Email addresses of Dutch politicians are easy to spoof, as journalists in the Netherlands showed earlier this month.
What followed was a heated debate about the responsibilities of reporters in revealing security flaws, and the implementation of common security practices on email servers.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
The news broke after Dutch investigative journalists from Follow The Money (FTM) – a website that specialises mostly in financial news stories – posted an article on the possibility of spoofing emails sent in the name of Dutch MPs. Reporters discovered the possibility of sending emails that appeared to come from @tweedekamer.nl, the domain used by Dutch parliament.
FTM worked with ethical hacker Maarten Boone, who tipped off the reporters about the “leak”. It was later revealed that Boone had recently been laid off from Fox-IT, a security company that advises the Dutch government on cyber security practices and which had revealed the flaw a long time ago.
To corroborate their story, the reporters sent several emails to Dutch MPs that were obviously fake, mostly to do with the recently formed Dutch coalition. “Well guys, looks like we have to start talks all over again,” a fake prime minister joked in a spoof email to other coalition partners.
The story got even more attention when a popular late show called RTL Late Night picked up the story and showed some of the spoof emails during a national broadcast.
Sender policy framework has its pros and cons
The email spoofing is possible due to the lack of a sender policy framework (SPF) on the general network of parliament, a method that’s fairly easy to implement but is often glossed over by systems administrators. According to the reporters, sending an email in the name of prime minister Mark Rutte would make a phishing campaigns pretty effective.
After it was published, a heated debate broke out about the implications of the story, as well as the way it was framed. According to many security experts, Follow The Money made a relatively minor problem bigger.
SPF, though handy in such situations, is not the be-all and end-all solution against spoofing – a problem that can never be truly prevented. Using SPF, a domain can validate whether an email comes from the same domain or is spoofed. In the case of the latter, usually the spoof email is immediately deleted or sent to a spam inbox. However, implementing SPF sometimes brings a risk of marking too many false positives, resulting in unnecessarily deleted emails.
Email security flaws go beyond parliament
Other journalists and security researchers found out more Dutch public authorities that had configured their email settings improperly. The Dutch intelligence service AIVD, the national police force and several energy companies hadn’t configured their servers, though several days after the initial news report fixes had been implemented.
Soon after the news broke, many criticised the reporters for making the news seem bigger than it actually was. It was soon found out that neither Follow The Money nor RTL Late Night had implemented the security measures they scolded the parliament for not having.
There was also criticism about the impact of the shown leak. Many pointed out that spoofing is difficult to prevent in email, and that common security practices – such as not clicking links or attachments that aren’t expected – are always applicable, leading many to claim the story was not really news at all.
Irresponsible disclosure of security bug
But worse was probably that the journalists had not practiced any responsible disclosure, but rather went public with their findings immediately. The role of media in responsible disclosure has always been a complicated topic, but it’s reasonable to expect even journalists to give a company some time to fix any bugs in the system.
Despite all the criticism, several ambitious systems administrators were quick to implement security measures that same night, as some discovered. It seems the publicity, flawed as it might have been, had helped. In an update, the Chamber said “urgent measures” had been taken to fix the vulnerability, which no longer exists. The statement also mentioned “further steps” that would be taken to double-check emails from non-secured domains, and to prevent future misuse of emails, but what these measures are remains unknown.
Several other public instances, including the intelligence services, also made some fixes on the protocol later in the week, though several other domains remained vulnerable.
Earlier warnings brushed aside
It’s not the first time the issue has been brought up in the country. Several security experts mentioned discovering the subject before, but never following up on it because it seemed an unlikely-to-be-exploited problem that was difficult to completely prevent.
However, Dutch Labour Party MP Astrid Oosenbrug asked official questions in parliament as far back as 2015, and did so several times after. According to the reporters, the problem was well known among politicians, but was not deemed important enough to follow up on.
“Politicians lack a sense of urgency in these matters,” Oosenbrug is quoted as saying, by FTM. She referenced an earlier instance in which minister of economic affairs Henk Kamp was found to be using a private Gmail account to conduct government business. And where in the US such an affair might lead to losing a presidential nomination, reactions in the Netherlands were tempered.
It’s also not the first time the IT system of the Dutch parliament has been compromised. Earlier this year, a wave of ransomware encrypted files on the computers of MPs after an infected Microsoft Word document was sent around. In June, news site Binnenlands Bestuur found that practically all Dutch municipalities didn’t follow standard security practices for their email servers, making phishing campaigns easy.