third Cyber Security Assessment Netherlands - NCSC
[Figure: timeline of data leaks in the Netherlands, April 2012 to January 2013. Incidents shown:]
- Leak in the Humannet website belonging to the VCD IT company published personal and medical files belonging to 300,000 employees
- The websites of the football club AZ and the KNVB leak data from 6,000 users
- Break-in at web shop Replace Direct. Several account details leaked.
- Hack of Simpel.nl leaving multiple databases accessible
- 140,000 KPN DSL accounts use standard password
- Leak from Tix.nl makes details of 26,000 airline passengers public
- Pharmacy in Rotterdam puts clients’ medical details in the garbage
- Medical research centre Diagnostiek voor U leaks highly sensitive data of thousands of people in the Dutch province of Brabant
- 95,000 customer details publicly accessible due to a leak at Perry Sport website
- Break-in at the development environment at FarMedvisie – personal details of 8,500 patients of two care institutions leaked
- University of Utrecht learning system administrative account uses a weak password
- Marketing campaign bol.com leaks details of 84,000 participants
- GGZ Drenthe leaks details of 3000 forum visitors
- Hack at ProServe: 800,000 company and web shop customer details stolen
- A computer system at the Groene Hart hospital containing the details of almost 500,000 patients is revealed to be insufficiently secured
- Bits of Freedom stopped after three years with the Data Leaks Black List
- Twente University lending system proven vulnerable, with customer details easy to access
The figure above shows the data leaks in the Netherlands recorded by the
private organisation Bits of Freedom, updated to 14 January 2013. [208]
8.3 The end-user is left with security problems
The devices which end-users buy (smartphones, laptops, printers,
routers, etc.) are not always securely configured by default, or the
user interface is unclear. It is the suppliers themselves who
determine how the device is set up by default, and they are not
bound by any rules. As a result, it is difficult for users to configure
devices securely themselves and keep them up to date in terms
of security. The consequence may be that data can be viewed or
manipulated by third parties.
Vulnerabilities in online devices
In December 2012 the American security company Rapid7
announced (see also a programme broadcast by KRO
Reporter [209]) that it had found 83 million devices globally that
could be reached by Universal Plug and Play (UPnP) control
commands through the internet. The cause was insecure UPnP
configuration settings, often the default factory settings.
This means that attackers can reach these devices through the
internet and then make them unavailable, adjust the settings,
watch using cameras or read the content of a network drive.
A quarter of these devices are set up in such a way that they
can be maliciously abused.
[208] https://www.bof.nl/category/zwartboek-datalekken/
[209] https://www.ncsc.nl/actueel/nieuwsberichten/upnp-beperk-het-gebruik.html
      http://reporter.kro.nl/seizoenen/2012/afleveringen/07-12-2012
[210] http://secunia.com/vulnerability-review/vendor_update.html
End-users are increasingly facing risks from vulnerabilities in software
added to standard software, such as third-party add-ons and (browser)
plug-ins. According to recent research by Secunia [210], the proportion of
vulnerabilities found in this software, compared with vulnerabilities in the
standard operating system, increased from 57 per cent in 2007 to 86
per cent in 2012. An analysis of unique NCSC advisories issued since
2010 confirms this trend.