Dutch Council of Ministers approves establishment of committee to evaluate the Dutch Intelligence and Security Services Act of 2017 (Wiv2017)

On 9 April 2020 the Dutch government announced (in Dutch) that the Council of Ministers approved the establishment of an independent committee to evaluate the Intelligence and Security Services Act of 2017 (“Wiv2017”). In the legislative process that followed the draft bill — back then referred to as “Wiv20xx” — released in 2015, the House of Representatives and the Senate had requested the government to add an evaluation clause to the law, which the government accepted and which was subsequently included in the Coalition Agreement 2017-2021 (.pdf; coalition partners being VVD, CDA, D66 & CU).

The announcement states that the committee’s task is broad: it evaluates the entire law. Based on prior official documents it can be expected that the committee will also explicitly examine, from a legal perspective, the way of working of the new ex ante oversight committee introduced by the Wiv2017, the “Toetsingscommissie Inzet Bevoegdheden” aka TIB. According to the coalition agreement, specific attention will also be paid to whether “arbitrary mass collection of data of citizens in the Netherlands or abroad” is (not) taking place. Be reminded that the Wiv2017 introduced so-called “OOG interception”, which for the first time ever in the Netherlands laid down explicit legal provisions for bulk-like interception of communications on non-ether links, e.g. optic-fiber & copper cables. Prior to the Wiv2017, legal provisions only existed for bulk interception of ether links, e.g. HF radio & satcom. Also, the prohibition of so-called “sigint search” on domestic-domestic communication was removed per the Wiv2017. “Sigint search” is the phase that precedes “sigint select”: roughly speaking, it is the browsing/searching of network links that can be intercepted, in order to identify channels/links/places of possible interest to the legal tasks of the intelligence services. Data can be intercepted in bulk from there for subsequent querying in the “sigint select” phase, to obtain communication matching specific persons, organizations and/or keywords as part of an ongoing investigation. Depending on the outcome of the evaluation it is possible that changes will be proposed to the current law, for instance the addition of new legal safeguards and improvements to the oversight mechanisms.

The remainder of this post consists of an (unofficial) translation of the announcement that the government released yesterday.

Evaluation Committee for the Intelligence and Security Services Act

News release | 09-04-2020 | 14:45

The Council of Ministers has approved the establishment of an independent committee to evaluate the Intelligence and Security Services Act of 2017. This implements the decision, laid down in the coalition agreement, to evaluate the Act no later than two years after its entry into force on 1 May 2018.

The evaluation committee is chaired by Mrs R.V.M. (Renee) Jones-Bos and will start its work as of 1 May 2020 insofar as the measures to combat the coronavirus allow. In addition to the chairperson, six other members will be appointed. Their appointment will take place as soon as the AIVD has concluded their security screening procedure with positive results. The composition of the committee will take into account the knowledge and expertise required for the evaluation in the areas of legislation, operational knowledge of the work of intelligence and security services, digital security and data analysis, human rights and privacy.

The committee is charged with evaluating the law itself, not with evaluating the proper functioning of the services. The evaluation has a broad scope. An important research question is whether the objectives of the law, i.e., modernisation of the powers of the intelligence services and strengthening of the safeguards, are being achieved. The committee must also examine whether the new law has proved to be a workable instrument in practice for the performance of the services’ tasks and what bottlenecks and points for attention exist in the application of the law.

The committee will release its findings in a public evaluation report. The date of delivery of the report will be determined after consultation with the chairperson and will depend on the impact that the Corona measures have on the progress of the committee’s work. For the time being, publication is expected before the end of this year.

Outlines of priorities and focus for the Dutch General & Military Intelligence and Security Service in 2020 (AIVD & MIVD)

On 19 December 2019, the Dutch government sent the outlines of the 2020 year plan (in Dutch) of the General Intelligence & Security Service (AIVD) — here — and the Military Intelligence & Security Service (MIVD) — here — to the parliament. In Dutch it is referred to as “Jaarplanbrief”, which literally translates to “Year Plan Letter”.

The remainder of this post consists of a translation of the section “Priorities and focus” in both letters, ±1000 words in total.

AIVD Priorities and focus 2020

Jihadist terrorism

The jihadist-terrorist threat picture is generally unchanged and is an important priority for the AIVD. The situation is still characterised by a threat of attacks in the West emanating from both globally active jihadist organisations and local networks and individuals. Islamic State in Iraq and al-Sham (ISIS) and al-Qaeda (AQ) have been the main exogenous jihadist threats for some time. Both organisations are still focused on carrying out attacks in the West. In addition, ISIS and AQ encourage their jihadist supporters in the West to carry out attacks independently.

The threat picture is also determined by returnees. In general, returnees have a higher threat profile than jihadists who have never travelled to a combat zone. Among the men in particular there is evidence of combat and explosives training, combat experience, tenacity and transnational jihadist contacts. When they return they can use these experiences and contacts to strengthen and/or mobilise local networks into violent action. The AIVD continues to deploy a substantial part of the available resources and capabilities to investigate terrorist threats by maintaining its intelligence positions at the desired level. In this context, the (inter)national cooperation with partner organisations, including the Counter Terrorism Group (CTG), is also being shaped.


Radicalisation of various population groups

In the Netherlands, the AIVD is concerned about and prompted to intensify its investigations into this issue. In its investigations into radicalisation from an Islamic perspective, the AIVD focuses on non-violent radical Islam in the Netherlands in general. Extra focus is placed on the drivers of non-violent radical Islam. The AIVD also investigates Salafist institutions in the Netherlands. The focus here is on the funding itself and its influence and interference.


The research efforts in the field of extremism will be continued. The focus of research remains on the, sometimes violent, hard core of left-wing and right-wing extremists.

Anti-Islam feelings, fear of loss of national identity and ethnonationalism are the most important motives within the current right-wing extremist movement. An increasingly violent discourse is visible among right-wing extremists on social media in particular. In addition, right-wing terrorist attacks abroad can lead to copying behaviour. This broadens the AIVD’s field of attention from a right-wing extremist to (potentially) a right-wing terrorist threat. Clarification of the potential threat is essential if we are to offer our chain partners and authorities the prospect of action at national and local level.

Left-wing extremism in the Netherlands is characterised by individual or group activities in areas such as anti-fascism, asylum and immigration policy and anarchism. Dutch left-wing extremists/activists are often active on several themes.


Weapons of mass destruction pose a major threat to international peace and security. The Netherlands has signed treaties aimed at countering the proliferation of such weapons. The AIVD and the MIVD jointly investigate countries suspected of developing or already possessing weapons of mass destruction and their means of delivery in violation of these treaties.

Investigations on countries

The AIVD conducts investigations in other countries in order to provide the Dutch government with background information and prospects for action. This information can be used in consultations on subjects affecting Dutch national and international political interests. Geo-political and other developments around the world determine which countries are investigated by the AIVD.

Espionage and undesirable foreign interference

States often use digital means to gain access to vital parts of Dutch society, such as the energy or telecom sector, in order to be able to commit sabotage in this way. Russia, China and Iran, among others, show excessive interest in information from the Netherlands and companies operating in the Netherlands. All these activities can damage Dutch national security, sovereignty and economic interests. In 2020 the AIVD will expand its investigative capabilities against the use of digital resources by other countries.

In addition to the deployment of digital means of spying, in 2020 foreign powers will also continue to carry out traditional intelligence activities in the Netherlands or against Dutch interests. The main objective of espionage activities is the gathering of (secret) information in the fields of politics, defence, science and economics. In addition, they develop activities to surreptitiously influence political and economic decision-making or public opinion.

Information security

High-quality digital attacks, by Russia, China and Iran among others, aimed at espionage, influence, sabotage or terrorism pose a major and increasing threat to the integrity and confidentiality of the Dutch government. The AIVD provides (external) stakeholders with information security advice. This is done by the National Communications Security Agency (NBV), which also develops and evaluates security products for securing state secret and sensitive information.

Unprecedented threat

The AIVD’s investigations are aimed not only at providing an insight into all aspects of existing, already known threats, but also at the timely detection and identification of as yet unknown threats, both within and outside the GAI&V.

MIVD Priorities and focus 2020

Investigations on countries and mission areas

In 2020, the MIVD will conduct research into Afghanistan, Syria and Iraq, among other things. It also supports the deployment of Dutch military personnel in the context of enhanced forward presence (eFP). Together with the AIVD, the MIVD also investigates developments in the Kingdom’s overseas territories.


The MIVD and the AIVD jointly investigate countries suspected of developing or already possessing weapons of mass destruction and their means of delivery in violation of treaties. This investigation will be continued in 2020.

Military technological developments and proliferation

The MIVD also conducts research into military technological developments and the proliferation of high-grade military technology and weapon systems to crisis areas, so that the Dutch armed forces can be properly equipped against existing and future threats. This research will also be continued in 2020.

Espionage and influence

Espionage, influence and sabotage are a constant threat to the Netherlands and its allies. States with great geopolitical ambitions are looking for information to modernise their armed forces, strengthen their economies or influence political decision-making. This can be classic espionage, digital espionage or a combination of both. Hacking offers opportunities for sabotage and influencing political and administrative decision-making or public opinion. By means of takeovers or investments, states also try to obtain information or create strategic dependencies. The MIVD investigates these themes from a military perspective. In 2020, the MIVD will increase its commitment to these themes.

Radicalisation and extremism

Research into possible forms of radicalisation among defence personnel will be continued in 2020. The aim of this research is to identify undesirable behaviour in good time. The MIVD advises on the measures to be taken to identify and deal with these threats. Promoting awareness and understanding requires permanent attention.

20 December: Russian state security officers’ annual professional holiday (since 1995)

In April 1995, the FSB, successor of the KGB, was established under president Boris Yeltsin. In a presidential decree that Yeltsin issued that same year, 20 December, aka Chekist Day, was designated the annual professional holiday for Russian state security officers.

The choice of that date can be traced back to 20 December 1917: the day the Cheka was founded, “the first of a succession of Soviet secret-police organizations”. The UK government has a short piece on it: What’s the Context? 20 December 1917: formation of the Cheka, the first Soviet security and intelligence agency. Also, on 20 December 1920, the Cheka’s Foreign Department was founded — a predecessor of the KGB’s First Chief Directorate.

From a layman’s perspective I’m curious what meaning that day holds for present-day officers, considering that the date also bears an association with historical political persecutions by the Cheka. I have no answer to that question; but I did find a relevant interview with FSB director Nikolai Patrushev that was published in the daily tabloid Komsomolskaya Pravda on 20 December 2000 (a few months after Vladimir Putin was elected).

The remainder of this post consists of an automated translation (using DeepL) of that interview; some 2800 words. The translation is legible, but beware non-obvious inaccuracies. That being said, I found it worth taking note of.


Nikolai Patrushev

“Komsomolskaya Pravda”, December 20, 2000.


  • Nikolai Platonovich, you always emphasize that the FSB is a new domestic intelligence service. And at the same time, the Day of the Chekist is celebrated on December 20 – on this day in 1917 the Chekist Committee was created. Is there no contradiction here, which gives the ill-wishers an excuse to claim that “the spirit of nostalgia for the former omnipotence of the Soviet intelligence services is hovering on Lubyanka”?
  • We’re not sneaking around, calling the FSB a new security service. It was created in April 1995 on the basis of the Federal Counterintelligence Service. That year, laws were adopted that opened a new stage in the development of domestic security agencies – “On Bodies of the Federal Security Service” and “On the Operational and Search Activities”. For the first time in the history of the country, including the Tsarist period, the legislator regulated the activities (including tacit) of intelligence services, outlined the tasks and functions of the FSB, defined its rights and powers, prescribed mechanisms of state and public control over its activities. This is a qualitative difference from those times when the activities of state security agencies were dominated by the principle of partyhood, i.e. the supremacy of interests of the ruling party (or, more precisely, its top). Loyalty to the law, not to anybody, work only in the legal field – a guarantee of not repeating the tragic pages of the past. This is a sensible position of today’s generation of Lubyanka employees.

We have not given up our past, honestly said: “The history of Lubyanka of the passing century is our history, no matter how bitter and tragic it may be”. Everything in it that works for the benefit of Russian statehood, serves the interests of development and prosperity of Russia, its national security, should be preserved and multiplied.

It was December 20 that was unofficially celebrated for many decades as “the day of the Chekist” in the teams of state security officers. The decree on this, signed exactly five years ago, demonstrated demand for and social significance of the work of security service employees. And the departmental sign of the FSB combines the two-headed eagle of Tsarist Russia and “shield and sword” – a traditional symbol of the Soviet era security services.

  • What toast, by tradition, will be the first in the circle of counterintelligence on the day of professional holiday?
  • You must be impressed by movies like “National Security Agent” and think that the whole FSB will be “buzzing” in the morning. No, of course not. The units will hold personnel meetings, hand out certificates and departmental insignia, congratulate the veterans, visit the families of the victims. And when we gather at the festive tables in the evening, we will definitely wish good luck to our colleagues who are currently on a mission: in Chechnya, at checkpoints, in operations – to get out of the fight alive. And a third toast to those who haven’t returned – that stack will be very bitter… After all, the FSB is a fighting organization. We honor the memory of our fallen comrades, constantly taking care of their families, helping widows to solve domestic problems, raising children. This is one side of our corporate brotherhood, our best traditions.


  • What tasks were a priority for your department in the past year?
  • First of all, it’s the fight against terrorism. We should not have allowed a repetition of the terrible tragedies of “black September” last year, when 305 people died. I would like to note at once that in 2000 law enforcement agencies prevented another 13 explosions of powerful explosive devices, including six in Moscow, five in Pyatigorsk, one each in Buynaksk and Vladikavkaz.

Investigations into the September bombings of residential buildings clearly showed that the traces of the crime were in Chechnya, which during the years of the Dudayev and Maskhadov regimes became a springboard for the forces of international terrorism. It would have been impossible to protect the population of Chechnya from terror without defeating the militant groups, depriving them of their training bases and resources, and freeing the republic from the criminal and terrorist clique that had seized it.

Modern terrorism is a complex social and political phenomenon, and Chechnya is only one of the nodal points on its map. The ability of our people to defend themselves is being tested there. If we break down, leave the Caucasus, the process of irreversible collapse of the country will begin. The state’s will, expressed in 1999 – for the first time in recent years – is the guarantee that this will not happen.

  • “Komsomolka” has repeatedly written about the threat of pseudo-Islamic Muslim extremism. Does the FSB share this concern?
  • To the fullest extent, and you are right to raise this issue. The threat is really great, but you can only fight it in the legal field. For example, Wahhabism is prohibited by law in the Republic of Dagestan.
  • According to your estimates, in what condition are the leaders of Chechen fighters currently in? Have the military, border guards, the Interior Ministry and the Federal Security Service managed to seriously impede the inflow of mercenaries into gangs, limit the flow of money and arms of the terrorist?
  • One of the tasks is to uncover and cut off the channels of resource supply for the militants. But we are also responsible for investigation and prevention of terrorist attacks, search for the leaders of the separatists, participants in the attacks on Budennovsk, Kizlyar and Pervomaiskoye and armed invasion of the Republic of Dagestan. Recently our officers detained former chief of the so-called “special service of the Chechen Republic of Ichkeria” Atgeriev. Work on the leaders of the militants continues…

I will highlight the problem of mercenarism in particular. Recently FSB officers detained in Chechnya a native of Iraq, Abd al-Aziz Mohammed Abd al-Wahhab. This adherent of “Wahhabism ideas” not only took part in illegal armed formation, conducted ideological processing of its members, but also kidnapped, tortured and raped 4 women, turning them into slaves.

In the passing year illegal activities of foreign security services in the North Caucasus that were carried out under the cover of international organization Khalo-Trust were revealed. Its activists assisted Chechen militants in training local subversives.

The separatists continue their attempts to stir up tension in the neighbouring Russian regions of Chechnya – Ingushetia, Dagestan, Karachay-Cherkessia, Kabardino-Balkaria. There is information about attempts by extremist leaders to establish militant bases here and to involve certain ethnic groups and supporters of various Islamic currents in armed conflict with federal forces. Therefore, there will be a long and difficult struggle to preserve the territorial integrity of the country, interfaith harmony and peace and tranquillity of our multi-ethnic people. I am talking about this directly, without hiding anything in front of the million audience of Komsomolka.


  • Coming to the higher echelons of power of people who started their way in special services, generates different conversations – up to categorical statements about “threat to democracy”…
  • This thesis, willingly picked up in some media, is, in my opinion, an attempt to “demonize” the former employees of SVR and FSB who came into power. The aim is understandable – to create an image of some “dark force” defending not the national, but its own narrowly corporate interests, and thus to weaken the resource of people’s trust in the new leadership of the country. The appearance of people in the Old Square, in the Kremlin and in the regions who have completed the school of leadership in the national security structures is a vital necessity to pour “fresh blood” into the Russian management corps, an aspiration to use the potential of responsible and organized people who have preserved, despite everything, the “spirit of public service”. I know many of them well. They are modern thinkers, educated people. They are not unwilling idealists, but tough pragmatists who understand the logic of international and domestic political developments, emerging contradictions and threats. At the same time, they understand well the impossibility of returning to the old, the need to develop the country based on a reasonable combination of liberal and traditional values.


  • What other priority lines of work did the FSB have in the past year?
  • These are the fight against the intelligence and subversive activities of foreign intelligence services, work to identify and prevent threats to economic security, fight corruption, illegal export of goods, smuggling of drugs and weapons, cultural values.
  • Can we elaborate on the fight against espionage?
  • Special services of foreign states have made significant efforts to expand operational positions in Russia. One of the main goals was to identify the true plans of the new government of Russia on both domestic and foreign policy issues. The activities of foreign intelligence services in the Russian direction are now more coordinated than ever. Intelligence of the leading NATO countries today is “welcome guests” in most European countries that were formerly part of the Warsaw Pact, as well as in the Baltic States. However, the main danger is that Western intelligence, through its residences, conducts its own intelligence from the territories of these states, including operations of communication with Russian citizens’ agents. Thus, this year counterintelligence arrested a British and Estonian intelligence agent. In the recent past, he was a senior officer of one of the Russian security services and used his connections among the security services, political and business circles to gather information.

The FSB bodies were aimed at protecting our scientific and technical potential, unique breakthrough technologies and developments, without which the country’s revival is impossible. Here too, the case of Edmond Pope, a former career U.S. Naval Intelligence Officer, is landmark. In the muddy waters, foreign intelligence businessmen were very comfortable. For a penny, it was possible to acquire know-how that had been created by thousands of people. In the Pope case, Russia showed that time was running out. The country’s leadership let the international community know that it was defending its national interests strictly and fundamentally. And the president’s decision to pardon Pope, the very time of its adoption, is a demonstration of good will.

In October 1999, Sutyagin, an employee of the US and Canadian Institute of the Russian Academy of Sciences, was detained. The investigation revealed the facts of spying activities of his connection – an American citizen Joshua Handler, a specialist in nuclear safety, who is now in the United States. It has been preliminarily established that Handler received from Sutyagin secret information about the Russian Armed Forces and passed it on to U.S. intelligence agencies. Unfortunately, some journalists, unaware of this, show Sutyagin in their publications as “an honest and courageous citizen who advocates democratic freedoms”.


  • What does the FSB keep smart people who, as far as we know, work for a modest salary?
  • I do not want to say high words, but our best employees, the honor and pride of the FSB, do not work for money. When I have to hand out government awards to our guys, I look at their faces. High intellectuals-analysts, broad-shouldered weathered Special Forces fighters, silent bomb technicians, strict investigators, discreet opera scouts… Outwardly, they are different, but there is one important quality that unites them – these are serving people, if you like, modern “neophytes”. On the obelisk to an FSB officer, Hero of Russia, who died in the Caucasus, there are lines, it seems to me, accurately conveying the moral “core” of our people: “Service to the Fatherland, friendship to comrades, heart to loved ones, honor to no one.” Service gives a sense of involvement in a great state affair, the excitement of struggle, when you defeat an opponent better equipped and “paid”, an enemy brazen and confident, who thinks that there are no real professionals left on Lubyanka. This will not replace even the highest salary of a private guard. He works for his master, and we – for the state. Remember the words of the protagonist in the movie “Brother-2”: “Not in money strength, American, but in truth”? That’s the truth the FSB is fighting for…

Although I do not condemn those who have to leave the service due to the difficult financial situation of their families. It’s only bitter that I can’t do anything… People in epaulets hope that the state, the new leadership of the country, which knows their problems firsthand, will approach with attention the long overdue issue of improving the living standards of soldiers.

  • Tell us about those of your subordinates who did heroic deeds in the passing year.
  • This year six employees of the FSB were awarded the title of Hero of the Russian Federation. Captain Igor Yatskov was posthumously awarded the title of Hero of the Russian Federation. As part of the advanced units of the 136th Motorized Rifle Brigade near the village of Kiri of the Cheberloyevsky district of the Chechen Republic on January 11, 2000, he took part in a battle with superior forces of the militants. Having received several serious wounds, the officer, bleeding out, remained in the ranks. Captain Alexei Gorbunov, Major Andrei Chirikhin, FSB special forces officers Valery Alexandrov, Mikhail Seregin, Nikolai Shchekochikhin, Major Alexander Alimov and others were awarded the Order of Courage (posthumously).
  • You are a man, for obvious reasons, “closed”. And yet, how do you rest? What do you manage to read?
  • I’m the one who really likes the phrase: “My hobby is work” (laughs). Our work needs to be given in its entirety, it requires you everything. How am I resting? I like to play volleyball. I was serious when I was a student. It’s a collective sport. And it’s like our job: defense and assault… It’s a good way to switch hunting. I’ve been into it for a long time, just like fishing.

I start my day by watching fresh newspapers, and of course, “Komsomolka” is one of the first…

  • What would you like to wish your employees today through “Komsomolka”?
  • I wish them and their families, our veterans, everyone who helps us in the difficult task of protecting the homeland, I wish them health and fortitude.

Patrushev Nikolay Platonovich was born in 1951 in Leningrad in the family of a sailor. After graduating from the Leningrad Shipbuilding Institute, he worked there for some time. After joining the state security bodies, he received professional training in Minsk KGB school. Then he worked for a long time on various positions in the KGB in Leningrad region. In 1992 he was appointed Minister of Security of Karelia. In 1994, he was transferred to Moscow. Since August 1999, he has been Director of the FSB of Russia. Colonel-General.

Patrushev’s wife – doctor, specialist in ultrasound. The family has two sons.

At leisure, Nikolai Platonovich manages to read books, but, as he himself admitted, prefers “short forms” – it’s painfully short time. For example, he reads Chekhov and Zoshchenko’s stories in the mood.

Experts have not yet “come to terms” with a specific date on which to count down the history of national security. But its milestones have been established precisely: the Order of Tsar Alexei Mikhailovich’s Secret Affairs, the Preobrazhensky Order, the Secret Search Cases of Peter the Great’s Office, the Secret Expedition to the Senate, the Special Chancellery of the Ministry of Police of Alexander I, the III Division of Emperors Nicholas I and Alexander II’s own Office, the State Police Department, the Special Division of the Police Department of the Ministry of Internal Affairs and a number of other structures. As for counterintelligence itself, its “birthday” in the course of scientific discussions was determined on January 21 (old style) 1903. On this day, Nicholas II decided to create in the structure of the General Staff of the Russian Army, the first in the history of the country, a permanent special unit to fight against espionage – the “Exploration Department”. Its first chief was gendarmerie company minister Vladimir Nikolaevich Lavrov. The Day of the Security Bodies Employee is also a professional holiday of the employees of SVR, FAPSI, FSO, GUSP, FPS – structures that were born in the early 90s on the basis of a number of departments of the USSR KGB. It is a holiday of all those who protect the interests of the Fatherland.


Physical Counter Surveillance – Dry Cleaning and Evading Capture

In a meeting with a former counter-intelligence practitioner I first learned of ‘dry cleaning’ as tradecraft jargon in the realm of countersurveillance. William E. Dyson’s book Terrorism – An Investigator’s Handbook, 4th Edition (2015; first edition published in 2011) defines it as follows:

dry cleaning A process by which a subject takes actions that enable him to “lose” anyone who is attempting to follow him. A person may “dry clean” himself by entering a crowded movie theater and leaving soon after through a rear door. Undercover officers and informants should also undertake “dry cleaning” maneuvers before meeting each other.

The Terms & Definitions of Interest for DoD Counterintelligence Professionals (.pdf, 2011) from the U.S. Office of Counterintelligence (DXC), part of the Defense Intelligence Agency (DIA), contains a definition taken from an old manual of the Air Force Office of Special Investigations (AFOSI):

Dry Cleaning. [Tradecraft jargon] Any technique used to elude surveillance. A usual precaution used by intelligence personnel when actively engaged in an operation. (AFOSI Manual 71-142, 9 Jun 2000)

Following the meeting I did a bit of self-study and came across a reposted text apparently once shared at the now-defunct forum at XtremeRoot.net. I’m reposting it here because 1) it is IMO a useful read that covers (a subset of) aspects that also came up in said meeting, and 2) LOCKSS. I could not readily identify whom to contact to ask for permission to re-post it here. If you’re the author, feel free to contact me (see sidebar).

Further reading on this topic (friendly reminder: always apply critical thinking):

Traditional humint tradecraft presumably remains a key aspect of modern intelligence, notwithstanding the tech-heavy era we now live in. And be reminded that technology can fail — for instance by accident, by sabotage or (indirectly) by adversarial interception/surveillance.

NOTE: everything below this line is NOT authored by me, except for one [NOTE: (…)] block that I added.

I recently underwent some counter surveillance training, and it was one of the most exciting things I’ve ever done. As such, I thought I’d write up a short tutorial based on what I was taught and what I went through. This is all related to personal counter surveillance – i.e. preventing people following you.

There are 3 major parts to counter surveillance:
1) Planning
2) Identification – Spotting people who may be following you and verifying their intent.
3) Evasion – Making it difficult to follow you by performing certain maneuvers and following certain rules.

These principles, when put together, form something called a cleaning run. Its objective is to get you to a destination whilst identifying and losing any tail you might have.

The basic rules of a cleaning run are as follows:

  • Give yourself roughly double to triple the amount of time usually needed to get to the destination. A cleaning run can last up to 3 hours!
  • Plan your journey before heading out.
  • Move across a large geographic area.
  • Act naturally.
  • Try to spend at least 50% of your journey in areas that are not covered by CCTV.
  • Vary your transport method. Travel by bus, tram, train and taxi as well as on foot.
  • Be aware of your surroundings and the people nearby.
  • Be prepared! You need a pen, paper, envelope, stamps and enough cash for transport and visits to cafes / coffee shops. If you smoke, take some cigarettes and a lighter too.

The first step is to plan your journey. Start in an arbitrary direction, heading nowhere near your destination. You need to visit a variety of locations including quiet suburbs and busy city centres. Try to make the path you take relatively realistic (e.g. don’t walk round a block twice) and make it look like you have a reason to go to certain places along the way. You need at least two locations that will be almost entirely deserted – large open areas like parks are excellent for spotting someone following you. Make sure that your route crosses a few bridges and goes down some small side streets. You need to be able to stop off frequently at shops and other attractions. Look up timetables for buses, trams and trains, and use these services in your journey. You’ll also want to find places with post boxes and phone boxes, as they can provide some useful distractions.

Before you can shake a tail, you need to identify it. The best way to do this is to spot people you have seen before. A professional team can consist of 10 or more people, of which 2 or 3 at a time will follow you. They do a hand over periodically and try to avoid re-using the same members so that you don’t notice the tail. The “tried and tested” positioning system is to have one person follow directly behind you and another follow on the other side of the road further behind. If a third person is used, they are usually kept further back. If they think you’ve identified an agent, they’ll pull them out and replace them if possible.

The following things about a person can help you identify them as a tail:

  • If there are multiple agents, expect 90% of them to be 30 years old or less.
  • A professional team member usually has a precise watch. You can spot these quite easily if you’re close by.
  • They will change their course when you stop or change your course.
  • They will avoid looking directly at you, or stare.
  • Untrained people in a team might talk into their sleeve or talk to themselves.
  • If there are only one or two agents and they are associated with the police (CID, SOCA, etc), they will usually be wearing a suit (this is true for the UK, at least).
  • When waiting, they will usually loiter aimlessly or appear fascinated by a mundane sign or poster.

When walking down quiet roads it is easy to notice someone following you. However, it is difficult to turn round and get a good look at them without them noticing. One great method for this is to enter a shop and purchase something. As you enter, glance behind you to see if anyone is there. If there is, hold the door for them. When you leave, go back the way you came for a while, then turn off and go another direction. You can usually identify at least one surveillance member this way.

In places with some traffic, cross over at an intersection. If you’re on the left of the street turn right and vice versa. This gives you a chance to stop and look around as if you were checking for traffic. If you cross at a pedestrian crossing, pretend to press the button but don’t. This gives you time to stop and look around longer, making anyone following you quite obvious.

Small bridges and alleys can make great choke points. Be aware that isolated areas might be problematic because they might confront you, so try to pick areas with at least a few people around. If you smoke, stop to light up as you walk down a choke point. Stand sideways so that you can see both directions. This means that anyone following you will have to walk straight past, so you can easily identify them. You could also stop to write an SMS message – it’s feasible that you can’t walk and text at the same time. If you do this, start writing it and stop after the 4th or 5th letter. Most people will at least try to write and walk before failing!

In larger shops, stand and browse the magazines. You can use the short periods between picking up each magazine to glance in a direction to look for anyone you remember from before, or anyone looking at you. Untrained people will often behave unusually and can easily give themselves away in certain situations. They may stare intently at you, or completely avoid making eye contact. In the case of the ones who are quite obviously attempting to watch you without directly looking, orchestrate your path so that you walk past them, then stop and ask the time. This usually shocks and disorientates them, and they’ll usually get flustered and stutter their reply.

Use your pen and paper to jot down short descriptions of people that might be following you and anyone that you see twice. You can buy a newspaper and use the crossword to jot things down too. If you see someone twice in two far apart areas, you’re probably being followed. The same applies if you see the same person three times as you’re performing your run.

A clever trick is to scan for Bluetooth devices nearby when sat around. If you see the same name twice, you have a tail. [NOTE: one probably should not carry any electronic device to a secret meeting to begin with, except burners — which still requires tradecraft. Radio emissions — and not only Bluetooth or Wi-Fi — should be assumed to be unique fingerprints.]

Once you’ve spotted the people you want to escape, you need to start doing things to divert their attention from you to thin out the crowd. The text-book stuff like dodging down an alley or switching back on yourself is way too obvious and a professional will be able to handle it easily.

Organise your journey so that you arrive at a train station, get your tickets, then have to wait 10 minutes in the coffee shop before boarding a train. If possible, use the automated ticket machine and jump in just before someone else gets in the queue behind you. This helps stop agents from shoulder-surfing to find out where you’re going, or listening in on your conversation with the ticket office person. Wait until the last minute before moving to the platform, or sit on the wrong platform until your train is announced and then move to the correct one. Sit as close to a door as possible so you can see the entire carriage.

When travelling by bus, pay for a ticket to the furthest destination it goes to, then get off before that stop. This helps divert resources and prevent any surveillance teams from setting up in a target location. If you can sit at the back do so, as you can see where everybody is. On double-decker buses you might want to sit up top to make it more obvious if you’re being followed.

Towards the final quarter of your run, make it look like you’re doing something sinister. Go to a phonebox and call the number of a small computer shop. Ask something like “how much is your cheapest SATA hard drive?” and write down the price and a random postal code that’s near the computer shop. Write a single letter on the bottom of the paper to make it more confusing, then place it on top of the phone unit and leave the box. This will look like you’re trying to perform a dead-drop, so an agent would investigate. This reduces the number of people following you. You can then go into another phone box, fumble around underneath it to make it look like you’re grabbing something that’s taped to the bottom, get out an envelope and pretend to put this non-existent thing inside it, attach a stamp, write an address on there (somewhere around five miles away) and go post it in a postbox. An agent will need to get someone to open the phone box, so this will delay them further.

Strike up a conversation with someone in the street to make it look like that’s who you went to go see. This is best done in a quiet area, so you can watch the people nearby.

You can perform a covert U-turn by walking past a shop and showing some interest in it (stare at it as you walk) and then stopping 20 feet down the road as you very obviously check your watch. Stare at your watch for a second, then turn back and go to that shop. This makes it look like you couldn’t decide if you had time to go to the shop. Some poorly trained agents might just stop still and stare at you gormlessly if you do this.

In extreme circumstances, you can go for certain overt techniques that give away the fact that you know you’re being followed:

  • Do a U-turn whilst walking and check out everyone who looks at you.
  • Do the whole “tying my shoelace” thing. It can mean agents have to be dropped because they have to pass you, but it’s very obvious and you can’t actually identify them easily.
  • Ask someone you think is tailing you for a lighter. Strike up a conversation about the weather or compliment them on their hair, shirt or watch if they have to spend more than 5 seconds fumbling around for it.
  • Dodge down an alleyway quickly or move in a circuitous route through a store with multiple exits. These allow you to shake a tail, but make it obvious that you are immediately wary of someone following you.
  • Sit in a coffee shop and wait until you see someone that you know is following you. As you get up to leave, they will look over. Stare directly at them and wave before leaving.
  • Use a payphone to call for three taxis. Book one from your current location (or nearby) to position A, and book the other two from near position A to position B. Take only one of the second taxis, then have them drop you off slightly outside location B. If they’re resourceful enough to be able to pull phone records, they’ll spend resources trying to find out who you called and where you asked to go to. Once they discover you have called 3 taxis, they’ll know something is odd.


[Dutch] Vulnerable Pulse Connect Secure SSL-VPNs in Dutch IP address space: findings and thoughts

  • UPDATE 2020-08-17: Government knew who was vulnerable but still let companies get hacked (FD) and ‘Government does not always warn companies in the event of a hack’ (NOS).

    Very sour. The core of the story: as early as August 2019 the NCSC had lists of vulnerable Pulse systems, but (partly) because the NCSC, under its (limited) mandate, did not forward all of that information, some Dutch systems were compromised in May/June 2020 after all. Information about systems that do not fall under central government or critical infrastructure was not forwarded by the NCSC to the organisations concerned.

    Organisations, critical or not, are and remain responsible for their own information security. But that does not mean that, if you have information about current vulnerabilities, it is acceptable for that information not to reach those organisations. At the time I did not know that the NCSC only forwarded the critical-infrastructure and central-government entries from such lists and did nothing (or was not allowed to do anything) with the information about other systems, including systems of healthcare institutions and some of the companies that have now been compromised after all. That only became clear to me in the aftermath.

    Preventing a repeat requires revising the status quo, possibly including amending the NCSC’s mandate so that it is allowed to forward that information.

    My personal opinion is that organisations, whichever they are, should in the case of vulnerabilities as severe as Pulse/Forti/Palo/Citrix/etc. not only be e-mailed (as DIVD normally does, among other channels via the Security Meldpunt) but that there should also be ‘active’ one-to-one contact, for instance by telephone. An e-mail still sometimes ends up in a spam folder or is missed or not forwarded for some other reason. That is also why most pentest firms, on finding high and critical risks, call their client directly rather than only informing them by e-mail (and never name concrete vulnerabilities in unencrypted e-mail).

  • UPDATE 2020-08-04: Hacker leaks passwords for 900+ enterprise VPN servers (ZDNet). Malicious actors appear to have attacked ~900 Pulse systems worldwide in June/July. Credentials, among other data, of a large range of organisations were leaked via web forums. In size/scope this is the largest publicly known incident involving unpatched Pulse systems so far.
  • UPDATE 2020-06-03: Field Note on CVE-2019-11510: Pulse Connect Secure SSL-VPN in the Netherlands, published in ACM DTRAP Vol. 1 Issue 2, May 2020. Intended as a discussion piece, in the hope of breaking through the passivity, or fear, or risk aversion: in my view we must (continue to) scan proactively when new critical vulnerabilities appear. That has legal, ethical, organisational and technical aspects. The Field Note contains a number of questions on those to stimulate thinking. It can be cited as:
    Matthijs Koot. 2020. Field Note on CVE-2019-11510: Pulse Connect Secure SSL-VPN in the Netherlands. Digital Threats: Research and Practice 1, 2, Article 13 (May 2020), 7 pages. DOI:https://doi.org/10.1145/338276
  • UPDATE 2020-02-11: Letter to Parliament on the results of the analysis of VPN software (mirror .pdf). The DTC (of the Ministry of Economic Affairs) mentioned in it is not (yet?) operational with respect to sharing information about specific vulnerable systems/IP addresses. The DTC passes on general advisories/warnings from the NCSC, and those are only heeded by recipients who themselves realise that they use a particular IT product or IT configuration. Experience shows that such self-awareness (‘situational awareness’) is often far from perfect. So we simply carry on with unsolicited (pro)active scanning and reporting; the stakes are too high to leave it to bureaucracy. That such scanning itself can, strictly speaking, constitute unauthorised computer access (computervredebreuk), as is the case with (reliable) testing for Pulse CVE-2019-11510 and Citrix CVE-2019-19781, is very uncomfortable: for me personally, “end of VOG” (certificate of conduct) could mean “end of career”. Necessity, proportionality and subsidiarity of scanning activities are therefore crucial. But with critical vulnerabilities that turn out to be so widespread in society, we have to. Doing nothing is not an option.

    Until the DTC is operational on the point of sharing information about specific vulnerable systems/IP addresses, the Dutch Security Meldpunt (which during the ad hoc “go-live” on 13/14 January was informally placed with DIVD) remains a useful complement to the NCSC for disseminating (or having disseminated) information about specific vulnerable systems to people who can or must act on it, such as IT security staff and administrators at the organisations concerned and/or their IT service providers.

    The letter to Parliament, understandably, does not mention everything that played a role in practice or still does. One example is that in retrospect it turned out that at the time of the Pulse story in August 2019 the NCSC did not know all the IP addresses of all ABDO companies and their suppliers, and that for that reason systems of some ten ABDO companies/suppliers in the lists supplied to the NCSC by third parties were not recognised as such by the NCSC, and those organisations were not informed. Information about the vulnerability of those specific systems therefore remained with the NCSC and only came onto the Ministry of Defence’s radar after I (also) made my list available to the Bureau Industrieveiligheid of the MIVD. Unlike the NCSC, they have enforcement powers (doorzettingsmacht) with respect to ABDO companies. That the systems in question were very quickly patched or (temporarily) taken offline after the contact with the Bureau Industrieveiligheid is probably also thanks to those powers.

    The letter further states: “The AIVD and the MIVD have observed that state actors are abusing the vulnerability in the Pulse Secure VPN software.” Know that this is not simply parroting the NSA & GCHQ.

    A field note by the undersigned on the Pulse case will shortly appear at ACM DTRAP, including some thoughts on proactive scanning by CSIRTs in a federated/decentralised model. For several reasons, including autonomy/privacy and information power (no additional big brother…), I am personally not in favour of a centralised model in which, say, the NCSC itself would scan more than just central-government organisations and infrastructure touching critical processes. Pragmatic, efficient, reliable and confidential are in my view core values for proactive scanning.
  • UPDATE 2019-10-07: Mitigating Recent VPN Vulnerabilities (.pdf, advisory issued by the US NSA). Quote: “Multiple Nation State Advanced Persistent Threat (APT) actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 to gain access to vulnerable VPN devices”.
  • UPDATE 2019-10-02: Vulnerabilities exploited in VPN products used worldwide (NCSC-UK, part of the British GCHQ).
  • UPDATE 2019-10-01: the publications by Volkskrant and Reporter Radio were discussed today in the House of Representatives during question time, on the initiative of Ronald van Raak (SP).
  • UPDATE 2019-09-29: if anyone has questions, do ask them and avoid assumptions or incorrect interpretations. I am easy to reach via e-mail and Twitter (see sidebar) and happy to help.
  • UPDATE 2019-09-28: Network of hundreds of companies, including KLM, Shell and Schiphol, leaky for months (Volkskrant) and ‘Companies and government vulnerable for months due to major security hole’ (NOS).

    As for the direction of a solution, further pressure/coercion from The Hague may not be needed: there is already a statutory obligation for data controllers to adequately secure personal data, laid down in Art. 32 GDPR, and the administrative enforcement towards the critical sector and digital service providers laid down in Art. 27 Wbni.

    The solution lies in providing more room for proactive research (such as scanning) and action: not only for the NCSC, but also for universities and the business community. I am not a lawyer, however, and it is now a political question. I call on politicians to be informed by the right people, including subject-matter experts such as technical specialists (e.g. from CERT bodies). There is talk of enforcement powers for the NCSC. Let us think about that calmly and with a cool head, as Jaap-Henk Hoepman also believes, because enforcement powers can be counterproductive. For instance for the good/smooth relationship between the NCSC and its constituencies, in which pressure/coercion from the NCSC can have undesirable consequences.

    A remark of a general nature: in principle nobody needs to be ashamed of a vulnerability, or even of a compromise. Technology is complex and anyone, including the expert, can overlook something or make a human error (of judgement). One should be ashamed if serious vulnerabilities are and remain present unnoticed for a long time when that is (partly) caused by passivity (for instance lack of interest) or risk aversion (not daring to scan/test, while malicious actors do). Protecting government, business and individuals on the internet is a ‘whole of society’ issue. Everyone who can contribute to improvement should feel free to do so, without having to fear a criminal record (assuming one acts carefully: necessity, proportionality, subsidiarity), and those contributions should be embraced by all of us. Whoever does so should never be denied a promotion, does not deserve reputational damage via the media, and can, after an unexpected compromise, tell a good and honest story. Let all organisations in our society embrace the idea of Coordinated Vulnerability Disclosure (CVD; formerly called Responsible Disclosure/RD). And let us be somewhat more forgiving, also towards organisations with vulnerabilities, for the sake of the higher common goal: a sufficiently secure and free information society.

Original publication

[The post below was published in collaboration with Ralph Moonen, CTO at Secura. See also BNR Nieuwsradio, 2 September 2019: “Internal network of dozens of Dutch companies and organisations wide open”.]

Pulse Secure, a spin-off of Juniper that continued the Juniper product Junos Pulse independently under a new trademark, is one of the largest vendors of network access security products: in October 2018 market research firm Frost & Sullivan recognised it as one of the four key players in the SMB and enterprise market segment, with 20,000 customers worldwide.

In April 2019 Pulse Secure published a critical security advisory for Pulse Connect Secure and Pulse Policy Secure, an SSL-VPN and a NAC/BYOD solution respectively. Pulse Secure customers use the products for secure access by (for instance) employees to an extranet or an internal network.

The summary in the advisory reads as follows (emphasis is original):

Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Many of these vulnerabilities have a critical CVSS score and pose significant risk to your deployment. We strongly recommend to upgrade to the corresponding version with the fix as soon as possible.

The security patches, which were thus already published by the vendor in April 2019, fix a series of serious vulnerabilities. Of these, CVE-2019-11510 had the highest possible (CVSSv3) vulnerability score: 10.

Via that vulnerability an anonymous, unauthenticated attacker can remotely, from the internet, read arbitrary files, including the .mdb database containing usernames, passwords (in plaintext and/or decryptable form) and session identifiers of VPN sessions. Active sessions can be hijacked (source); incidentally also via CVE-2019-11540, a cross-site script inclusion vulnerability, in combination with (for instance) BeEF. Two-factor authentication is thereby bypassed as well. In combination with other vulnerabilities, infection with malware/spyware is also possible.

It is up to the system and network administrators at organisations that use these products to be aware of these security patch(es) and to install them almost immediately (if necessary via an emergency procedure within the normal change management process). Whether or not at the direction of their CISO, following a security advisory from the NCSC, and/or a tip from a third party. Reality shows that in this case that did not go well at many organisations.

In August the Taiwanese discoverers of the vulnerabilities, Orange Tsai and Meh Chang of DEVCORE, who delivered excellent work, published details of their findings at Black Hat USA 2019 (slides in .pdf format) and DEF CON 27 (videos), and soon afterwards CVE-2019-11510, among others, was seen being exploited in the wild. On Saturday morning 24 August that was visible in the logs of this blog (scroll to the right in the grey box to see the rest of the line):

/var/log/www.cyberwar.nl-access.bloglog:- - - [24/Aug/2019:10:45:57 +0200] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 400 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Following that, research was done on Dutch IP addresses. A heads-up about it was sent to the NCSC (cert@ncsc.nl) on Saturday evening, who called back with an acknowledgement of receipt. On Sunday morning 25 August the result of the (small) study, a list of 538 vulnerable Pulse Connect Secure systems, was passed on to the NCSC (cert@ncsc.nl). In our communication with the NCSC that weekend we highlighted two cases that (in our view) could potentially be classified as “serious” or “very serious” for national security. Both systems were patched almost immediately.

Over the past week, testing was repeated daily (and that will continue in the coming period). The outcome is as follows:

Note: it is possible that more vulnerable systems exist than were found in this study. For the systems that were counted, it is plausible that they are actually vulnerable (and thus not false positives, such as a honeypot). Not every system belongs to a Dutch organisation: there are also foreign organisations that make use of the good internet infrastructure we have in the Netherlands.

At the time of writing, well over 300 Pulse Connect Secure SSL-VPNs in Dutch IP address space are therefore still vulnerable (*) to at least CVE-2019-11510.

The initial list of vulnerable systems in Dutch IP address space was no joke; it included, among others:

  • central government
  • local governments
  • aviation sector (both flight operators and industry/research)
  • listed companies (including ones with high-tech intellectual property)
  • defence industry (10 organisations)
  • education sector (including a university and a university of applied sciences)
  • financial sector (several banks, insurers, tax and accounting firms)
  • ICT companies (several well-known/large names, with among others the Ministry of Defence as a client; and some ICT security companies)
  • port companies
  • petrochemical industry
  • healthcare parties (including care providers and national healthcare ICT)
  • a few smaller ISPs and telecom providers
  • […more…]

Attribution to organisations is based on a combination of WHOIS data for the IP address, the system/domain names in the TLS certificate, and PTR and A records in DNS. Only in a few cases, judging by that data, was it a test or development system. The rest are production environments or former production environments. Former production environments may still contain current usernames/passwords, so even then there is potentially a ‘real’ problem, even if that environment has since been disconnected from the rest of the network.

Organisations that use Pulse Connect Secure would do well to check their logs for the presence of the following values (without the “[…]”):


If one or more of these has been successfully downloaded by an unknown third party, VPN users must immediately change their password on all systems where they use that password. Hopefully that does not also include their private accounts at Facebook, Google, Apple, and so on; password reuse remains a persistent phenomenon.
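The probe quoted from this blog’s log above, and the advice to check Pulse logs for such reads, translate into a simple log check. The following is an added example, not code from this blog, from Secura or from Pulse Secure: it parses access-log lines in the common “combined” format, flags requests that enter via /dana-na/ or /dana/ and climb out with ../ segments (the shape of the CVE-2019-11510 probe shown above), and separates blocked attempts from reads the server actually answered with a 2xx status. It also catches percent-encoded ../ variants, which goes beyond the literal line on the page. The log lines, client IP addresses and the benign-looking path /dana-na/auth/welcome.cgi are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Constructed sample log lines in Apache/nginx "combined" format. The first line has the
# same shape as the probe quoted on the page (with a constructed client IP); the others are
# made up here: an encoded variant the server answered with 200, a benign Pulse request,
# and a traversal outside the Pulse web root that this check deliberately ignores.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Aug/2019:10:45:57 +0200] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 400 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [25/Aug/2019:03:12:01 +0200] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 200 412 "-" "python-requests/2.22.0"
192.0.2.55 - - [25/Aug/2019:08:00:14 +0200] "GET /dana-na/auth/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.56 - - [25/Aug/2019:08:00:15 +0200] "GET /static/../index.html HTTP/1.1" 404 153 "-" "curl/7.64.1"
"""

# One "combined" log line: client IP, identd, user, [timestamp], "request line",
# status, response size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A ".." path segment, i.e. a step out of the directory the request started in.
TRAVERSAL = re.compile(r'(?:^|/)\.\.(?:/|$)')


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str        # percent-decoded request target, query string included
    status: int
    outcome: str     # "successful read" for a 2xx answer, otherwise "attempt"


def is_pulse_traversal(target: str) -> bool:
    """True when the request target is a directory-traversal attempt against the Pulse
    web root (/dana-na/ or /dana/), the shape used against CVE-2019-11510.
    The path is percent-decoded first so %2e%2e%2f variants are caught as well."""
    path = unquote(target.split('?', 1)[0])
    if not (path.startswith('/dana-na/') or path.startswith('/dana/')):
        return False
    return TRAVERSAL.search(path) is not None


def scan_log(text: str) -> List[Finding]:
    """Parse combined-format access-log text; return one Finding per matching request.
    Lines that are not in combined format are skipped rather than raising."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None or not is_pulse_traversal(m['target']):
            continue
        status = int(m['status'])
        outcome = 'successful read' if 200 <= status < 300 else 'attempt'
        findings.append(Finding(m['ip'], m['ts'], unquote(m['target']), status, outcome))
    return findings


def successful_reads(findings: List[Finding]) -> List[Finding]:
    """Only the findings where the server actually served the file (2xx): these are
    the cases that warrant the password reset the post describes."""
    return [f for f in findings if f.outcome == 'successful read']


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.ip:<15} {f.status}  {f.outcome:<15} {f.path}")
```

The status code is the point of the distinction: a 4xx on a traversal request (as in the blog’s own log, which is not a Pulse system) only identifies a scanning source, while a 2xx on a real Pulse Connect Secure box means the file left the appliance and the credential reset described above applies.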

Het NCSC heeft meerdere meldingen ontvangen inzake Pulse Secure en verschillende partijen geïnformeerd. Ons (Secura) is niet bekend welke partijen wel en welke niet. Vanwege de ernst van de situatie hebben ook wij direct actie in gang gezet (better safe than sorry): een reeks organisaties is vorige week door ons gebeld en een meerdere kwetsbare systemen zijn inmiddels gepatcht. Ongetwijfeld zullen meer partijen zo’n inspanning hebben ondernomen. We hebben het echter druk genoeg met onze normale werkzaamheden en zouden dit dus liever niet hoeven doen; maar voelen het een beetje als een morele plicht (if not us, then who?).

Dit soort situaties is onacceptabel: het kan niet zo zijn dat honderden systemen — in dit geval ook bij grootbedrijven en in vitale sectoren — na het bekend worden van ernstige kwetsbaarheden nog maandenlang actief zijn als sitting ducks voor kwaadwillenden.

Daarover het volgende.

Zowel het NCSC als private ICT-beveiligingsbedrijven als journalisten als (andere) individuele onderzoekers hebben beperkte mogelijkheden en resources. Het testen van andermans systemen op een kwetsbaarheid kan strafbaar zijn onder de wet computercriminaliteit, ook al zijn de bedoelingen goed en doorstaat de werkwijze de toets aan subsidiariteit/proportionaliteit (zo was ons onderzoek beperkt tot het uitlezen van versie-informatie en een bestand dat op alle Pulse Connect Secure-systemen identitiek is — dus geen gebruikersgegevens verwerven, laat staan code injecteren of commando’s uitvoeren).

Coordinated Vulnerability Disclosure (CVD; voorheen Responsible Disclosure) is voor dit soort cases hooguit een lapmiddel, want te arbeidsintensief gegeven de urgentie en omvang van het aantal kwetsbare organisaties. De verantwoordelijkheid kan niet liggen bij individuele onderzoekers of beveiligingsbedrijven die ongevraagd ad-hoc testen. Maar getuige wat is aangetroffen kan de verantwoordelijkheid vooralsnog óók niet alleen liggen bij de private organisaties zelf. En de vendor heeft gedaan wat deze moest doen: een beveiligingspatch uitbrengen en daarover communiceren aan klanten.

Het NCSC is dan weer met handen en voeten gebonden door wetgeving en ethische overwegingen: misschien wenst de Rijksoverheid zich in beginsel niet wil te mengen in private aangelegenheden. En ICT-beveiliging van private organisaties is en blijft in beginsel een private aangelegenheid.

De situatie rondom CVE-2019-11510 toont echter aan dat die verantwoordelijkheid bij private organisaties nog onvoldoende effectief wordt gedragen, ook bij organisaties die competente IT-beveiligers in dienst hebben (zo weten we beroepshalve). Hoe de huidige situatie zich laat verklaren is niet duidelijk — het zou een onderwerp kunnen zijn voor een (wetenschappelijk?) evaluatieonderzoek.

Het idee is niet nieuw, maar misschien zou het NCSC of een ander (Rijks)overheidsorgaan de ruimte/bevoegdheid moeten krijgen om Nederlandse IP-adresruimte bij (uitsluitend) zeer ernstige kwetsbaarheden in internet-facing producten onder voorwaarden proactief te testen (of laten testen) op kwetsbare systemen. Een centraal contactlijstje met CISOs van MKB en grootbedrijven zou daarbij kunnen helpen, als dat niet reeds bestaat.

It does open a can of worms, though:

  • Risks
    • What if a private system goes down because of a test the government performs (or has performed on its behalf)?
    • How do you know that an IP address (block) is still in use by organisation X at the time of a test, and only by that organisation?
    • How to deal with blacklisting/whitelisting of the IP addresses the government tests from?
  • Privacy
    • What if thorough/careful testing entails reading out user data, even if only a little?
    • To what extent is it possible to reliably/robustly exclude from the scan the IP address space used by individual citizens (i.e. not used for business purposes by an organisation)?
  • The government's view of its own role
    • Do we consider this a task for the government or not?
    • Is there a less intrusive means by which the same goal can be achieved?
    • Should it be opt-in or opt-out for private organisations?
    • How to deal with cases in which a private organisation still does not patch a vulnerable system after being notified by the government?
    • Which vulnerabilities to test for, and which not?
    • How do we know that the government will not itself exploit the vulnerabilities it finds for (other) government interests such as law enforcement and intelligence work? (perhaps not a major concern, but it cannot be left out of consideration.)

Active vulnerability testing by the central government may well require a change in legislation. That would then be a job for lawyers and/or politicians.

Finally, as a quick reference, the list of affected and non-affected versions of Pulse Connect Secure and Pulse Policy Secure (source: SA44101):

SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities
resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX

Affected Versions:
Pulse Connect Secure 9.0R1 - 9.0R3.3
Pulse Connect Secure 8.3R1 - 8.3R7
Pulse Connect Secure 8.2R1 - 8.2R12
Pulse Connect Secure 8.1R1 - 8.1R15
Pulse Policy Secure 9.0R1 - 9.0R3.3
Pulse Policy Secure 5.4R1 - 5.4R7
Pulse Policy Secure 5.3R1 - 5.3R12
Pulse Policy Secure 5.2R1 - 5.2R12
Pulse Policy Secure 5.1R1 - 5.1R15

Not Affected:
Pulse Connect Secure 9.1R1 and above
Pulse Connect Secure 9.0R4 & 9.0R3.4
Pulse Connect Secure 8.3R7.1
Pulse Connect Secure 8.2R12.1
Pulse Connect Secure 8.1R15.1 
Pulse Policy Secure 9.1R1 and above
Pulse Policy Secure 9.0R4 & 9.0R3.4
Pulse Policy Secure 5.4R7.1
Pulse Policy Secure 5.3R12.1
Pulse Policy Secure 5.2R12.1
Pulse Policy Secure 5.1R15.1
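Reading the version list above by eye is error-prone, because the fixed builds (9.0R3.4, 8.3R7.1, 8.1R15.1 and so on) differ from the last affected build only in a trailing component. The following script is an added example for this post, not code from the blog or from Pulse Secure: it parses version strings of the form `<major>.<minor>R<release>[.<patch>]`, transcribes the inclusive affected ranges from SA44101 as data, and classifies versions from a device inventory so a defender can prioritise patching. The inventory hostnames and versions are constructed sample input; the "9.1R1 and above" rule is transcribed from the advisory's "Not Affected" list.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Pulse Secure version strings look like "9.0R3.3" or "8.3R7".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse 'major.minorRrelease[.patch]' into a comparable tuple.

    A missing patch component is treated as 0, so 8.3R7 < 8.3R7.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse Secure version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# Affected ranges transcribed from SA44101; both ends are inclusive.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "Pulse Connect Secure": [
        ("9.0R1", "9.0R3.3"),
        ("8.3R1", "8.3R7"),
        ("8.2R1", "8.2R12"),
        ("8.1R1", "8.1R15"),
    ],
    "Pulse Policy Secure": [
        ("9.0R1", "9.0R3.3"),
        ("5.4R1", "5.4R7"),
        ("5.3R1", "5.3R12"),
        ("5.2R1", "5.2R12"),
        ("5.1R1", "5.1R15"),
    ],
}

# SA44101 lists "9.1R1 and above" as not affected for both products.
FIRST_CLEAN_TRAIN = (9, 1)


def classify(product: str, version_text: str) -> str:
    """Return 'affected', 'not affected' or 'not covered by SA44101'."""
    if product not in AFFECTED_RANGES:
        raise ValueError(f"product not listed in SA44101: {product!r}")
    v = parse_version(version_text)
    ranges = AFFECTED_RANGES[product]
    for lo, hi in ranges:
        if parse_version(lo) <= v <= parse_version(hi):
            return "affected"
    if v[:2] >= FIRST_CLEAN_TRAIN:
        return "not affected"
    # Same release train as an affected range but above its upper bound:
    # this is where the fixed builds (9.0R3.4, 8.3R7.1, 8.1R15.1, ...) land.
    if any(v[:2] == parse_version(lo)[:2] for lo, _ in ranges):
        return "not affected"
    # Older trains (e.g. 8.0, 7.x) are simply not mentioned in the advisory.
    return "not covered by SA44101"


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames running an affected version, for patch prioritisation."""
    return [host for host, product, ver in inventory
            if classify(product, ver) == "affected"]


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("vpn-a.example", "Pulse Connect Secure", "8.3R7"),
    ("vpn-b.example", "Pulse Connect Secure", "8.3R7.1"),
    ("vpn-c.example", "Pulse Connect Secure", "9.0R3.3"),
    ("vpn-d.example", "Pulse Connect Secure", "9.1R2"),
    ("nac-a.example", "Pulse Policy Secure", "5.4R7"),
    ("nac-b.example", "Pulse Policy Secure", "5.4R7.1"),
    ("nac-c.example", "Pulse Policy Secure", "5.0R3"),
]

if __name__ == "__main__":
    for host, product, ver in SAMPLE_INVENTORY:
        print(f"{host:16} {product:22} {ver:10} {classify(product, ver)}")
    print("patch first:", triage(SAMPLE_INVENTORY))
```

Two caveats when using this against a real inventory. "Not covered by SA44101" is not the same as safe: release trains that the advisory does not mention at all (for example 8.0 or older) should be treated as end-of-life and replaced, not as clean. And a version string only tells you whether the vulnerable code is present today; a system that ran an affected build while exposed to the internet should also be checked for signs of earlier compromise, since patching does not undo anything that happened before the patch.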

P.S. 1: anyone who is a customer of a cyber insurer and leaves a critical security patch on an internet-facing system uninstalled for four months probably should not count on a payout in the event of a compromise. Read more: ‘Vlijt en naarstigheid’ in een digitale wereld: eigen schuld en beredding in de context van de cyberverzekering (.pdf) by mr. N.M. Brouwer in AV&S 2019/23, August 2019.

P.S. 2: Pulse Secure product versions that later turned out to be vulnerable received Common Criteria certification in the US in early 2018. That approved those versions for use in certain (more) sensitive environments in the US. A positive outcome of a Common Criteria certification process, as carried out in the Netherlands by the AIVD-NBV and under the BSPA programme via accredited companies, does not mean that a product is free of defects. Vulnerabilities, including serious ones, are regularly found in certified products. This relates to the (EAL) level at which assurance is requested and, tied to that, the scoping, available time, knowledge, skills, equipment, documentation, and (un)availability of source code. Something that deserves attention in its own right again in the near future.

* Publishing this blog post while vulnerable systems remain is done with mixed feelings. Bad Packets has already published that no fewer than 14,500 (!) vulnerable instances are active worldwide. Partly for that reason, waiting any longer seems to us, and to the people whose views we sought, more irresponsible than going public now with the current numbers; without naming IP addresses or organisations.