From Wikipedia, the free encyclopedia
Jump to: navigation, search
Although both active in IT security Fox-IT isn't related to the Chinese software company Foxit Corp.
Founded 1999
Headquarters Delft, Netherlands

Fox-IT is a Dutch consultancy company based in Delft. Fox-IT is active in the information technology security sector. Their mission-statement is: "Making technical and innovative contributions for a more secure society."[1]


Two Dutchmen with a background in forensic investigations and hacking the infrastructure of the Netherlands Forensic Institute, Ronald Prins and Menno van der Marel, formed the company in 1999. It was one of the first digital investigation agency in Western-Europe.[2]

In 2003 Fox-IT took over some of the activities of Philips Crypto when the electronics-firm saw the revenues of Philips Crypto going down.[3]

Later, in 2005, Fox-IT opened their first international offices in Great Britain and on Aruba (formerly part of the Netherlands Antilles). Other markets, such as the Middle East and the United States are served through local partners.

In December 2007 the company came out as most reliable security company in a survey from Emerce, which was performed by TNS Nipo. The survey was part of the Emerce 100: a survey of the image of e-commerce companies. Overall the company ended on place 11, behind Google but before companies as Ebay and the Boston Consultancy Group.[4][5]

The company has approximately 200 staff who are all screened by the AIVD.[1]

Products and services[edit]

The main activity of Fox-IT is advising companies, governments and other organisations on IT security. Its main customers are national governments and large organisations.

Consultancy services for the implementation of secure e-government systems and performing security-audits are the core-business of Fox-IT. Their audit into CA DigiNotar lead to the Dutch government revoking their trust in that company and declaring that certificates issued by Diginotar under the Dutch government root-certificate were no longer valid.[6] Also permanent security monitoring services and digital forensic investigation services are offered and they also developed complete IT solutions and products such as Fox Replay and encryption-systems.

Encryption systems[edit]

Fox DataDiode is a secure one-way communication system, e.g. to secure datatransfer where no real-time authentication is possible (for example when copying data on a physical medium such as a disc or USB key) but also other applications are possible. The DataDiode is also used in the lawful data interception solution from Fox-IT that prevents any tampering of data from the point where the data is intercepted and the central storage/monitoring systems.

Secure VPN: SINA VPN. Sina VPN solution was developed as the VPN solution to connect to State Secret networks in Germany and is also approved for use in the Netherlands for networks where state secrets are involved.[7]

RedFox Crypto Chip: Fox-IT was awarded a contract from the Dutch government to design a new hardware based encryption system. The clearance level of systems using this chip is still under consideration.[8]

Fox Random Card: hardware based Random Number Generator: many cryptographic solutions depend on the use of true random numbers and this product offers a PCMCIA card to generate true random numbers.[9]

Fox Replay[edit]

Data that is intercepted from lawful interception needs to be analysed. There are two main types of intercepted data: the data from an individual Internet-connection (for example the ADSL access-line of an Internet subscriber) or the email-communication of an email-address. In both cases there will be a large amount of unstructured data. Lawful interception involves several steps: the actual intercepting of data, this is normally done by the Internet service provider based on the IP address of the intercepted party of the (cable or DSL) modem of this party. Then all this data has to be sent securely to a central monitoring and storage system of the (government) agency responsible for this task and finally all this data needs to be monitored and analysed.

Fox Replay is a series of products to analyse data that is intercepted and also includes a covert version where the agency can do the interception themselves.

Fox Replay Covert: For the 'standard' interception there is clear legislation where the ISP needs to intercept traffic and send it to the central processing agency, but there are situation where there is no such friendly environment where the actual interception will be performed by the ISP. This can be the case when an agency wants to intercept traffic in another country or in a country where there is no reliable central government. The Fox Replay Covert is an all-in-one solution where both the actual interception, storage and the analysis is done in one system.[10]

Fox Replay Analyst is an application where the intercepted traffic can be followed in real-time or in streaming-mode where you analyse stored data-steams. All IP datastreams can be analysed, both IPv4 and IPv6 and it is possible to scan the actual content of the data, even if that in itself is sent in compressed form such as ZIP files etc. There are several 'search' options to analyse these datastreams. When not using the 'real-time' datastream you can reconstruct the stored data.

Fox Replay Personal Workstation is a laptop-version of the Replay products where the analysis can be done outside the central monitoring and storage centre.

The combination of above Replay Products and the Datadiode product provides a framework for lawful interception.

On the 26th of September 2011, it was announced[11] that the Replay division would be spun off to NetScout Systems, Inc.

External products[edit]

Fox-IT also delivers products from other companies. It is the company partner of the German company Secusmart.[12]

Clients and cases[edit]

Dutch government[edit]

Fox-IT is a regular partner of the Dutch government on data interception and IT-security. Most Dutch government-departments and security agencies do business with the company.[13] The audit at DigiNotar (see below) was performed on request of the Dutch government.


Main article: DigiNotar

Although already a relatively well established name in the sector, the company became a much heard name due to the security incident with the false certificates issued by DigiNotar. DigiNotar was one of the 4 Certificate Service Providers that could issue certificates under the PKIoverheid root-certificate (Overheid is the Dutch word for Government). National and local governments and their agencies can request certificates under this root-CA and use the Public Key Infrastructure to secure their electronic communications. PKIoverheid certificates are used by the Belastingdienst (tax-collector) and the authentication-platform DigiD. The Dutch government itself does not issue certificates but has assigned a few companies to issue them on their behalf.

One of these companies was DigiNotar, but after a break-in into their systems false certificates were issued to unknown parties such as a wildcard certificate for * which was issued to someone in Iran. Although there were no clear indications that DigiNotar issued false certificates under the PKIoverheid root the Dutch government asked Fox-IT to do an investigation in DigiNotar and audit their systems and procedures to guarantee that certificates under the PKIoverheid root were still 100% secure.[14][15] The outcome of this audit/investigation was that there was no proof that false certificates were issued under the PKIoverheid root but there was also no proof that the DigiNotar issued certificates were safe and the Dutch government decided to end their relationship with DigiNotar and all organisations that used certificates issued by DigiNotar were advised to request a new certificate by one of the remaining three CSP's.[6]

The DigiNotar hack was claimed by ComodoHacker, the hacker responsible for the security breach at Comodo Group. F-Secure has confirmed that ComodoHacker is indeed also responsible for the DigiNotar hack and warns that he targets other CA's as well.[16]


ComodoHacker has claimed that he has also hacked the environment of CA GlobalSign;[17][non-primary source needed] GlobalSign took this claim seriously and temporarily stopped the signing or issuance of certificates to investigate.

They also hired Fox-IT to audit and investigate their environment due to their knowledge and experience of this particular hacker.[18][19]

Yahoo malware attack[edit]

On January 5, 2014 Fox IT reported that some visitors to Yahoo! sites were infected with malware. The cause was reported to be ads that redirect to sites with malicious exploits. Maarten van Dantzig said that the redirection took place even when the ad was not clicked. It was estimated that 50,000 infections per hour happened as a result.

Yahoo said in a statement that European users were affected. Surfright, another Dutch security firm estimated more than 5 million computers were infected. The damage was more than $9.5 million. who the person was is unknown. [20][21]


  1. ^ a b (secure)Website Fox-IT: About Fox-IT, visited 24 may 2014.
  2. ^ Fox-IT history, visited 24 May 2014.
  3. ^ Website Crypto Museum on Philips Crypto, visited 5 September 2011.
  4. ^ Emerce Top10 Security 2008, 17 December 2007, visited 6 September 2011.
  5. ^ Emerce 100 - 2008, 17 December 2007, visited 6 September 2011.
  6. ^ a b Newsrelease Dutch Government: Government revokes trust DigiNotar certificates, 3 September 2011. Visited 5 September 2011.
  7. ^ Product description Sina VPN, visited 6 September 2011.
  8. ^ Redfox Cryptochip, PDF document, retrieved 5 September 2011.
  9. ^ Fox-IT website on FOX Randomcard, visited 5 September 2011.[dead link]
  10. ^ Product folder Fox Replay Covert, retrieved 6 September 2011.[dead link]
  11. ^ Press release announcing spin off of Fox Replay BV
  12. ^ Website Secusmart over Partner Fox-IT, visited 5 September 2011.
  13. ^ Nieuwsarchief juni 2009, retrieved 5 September 2011.
  14. ^ ZDNet UK: False SSL certificates issued for spy-agencies, 5 September 2011.
  15. ^ DigiNotar website Interim audit report Fox-IT, 5 September 2011. Visited 6 September 2011.
  16. ^ F-Secure website Diginotar hacker comes out, 6 September 2011.
  17. ^ PasteBin statement of ComodoHacker, 5 September 2011
  18. ^ GlobalSign statement: Security Response, 6 September 2011.
  19. ^ website GlobalSign stops issuing SSL certificates and hires Fox-IT, 7 September 2011.
  20. ^
  21. ^

External links[edit]