [at Diginotar]. Will this mean a government team will step in, and take over control?
Yes, management/responsibility will be taken over by government. This will ensure any improper use will be immediately detected.
What do you think of this?
These are risks with new technology. It's a break-in, an interruption of reliable traffic.
Does Fox IT research show the Iranian government was behind this?
They can't investigate that. Report only shows hacking has taken place, and certs have been stolen. We don't know the extent of this.
We cannot see where the certs were used. By taking over management, we will be able to see this.
Investigation of who did this hack is the next step.
PKIOverheid may be compromised. How many government certs/sites are involved?
Diginotar is requested to give a list of all government customers. Government's initial investigation indicated a lot of sites are involved, e.g. revenue services and the motor vehicle department.
Who will be hit, how long?
Don't know, will take a couple of days. E.g. the motor vehicle department site has already taken steps to switch certs and be usable again.
=====================================================
* some PKIOverheid certs are managed by DigiNotar, not all as there are other suppliers as well
=====================================================
How will they "monitor" improper use? When people start complaining their personal data has been stolen?
The story that government can track down improper use of certs by taking over Diginotar management seems ridiculous, but Donner may be a bigger PKI/SSL expert than I am...