Monthly Archives: May 2015

Cyber Security Summer School 2015


13-17 July 2015, Laulasmaa Spa and Conference Hotel.

Topics:
* How to live securely in a digital society?
* E-Estonia, a role model for the future? On implementation, challenges and limitations
* Privacy and other concerns of a digital society
* Anonymisation and deanonymisation techniques
* Internet measurements and routing: big data and network mathematics
* Examples and hands-on activities from experts
* Lots of fun and insights into controversial topics

Tentative Program:
Sunday, July 12: 18.30 Welcome Reception

Monday, July 13:  Living in a digital society, securely?
09.30 – 13.00 Steven M. Bellovin
13.00 – 14.00 Lunch
14.00 – 17.30 Jaan Priisalu & Kristjan Vassil
18.30 Dinner

Tuesday, July 14: Privacy and concerns about a digital society
09.00 – 12.30 Ben Zevenbergen
12.30 – 13.30 Lunch
13.30 – 17.00 George Danezis
18.30 Dinner

Wednesday, July 15: Security Ecosystems
09.00 – 12.30 Vern Paxson
12.30 – 13.30 Lunch
13.30 – 17.00 Richard Kemmerer
18.30 Dinner
20.00 – 22.00 Mehis Hakkaja (Hacking Demo)

Thursday, July 16: Internet measurements and routing: big data and mobile networks
09.00 – 12.30 Tristan Henderson
12.30 – 13.30 Lunch
13.30 – 17.00 Walter Willinger
18.00 Transport to the gala dinner location
19.00 Gala dinner

Friday, July 17: Student presentations
09.00 – 12.30 Student presentations
12.30 – 13.30 Lunch
13.30 – 14.30 Student presentations
14.30 Closing remarks
15.00 Transport to Tallinn and departure

Registration for the summer school has already ended.

Links:
http://studyitin.ee/c3s/program

Failure at card payment processor Nets Estonia causes inconveniences


There was a congestion situation in which some requests went through but others did not, and at some point card payments did not work at all. This was when the system was taken down to make changes. Banks urged customers to equip themselves with cash.

Nets Estonia, the company managing the terminals, has confirmed that the failure resulting in overloaded card payments was caused by the process for erasing old data, which had become too bulky. A maintenance operation will take place in the coming night and is expected to eliminate the problem permanently.

Comment from EISA:

According to the head of the EISA Vital Services Protection Division, Urmo Sutermäe, Nets Estonia is not itself a vital service, but if its services are disrupted for any reason, this prevents banks from offering a vital service. In his opinion, it would help to reduce such disruptions in the future if services continuously evaluated the extent of cross-dependencies and their impact and reduced the associated risks by having alternative solutions.

It is not clear what merchants should do. Should they have a backup PoS terminal serviced by a different card payment processor?

Links:
http://tarbija24.postimees.ee/3196937/ria-kaardimaksetega-seotud-riske-saab-vahendada
http://uudised.err.ee/v/majandus/61eb0173-1457-4edf-b4f7-c5aca3c7cc5a

Two Estonian companies received Bitcoin extortion letters


According to the Police and Border Guard Board, at least two Estonian companies have become victims of the latest cyber-attack, in which they also received an email demanding Bitcoins. The cyber-criminals threatened in the emails that should they not receive Bitcoins, more serious attacks would follow.

In both cases, a denial-of-service (DoS) attack was first committed against the official web pages of the respective companies. The businessmen then got an email which specified the account and deadline for transferring the Bitcoins – to avoid a more deadly ambush. According to a police representative, the cyber-attack lasted for about an hour. However, the attackers have not carried through their threats, despite the entrepreneurs not giving in to the Bitcoin demands. The police have started a criminal investigation.

It took a year for Estonian criminals to try out the business plan.

It's not yet known who is behind the attack and extortion. Similar cases have not been seen in Estonia before, but the rest of the world is familiar with them, and law enforcement agencies in various countries cooperate to apprehend the criminals. The extortion letters are sent by organized criminals who call themselves “DD4BC”.

Searching for “DD4BC” shows that in recent months several organizations in various countries have received Bitcoin extortion letters from a group calling themselves DD4BC. However, these might as well be Estonian criminals going under the DD4BC handle.

Links:
http://news.err.ee/v/scitech/09f4d9ae-dd8e-499f-aaf1-f56d9e9188b9
http://epl.delfi.ee/news/eesti/hakkerid-noudsid-runnakutega-ahvardades-bitcoine?id=71475581
https://www.politsei.ee/et/uudised/uudis.dot?id=446825

Concerns about European Commission’s plans to backdoor Estonian ID card


The European Commission presented a new plan for internal security, which is driven by the concern that powerful encryption is helpful to crime and terrorism. The initiative will not leave Estonia untouched, as the ID card currently provides the ability to encrypt communications.

Prime Minister Taavi Rõivas announced that Estonia should not give in to pressure by allowing a backdoor to be created in the ID card. Taavi Rõivas confirmed to Eesti Päevaleht and Delfi that cybersecurity and data confidentiality are fundamentally important.

He added that the law enforcement authority will have to find other ways to control crime: “Estonia is of the view that the fight against crime will have to find other means and not at the expense of ID card security”.

While the ID card software package includes a utility that can be used to encrypt files, the average Estonian does not use the ID card to encrypt communications, but merely uses it as an authentication tool. Unless this changes significantly, the encryption ability provided by the ID card will not be of significant interest to law enforcement authorities.

Even today, if a law enforcement authority wanted to decrypt files encrypted with an ID card, it could use an official feature built into the ID card that lets the ID card manufacturer reset the PIN code and gain authorization for private key operations (i.e., decryption).


Anto Veldre: It is not very likely that some criminal would like to go to the migration authority, give biometrics to the government and start to encrypt. Isn’t there any easier way to do it? The Western world does not like that terrorists can send encrypted emails.
Interviewer: Is the Estonian ID card in danger against the background of Europol requirements/thoughts?
Anto Veldre: I don’t think so. Estonian representatives in the EU can handle this problem on the political level (show the danger and people’s trust in the current system). Police have their own techniques and they can handle their work.

Links:
http://epl.delfi.ee/news/eesti/politseile-oigus-id-kaardi-koodi-murda-euroopas-tahetakse-krupteerimisele-ametlikke-tagauksi?id=71438223
http://epl.delfi.ee/news/eesti/roivas-id-kaarti-kompromiteerida-ei-tohi-kuritegevusega-voitlemiseks-tuleb-leida-teised-viisid?id=71443761
http://etv.err.ee/v/meelelahutus/terevisioon/saated/4d030bd7-c496-476c-9f21-551007d89c06 (39:32 – 46:43)
http://uus.minut.ee/tagauksed-kruptos-ja-id-kaart/