0001193125-11-241796.txt : 201109070001193125-11-241796.hdr.sgml : 2011090720110907075836ACCESSION NUMBER:0001193125-11-241796CONFORMED SUBMISSION TYPE:8-KPUBLIC DOCUMENT COUNT:14CONFORMED PERIOD OF REPORT:20110902ITEM INFORMATION:Other EventsITEM INFORMATION:Financial Statements and ExhibitsFILED AS OF DATE:20110907DATE AS OF CHANGE:20110907

FILER:

COMPANY DATA:COMPANY CONFORMED NAME:VASCO DATA SECURITY INTERNATIONAL INCCENTRAL INDEX KEY:0001044777STANDARD INDUSTRIAL CLASSIFICATION:SERVICES-COMPUTER INTEGRATED SYSTEMS DESIGN [7373]IRS NUMBER:364169320STATE OF INCORPORATION:DEFISCAL YEAR END:1231

FILING VALUES:FORM TYPE:8-KSEC ACT:1934 ActSEC FILE NUMBER:000-24389FILM NUMBER:111077107

BUSINESS ADDRESS:STREET 1:1901 SOUTH MYERS ROADSTREET 2:SUITE 210CITY:OAKBROOK TERRACESTATE:ILZIP:60181BUSINESS PHONE:6309328844

MAIL ADDRESS:STREET 1:1919 S HIGHLAND AVESTREET 2:STE 118 CCITY:LOMBARDSTATE:ILZIP:60148

8-K1d8k.htmFORM 8-K

Form 8-K

SECURITIES AND EXCHANGECOMMISSION

WASHINGTON, D.C. 20549

FORM 8-K

CURRENT REPORT

PURSUANT TO SECTION 13 OR 15(d) OF THE

SECURITIES EXCHANGE ACT OF 1934

Date of Report (Date of earliest eventreported): September2, 2011

VASCO Data Security International, Inc.

(Exact name of registrant as specified in charter)

Delaware000-2438936-4169320

(State or other jurisdiction

of incorporation)

(Commission

File Number)

(IRS Employer

Identification No.)

1901 South Meyers Road, Suite 210

Oakbrook Terrace, Illinois 60181

(Address of principal executive offices) (Zip Code)

Registrantstelephone number, including area code: (630)932-8844

N/A

(Former name or former address, if changed since last report)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions (see General Instruction A.2.below):

Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Item8.01. Other Events

On August 30, 2011, VASCO Data Security International, Inc. (VASCO) issued a press release commenting on a reported security incident at DigiNotar B.V., a wholly-owned subsidiary of VASCO (DigiNotar). Thepress release was filed on Form 8-K dated August 31, 2011. Additional activity related to the DigiNotar security incident follows:

OnSeptember 2, 2011, VASCO issued a press release announcing it had invited the Dutch Government to jointly address the recent security incident at DigiNotar. In the press release, in the third sentence under the caption Forward LookingStatements, there was a reference to VASCOs Annual Report on Form 10-K for the fiscal year ended December 31, 2009 filed with the Securities and Exchange Commission. The reference should have been to VASCOs Annual Report on Form10-K for the fiscal year ended December 31, 2010 filed with the Securities and Exchange Commission. The full text of the press release, as corrected, is furnished as Exhibit 99.1 and is incorporated herein by reference in its entirety.

On September 5, 2011, DigiNotar posted to its website (www.diginotar.com) an interim report prepared by Fox-IT B.V., an information technology securitycompany, detailing preliminary findings of its review of the DigiNotar security incident. The interim report is furnished hereto as Exhibit 99.2 and is incorporated herein by reference in its entirety.

On September 5, 2011, DigiNotar issued an open statement to DigiNotars partners, customers, and the people of Iran related to the DigiNotarsecurity incident. A copy of the letter is furnished hereto as Exhibit 99.3 and is incorporated by reference in its entirety.

On September 5,2011, VASCO Data Security International, Inc. posted an open letter to VASCO shareholders on the VASCO website (www.vasco.com) related to the DigiNotar incident. A copy of the letter is furnished hereto as Exhibit 99.4 and is incorporated herein byreference in its entirety.

Item 9.01 Financial Statements and Exhibits.

(d) Exhibits. The following Exhibits are furnished herewith:

Exhibit

Number

Description

99.1Press Release dated September 2, 2011, as corrected.

99.2Interim Report issued by Fox-IT BV dated September 5, 2011, related to the Investigation DigiNotar Certificate Authority Environment.

99.3Statement issued by DigiNotar on September 5, 2011.

99.4Letter issued by VASCO on September 5, 2011.

SIGNATURE

Pursuant to the requirements of the Securities Exchange Act of 1934, the Registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

Date: September7, 2011

VASCO Data Security International, Inc.

/s/ Clifford K. Bown

Clifford K. Bown

Chief Financial Officer

EXHIBIT INDEX

The following Exhibits are furnished herewith:

Exhibit
Number

Description

99.1Press Release dated September 2, 2011, as corrected.

99.2Interim Report issued by Fox-IT BV dated September 5, 2011, related to the Investigation DigiNotar Certificate Authority Environment.

99.3Statement issued by DigiNotar on September 5, 2011.

99.4Letter issued by VASCO on September 5, 2011.

EX-99.12dex991.htmPRESS RELEASE DATED SEPTEMBER 2, 2011, AS CORRECTED

Press Release dated September 2, 2011, as corrected

Exhibit 99.1

Press Release dated September2, 2011, as corrected.

VASCO Offers Dutch Government JointApproach of DigiNotar Incident

OAKBROOK TERRACE, Ill. and ZURICH, Switzerland - Sept. 2, 2011 - VASCO Data Security International, Inc.(NASDAQ: VDSI; www.vasco.com) today announced that it has invited the Dutch government to jointly solve the DigiNotar incident. As part of its proposal, VASCO invites the Dutch Government to send staff to work together to jointly assess andremedy the problem.

It is our firm belief that cooperating with VASCO is the right decision for the Dutch Government. We are convincedthat together we will solve this issue, said Ken Hunt, VASCOs Chairman& CEO.

About VASCO

VASCO is a leading supplier of strong authentication and e-signature solutions and services specializing in Internet security applications andtransactions. VASCO has positioned itself as a global software company for Internet security serving a customer base of approximately 10,000 companies in more than 100 countries, including approximately 1,700 international financial institutions.VASCOs prime markets are the financial sector, enterprise security, e-commerce and e-government.

Forward Looking Statements:

Statements made in this news release that relate to future plans, events or performances are forward-looking statements. These forward-lookingstatements (1)are identified by use of terms and phrases such as expect, believe, will, anticipate, emerging, intend, plan, could, may,estimate, should, objective and goal, possible, potential, and similar words and expressions, but such words and phrases are not the exclusive means of identifying them, and(2)are subject to risks and uncertainties and represent our present expectations or beliefs concerning future events. VASCO cautions that the forward-looking statements are qualified by important factors that could cause actual results todiffer materially from those in the forward-looking statements. These risks, uncertainties and other factors have been described in greater detail in the Annual Report on Form 10-K for the fiscal year ended December31, 2010 filed with theSecurities and Exchange Commission and include, but are not limited to, (a)risks of general market conditions, including currency fluctuations and the uncertainties in world economic and financial markets, (b)risks inherent to thecomputer and network security industry, including rapidly changing technology, evolving industry standards, increasing numbers of patent infringement claims, changes in customer requirements, price competitive bidding, and changing governmentregulations, and (c)risks specific to VASCO, including, demand for our products and services, competition from more established firms and others, pressures on price levels and our historical dependence on relatively few products, certainsuppliers and certain key customers. Reference is made to VASCOs public filings with the U.S. Securities and Exchange Commission for further information regarding VASCO and its operations.

This document may contain trademarks of VASCO Data Security International, Inc. and its subsidiaries, including VASCO, the VASCO V design,DIGIPASS, VACMAN, aXsGUARD and IDENTIKEY.

For more information contact: Jochem Binst, +32 2 609 97 00, jbinst@vasco.com

Follow us on Twitter: http://twitter.com/VASCODataNews

EX-99.23dex992.htmINTERIM REPORT

Interim Report

Exhibit 99.2

Interim Report

September 5, 2011

DigiNotar Certificate Authority breach

Operation Black Tulip

ClassificationPUBLIC

CustomerDigiNotar B.V.

Subject:Investigation DigiNotar Certificate Authority Environment

Date5 September 2011

Version1.0

AuthorJ.R. Prins (CEO Fox-IT)

Business UnitCybercrime

Pages13

Fox-IT BV

Olof Palmestraat 6

2616 LM Delft

P.O. box 638

2600 AP Delft

The Netherlands

Phone: +31 (0)15 284 7999

Fax: +31 (0)15 284 7990

Email: fox@fox-it.com

Internet: www.fox-it.com

Copyright 2011 Fox-IT BV

All rights reserved.

Trademark

Fox-IT and the Fox-IT logo are trademarks of Fox-IT BV.

All other trademarks mentioned in this document are owned by the mentioned legacy body or organization.

PUBLIC2

1Introduction

1.1Background

The company DigiNotarB.V. provides digital certificate services; it hosts a number of Certificate Authorities (CAs). Certificates issued include default SSL certificates, Qualified Certificates and PKIoverheid (Government accredited) certificates.

On the evening of Monday August29th it became public knowledge that a rogue *.google.com certificate was presented to a number of Internet users in Iran.This false certificate had been issued by DigiNotar B.V. and was revoked1 that same evening.

On the morning of the following Tuesday, Fox-IT was contacted and asked toinvestigate the breach and report its findings before the end of the week.

Fox-IT assembled a team and started the investigation immediately.The investigation team includes forensic IT experts, cybercrime investigators, malware analysts and a security expert with PKI experience. The team was headed by CEO J.R. Prins directly.

It was communicated and understood from the outset, that Fox-IT wouldnt be able to complete an in-depth investigation of the incident within this limited timeframe. This is due to the complexity ofthe PKI environment and the uncommon nature of the breach.

Rather, due to the urgency of this matter, Fox-IT agreed to prepare an interimreport at the end of the week with its preliminary findings, which would be published.

1.2Investigation questions

Theinvestigation predominately focused on following questions:

1.How did the perpetrators access the network?

2.What is the scope and status of the breach?

Have other DigiNotar CA environments been breached?

Do we still see hacker activity on the network of DigiNotar?

Are rogue certificates actively being used by hackers?

3.Can we discover anything about the impact of the incident?

What certificates were issued without knowledge of DigiNotar?

What other (rogue) certificates might have been generated?

How many rogue connections were made using rogue certificates?

What was the nature of these connections?

In order to address these questions we (basically) (i)implemented specialized monitoring to be able to detect, analyse and follow up on active misuse, and (ii)analysed digital traces on harddisks, and in databases and log files to investigate the origin and impact of the breach.

1Revoked: A certificate is irreversibly revoked if, for example, it is discovered that the certificate authority (CA) had improperly issued a certificate, or if aprivate-key is thought to have been compromised. Certificates may also be revoked for failure of the identified entity to adhere to policy requirements such as publication of false documents, mis-representation of software behavior, or violation ofany other policy specified by the CA operator or its customer. The most common reason for revocation is the user no longer being in sole possession of the private key (e.g., the token containing the private key has been lost or stolen).

PUBLIC3

1.3This report

The goal of this report is to share relevant information with DigiNotar stakeholders (such as the Dutch Government and the Internet community), based on which they can make their own risk analysis.Because this is a public report, some investigation results and details cannot be included for privacy and/or security reasons.

Since theinvestigation has been more of a fact finding mission thus far, we will not draw any conclusions with regards to the network-setup and the security management system. In this report we will not give any advice to improve the technical infrastructurefor the long term. Our role is to investigate the incident and give a summary of our findings until now. We leave it to the reader in general and other responsible parties in the PKI- and internet community to draw conclusions, based on thesefindings. We make a general reservation, as our investigations are still on going.

PUBLIC4

2Investigations

2.1Prior investigations

Someinvestigations were conducted before we started.

Fox-IT was given access to a report produced by another IT-security firmwhich performs the regular penetration testing and auditing for DigiNotar. The main conclusions from this report dated July27th were:

A number of servers were compromised. The hackers have obtained administrative rights to the outside webservers, the CA server Relaties-CA and also to Public-CA. Traces of hackeractivity started on June17th and ended onJuly22nd.

Furthermore, staff from DigiNotar and the parent company Vasco performed their own security investigation. E-mail communication and memos with furtherinformation were handed over to us.

This information gave us a rough overview of what happened:

The signing of 128 rogue certificates was detected on July19th during the daily routine security check. These certificates were revoked immediately;

During analysis on July20th the generation of another 129 certificates was detected. These were also revoked on July21th;

Various security measures on infrastructure, system monitoring and OCSP validation have been taken immediately to prevent further attacks.

More fraudulent issued certificates were discovered during the investigation and 75 more certificates were revoked on July27th.

OnJuly29th a *.google.com certificate issued wasdiscovered that was not revoked before. This certificate was revoked on July29th.

DigiNotar found evidence on July28th that rogue certificates were verified by internet addresses originating from Iran.

On August30th Fox-IT was asked investigate the incident and recommend and implement new security measures. Fox-IT installed aspecialized incident response network sensor to assist in the investigation. Furthermore we created images of several other servers.

2.2Monitoring

The rogue certificate found by Google was issued by the DigiNotar Public CA 2025. The serial number of the certificate was, however,not found in the CA systems records. This leads to the conclusion that it is unknown how many certificates were issued without any record present. In order to identify these unknown certificates and to prevent them from being used by victims,the OCSP responder2 requests were monitored.

Current browsers perform an OCSP check as soon as the browser connects to an SSL protected website through the https-protocol3. The serial number of the certificate presented by the website a uservisits is send to the issuing CA OCSP-responder. The OCSP-responder can only answer either with good, revoked or unknown. If a certificate serial number is presented to the OCSP-responder and no record of thisserial is found, the normal OCSP-responder answer would be good4. The OCSP-responder answer revoked is only returned when the serial is revoked by the CA. In order to prevent misuse of the unknown issued serials the OCSP-responder of DigiNotar has been setto answer revoked when presented any unknown certificate serial it has authority over. This was done on September1st.

Theincident response sensor immediately informs if a serial number of a known fraudulently issued certificate is being misused. Also, all unknown serial number requests can be analysed and used in the investigation. All large number of requests to asingle serial number is suspicious and will be detected.

2

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509digital certificate.

3

Other applications using certificates can also use the OCSP verification method.

4

According to the RFC2560

PUBLIC5

Note that advanced methods for misusing the rogue certificates are possible by which a thorough attacker cancircumvent our detection method.

The incident response sensor logged all network traffic since August 30th. Current analyses still show hacking attempts on the web serveroriginating from Iran. During monitoring, we also saw unusual traffic after the company F-Secure announced its findings of a possible earlier breach of the website.5 We havent investigated this breach yet in detail. In August, DigiNotar installed a new web server. Its fairto assume these hacker traces where copied from the previous web server install.

2.3CA servers investigation

DigiNotar hosts several CA services on different servers. Earlier reports indicated two of these servers where compromised and misused by the attacker(s).It was essential to verify the status of the other CA systems and investigate if they were compromised or misused. Forensic disk images were made of all the CA servers for investigation.

Because of security implications, the details of these results are not shared in this public report. More generally, we found tracesof hacker activity with administrator rights on the Qualified and PKIoverheid CA server as well as on other CA servers. Furthermore, we can share that on September 3rd more rogue certificates were discovered. The list of certificates is in the Annex 5.1.

The log files on the Qualified & PKI Overheid CA server do not show traces of deleted entries. These traces are present on other CA servers, whererogue certificates were produced. During further investigation however, we encountered several serial numbers of certificates that cannot be related to trusted certificates. Two of these were found on the Qualified & PKI Overheid CA server. Itmight be possible that these serial numbers have been temporarily generated by the CA software without being used. Alternatively, these serials were generated as a result of a bug of the software. However, we cannot rule out the possibility thatthese serial numbers relate to rogue certificates. Further investigation needs to be done to confirm or contradict this. The list of serials is in the Annex 5.2; this list has been communicated with the web browser vendors.

2.4Firewall investigation

Thefirewall log files have not been analysed yet.

2.5Malicious software analyses

A number of malicious/hacker software tools was found. These vary from commonly used tools such a the famous Cain & Abel tool6 to tailor made software.

Specifically developed software probably enabled the hackers to upload the generated certificates to a dropbox. Both the IP-addresses of an internal DigiNotar server and the IP-address of the dropbox werehardcoded in the software. Possibilities are being explored to investigate this server, as (parts of) the uploaded rogue certificates might be still available there.

A script was found on CA server public 2025. The script was written in a special scripting language only used to develop PKI software. The purpose of the script was to generate signatures by the CA forcertificates which have been requested before. The script also contains English language which you can find in Annex 5.3. In the text the hacker left his fingerprint: Janam Fadaye Rahbar7. The same text was found in the Comodo hack in March ofthis year8. This breach also resulted in the generation ofrogue certificates.

5

The IT-Security company F-Secure blogs about a breach of the webserver of DigiNotar in May 2009.

http://www.f-secure.com/weblog/archives/00002228.html

6

Cain&Abel is a very powerful hackers toolkit. Its capable of sniffing and breaking passwords. Most anti-virus software will detect C&Aand flag is as malicious.

7

Supposedly meaning: I will sacrifice my soul for my leader

8

http://www.wired.com/threatlevel/2011/03/comodo_hack/

PUBLIC6

3Provisional results

3.1Fraudulent issued certificates

Intotal 531 fraudulent certificates have been issued. We have no indication that more certificate were issued by the attacker(s). 344 Of these contain a domain name in the common name. 187 Certificates have in the common name Root CA. Wehave reason to believe these certificates are not real CA certificates but normal end user certificates.

3.2Compromised CAs

The attacker(s)had acquired the domain administrator rights. Because all CA servers were members of the same Windows domain, the attacker had administrative access to all of them. Due to the limited time of the ongoing investigation we were unable to determinewhether all CA servers were used by the attacker(s). Evidence was found that the following CAs were misused by the attacker(s):

DigiNotar Cyber CA

DigiNotar Extended Validation CA

DigiNotar Public CA - G2

DigiNotar Public CA 2025

Koninklijke Notariele Beroepsorganisatie CA

Stichting TTP Infos CA

The security of the following CAs was compromised, but no evidence of misuse was found (this list is incomplete):

Algemene Relatie Services System CA

CCV CA

DigiNotar PKIoverheid CA Organisatie - G2

DigiNotar PKIoverheid CA Overheid en Bedrijven

DigiNotar Qualified CA

DigiNotar Root CA

DigiNotar Root CA Administrative CA

DigiNotar Root CA G2

DigiNotar Root CA System CA

DigiNotar Services 1024 CA

DigiNotar Services CA

EASEE-gas CA

Hypotrust CA

MinIenM Autonome Apparaten CA - G2

MinIenM Organisatie CA - G2

Ministerie van Justitie JEP1 CA

Nederlandse Orde van Advocaten - Dutch Bar Association

Orde van Advocaten SubCA Administrative CA

Orde van Advocaten SubCA System CA

Renault Nissan Nederland CA

SNG CA

TenneT CA 2011

TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2

TU Delft CA

For some ofthese CAs extra security measures were in place (like the CCV CA). This makes it more unlikely they were misused.

3.3Misuse

Weinvestigated the OCSP responder log files around the time of the *.google.com incident. That incident was detected on August 27th. The first known public mention was a posting in a google forum. The user (from Iran) was warned by the GoogleChrome browser that there was something wrong with the certificate. The corresponding rogue certificate was created on July 10th.

PUBLIC7

Based on the logging mentioned above from the OCSP responder, we were able to extractthe following information. On August 4th the number ofrequest rose quickly until the certificate was revoked on August29th at 19:09. Around 300.000 unique requesting IPs to google.com have been identified. Of these IPs >99% originated from Iran, as illustrated in figure 1.9

A sample of the IPs outside of Iran showed mainly to be TOR-exit nodes, proxies and other (VPN) servers, andalmost no direct subscribers.

The list of IP-addresses will be handed over to Google. Google can inform their users that during this periodtheir e-mail might have been intercepted. Not only the e-mail itself but also a login cookie could have been intercepted. Using this cookie the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored e-mails.Besides that, he is able to log in all other services Google offers to users like stored location information from Latitude or documents in GoogleDocs. Once the hacker is able to receive his targets e-mail he is also able to reset passwords ofothers services like Facebook and Twitter using the lost password button. The login cookie stays valid for a longer period. It would be wise for all users in Iran to at least logout and login but even better change passwords.

Other OSCP request logs show some activity on August the 30th with a misused *.torproject.org certificate. None of these originated from Iran. However this does not prove thatrogue certificates werent abused between the issue date and revocation date of the certificates based on the OCSP logs because some applications might not use the OCSP protocol for revocation checking.

9This static image shows all IP-addresses detected. On http://www.youtube.com/watch?v=_eIbNWUyJWQ you can see the interception of Google users taking place in atimeline.

PUBLIC8

4Discussion

4.1Skills and goal of the hackers

Wefound that the hackers were active for a longer period of time. They used both known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on theother hand, are very advanced. In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011. Parts of the log files, which would reveal more about the creation ofthe signatures, have been deleted.

The list of domains and the fact that 99% of the users are in Iran suggest that the objective of thehackers is to intercept private communications in Iran.

4.2Other possible rogue certificates

Using the OCSP responder requests we verify if the requested serial belongs to a known certificate. We have seen requests for unknown serials that cannotbe matched against a known certificate. Its possible that these serials belong to a rogue certificate or are just bogus OCSP requests, for instance done by security researchers. Its still possible other unknown10 rogue certificates have been produced.

OCSP logging could still catch other possible rogue certificates based on the number of requests for an unknown serial, although Its difficult tomatch the common name with that serial if the certificate in question is not known.

4.3Trust in the PKIoverheid and Qualified environment

Although all CA-servers have been accessed by a hacker with full administrative access rights and attempts have been made to use the running PKI-software we have no proof of generated rogue Qualified orPKIoverheid certificates. The log files of these CA-Servers validate as correct and no deleted log files have been found on these CA-servers. This is in contrast to our findings on the other breached CA servers.

Investigators encountered two (2)serial numbers of certificates on the Qualified or PKIoverheid server that cannot be related to trustedcertificates11. Based on this, we cannot rule out thepossibility that these relate to rogue certificates.

4.4Current network infrastructure at DigiNotar

The successful hack implies that the current network setup and / or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.

The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was notfunctioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtaineduser/password combination. The password was not very strong and could easily be brute-forced.

The software installed on the public webservers was outdated and not patched.

No antivirus protection was present on the investigated servers.

An intrusion prevention system is operational. It is not clear at the moment why it didnt block some of the outside web server attacks. No securecentral network logging is in place.

10Unknown as in, that we havent been able to revoke them yet because we dont know their existence.

11OCSP requests to these serial numbers will result in a revoke reply.

PUBLIC9

5Appendix

5.1Fraudulent issued certificates

The following list of Common Names in certificates are presumed to be generated by the attacker(s):

Common Name

Number
of certs
issued

CN=*.*.com

1

CN=*.*.org

1

CN=*.10million.org

2

CN=*.JanamFadayeRahbar.com

1

CN=*.RamzShekaneBozorg.com

1

CN=*.SahebeDonyayeDigital.com

1

CN=*.android.com

1

CN=*.aol.com

1

CN=*.azadegi.com

1

CN=*.balatarin.com

3

CN=*.comodo.com

3

CN=*.digicert.com

2

CN=*.globalsign.com

7

CN=*.google.com

26

CN=*.logmein.com

1

CN=*.microsoft.com

3

CN=*.mossad.gov.il

2

CN=*.mozilla.org

1

CN=*.skype.com

22

CN=*.startssl.com

1

CN=*.thawte.com

6

CN=*.torproject.org

14

CN=*.walla.co.il

2

CN=*.windowsupdate.com

3

CN=*.wordpress.com

14

CN=Comodo Root CA

20

CN=CyberTrust Root CA

20

CN=DigiCert Root CA

21

CN=Equifax Root CA

40

CN=GlobalSign Root CA

20

CN=Thawte Root CA

45

CN=VeriSign Root CA

21

CN=addons.mozilla.org

17

CN=azadegi.com

16

CN=friends.walla.co.il

8

CN=login.live.com

17

CN=login.yahoo.com

19

CN=my.screenname.aol.com

1

CN=secure.logmein.com

17

CN=twitter.com

19

CN=wordpress.com

12

CN=www.10million.org

8

CN=www.Equifax.com

1

CN=www.balatarin.com

16

CN=www.cia.gov

25

CN=www.cybertrust.com

1

CN=www.facebook.com

14

CN=www.globalsign.com

1

CN=www.google.com

12

CN=www.hamdami.com

1

CN=www.mossad.gov.il

5

CN=www.sis.gov.uk

10

CN=www.update.microsoft.com

4

PUBLIC10

5.2Unknown serial numbers

Root-CAserver

On the Root-CA server the following serials were encountered:

Qualified-CA server

On the Qualified-CA server the following serials were encountered:

These serials might have been issued by the following CAs:

DigiNotar PKIoverheid CA Organisatie - G2

DigiNotar Qualified CA System CA

DigiNotar Root CA

DigiNotar Qualified CA Administrative CA

DigiNotar Qualified CA

TRIAL DigiNotar PKIoverheid Organisatie TEST CA G2

TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2

DigiNotar PKIoverheid CA Overheid en Bedrijven

Taxi-CA

On the Taxi-CA server the following serials were encountered:

Public-CA server

On the Public-CA server the following serials were encountered:

PUBLIC11

These serials might have been issued by the following CAs (list incomplete):

Algemene Relatie Services System CA

CCV CA

DigiNotar Cyber CA

DigiNotar Extended Validation CA

DigiNotar PKIoverheid CA Organisatie - G2

DigiNotar PKIoverheid CA Overheid en Bedrijven

DigiNotar Public CA - G2

DigiNotar Public CA 2025

DigiNotar Qualified CA

DigiNotar Qualified CA Administrative CA

DigiNotar Qualified CA System CA

DigiNotar Root CA

DigiNotar Root CA Administrative CA

DigiNotar Root CA G2

DigiNotar Root CA System CA

DigiNotar Services 1024 CA

DigiNotar Services CA

EASEE-gas CA

Hypotrust CA

Koninklijke Notariele Beroepsorganisatie CA

MinIenM Autonome Apparaten CA - G2

MinIenM Organisatie CA - G2

Ministerie van Justitie JEP1 CA

Nederlandse Orde van Advocaten - Dutch Bar Association

PUBLIC12

Orde van Advocaten SubCA Administrative CA

Orde van Advocaten SubCA System CA

Renault Nissan Nederland CA

SNG CA

Stichting TTP Infos CA

TenneT CA 2011

TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2

TRIAL DigiNotar PKIoverheid Organisatie TEST CA G2

TU Delft CA

5.3Plain text left in script to generate signatures on rogue certificates

3I know you are shocked of my skills, how i got access to your network

4to your internal network from outside

5how I got full control on your domain controller

6how I got logged in into this computer

7HOW I LEARNED XUDA PROGRAMMING

8HOW I got this IDEA to write such XUDA code

9How I was sure its going to work?

10How i bypassed your expensive firewall, routers, NetHSM, unbreakable hardware keys

11How I did all xUDA programming without 1 line of resource, got this idea, owned your network accesses your domain controlled, got all your passwords, signed mycertificates and received them shortly

12THERE IS NO ANY HARDWARE OR SOFTWARE IN THIS WORLD EXISTS WHICH COULD STOP MY HEAVY ATTACKS

13MY BRAIN OR MY SKILLS OR MY WILL OR MY EXPERTISE

14Thats all ok! Everything I do is out of imagination of people in world

15I know youll see this message when it is too late, sorry for that

16I know its not something you or any one in this world have thought about

17But everything is not what you see in material world, when God wants something to happen

18

19

20My signature as always: Janam Fadaye Rahbar

21

22

23Rahbare azizam mesle hamishe asoode bash, ta vaghti ke man va amsale man baraye in marzo boom

24va baraye barafrashte negah dashtane parchame velayate faghih kar mikonand

25daste har doshmano mozdouri ghat khahad bood

26Rahbaram, Tamame vojoodam fadaye to ke ham jani o ham janani

5.4Timeline

06-Jun-2011

Possibly first exploration by the attacker(s)

17-Jun-2011

Servers in the DMZ in control of the attacker(s)

19-Jun-2011

Incident detected by DigiNotar by daily audit procedure

02-Jul-2011

First attempt creating a rogue certificate

10-Jul-2011

The first succeeded rogue certificate (*.Google.com)

20-Jul-2011

Last known succeeded rogue certificate was created

22-Jul-2011

Last outbound traffic to attacker(s) IP (not confirmed)

22-Jul-2011

Start investigation by IT-security firm (not confirmed)

27-Jul-2011

Delivery of security report of IT-security firm

27-Jul-2011

First rogue *.google.com OSCP request

28-Jul-2011

First seen that rogue certificates were verified from Iran

04-Aug-2011

Start massive activity of *.google.com on OCSP responder

27-Aug-2011

First mention of *.google.com certificate in blog

29-Aug-2011

GOVCERT.NL is notified by CERT-BUND

29-Aug-2011

The *.google.com certificate is revoked

30-Aug-2011

Start investigation by Fox-IT

30-Aug-2011

Incident response sensor active

01-Sep-2011

OSCP based on white list

PUBLIC13

EX-99.34dex993.htmSTATEMENT ISSUED BY DIGINOTAR

Statement issued by DigiNotar

Exhibit 99.3

Statement to DigiNotars partners, customers and the people of Iran

Whathappened?

Recently, we informed you that DigiNotar became the victim of an intrusion into its Certificate Authority (CA) infrastructure, whichresulted in the fraudulent issuance of public key certificates.

The source of the requested validations of these certificates stronglyindicates that these certificates are used to obtain confidential information of people in Iran. We believe that the hacking action was politically inspired.

What are we doing?

DigiNotar is working with browser vendors, security experts and the Dutchgovernment in order to prevent further intrusions and to minimize impact for browser users. The CA systems have been taken offline, certificates have been blocked by browsers and revoked, and OCSP validations are being now done based on a white listprincipal.

The security firm FOX-IT has been invited to research the incident to re-assure trust in the CA activities being vital for anumber of Dutch government organizations. We will do anything to reinstate the trust in DigiNotar and to migrate all our customers to a new, highly secure infrastructure.

What can you do?

Our advice to consumers is to follow common security practices includingupdating your browser, validating certificates. It is important for end user to take any online security warning seriously.

We stronglyadvise the people of Iran to follow these instructions in order to activate the blacklisted certificates and recent security warnings that are implemented. It is possible that the results of the hack are used for internal Iranian politic activitiesin order to thwart the local democratic movements.

DigiNotar will fully cooperate with all companies involved in order to address and remedyyour individual situation. Please contact us at your earliest convenience to discuss an optimal approach to your specific requirements.

EX-99.45dex994.htmLETTER ISSUED BY VASCO

Letter Issued by VASCO

Exhibit 99.4

Letter issued by VASCO on September 5, 2011

Dear VASCO Stakeholder,

In January, 2011, VASCO acquired the Dutch PKI company and Certification Authority DigiNotar B.V.

On July19th, 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in thefraudulent issuance of public key certificate requests for a number of domains, including Google.com.

Please understand that the abovementioned security incident does not have any effect on VASCOs core DIGIPASS, VACMAN and IDENTIKEY authentication business.

Thetechnological infrastructures of VASCO and DigiNotar are completely separated, meaning that there is no risk for infection of VASCOs strong authentication business.

The integration of DigiNotar technology into VASCOs products was planned for 2012. This means that all VASCO products in the market today are 100% DigiNotar-free.

Your authentication project is safe with VASCO.

VASCO does not expect that the DigiNotar security incident will have a significant impact on the companys future revenue or business plans. Infact, DigiNotars expected revenue for the year 2011 was approximately 2% of VASCOs guided revenue for the year 2011 as communicated on July26, 2011.

Yours truly,

T. Kendall Hunt

VASCO Data Security

Chairman& CEO

GRAPHIC6g228535g38g09.jpgGRAPHIC

begin 644 g228535g38g09.jpgM_]C_X``02D9)1@`!`@``9`!D``#_[``11'5C:WD``0`$````9```_^X`#D%DM;V)E`&3``````?_;`(0``0$!`0$!`0$!`0$!`0$!`0$!`0$!`0$!`0$!`0$!M`0$!`0$!`0$!`0$!`0("`@("`@("`@("`P,#`P,#`P,#`P$!`0$!`0$"`0$"M`@(!`@(#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#M`P,#`P,#`P,#_\``$0@`-``W`P$1``(1`0,1`?_$`*$````'``,`````````M``````(&!P@)"@L``P0!``$#!0$```````````````@%!@D?*F"2G,9GB7:)6>2%MVZXE,`$CBI4Y8,NLGQ!&1!ZX7R0F(N)2\\I*1\8B'459%ZT8IM@'QJ=RJF4*:2669IT[66UND\A\(`:8WW7Y=HP==0@\B0/]24[/[.46721P@"(`\B)V1=L>EGD3$NHH>;5$*&1CUQ++Q_P"4^7.6L#DKB3FG)#R0M>Y1Q\[98HNI1-C"2*-_6P4\ZPMN=DHANP4EXR\D&AFZY7&\3F+2O]P:CY=W;M^C6)/T^_+:E`9AB=0AQ@^9"Y=S*86E&6U38(.Z/LQ.MIWG4[Q;>M:M.("'9=MSTRD;%%:4Y15$QZC%O\`]`W!AUQ$X6QUWWS!C#YDY&23?(]ZM%0(+V!ME%NJMSQ[::RA1,7_90ZRD@J!3"'U$B8OH/'``5BES-&GW9"90I);64B/*)AA.J5$`#NM-`I4._;OVUNQ!X:835(6@P5Q(C[\2V>F+@E-\Y.8UK1#W[S%8BP^9IDK+USPM[AS&O6K!DL9.U[7B9AL9-9A/7=-E!,ADS`JDT09@PTE6>TN'=O2-!!)"SKY1$1Q)O:RUYNY+D:*-Z)67"E+6G+(PB(\SP'CBYMWZH,@7EBE?/7K;S%+O)3)?"Z[Q)C2=ESG4D`3=&MB7JH"8$3IHIF^8.H@]RY"4GVZ9?E(;0BG5A@I=0B`2S-,)VO9#Y$K@DH2222M5&,,$[8TY,M34U:DZI7U,DZ5)*OS2ZOD@=2%!43R(Q,T0YA(8PB%0K3Y1"E"MAW#N/7KJ)`HEO=#.!^!.)!2>*U?^9,1SA^/'';J_%V`&(!P$!KU"E0I4/Q`:M=!U6N>8Y:'QQ4>66*K_\AKU22^>X(.;''JUW$SES'L`E'YELJ#:&5ETRV@K;M6(0.H^>OG*@$,9P(E`L)5[-!@Y[M%M*5L^B?;6LYQ>;R^)*R!':8""1H.CB8G#V0_#'__V3\_`end

GRAPHIC7g228535img002.jpgGRAPHIC

begin 644 g228535img002.jpgM_]C_X``02D9)1@`!`@``9`!D``#_[``11'5C:WD``0`$````9```_^X`#D%DM;V)E`&3``````?_;`(0``0$!`0$!`0$!`0$!`0$!`0$!`0$!`0$!`0$!`0$!M`0$!`0$!`0$!`0$!`0("`@("`@("`@("`P,#`P,#`P,#`P$!`0$!`0$"`0$"M`@(!`@(#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#M`P,#`P,#`P,#_\``$0@`/0$:`P$1``(1`0,1`?_$`-'Q0U-U8X,D9";_V@`,`P$``A$#$0`_`+-O=*[P6/>V+-8EMK%CP[=U]N5>X?K*G?;I&]:D=TMMLZ9@&1)()QRB][=YRVR^WEBTFD]^#Z?';M[-KVLY/NGM2A0G*:>R2H3Z!+KC`=S\R-L[54JGK'N^K@9%MJ14DR!DK&0./AZHA?LGS9$2M5Z^8QA`//+CDQ=^8]J>O#%;3TE(U4M=QV@5'7(*RPE@1T^")F]>9]OV7>6T%`@R&,\L#/+'WHC>_BRE&%_O[MOS!WX]'H0?Q9.-OV*,B?KEJ_YC:?MRMWK]9]6F?#E*.+S8>6FR+57HNEL;*JAH@I/>]X)^`M1[/?#YPV;@WPBL-CQM*##9BR]8&6(,8S:?3ZNK.YR.D9&SW)B4P&`9"MU>-3=%7H*K'2([]]`S6A*@`V.LJE/JBHYG[I?VMKMIRJI2/7ZE?=-]4Q,RZ^CPQK5'*\A*2#ATNN^EIB7?J.'#EZY6>R2$D^7$RBJAC***'$QA$1$=?1^3%,R4-)":1I,@G()2D8)D.A.!MCAR;]943\X6"N1$UD.PWF4GU(.M$L$JP1?/ZW3ZY&2T=%1L/`*K^E(NHFL\D"\H[-YH;NV`P]3;>+"F7E:ME)>1J2#E,8C&0CHK[JINLO+:U/-B0(,IC'JB#WN2=@[@QQ/X.\B>1&M+Y#.RM_Q;3X^=K"=IR/'3%?,^-M4=RJTO>LO-:E2(E/4K^J>$3=\%NT/Q`[>UVMN1\#1V1'MXN-;+4)"MQ9%NJEI2'.SCMA^HHODX%`#&M$@>?)P*40$1#SX`?/`PZUZ'1J*ZJ#*X6N#KCN_W)EGE+;2CY)NM9;Q(QDI,LM:M$IB(FI1(OJ,F4OE5,/)U1]*1`\F^TMZIOL*'[3#^S@=7/3T+5X6;L=BE6,+!5J'D+!8)60I0*%IB(^M=JDK),]'B*J])6;G`RS9Y#2GM&C)AHN15HNL0P#P)+T;8?'3H67TFXL+:@,+$HS7*M`M.;S@EHV9/1^HU;GHS_CT55ZK:LT@$\_R@Z"6YD!=E[FL3&B7365$;MV`)U(@M+!A%8(9);&^*ED0O^H8`I4OY=/_0>M)/'9USDR9(4H)%;7_%G4F;W#_;8`=30UIA.9/CB^8H.!5[9EMS:,F+L:5KKJ=M>,&5S1`\J.;+JTRN6N0'&^!%?TJE6+3F_H_:+9[H6T:;:Z[/X#&'^499@U\8M8:$F8'E/34]8/%G8MD;"V9ZO#3FE5?#RZ=)=9+)ZS5+JA#"'.9=S@U9@JDM0U)36VSMR;U[E[FP,&*5ZG;DKE_599?_`#UVV?CCY/R(>U/Y,OY_LOG%RO'UM\(S#7CD\WB7##)CR^T1.4$M=-WYZLO_K.JM(,8-U'H1A7ZUI]441;5:8V8^=MLQ7(YYL;^4RH8=ZWRSM7JO-$Q952\A9"L%ES/Y9;^QMB.>W^8^`R3/;6E=H^26@HD!+97"H>0H6($-P77BOR;,`^W/;EE[#R^%E$[M`KF+Y-.JWTU6Y1HY>N7M1SG:&^[!MG0S^(E")ZYO_P!R,#UUQ\"RL[KV;@@.!P(@"R&.>>$S4PL]Z7L"1SWJ>9N$>AX60+^D)VM3_:]R1R1]M^@1D/FG$CR#I/6EU42"65;ZTJRN]>3Q+&5TF6NH4-VF[!*-@8V;);KUW"*\@-'-NAJIT^4SR>>3^SWZ#"7M7?BUA6>?4,#^&'*)B.HDKYS?;SHX#T[^P,_ZLD08PM5ZWK7^P];3J&0LU85D8V8P@-HSVQK]I2$YB(>U-P@:8).,(\\`$C6#\)"8J_#7'5DAFG./N2JJD+M%U&?&9G4>=-C9UC-2KJ&DL'0>A9_D6TKD+"Q/!(06C%]$=`&7,C)_7XKJ?V-M.O5OS0]T>0LK_+?]X7VD=\>&'K*O.;"%(],I"`300-E>2UE)_"%RD"*@0_=2I`O\`>18[#P#P2R;;*,@?#LIKIUZ;*Y9_R:;?+0JV$%\/J`W/M0K6Y)8+#_4%32KC8^M[EHLZ+;DP9#C)-D\+M8XYT5=Y,8O=13/3/VO[9_M^(>!A.)/Q0N&[RYI]O1ETZ0O/.PO,-"/@?8_EBY2-NDQHNAL*6Z/+):;?O^_Z"W]3?BQKZM8]#2)U:1I2S97MEIA+)[753]]/H6+,C_&UX9.D9#S9D,GQBH8N?E?/V9G\FB`'!7UKQAEK41;EM7#FVP\H>Z,T2V/,/T^YIW^TW1]NT2L!:W!/A&Y"RCCX_`1@81KY6#+F\?:6[MGPG`64/[K9RJK?YG;-OI.NJGR[]CMR$/H-&@-\6W$_P!IACZ:&9370D]A7NP!L/R`/$X95$+^R$8?+%[&^6Y4*A9_ML+\ENO!0.M&^Z)U_DJ]G[YZ$'ZOBJ(Y:98K7!?)\ZV^^@9H2OR>8J?M?QY_,U85I%/^)WZ7(B4W,CA])W.>7F!D#V3IHLVTDW$OBV=`WW$5]OS%F1B(MF95P)[]TK=V6=T\\[:HVV52`VQ8?C9HZ\0F+Z$M3Z3G-ER1GFXSL-_F+QOH7M?]PZ4NVO/B'V9Y"[ZY0T442M^V[Z`\GMS_X^G/EV0K?TEFFW-8FA6V,^LA=6BB='ZMOZ_O@5VM`^,-B,1Z!?T`C0J;;P6+;T1J:FY?T&M&U&4=MV;U?V,%5-]=.?1Y=YGE*$_/N\CX`[T;B;255N0\M2,PK*E4R8IHS4UM`GRE9M30JB$`%F`1(MNC?HIMAO+72CY=&48U`&M7Q_Z^S@>U;8T`A#1U1XMX:PT#*.U.^^P+5RMW',QX@M=**NZ5MF(KUQCIM)E55KI"[+"7]7>2V9,>JW1'[+?Y`[NXZ^U]0=FM?&+*N$.C'VXK#)TQ^*9>JM&6%?'!5:MF1"0.:BAV!K!T;=9$?X0TR]AYY5#V.G5#Z`%4/CQTE"Y7PC",&KM#ATOG38O\%R5Q']1&\NI;A[NPMDME//]Z!KU[;:0]QG-UOIN.KHYGBMP/T(LS+H,`T-(FB=@Q]):'@,Q'D4UJYJ5+B,%6#"/&CM%-=L8^W7>PII]M\#Y7\9NI8N>C0&.E>L=('NP%`#U9V;I.!JY3=U1A&,_IGUC`*(2WM&W,?QR)M:\Y7*+JONIRY/93IA;HD&_M^.7:BW6V?J.UJ6IJ?F:6[53P)A2]VA*O.E,.7=DQ!EM.)DP/F8'Z;8YJ:)V_P#K*[\7\>2EX&'?T+XDB0(%-`FM7-9A\P)NJP-&+.M\6P:C7Q+_HN2"Q5:G5YATQ]"8FYXYYM#4)O7B:-QMO/8*_3C:.4LWM0GAN714D[0B?Y9R/SKI'F'2.+70+GI7B+7>DWP"VEOP%*U=5>>5)8Q_MK]D'?60?4>'>#XYH]9?0;F_C18]]7^VGO+RVZP_YV8HK-.!FYP_[#9'SVPOA5&2NVF*72*9,OLZ0C,LKN!,[^5K)L2M7-LU92_,P^S[==?0$MU\@V1LK)=T0!;/6F4=!INMFCMJ>(W92^8VMZ9?.\F3+&IN6,*8705JS8NF9CD)OXU-IH5T6DX:YGVEC:0B;:20B5S;9.OM@@C$A4B;9E$UB+_[_0;3OQT8/^/K^-&=`$CK>D;-6ZA@YE1)%Q],KLM;TC>+L3MM-:^HFU#2VVBNTVH5W5Q7:?(RS^J;J5`@D9SJU!-90W+K2:!B0#I`./N)#!%MIJ&2T^*ZNYYY;/8;;\QO-@!4^I`-*IZ^'=6OLR2U+=:4'$OVAY:V",K80NIRM;,1&0(R!J12ZDU=0;&,:8`CK?CXBKW9I^Q2L1GS&+G-6YO7]'M91'VMBN*ZQ&?']@+HTL.;@3A_^V)W8CS3;CE2YCDSKC>+&VP*I-X65VHI7Z6BW,JHM#D,:>14/UM/J7Q5=?3^LC]D&!:PZ@P8O195FAR/DYGMN5$OVSKIM@B0@FN+HF-4#)=+8DE"+30'@`@Q`+:^F,1J=A11==-](MU(^LDLNV9I)0H8_&JL!]G;]C5,_UISU[+=FRN"OU_8IA?=N:0EDZI:FXRNTWB[\X@`2UM9)GGESNO0RNE?U$,L"TK:R-:TYGU@7Z'8W#^GF70B`C:7.^H%97'.BE[*K-GMN!^G3E6MG6"V[6@U7:O15&VZUK9E5(*7G?./JP,*B"Q&+F83FQL-9/=+N'+LM%Z`(.\1QSKQ_M";J-O(Z6+?Z'[AK'M+H.:QVWP)@HG,4>,E$9D#);?#0#H*%"BO?3+,^UJ7#V_(M*H2!6?T35JP5E;='C&K9RV!B]B&K:B/Z)GV%6TJN*7$&NVTNNX-&I\8MZ'MI3GHKOKK*XD.57Z?8!Q2ZH/,L51KA!QDJ5F#!%(H0:N1]VDXP\4>YILGY)EFMTBATC!;">'BU/4K4CJMVBI;KH5BK[/HC*G1[C*4R1;8G@=5MZ6D/F=6(QM=U5>M>I/YUTL6C*-0_O)C19BLQ0^S,3`;+%%]N/69+[KMR'KM)Z#:G7CQ90+"R92KJG2JL&AJA'8JC8H*[`Q3$I+\UO+/%*_66-\D;\`:TE#R.MI=+DNHY=DKTUWRL(MG=&8-ZDY3BW&GB6L_P#V#5J;SAKU6SEGVM#0!=(FI'[746T32Z1YC(US()D#MBTT7NID'B&4'S5.-3*1TRF%&4VIR3\_8U.6:],A).BV>AUU:ZJ4"Q;R+&VTRMB-I%`O;NBX_;-F$7>(/TN]!/03T$]!/03T"3[^GLCSGNP=?"=MPX[-4C;G7JMPPV5V6S8;LJ8MUHM_&NPE54U%W==0:I;&4YKZD=BN$E)UY;T85=9K@01.@V_5PD,L:0Y'"MO>USHU=/["_H_&NM,+GM=O(,UW.JNX.\A>>].J=-O,UI+M4\V1SEOZ1SUA0E%"B>6PR]236IIB6_4"Y+JY;#-=AP"1/V!T8,.82X/LYB#FMZY7VAF6\\N0R[G0W0^7=EOU33W#O4M="J$;JG-EZBR+Z.9M2?Q7)^MGM>>C+'VS)\",K2"`/G.^G?LI0M%Q@>?@P"&-DWM`^1,!^@_H)Z">@GH)Z">@YG\L4-EN?*8N>5:I'VHWH=VI-48R#-&Z)?6:W,_M$:6FR/+!72(;)7P(:^K($A.7Z3E"GECR8CSIKOMJ')+BG=LM=,IRZ[=['+I^-=XJZG3KZ$VS*KBHN=W51C+N4=.6M,&0G-_\`=-('?\NIZ!5SK'5(.J*))*D_GN*^FK%(O[6_HMQ3SJ19[!:E]Y9NAW![ZA64IK8,$P@UC816F-"CG`TCS)[(08%1\;-JQR99S'M>R1FZ-.L?[5Z.:3$\;:60D[H.>EO4`,]DL#M]])HZ@@$F)8FGDDA_-M-G:2;M/M`BKO.>EU:QN%*MES4*EL:6-,'FM[H6-9@GH)Z#%/B?,$V!.3>+$GX]V-=MQ6::&I'T-7M$:R$3J\:RQ["$D#[`O8_%SJ%>M_.'M3M=&GBY]R3E7+EY[[;H(NL6U((N4-AM>D@VC9FFN,FBR-K"1.L+'C(U(VWSMG(=[^@GH)Z">@GH)Z!/\`=>:%M=:YPPIH90`Y,CFJ/X(FF[,=:QEJ5H46>)2:R0DAV%+`SE4ZPY.7RZ&"9WQ+'M[_;F/G70#>M0;.[NW[0INPNP$;"M1\WMZ'5557J05:KQBO632T5J*CU>4G)YI:PC=85B,>/!V?A#,EIV+ZR.G%_G_:UDP@[27T0CG;FVVV^G.9$S?7I(#VZQ,37"]%^"LUX+:"SMMR"0VLN9I1UN=0-@Y-L?=R"DYYXL]!Y4M-TKG0%=I.JO9`NDM^]%9\+Y2X)M-V'[4-3*F*CJU61]0L!U.'%@4[VY2M"`P'DE/-&%@ED(T!QURXI77D'T4%3T/JL*ZO)NB+[FJ>3W@J%XT$W38SKS>GMX2:(JNAYG!%O`(W`AT/L)I.^NF3M8OLR@I0+#;9^;=)+AO[Z:@)>]K=JH:3TMCMZO-YYUO11(\4Q!UO:OVCM0]BQ6?2EJ=KU\)1>N@EY=5DF2AZ]M!K))&LE>6"1#I%B_4OJ`=@[P;3MM(;QJ&2J13#L(8]&.QWPA^J_H)Z">@GH)Z">@Y^\JG3JN^._6G=;=.Z]8EM3)M)0MZ[L=HX%+:-64#3$L=M7^0;/1>_MCZ>X*/A,YK.+U'+/C"D'CJ]K`]@_:627BMED%.NZ.,/!/ZW0@EJ\VBU8[_`%R(/0(GD=TZUOSK>3HEZO:2FD7[GZ[HUX0&M7YV?4U9'*WYMOVCL?1$4ULJ;(GK@:L&Q0@B[)JT,9[`YAF5FCTANR-C+WA;RC'G*-1Q8R))/U>0I&_1^L)>^5!M97ND6Z\`0J/%G1F%)M95>;G-:_P`S_P!5FU8R9W7OHM&.Q=C4[U_6M26?&--XM89P^]3NMP2%>19'/NA=#S5!JYSZ98HL6/?`4LX"%IZ3;-%7'11NV=,#7%1]3BZ/8-']MX%$7%C;@NB]2WX8SWK=YLEATOAVX>U[7HK/0>Y=$.,NU`L!;JT*J(A:&&87MK9FI,9#3Z&YN(-)(]@R/0,G2^6/7S#MB)IT:^@U(:Z5!;6JFK/LK/!S)WSNBMYEKTE/\`]=2537G.9G+9B>_TL$A2]D'I%C2/3&@GH)Z">@1WD,P;K.X5L\3*N#`3.485D=I,./BL0&F;+TE1OXP6=YVNY/.N:KW''6JWK20RZ/WM@6KM[99ONU-TEIA#="H+G+,'L:]E],0/24N$+$\D^H6W^Q/("/N?E.O&K5V_>)^`M-GO%J8:973.:''U9_=5=",2E*FC23-PZ07M&,.4.)*())%[1-9)P`Q+3M8F_%51;3I%HIDZ#J?VF5W-:>3-J1]4)_U8>057MC4)_/>@U2("U-XH)@`MC\_TZD>#7V%OKRQ+$%T+IG4JD$,KG6.,3?JXMYF)$:ZM77&3`MJU%U6Y=1\HBE_8K15DG.[#B>9"[H-9N#A%3A3&Z)QS6O)D@=NWGBFL?5K873:_5+HT)JX'\;:ZZT%QM+8!AH'(R\273'4/%V\R`Z%SRF]%LM*7(%%DK=_OM)DEBZ&E7KYJ709ULND]`>:,;(=1^@GH)Z">@GH)ZM!2=QZK!Q3F[;HQ:B)T$G9U9>8,18%-7$&AM%I3571F;QK`%RLAUI.3O)GM_C!'OG7&=L8UR``N\@'K&K\?N&O,]X4?4KROJDIV;LC,%6H[%))BFWBOE*Q3MX+BAMHN\!0VNF0I-!)L[R>W?7X]@+2>J61?UM7SIA08XDM@C>;H;`';0F5C(M'KR(=N?96M($5[81T65C-A1`PF9Y*W;201;AQQD1S9`#HGD4]O?+7UV@HZ!#MV76MS56NME4;G#6X'6'CZA^!L,'";C_\`34K46!M5'7&M>X6ANLLU:VEK%,A8S!,2EJMA,M86O`PZ:VL0K[HE!KIE->:*TE^HMVLQ[;93:K:`W,('%B`*V',V#WVUEUTWCVR!QGRG5S=IVXVOK,9;617]T(>:PM[`VLC:3FF.EC-Y:Q,ARK$H\H^VJ?9GLWR7&\S\.0/KX^UZ"IY9Y?)^D\L?=:MVIDR^MKU=5DK^45QJUXS;+?;-Y0@N7KYD!&8Q>BB/)UX$X4GYAU):#ZZS[?BM;X@NC>_]`_UKR[J2;DJ(]'T!%R\IDL/ZALOL">S]-?5]`)4T(H-"=KK5*L*?M:YV,D*6#S:Z?G_AI[M]`\+_*&$[M5VY#M318=>=.I!+J_P`="IVYM9J^U*6WM(3HKRI2$P-UM))_U6505]9@AMB^)](K`'+UYJ1_87!K>*EM5K#T"EU4X7H=(;TU/BB*232B@K2WMLEZ`G3[A[YB(%EQOM-D?;W::@T!^V6B.\[U-]S32OAF4NPW),67>%!+T0&N#+-Y2[^B%7;K*'7W#$MV81>=LU.VFF$EQ+!![.:4NZ5CEC@JV6WH2_G9//#;A41#*\PKJ%C1MX^#:RL,:$DD_D`=-B^9Y1XYQV%%Y65VP!M>,70UP2:MF=P865;UA@GH)Z">@GH$7Y)Z]%WXO;X^5[%:7"6:KQ:R@:.Y&.T]MK.;(;$XTD3WM?S0RMI^M8(J/.L2(B]A]-A]3L9"Y!2],6/O'*UN-.B/>FKZ)RNN,*98Z1>W]M=^DQM1PUTL+WI"5T/3*I?:[3&TA#3=OB>8J=>/I'@K:7X]@%KC$]95WR;>2>+/>+3!?%FT'0-6`0@>PL0A6NP:!952-36]NL2]B%NTWI4D6D"Q89\,&MII`6VP-3H"9N35E.U*@\F+%7Y:QW*?D,]@_VG-;%/=&5EK9'*6#K)VHMI64MM/!N?&A.M>NJX15'/@V7.D\.9@Z"&+V!\C>L!CA=9P*]XU3\S,M4'4CZ1M;$YMUYE/'IKIR+)SE#.(PL6_(-A+]W!Q42;OSH(CBMB4PW,$V]6:=I?>EM6]B?69M(EW>,2FK#GT->7971+88IX9&A`HF=/QKIJ'(A23MXE>HL$@W0*W3S^YV+K0QM"]IH70Z[3_(#?E=83\-Y/:T]]:=6VL3\:_5@LBR7=KRK^.9U6Q/:6UL5=RYLM0A0NZV5,\B(VSB3V[A8,*@Q:M_),),1UZMN-J\[&8]/1+K#%T*"&USM^M;261/K.92)*QB#5/;;E7-UP&PC4PR..6(F/3;?2(%!-Y;VU)0J@XL%)KT-MZ;=`AHMRJ;C_`&S3-Z+.QYQ8^CIIIED7)[WTP!H*2GRRO&S#%LFZ*$X#;$T@>OQFM0;Q[`(]$\N[)SNB`6QM2D^LM?-[&%T.6,FVLU!C/B;?18?4^?R(:LV8%VSHHM&I#%'"?%!'%`%/%-F3?3??0&7/W]PDZ1J[%+3%B!Q'0;"DEXFVD7R9]V,[1Z;`GD'FN[:\BZ%TJ2D50=E5IM.5Y1)K3;;)RU&S,Z^T'45VK,K1>*'IO"0N8&CP[6(0$NKL\S^\0OVP%8A`F?M>;E/4;^.;4>&DDTWNJO#5JW-ZBH5.:6/FQ5"D2R*TDJ/=RQ$RX(S]`3.#9!8MB04E>\P,6*?R)2+ZG6V]MXM#:6%8K].Z''S4KZR+8J6G%-!R&PGS!M%,)DKYH],A6C>3O0K+Q^\=(I"GF;0CD[JU5ZZ3L2^A+D-M:*MZM5K35]>8:%505PT&M=9L@;9\C'P_D(DXH?4!((3MI%*=B>/M9BOKMV?.7'0Y68]FUKFE`P"#LDE6X3D,H+&1G;!^@F`LQ[3`(:>5M=N1\KZ;VM?-`R%EQM'\=4]&=[M%1/5[8=633V;L%KXP-1:\"_$=]2JU09SVJWS+SGO/U0K99+:9C.M7I$"\"Q"'1;[0)VKUH+C27.!98H9YH0RG]_ZFAI]T9O:WSO!]:Z^#R_6W+S[MN1SI8'_**W;NTV36"MF62`!19RI*[_T1[Q;-=H_EE@BQ+OH%*M\TD]J,XTN0M+!*^3T.DUCI%KGN:V^_6J-KZV*X!)8NFXR`JO3J90-F6CLW.A5+5%U3^GYW4->9;(NB*"5KWJY:Y930SASJDPM3D>9E*7']A0L.R9(%)`M/#L3C:'4/CWRLMZIORFJ5ZGT._63I](L3U/+!:^@TP)O;ZLVW6,Z,`&9R2T9MJY^=M-H\RV4M-J*;%*+/C273_(/ZM7ZZN[CV2G$UFKBG4+2N%4W>&T-IAK"%M:%+,M9BT$[U2.2N&8-5[:D:!PM(X89,9TWFVQG7((:Q^6%FK7-N`7$JBU*1OMV@XBOL`R;?=1TE>LVBXN9%=XOQ&WB1PXW@QOMM'"1IOH&K5/,M1!:^LN^;"+*O&'O0`KE1&/\`L(3:UV)K/SZL]/)J=CY[N@A;U$F"E6\(^(V.M=F)/#F;7&=98=H\AOU;O/4[K7POAH_-Z/:S^>4CL4$CZ_P!@LM+UYI:Q&P=#:B^-1[VEU96#VX"?%DM^O9'>[>L.9>K7#+BO1JM2FG!]1Z.D*XX'>N'"MZ(7MT\KG_/>CUNTW.-7$_UI-A'FMEG0P."Q3&P]9MTFGATGU$@V#+T3QM?V91R\7D]`LG'F,,.0XA6.>96Q9R=+'UN/H6QX=A;6=\M\I5KFVEFFV@J\#:":'>%=I,+&(.:(%M7?&']E>_*>Y73FA&8[._O,W.`!5/)M$3YV/5SHR)V?9I-[@M:%0[`6K06$G6'&_OVB"W'YC;L\*MU!M9\NO!RDNRL`^4+YDGB^[ZGSI,;35X.]E8JW\G^E2CM[;,UC'_/WR8U9L?V,9MQ\FL(``?&>^I.K\VZPOYG6H&7':EP'D>T"Z=0?8;[2R$90/S,M+3>5]2OZNH56'I"LRWUA'^QBCK[?=J%JR-^:/;>>"#4JE?0B'/LUVU]`MUOE7V$2IVE`=3;,YZ$)UKEG*DCLCFH-EE8:FT,OHL:T2>H[0S"#2,WJD4G4L">638>30DP#4ORI.AN/BU2D[B0@JKJ;4+:Z824WVR68,"(+#''K)HQ@)MB"RL'9>NU=7WJRAO*3?$5%JKXQ.6NJQJ9,DZ$"YC"6QTC4M!0?(*W=&VZG1MTAV+#Q.W45*74,ETCMIYU6J8.D%NFBE:0RV*#3$$4VN)O^W38!55Y;]8BO%AB=T8>>B?L>@+ZU+K2&M];DC.KO&ANQ5NLDW&7H-HC>W4\;[2\H+6O*X,;!$3Z3Z[PZ"D@0J^W]JDB65M4>T\N=6=QQJ+A4%\UHZM_J5C2U5._=I;250K_=`^HW));#K,,S7HM&7.J*P/5PZCS[A3QQZ2S%_)G.`84'6;%4SO))V9`^!!"Q_=M,%]:.I=]JU%YS>78(PJ)M&KZ)\;'Z^+H8^)N*^P!AAH3L[P:`)M=P\RKB(266D\T8\`*R@]>\MNGH6:G"W5MIF5RCM*;T/J==9MTZ,Q79.B]%NBZE=*#GL!5N&Q0(*&*S&:*A\0G2M\[SP1YMGS#MIH"]W\R.@[*?(C5?'4FCBF06"S\5-&YCT8599ZA3ND_ZYM`C*)Q:E*>]M.L%["%+RT+H;TJ=BONQ-_WL46I3&QWC$4:-1H-KNP0_*1_MC,@GMH$WW[I+7DO*K#=T26:P/!F%0KZ59"!,TQLWO%TKU'5F$KH#U,A@"LZQQE$QYM,"CV@AW^0H:/W3QAR'IL=S@E,#W0!C2I19=M)XYLXVU"O@N_DMB\YI,?2F->M[([I:P"GW'6KI:@RN?,]D&63NP)*9;+F,HQG]["1&JGE-UR>CMBP;I!+KF,@@+Z'L5RM[GB;3G-E2L$]Z34M^?06-/SO9I*BT8_!>;MTA,N*PH3N6],N]2IQRBU3M6VNO:N6#FNJ7L\%Q&$N@H:^,N*RZCPHIUC+XH8LRZ>_?`;%UZKV]?3.TP)6%M:]W*F7NXVEYSOF]6K3*TUN2VON36E1!@U/M=EZE=8:%IMUFWP='7,:[$P&CADB6$_T6!HM!R(L[P[@6VJU^0@G):1;X[?6ZME=6;$MM9R2!'9@4%>TU,FW!WV)W``I;=3\B)>TU[F"%-388B>)*7%.)2