Let’s speak about cyber security @Elektrilevi

The first meetup will be brought to you in cooperation with Elektrilevi and will focus on cyber security issues in energetics sector. The goal of the first seminar is to map out the interest in cybersecurity topics in the field of energy and finding opportunities for collaborative projects in SmartGrid area. Elektrilevi supplies electricity to almost all households and companies in Estonia. Their role as the largest network operator is to ensure the constant supply of electricity to our customers. Elektrilevi manages a unique SmartGrid network that covers almost the whole country. The technology has brought many new solutions but also some new issues to be resolved in cyber security domain. In the meetup, we will discuss the different cyber security questions and challenges in energetics sector.

15:00 – 15:05 Moderator’s welcome to the Let’s speak about cyber security @ meetup series – Marily Hendrikson, Cyber Security project manager at Startup Estonia team
15:05 – 15:15 Introduction to Elektrilevi – Taavi Liivandi, Head of Smart Grid Development Center @Elektrilevi
15:15 – 16:15 Cyber security @Elektrilevi – Indrek Künnapuu, Information security manager @Elektrilevi
16:20 – 17:05 Klaid Mägi, Head of CERT EE @Information System Authority.
Networking until 17.30


MSc thesis: Security of Loyalty Cards Used in Estonia

This thesis identifies the card technologies used in loyalty programs across Estonia. These technologies include magnetic-stripe cards, contactless cards (in the form of MIFARE Classic, MIFARE Ultralight, MIFARE DESFire EV1 and low frequency RFID cards) and a smart card known as the Estonian electronic identification card (ID card). Each card type implements its own security features to prevent cloning and/or unauthorized access to the content stored on the card. The contents of each card was read and the method in which it was used in the system analysed. In the cases where possible a clone of the card was created and tested against the real system to verify that it passed the authentication procedures.

This is MSc thesis from TUT Cyber Security curriculum. The thesis was defended in June 2017.

The thesis analyzed cloneability aspects of the loyalty cards used in Estonia. While the magnetic-stripe cards are known to be trivially cloneable, the study also analyzed bunch of contact-less cards: MyFitness, Elron, Tallinn Bus Card, ISIC, SEB ISIC, Tartu Bus Card, Rimi Card. Only the Rimi and Elron card was found to withstand known cloning attacks.


Estonian Defence Forces to set up Cyber Command of 300 hackers

The Estonian Defence Forces next year will create Cyber Command, which, if necessary, will also take cyber attacks against both virtual and physical targets.

“It will begin to carry out cyber-attacks in the entire spectrum, which means both defense and, if necessary, attack,” explained the undersecretary of the Ministry of Defense Erki Kodar meeting today in Tallinn with the international press. Kodar pointed out that Estonia does not plan to use the cybersecurity’s capability to act only in cyberspace, but also, if necessary, in other areas of warfare, in other words to attack physical targets.

“All of this activity must, of course, be based on Estonian law and in accordance with international law,” Kodar confirmed.

The unit should begin work on August 1, 2018 and achieve full capacity for work by 2020. By that time, 300 people should serve the cyber command. The cyber command is not very common in the world or in NATO allied countries. A similar entity already works in the United States, the United Kingdom, Germany, France and the Netherlands. Next year Estonia will be added to the list.

The number 300 is a big number for the small Estonia. This will be very expensive for the Defence Forces, because these specialists are paid a lot in the private sector.


Smart-ID paper: Server-Supported RSA Signatures for Mobile Devices

We propose a new method for shared RSA signing between the user and the server so that: (a) the server alone is unable to create valid signatures; (b) having the client’s share, it is not possible to create a signature without the server; (c) the server detects cloned client’s shares and blocks the service; (d) having the password-encrypted client’s share, the dictionary attacks cannot be performed without alerting the server; (e) the composite RSA signature “looks like” an ordinary RSA signature and verifies with standard crypto-libraries. We use a modification of the four-prime RSA scheme of Damgård, Mikkelsen and Skeltved from 2015, where the client and the server have independent RSA private keys. As their scheme is vulnerable to dictionary attacks, in our scheme, the client’s RSA private exponent is additively shared between server and client. Our scheme has been deployed and has over 200,000 users.

The paper was published in proceedings of the conference ESORICS 2017, Oslo, Norway, September 11-15, 2017.

The paper contains several pages of cryptographic proofs. The RSA key generation involves “l-safe” primes, which is not a standard practice in generating RSA primes. This is worrisome, especially after it became known that the flaw in ID card was caused by other instance of nonstandard RSA prime generation.


TallinnSec meetup: DevSec, 4G broadband modem pwning, Database Hoarding and Certbot

Tuesday, December 12, 2017, 17:00 to 20:00.
Technopolis Ülemiste, Lõõtsa 6, 2nd floor
Room name: Helsinki

17:10 – Sponsor greetings from Märt Ridala (Solita OÜ)
17:20 – Antti Virtanen: DevSec
17:50 – Iiro Uusitalo: WAN-to-LAN exploitation of 4G broadband modem
18:10 – Shamil Alifov: Database Hoarding. For fun and profit.
18:40 – Joona Hoikkala: Road ahead for encrypted web with Certbot and Let’s Encrypt
19:10 – Stefano Alberico: Communication solution based on end-to-end hardware encryption


CERT-EE is looking for monitoring specialists and security experts


The main tasks:
• Information security incident investigation, solving and technical analysis;
• Network monitoring;
• Threat and vulnerability monitoring, reaction and solving;
• Development of technical solutions;
• Log analysis;
• Performing tasks of international contact point in incident investigation and solving.


The main tasks:
• Information security incident monitoring and management 24/7.
• Incident monitoring and management of RIA services and state networks;
• Tracking of information security news and compilation of summary;
• Performing tasks of international contact point in incident investigation and solving.

If you think that you are the person we are looking for, send your CV together with suggested amount of salary to klaid@cert.ee until 05.12.2017.


Security Software OÜ is looking for security operators

We are looking for a competent security operator to undertake the surveillance of our customers IT systems, networks, servers, and operate the security measures of our customers. You will be responsible for detecting any suspicious network behavior and reacting accordingly. The ideal candidate will inspire respect and authority as well as possess a high level of observation.

• Patrol system logs for threats
• Respond to alarms by investigating and assessing the situation
• Remove hackers, trespassers, and policy violators from network
• Work with customer IT staff to secure all endpoints, network devices, servers, services, and IoT
• Provide assistance to customer IT staff
• Apprehend and detain perpetrators
• Submit periodic reports of surveillance activity and important occurrences

Soft skills & personality:
• Sharp mind, act fast
• Investigative mindset
• Tech-savvy
• Dealing with uncertainty

Technical knowledge (work experience or learning):
• Networks – good understanding of how computer networks work
• Windows – yes – people use Windows
• Linux – yes – people use Linux
• Scripting – comfortable working with PERL


Seminar on secure SSL load balancer configuration

Santa Monica Networks and F5 invites you to attend the morning seminar on November 17 at 08:30 – 12:30 at the LIFT99 event center. At the seminar, we will look at how the F5 SSL Orchestrator works, and discuss the typical errors that are being encountered in setting up the load balancer.

Day plan:
08:30 – 09:00 Morning coffee and check-in
09:00 – 10:30 F5 Networks SSL Orchestrator – how does it work, what does it do?
Continuing this year’s Security Day seminars on HTTPS visibility and F5 SSL Orchestrator themes, you can now learn about SSLO setup options and its functionality from a technical demo.
– Tarmo Mamers | Network Security Specialist @ Santa Monica Networks
10:30 – 10:45 Coffee break
10:45 – 11:30 Load balancer to identify a person – what could go wrong there?
Typical errors that occur when setting up the load divider. By living examples, it turns out how criminals can exploit such weaknesses and can be done by each network gatekeeper to prevent such errors.
– Mait Peekma | Pentester, trainer @ Clarified Security
11:30 – 12:30 Lunch @ F-Building
Seminar presentations are in Estonian

Because we remember how misconfiguration of F5 SSL load balancer used by SEB and Swedbank allowed to bypass ID card authentication.


Russian student accused of penetrating state systems on the orders of FSB

This past weekend, Estonian Internal Security Service agents at the border checkpoint in Narva arrested a man on his way to Russia suspected of acting as an agent for the Federal Security Service of the Russian Federation (FSB). The Russian citizen is suspected of non-violent activities against the Republic of Estonia and the preparation of computer-related crime. The targets in his activities against Estonia were Estonian state agencies.

The suspect is a young man with a very high IT skills proficiency. He arrived in Estonia «some time ago» with a valid visa. This was supposed to dispel all suspicions. The Estonian Internal Security Service (KAPO) believes the man was instructed by the FSB on what to do and take interest in while still in Russia. The young man was supposed to use his skills to find weaknesses in the computer networks of Estonian state agencies. Because KAPO needed proof of the agents actions, and because there was no direct and acute threat to the state, the agency placed the spy under surveillance and allowed him to continue his activities. Postimees has been told that all attempts by the IT specialist to penetrate Estonian networks failed. The man was apprehended a few hundred yards from the Russian border in Narva while on his way back during the weekend.

Story by the Russian news agency 47news.ru:

On suspicion of cyber espionage, the special services of Estonia detained a 20-year-old student from Kingisepp – Aleksei Vasilev. He was called an agent of the FSB. And 47news believes that so treacherous neighbors want to humiliate our State security.

As far as it is currently known, Aleksei from age 16 to 19 studied in the Estonian college (Ida-Virumaa Vocational Education Centre). Then a year he worked in Russia, at age 19 he returned to Estonia and started studies (in Virumaa College of TUT) as a programmer. In Estonia he resided on the basis of student’s residence permit.

With the Aleksei’s 38-year-old mother, Elena Pesovets, the embassy already talked. She is also a resident of Kingisepp. The 47news also talked with Elena.
– Aleksei graduated from some kind of a specialized class?
No, the usual Kingisepp school. Nine classes. Then he went to Sillamäe College (Ida-Virumaa Vocational Education Centre) to study as a programmer. Then for the higher education in Kohtla-Jarve (Virumaa College of TUT). He planned to work in profession.
– But why he did not try to study in Petersburg?
In St. Petersburg, tuition fees must be paid, but in Estonia it is free.
– But to work, to build a career he planned in Russia?
He did not think about it yet, he wanted to get the higher education, and after that to choose.
– Did he had any problems with the Estonian language?
He does not know Estonian well. But in Sillamäe and Kohtla-Järve studies are in Russian. It was not required to know Estonian to study.
– Computers are his main hobby?
Yes, he was fond of computers. But his friends, like for every guy – classmates. He does not smoke, does not drink alcohol, does not rove. Every weekend he came home. He has two brothers. All the time at home with them.
– And he lived on a scholarship or worked part-time somewhere?
He got a scholarship, and I gave him money. Like all students.
– Did you spoke with your son?
There is no connection. No possibilities to meet. I am preparing the documents. I only know one thing: my son is not a criminal.

In this story there is an incomprehensible or unpleasant yet nuance. When, after detention, an employee of the Russian embassy arrived at the detention center, instead of Aleksei, a police officer came out. He acquainted our diplomat with the paper signed by the detainee. In it, Aleksei says that he is acquainted with his rights, but he does not need the services of the embassy. But most likely, this is a childish step.


Using the Estonian Electronic Identity Card for Authentication to a Machine

Abstract: The electronic chip of the Estonian ID card is widely used in Estonia to identify the cardholder to a machine. For example, the electronic ID card can be used to collect rewards in customer loyalty programs, authenticate to public printers and self-checkout machines in libraries, and even unlock doors and gain access to restricted areas.
This paper studies the security aspects of using the Estonian ID card for this purpose. The paper shows that the way the ID card is currently being used provides little to no assurance to the terminal about the identity of the cardholder. To demonstrate this, an ID card emulator is built, which emulates the electronic chip of the Estonian ID card as much as possible and is able to successfully impersonate the real ID card to the terminals deployed in practice. The exact mechanisms used by the terminals to authenticate the ID card are studied and possible security improvements for the Estonian ID card are discussed.

The TLDR; of the paper is that when the ID card is used to authenticate to a machine (unless PIN1/PIN2 is involved), the ID card does not provide additional authentication factor. This is not a surprise to anyone who is familiar with the technology, but some still believe that ID card provides some security over the magnetic-stripe card.

The paper describes proof-of-concept implementation of non-cryptographic “ID card emulator” and demonstrates transplantation of the fake chip to a real ID card.