Monthly Archives: January 2015

Secure multi-party computation considered for fighting VAT fraud in Estonia


In 2013 the Estonian parliament mandated an invoice data annex to the VAT return, whereby every firm must report all transactions with other firms exceeding 1000 euros, so that the tax board could check that the buying and the selling company were declaring the same amount. Following lobbying by businesses about the accounting overhead and the exposure of business secrets, the president vetoed the bill.

Sander and colleagues approached the tax and customs board with a proposal to use secure multi-party computation, and built a research prototype using Sharemind. The idea is to split each VAT declaration into three shares, held on servers run by the tax board, the business association and a third party, and to run distributed computations over the shares to get risk scores for companies without any single party seeing the declared amounts. Their tests show that it is feasible: the monthly tax returns of the whole Estonian economy could be processed in ten days. The remaining problem is that the tax board keeps its risk-scoring algorithms proprietary and would prefer not to reveal them in case they get gamed, and at present nobody knows how to evaluate such a hidden query in a practical amount of time. Revised legislation has since been accepted and secure MPC is on the tax board’s roadmap for the next few years. In conclusion, MPC can solve some real problems, although business processes may have to change.
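To make the three-server idea concrete, here is an added illustration of additive secret sharing, the building block behind it. This is not Sharemind code (Sharemind’s protocols are considerably more involved) and not the tax board’s algorithm; it models only the part needed to see why no single server learns a company’s figures: each declared amount is split into three random-looking shares, the tax board, the business association and the third party each hold one, and the mismatch between a seller’s and a buyer’s declaration is computed share-by-share on each server and only the result is reconstructed. The declarations, company names and the euro-cent amounts are constructed sample data.

```python
"""Additive secret sharing over the ring Z/2^64 across three servers.

Added illustration for the VAT-declaration idea; not Sharemind's code.
Sample declarations below are constructed, not real tax data.
"""
import secrets

MOD = 2 ** 64          # values are integers modulo 2^64 (a Sharemind-style ring)
SERVERS = ("tax board", "business association", "third party")


def share(value: int) -> list:
    """Split value into three additive shares with s1 + s2 + s3 == value (mod MOD).

    Any two of the shares are uniformly random and independent of value, so a
    single server (or two colluding ones) learns nothing about the amount.
    """
    s1, s2 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return [s1, s2, (value - s1 - s2) % MOD]


def reconstruct(shares: list) -> int:
    """Recombine three shares; the top half of the ring encodes negatives."""
    v = sum(shares) % MOD
    return v - MOD if v >= MOD // 2 else v


def sub_shares(a: list, b: list) -> list:
    """Subtraction is linear, so each server subtracts its own shares locally;
    no communication between the servers is needed for this step."""
    return [(x - y) % MOD for x, y in zip(a, b)]


# Constructed sample input: (seller, buyer) -> amount in euro cents that each
# side declared for the same set of invoices.
SELLER_DECLARATIONS = {("A", "B"): 150_000, ("A", "C"): 320_000, ("D", "B"): 101_000}
BUYER_DECLARATIONS = {("A", "B"): 150_000, ("A", "C"): 280_000, ("D", "B"): 101_000}


def distribute(declarations: dict) -> dict:
    """What the servers jointly receive: for every pair, one share per server."""
    return {pair: share(amount) for pair, amount in declarations.items()}


def server_view(shared: dict, server: int) -> dict:
    """Everything one server sees: one uniformly random share per pair."""
    return {pair: shares[server] for pair, shares in shared.items()}


def mismatches(seller_shares: dict, buyer_shares: dict) -> dict:
    """Return the pairs whose declarations disagree, with the difference.

    Only the per-pair difference is opened; the declared amounts themselves
    never leave shared form. A zero difference reveals only that both sides
    agree, which is exactly what the annex was meant to check.
    """
    result = {}
    for pair in seller_shares:
        diff_shares = sub_shares(seller_shares[pair], buyer_shares[pair])
        diff = reconstruct(diff_shares)
        if diff != 0:
            result[pair] = diff
    return result


if __name__ == "__main__":
    sellers = distribute(SELLER_DECLARATIONS)
    buyers = distribute(BUYER_DECLARATIONS)
    for i, name in enumerate(SERVERS):
        print(f"{name} sees: {server_view(sellers, i)}")
    print("mismatches:", mismatches(sellers, buyers))
```

Note what this does and does not hide: the amounts stay secret, but the structure of the computation (which pairs are compared, and that the check is a subtraction) is known to all three servers. That is the open problem the post mentions: the tax board’s actual scoring rules would have to be visible to the parties running the computation unless the query itself could be evaluated as private data, which is not practical today.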

Links:
https://www.lightbluetouchpaper.org/2015/01/26/financial-cryptography-2015/
http://fc15.ifca.ai/preproceedings/paper_47.pdf

IT College organizes hacking competition CyberOlympics 2015


We invite you to take part in the CyberOlympics for students on 14 February 2015, starting at 9:00 at the Estonian Information Technology College, Raja 4C.

Your skills and toughness will be tested on the Estonian Defence Cyber Training Platform. All students at bachelor’s, applied science and master’s level are welcome to apply. FIRST PRIZE: BLACK HAT EUROPE in Amsterdam

Does this sound interesting and you would like to know more, but you’re not quite ready to jump on board this time?
No worries! Come and join us on the event day anyway, because at 12:00 we open a CyberCafeteria where you can:

  • watch the whole competition live
  • take part in a sumorobot workshop
  • compete in a hands-on hacking competition
  • listen to short presentations on life in the cyber world and on study and career opportunities in the field.


Winners:
1. Jaanus Kääp, Estonian IT College (IT System Development)
2. Henri Ots, Estonian IT College (IT System Administration)
3. Andres Elliku, Tallinn University of Technology (Cyber Security), Estonian IT College alumnus
4. Karl-Martin Karlson, Estonian IT College (IT System Administration)
5. Urmo Lihten, Tallinn University of Technology (Cyber Security), Estonian IT College alumnus

Links:
http://www.kyberolympia.ee/en
http://www.goodnews.ee/kuberolumpia-2015-voitis-jaanus-kaap-kolledzist

Tartu students prove drones are easy targets for hijacking


Erasmus exchange students of the Institute of Computer Science of the University of Tartu have demonstrated that it is possible to fully take over the control of commercial drones.

Kramer and Schmeisser first showed that it was possible to eavesdrop on the video stream sent out by a drone without being detected. They also showed that it is possible to hijack the drone in several ways, and concluded that the communication of most drones is currently insecure, leaving the drones vulnerable.

Critics have, however, pointed out that the study involved only one specific model, controlled over WiFi, and that the hijacking scenarios the students used do not apply to other types of drones.

It would be interesting to know what cryptography other drones use to protect the link between the drone and its controller.

Links:
http://news.err.ee/v/scitech/b3c39c8f-1775-4b2a-a4be-fd99957b8c2c

BSc thesis: Secure Data Transmission over Mobile Voice Channel


Student: Maksim Lind
Supervisor: Alexander Tkachenko
Reviewer: Ilya Verenich

Abstract: A number of attempts have been made to address the issue of mobile communication security. In this work, we describe an alternative solution, where security is enforced before any information reaches the phone. Sensitive information such as voice is processed in an external device and then passed into the mobile phone as an analog sound signal. The advantage of this approach is that the external unit can be attached to any phone with a sound input. While building the system, we analyzed a number of existing solutions, tuned parameters and performed experiments.

Conclusion:
As a result, our system established a secure data connection with transfer speeds of up to 2000 bps and a median error rate of 21 percent. Because of the high error rate, the channel we provided was not reliable enough to carry a voice signal.

The work does not deal with the key management problem, but assumes that both parties have established a symmetric key beforehand.
The idea itself is pretty neat and has been commercialised by the JackPair Kickstarter project.

Links:
http://comserv.cs.ut.ee/forms/ati_report/datasheet.php?id=45531&year=2015

e-Governance Academy planning to create a strategic cybersecurity index


For 2015, the academy has other exciting work underway. As part of a joint project with the Estonian Foreign Ministry, Finland’s Aalto University, and Norway’s Info and Cybersecurity Institute, the academy is planning to create a strategic index to measure cybersecurity performance in different countries.

According to the academy’s cybersecurity program director Raul Rikk, the index should give entrepreneurs, planners, scientists, and other interested parties information about the levels of cybersecurity of a certain state or the levels in specific areas of online security. The specific focus is going to be defined in the first half of 2015 and the pilot project will be tested in a few countries first. If the trial is successful, the index could go global.

“The index would be beneficial with services like e-residency. If Estonia or some other country wanted to provide its e-services outside of its own country to a large number of people, the question – are the e-services of this country secure and reliable? – arises. Can the user be sure that the state is giving enough attention to the protection of its cyberspace?” Rikk said.

It seems that a Global Cybersecurity Index already exists.

Links:
http://www.zdnet.com/article/the-students-have-become-the-masters-how-estonias-tech-prowess-has-inspired-countries-around-the/

Investigators disclose best disguised cybercrime in years


This was no classical computer fraud investigation. In this criminal case, the police had no crime report from any person or foreign bank that had lost money. That was what the fraud was built upon: to act unnoticed and avoid being seen by investigators.

Generally speaking, credit card fraud and the buying of other people’s credit card data on specialised internet forums is nothing extraordinary. Still, the activity Sergei is accused of was a long step forward in conspiracy, for he got his card data from forums that could only be entered by invitation from the inner circle.

Getting caught was supposedly avoided by using so-called virtual machines to hide themselves while making purchases with strangers’ credit cards. In theory, this was supposed to be the perfect crime. To leave no evidence, all parties involved used encrypted communication between themselves. The criminal idea as such was simple: buy at full price with other people’s money, and resell at considerably lower prices.

To avoid being linked with the goods, he had them delivered to post offices in some European countries, such as Germany, Austria, the Czech Republic, Sweden or Finland, mainly the latter. Individuals hired by Sergei’s closest assistant travelled to collect the goods; stuffing their luggage full of laptops, they marched off to an airplane.

The article does not say why this super-disguised crime failed.
Probably the guys attracted attention by selling goods too cheaply.

Links:
http://news.postimees.ee/3061473/cyber-investigators-disclose-best-disguised-crime-in-years

BSc thesis: Denial of Service Attacks and Defense Solutions


Student: Erki Vaino
Supervisor: Meelis Roos
Reviewer: Ljubov Feklistova

Abstract
Over time, denial of service attacks have become more sophisticated and a popular method amongst attackers. This document provides an overview of different attacks and of defence solutions against them. Although there are many good resources on the subject in English, there are very few in Estonian. First, there is a general overview of the attacks and how they can be classified. Then come descriptions of how different attacks work and which vulnerabilities or mechanisms they use to stop the victim from providing service. The last part describes how these attacks can be stopped or mitigated, and which products and solutions companies currently offer on the market. Each product is described briefly, with information on how it helps to protect the network.

The thesis also contains interviews with two Estonian IT infrastructure architects.

Links:
http://comserv.cs.ut.ee/forms/ati_report/datasheet.php?id=45551&year=2015

Estonian mobile operators vulnerable to interception, impersonation and tracking attacks


During the last Chaos Communication Congress (31C3), several talks were given that analysed the security provided by different mobile operators.

The GSM Map country report provides a security analysis of Estonia’s three mobile networks, based on data samples submitted to the GSM Map project between October 2012 and December 2014, and compares the protection features implemented across the networks. All 3G networks in Estonia implement sufficient 3G intercept protection. None of the networks sufficiently protect against 2G intercept attacks. In all 2G networks, user impersonation is possible with simple tools. All 2G networks in Estonia allow user tracking.

According to SS7map, Estonian networks answer 5 SS7 MAP messages that leak the subscriber’s city-level location and 2 SS7 MAP messages that leak precise street-level location (about 200 m). Two operators leak subscriber keys; a leaked key lets an attacker decrypt the subscriber’s calls and SMS by impersonating the network with a fake base station. Two operators are susceptible to fraud via a change of prepaid/postpaid status.

EMT seems the most secure and TELE2 the least secure.
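The two 2G weaknesses behind these findings are easy to model. The following is an added illustration, not code from the GSM Map or SS7map projects: a 2G handset answers any RAND challenge and never authenticates the network, so a fake base station is accepted, whereas a 3G USIM checks the AUTN token first; and a 2G network that authenticates rarely and reuses the session key Kc accepts traffic from anyone who knows Kc, which is why an SS7 key leak (or an A5/1 crack) turns into impersonation. The real A3/A8, the 3G f1/f2/f3 functions and the A5 cipher are replaced by HMAC-SHA256 stand-ins, and the key lengths and class names are this example’s own assumptions; the page does not name the SS7 messages involved, so the leak is simply simulated by handing the attacker the network’s Kc.

```python
"""Toy model of GSM (2G) versus UMTS (3G) authentication.

Added illustration, not GSM Map or SS7map code. The operator key functions
and the A5 cipher are replaced by HMAC-SHA256 stand-ins; only the protocol
structure is modelled.
"""
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for A3/A8 (2G), f1/f2/f3 (3G) and A5 (hypothetical, not the real ones)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]


class Handset2G:
    """GSM SIM: derives SRES and Kc from RAND and ignores any AUTN."""

    def __init__(self, ki: bytes) -> None:
        self.ki = ki
        self.kc = None

    def respond(self, rand: bytes, autn: bytes = b"") -> bytes:
        self.kc = kdf(self.ki, b"A8", rand, 8)   # 64-bit session key Kc
        return kdf(self.ki, b"A3", rand, 4)      # 32-bit SRES

    def send(self, msg: bytes) -> tuple:
        """'Cipher' a message under the current Kc (the tag stands in for A5)."""
        return msg, kdf(self.kc, b"A5", msg, 8)


class Handset3G(Handset2G):
    """UMTS USIM: refuses the challenge unless AUTN carries a valid MAC."""

    def respond(self, rand: bytes, autn: bytes = b"") -> bytes:
        if not hmac.compare_digest(autn, kdf(self.ki, b"f1", rand, 8)):
            raise ValueError("AUTN MAC failure: network not authenticated")
        self.kc = kdf(self.ki, b"f3", rand, 16)  # CK in 3G terms
        return kdf(self.ki, b"f2", rand, 8)      # RES


class AttackerHandset(Handset2G):
    """Attacker who learned Kc (e.g. via SS7) but not the long-term key Ki."""

    def __init__(self, leaked_kc: bytes) -> None:
        super().__init__(ki=b"")
        self.kc = leaked_kc

    def respond(self, rand: bytes, autn: bytes = b"") -> bytes:
        return os.urandom(4)   # cannot compute SRES without Ki: a blind guess


class Network2G:
    """Serving 2G network. reauth=False models the common practice of
    authenticating once and reusing Kc for later calls and SMS."""

    def __init__(self, ki: bytes, reauth: bool) -> None:
        self.ki, self.reauth, self.kc = ki, reauth, None

    def authenticate(self, handset) -> bool:
        rand = os.urandom(16)
        if not hmac.compare_digest(handset.respond(rand), kdf(self.ki, b"A3", rand, 4)):
            return False
        self.kc = kdf(self.ki, b"A8", rand, 8)
        return True

    def transaction(self, handset, msg: bytes) -> bool:
        """Accept msg if the handset is (re)authenticated and msg is ciphered under Kc."""
        if self.kc is None or self.reauth:
            if not self.authenticate(handset):
                return False
        msg, tag = handset.send(msg)
        return hmac.compare_digest(tag, kdf(self.kc, b"A5", msg, 8))


def fake_bts_accepted(handset) -> bool:
    """Fake base station: random RAND and a forged AUTN (no key to compute the MAC)."""
    try:
        handset.respond(os.urandom(16), os.urandom(8))
        return True
    except ValueError:
        return False


def impersonation_with_leaked_kc(reauth: bool) -> bool:
    ki = os.urandom(16)
    net, victim = Network2G(ki, reauth), Handset2G(ki)
    assert net.transaction(victim, b"victim's own SMS")   # victim authenticates normally
    attacker = AttackerHandset(leaked_kc=net.kc)          # Kc leak simulated here
    return net.transaction(attacker, b"SMS sent as the victim")


def demo() -> dict:
    return {
        "fake_bts_accepted_by_2g": fake_bts_accepted(Handset2G(os.urandom(16))),
        "fake_bts_accepted_by_3g": fake_bts_accepted(Handset3G(os.urandom(16))),
        "kc_leak_impersonation_no_reauth": impersonation_with_leaked_kc(reauth=False),
        "kc_leak_impersonation_with_reauth": impersonation_with_leaked_kc(reauth=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model shows why the report scores 3G networks as protected against intercept while every 2G network fails impersonation: nothing in the 2G exchange lets the handset tell a real cell from a fake one, and once Kc is known to anyone other than the subscriber, the only thing standing between that party and the subscriber’s identity is how often the network bothers to issue a fresh challenge.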

Links:
http://gsmmap.org/assets/pdfs/gsmmap.org-country_report-Estonia-2014-12.pdf
http://ss7map.p1sec.com/country/Estonia/
https://www.youtube.com/watch?v=GeCkO0fWWqc
https://www.youtube.com/watch?v=lQ0I5tl0YLY

Sensitive information related to cyber security will be classified as a state secret


The amendments to the State Secrets and Classified Information of Foreign States Act, which define as a state secret any classified information related to cyber security or critical information infrastructure protection, will increase the number of officials who have access to state secrets, and their responsibility towards their employers.

The Estonian Internal Security Service (KaPo) is responsible for maintaining information about people with state secrets clearance.
“KaPo has never disclosed exactly how many people have the right to access state secrets and the classified information of foreign states. It is clear that these (cyber security) people will now also need access, but we will not disclose the precise number,” said KaPo spokesman Harrys Puusepp.

“The need to access state secrets is always derived from the particular job description; it is not granted for fun. The employer’s primary responsibility is to protect state secrets, and now he will also have sufficient means to do that. The amendments to the Act will certainly help with that,” added Puusepp.

According to Interior Ministry spokesperson Toomas Viks, the amendments to the Act primarily concern employees of the Estonian Information System Authority (EISA).

Rauno Veri, head of EISA’s PR department, said that EISA staff already have the necessary clearance today, so the amendment will not raise the number of people eligible to access state secrets.

In mid-December the government passed a draft obliging officials with access to state secrets to report their private trips abroad. The list of countries will be established by the Ministry of the Interior. Viks noted that the obligation to notify will not apply to European Union, Schengen Agreement and NATO member countries.

Addition to the current version of the State Secrets and Classified Information of Foreign States Act:

Paragraph 10 [list of state secret subcategories] is amended by clause 9 as follows:
EISA risk assessments, monitoring data and information gathered during supervisory actions about critical vulnerabilities in information systems, to the extent that such information contains technical data on the critical vulnerabilities of the information systems of constitutional institutions, government agencies and their subordinate institutions, vital service providers, and international organisations whose security is provided by Estonia, and if the disclosure of such information to unauthorised parties could raise the risk of a security incident in these fields; except such information whose disclosure would not endanger the security of the Republic of Estonia. Such information will be classified at the “restricted” level for up to 10 years.

Links:
http://www.postimees.ee/3035403/riigisaladuse-loaga-ametnike-arv-jaab-saladuseks
http://www.riigikogu.ee/?op=ems&page=eelnou&eid=12261279-a8d0-4246-be4a-8c9c0405b3e1&

The hands of the Prosecutor’s Office remain short when catching foreign cyber criminals


In the interview the prosecutor explains that foreign requests for legal assistance are too expensive and take too much time, so that victims cannot actually rely on the police or the prosecutor’s office in e-crime cases below EUR 1000 (or EUR 5000 in the case of the UK). Nigeria and the USA are singled out as bad: the former for obvious reasons, the latter because US law is of little help in investigating cybercrime. Germany is praised because they sometimes still prosecute cybercrooks.

Links:
http://www.sakala.ajaleht.ee/3046067/prokuratuuri-kaed-jaavad-piiritaguseid-kaaperdajaid-puudes-vaga-luhikeseks