TU Delft scientists are not surprised that the Dutch government faces major security issues on the web. They stress that there is little awareness of security issues.
Every year Dutch journalists try to get their hands on the classified budget for next year. This year they received the budget in a very simple way: it was published accidentally in advance on the internet, and on a webpage that wasn’t even encrypted.
This blunder launched a lively discussion about how the government fails to secure important documents. Even more troublesome were the problems involving a company called DigiNotar, which went bankrupt last week. DigiNotar provided secured certificates for the government. DigiNotar was hacked by an Iranian, who then created certificates. Iran allegedly used the certificates to spy on its own people, although this is not yet certain.
Over the past couple of weeks, many people have asked themselves how it is possible that the government does not take IT security more seriously. But TU Delft scientists are not surprised. “There isn’t much awareness about security at the government level. Many people who design websites do not take security seriously enough. There aren’t enough ICT specialists in government service. And the same goes for many big companies,” says Dr Johan Pouwelse (Software Technology section, faculty of Electrical Engineering, Mathematics and Computer Science).
The certificates issued by DigiNotar were used to digitally identify websites and to encrypt traffic to and from https websites. It is not yet known officially what went wrong, but human errors seem to have been made. “Strangely enough, it looks like employees at DigiNotar did not have enough awareness regarding security,” says Dr Jan van den Berg (ICT section of the faculty of Technology, Policy and Management). “But also the monitoring of the company failed tremendously. There should have been better supervision from the government. Hopefully this will change fast.”
The DigiNotar scandal also affects TU Delft, as the company supplied the TU with certificates. Anyone at TU Delft who wanted to sign and send a contract by email or encrypt a confidential email used DigiNotar. “We did not expect at all that security at DigiNotar was this bad, because they were being monitored. We thought they were trustworthy. It seems like all the processes inside the company were good, but human errors were made. This should not have happened. After the hack was known we sent emails to whoever used DigiNotar at the TU, informing them that their certificates could not be used anymore,” adds Alf Moens, corporate information security officer at the TU. Van den Berg also used DigiNotar: “I even taught my students how to send encrypted information by using certificates signed by DigiNotar during my classes.”
According to Van den Berg, many changes are needed to make the internet safer. “We made up rules that are necessary to drive a car. One needs a driver’s license and to put seatbelts on. Otherwise, it’s not regarded as safe to drive. I’m surprised that something similar doesn’t exist yet for the internet.”
The freedom on the internet is great, he says, but is also too good to be true. “Everyone who uses the internet should use certificates for certain applications, to be sure that anyone who says who he or she is, really is that person. Of course this is more inconvenient, but whenever one collects a passport there are also security precautions. No one thinks that is strange, because we know why it’s important. That’s why we should start making people more aware of the necessity to secure computers that are connected to the web.”
The Education Inspectorate announced this yesterday. Since 2005, 430 so-called long-term students have obtained a diploma via an alternative graduation route. The Inspectorate wonders whether the requirements were actually met in those cases.
This summer the inspectorate put questions to all publicly funded and private universities of applied sciences and universities about graduation tracks for delayed students. “This did not provide sufficient clarity in all cases. There are also points of concern.”
The inspectorate wants to know whether there are ‘real risks’. Not all suspicions are equally serious, but there are sixteen universities of applied sciences about which ‘signals of possible abuses have been received’, including fifteen publicly funded universities of applied sciences.
There are also sixteen institutions whose answers the inspectorate questions, ‘for example because they state that they never have long-term students or state that they do not account for measures for long-term students’.
In university education the problem seems smaller, although the inspectorate is nevertheless scrutinising three universities. The inspectorate does not name names, however. Only one university says it has a special graduation track for long-term students, compared with ten universities of applied sciences.
Furthermore, Inholland is not yet in the clear after the report of the Leers committee, which concluded that there was no fraud. The inspectorate has ‘appreciation for the thoroughness and depth of the investigation’, but finds the committee’s report worrying. ‘The law has not been complied with on a number of important points.’ That is ‘unacceptable’.
Incidentally, the inspectorate points out that the problem is relatively small: it concerns a few hundred long-term students, while 65 thousand students obtain their diploma each year.