The Dutch government is widening its investigation into an Internet security breach in an effort to learn whether the private data of Dutch citizens, many of whom file income tax returns online, had been compromised.
DigiNotar, the government security contractor at the center of the controversy, has been asked by the Dutch data protection agency to report whether the integrity of special digital certificates that guarantee the authenticity of interactions with government computers had been breached.
In July, DigiNotar suffered the theft of hundreds of certificate codes used to prove a Web site's authenticity to viewers. Armed with these codes, hackers can make bogus Web sites pass security authentication and then steal data and personal information that users enter on them.
The Dutch government believes the perpetrators of the hacking were in Iran, based on information it received from a security consultancy, Fox-IT.
Nearly 300,000 unique IP addresses from Iran requested access to google.com using a rogue certificate issued by Dutch digital certificate authority DigiNotar.
Fraudulent Secure Sockets Layer (SSL) certificates were issued by DigiNotar, a root certificate authority, for domains including those of the CIA, MI6, Facebook, Microsoft, Skype, Twitter, and WordPress, among others, according to a list released this weekend by the Dutch Ministry of Justice.
Interior Minister Piet Hein Donner told Parliament on Tuesday that the government so far had no evidence that hackers had used the certificates to obtain personal information of Dutch citizens from government sites.
DigiNotar is one of many companies that sell the security certificates widely used to authenticate Web sites and guarantee that communications between a user’s browser and a site are secure.
In theory, a fraudulent certificate can be used to trick a user into visiting a fake version of a Web site, or to monitor communications with the real sites without the user noticing. But in order to pass off a fake certificate, a hacker must be able to steer his target’s Internet traffic through a server that he controls. That is something only an Internet service provider, or a government that commands one, can do.
DigiNotar, a unit of the American company Vasco Data Security International, has been criticized by Dutch lawmakers for not immediately informing the government of the certificate theft.