COFFEE AND DANISH HELL: National ID system cockup forces insecure Java on Danes
A bungled IT upgrade has downed Denmark’s universal NemID login system, forcing people to stay on an insecure version of Java if they want to carry out online banking, check their insurance, or retrieve tax return information.
Problems with NemID were first reported on Tuesday, and on Thursday the NATS IT consultancy behind the system said Danes wouldn’t be able to use both the latest patched version of Java and NemID until Friday.
NemID is a single login for services from private banking and email to insurance services, local council services. It consists of a user ID, a password, and a code card that generates a one-time key.
The system was developed through a collaboration between the state and the banking sector, and reaches into “hundreds” of bank and public IT systems. And, to the no-doubt dismay of Reg readers, it relies on Java.
Java Update 45 was released on Tuesday, bringing with it a whopping 51 security bug fixes for the still widely used platform.
A dozen of these vulnerabilities merited the most severe CVSSv2 score of 10, meaning they could be used “to take full control over the attacked machine over the network without requiring authentication.”
So, the Danes are faced with a conundrum: upgrade and lose access to critical public and private online services, or don’t upgrade and keep their computers open to some potentially very serious security flaws.
Citizens who have already upgraded to Java 7 Update 45 are recommended to fully uninstall Java then reinstall Java 7 Update 40 for the insecure software to let them access their public services.
The problem for this doesn’t lie with Oracle, but rather with the integrator NATS, which seems to have bungled support for the new patch. ®