Monthly Archives: June 2015

National Cyber Security Organisation: Estonia

ccdcoe_logo

The study outlines the division of cyber security tasks and responsibilities between different agencies, describes their mandate, tasks and competences, and the coordination among them. In particular, it describes the mandates of political and strategic management; operational cyber security capabilities and cyber incident management; military cyber defence; and cyber aspects of crisis prevention and crisis management. It also offers a summary of the national information society setting and e-government initiatives as well as the national cyber security strategy objectives in order to clarify the context for the organisational approach in a particular nation.

Agencies mentioned: Ministry of Economic Affairs and Communications, Ministry of Defence, Cyber Security Council of the Security Committee of the Government, Estonian Information System Authority (EISA (RIA)), Estonian Computer Emergency Response Team (CERT-EE), Estonian Defence Forces, Strategic Communication Centre, NATO CCD COE, Estonian Defence League, National Crisis Management Committee, Ministry of the Interior, Estonian Internal Security Service (ISS (KAPO)).

Links:
https://ccdcoe.org/sites/default/files/multimedia/pdf/CS_organisation_ESTONIA_032015_1.pdf

 

Open Vacancy: Security Engineer in Guardtime R&D division

guardtime_logo

About The Role
The security engineer is part of a team of highly skilled, dedicated individuals who support research and software/security architecture for new product developments. This role will be based in Estonia (Tallinn/Tartu) and be a part of an international organization where most of the clients and market is growing overseas.
Responsibilities:
* Research/develop new technologies applicable to our products/services
* Software/security architecture for prototypes, new product developments
* Integration of KSI with various technologies like virtualization platforms, Internet of Things, PKI-based systems, code repositories, networking platforms, big data and others.
* Document and present research results
* Participate/present in security conferences, publish research papers, follow current trends in the information security world

Profile:
* Strong background in cryptography engineering information security
* Eloquent in formal methods, mathematics and statistics
* Familiarity with security infrastructure and protocols
* Experience with distributed systems, networking, cloud deployment and virtualization
* Strong background in programming – C/C++/Java/JS
* Strong experience with Unix Scripting: shell, perl, python or equivalent
* Result oriented and eager to learn

Links:
https://guardtime.com/about/jobs/security-engineer

Open Vacancy: Officer in Swedbank Security Incident Response (SIRT) Team

swedbank_logo

Your tasks will consist of:
* Gathering and analyzing of information about potential threats to Swedbank,
* Discovery and management of security incidents, including computer fraud and post-incident’s investigation,
* Proactive work to prevent security incidents.

Skills and qualities important to possess as a SIRT Officer in order to be successful in the role:
* University degree or practical IT working experience of at least 4 years,
* Ability to gather and analyse information,
* Knowledge and experience at least one of the following: Windows, Unix, or databases.
* Fundamentals of computer networks, network protocols, and applications,
* Knowledge of basic information security principles, including risks and threats to computers and networks, security vulnerabilities and attacks,
* Knowledge and experience of Java and Python programming languages would be seen as an advantage
* Software reverse engineering, or cryptography knowledge, or penetration testing (OWASP), and demonstrated computer forensics skills would be seen as an advantage,
* Knowledge of basic digital electronics would be seen as an advantage, and
* Good verbal and written communication skills in Estonian and  English is a necessity; knowledge of Russian would be seen as advantage

Links:
http://swedbank.easycruit.com/intranet/ee_homepage/vacancy/1411080/70633?iso=ee

 

Estonian Police to start collecting personal data of air passengers

passenger_name_record_PNR

On January 1, 2016, Estonian Police and Border Guard Board (PPA) will start collecting booking information for all flights to and from Estonia.

“The main reason for collecting PNR data is to fight cross-border crime, because drug and human traffickers, smugglers and the rest all make use of the broadened opportunities for free movement,” PNR project leader Kristi Laul said. “The PNR system will have a direct effect on public safety and have a positive effect on state’s internal security and its ability to counter serious crimes.” The data will only be used to investigate terror threats and other serious crime. The database serves as a tool to find people who could pose a risk to public safety.

PNR, or Passenger Name Records, are, in essence, data about your flight details. Every time we travel by plane, either the airline or the travel agent needs a series of data to proceed with our reservation, including itinerary, contact details, forms of payment, accompanying guests, and sometimes food preferences.

Meanwhile, civil society groups, the European Parliament and the EU data protection watchdog, the European Data Protection Supervisor, have repeatedly highlighted the lack of evidence regarding the necessity and proportionality of this “massive and routine processing of data of non-suspicious passengers for law enforcement purposes.”

Links:
http://news.err.ee/v/politics/72da111e-be78-4c6f-9cb3-196a18b4ff24
https://www.accessnow.org/blog/2014/11/26/wishing-bon-voyage-to-pnr-agreements-in-europe

Study on the lifecycle of cryptographic algorithms 2015

crypto_primitive_strength

Commissioned by Estonian Information System Authority (RIA), a new study has been completed on the lifecycle of encryption algorithms. According to Toomas Vaks, Deputy Director-General of RIA, it is important to abolish 1024-bit keys as soon as possible everywhere. For the next five years, 2048-bit keys and, in the long-term, 3072-bit keys at a minimum should be used.

Links:
https://www.ria.ee/ee/it-lahendustesse-ehitada-voimalus-asendada-kruptoalgoritmid.html

Evaluation of Research in ICT in Estonia 2009–2014: Evaluation Report 5/2015

ETAG_logo
Tallinn University of Technology:

4.4.15. Research Group: Faculty of Information Technology: Cyber Security
The group is led by Prof. Olaf Maennel. It is a very young and active group, started around 2013. The main interests of the group are in intrusion detection, testing security policies, and security simulation exercises. They have gained a European FP7 project on E-Crime. The group is still establishing itself in research and its activities are promising. The number and quality of publications is still limited and should be increased. This can be done since the leader of the group is well cited. Assessment: The panel judges the research to be of high international level. The overall evaluation of the group is good.

University of Tartu:

4.6.10. Research Group: Institute of Computer Science: Cryptography and Theoretical Computer Science
This group represents a number of subunits, with 6 topics led by 5 lead PIs (Sven Laur, Helger Lipmaa, Vitaly Skachek, Dirk Oliver Theis, Dominique Unruh). The group was restructured in 2011 with the recruitment of Unruh and Lipmaa. The group addresses six key research topics, namely classical cryptography, quantum cryptography, coding theory, combinatorics and algorithms, security, and verification of cryptography. All topics are related to computer security.
The research highlights include quantum proofs of knowledge, privacy-preserving data-mining, efficient non-interactive zero-knowledge proofs, communication complexity and the rank of matrices, and permutation codes. The group claims 8 level 1.1 publications, which seems a bit low. However, it is also a bit misleading since their list of 30 best papers includes 11 articles in top or at least internationally well recognized journals (J Cryptology, European J Combinatorics, IEEE Tr Information Theory, IEEE J selected areas in communication, Theoretical Computer Science, Journal of Computer Security, Bioinformatics, European J. Operations Research), besides 7 papers in the very best conferences (FOCS, Crypto, Eurocrypt, ICALP). Remaining top 30 items are papers in more specialized cryptography and security venues like ACM CCS, PKC, SCN, CSF, Eurocomb. Publication rate of top level papers has increased significantly over the evaluation period.
Many of the students (10+) are working in related industrial SMEs such as Cybernetica. They are contributing to several practical applications such as e-voting. The group is recommended to keep its current high quality and volume of output, and to develop some additional internationally financed projects. Based on the evidence, panel judges the research to be of high international level. Because of the strong upward trend the overall evaluation of the group is excellent.

Links:
http://www.etag.ee/wp-content/uploads/2012/05/Evaluation_raport2015veeb.pdf

Call for ideas to improve Estonian Internet voting

Estonian_internet_voting

Electronic Voting Committee invites those interested in Internet voting to attend the day of ideas event, which will take place on Thursday, 18 June, 2015 from 11:00 to 15:00 in the hall of commandant house at Toompea street 1, Tallinn.

I-voting in Estonia has been used already for 8 elections in 10 years. The system has been continuously developed, but since the time of the next regular elections is after little more than two years, it is an opportune time for introducing something larger and more substantial.

Hence the aim for the day of ideas: everyone will have the opportunity to present his ideas or thoughts on how to make i-voting even better, more secure, more transparent, more reliable, etc. – invited are both technical and organizational improvement proposals.

To have a smooth management of the event:
a) register your participation no later than 16 June by sending an e-mail to vvk dot ee.
b) describe in a few sentences the idea and give an estimate on the time needed for the presentation. If you wish, you can show the slides.

Invited are also those who do not have their ideas, but still would like to participate in the debate about the ideas.

Additional information: Tarvi Martens (Head of the Committee)

Presentations:

Sven Heiberg “What is possible for 2017”
Ivo Kubjas “Mixnets – why, what and how?
Arnis Paršovs “Homomorphic Tallying for Estonian Internet Voting”
Tanel Tammet “About e-election problems”
Ahto Truu “Data integrity detection KSI service”

Links:
http://www.vvk.ee/valimiste-korraldamine/vvk-uudised/kutse-ideepaev-e-haaletamise-parenduseks/
http://vvk.ee/valimiste-korraldamine/elektroonilise-haaletamise-komisjon/ideepaev-2015/

Cyber Security master’s theses defense in Tallinn University of Technology (June 2015)

TTU_peamine_logo_ENG

Thursday, 4 June 2015, Akadeemia Tee 15a, Room ICT-411:

Time: 09:00
Student: Vladimeri Tskhakaia
Supervisor: Jüri Kivimaa
Reviewer: Rain Ottis
Title: IT Security Cost Optimization Model for ProVoice Holding AB

Time: 09:40
Student: Sten Mäses
Title: Evaluation Method for Human Aspects in Information Security
Supervisor: Aare Klooser
Supervisor: Liina Randmann
Supervisor: Rain Ottis
Reviewer: Tiia Sõmer

Break: 10:20-10:30

Time: 10:30
Student: Olga Dalton
Supervisor: Roger Kerse
Supervisor: Rain Ottis
Reviewer: Olaf Maennel
Title: An Automated Framework for Securing iOS Applications

Time: 11:10
Student: Anti Räis
Supervisor: Elar Lang
Supervisor: Rain Ottis
Reviewer: Kaur Kasak
Title: Hands-on Laboratory on Web Content Injection Attacks

Break: 11:50-12:30

Time: 12:30
Student: Triin Muulmann
Supervisor: Silver Püvi
Supervisor: Rain Ottis
Reviewer: Truls Ringkjob
Title: Information Security Management Learning Object for Vocational Schools

Time: 13:10
Student: Onur Aydin Korkmaz
Title: Discovering And Analyzing New Malware

Friday, 5 June 2015, Akadeemia Tee 15a, Room ICT-411:

Time: 09:00
Student: Kevin Kamugisha Lwakatare
Title: A proposed IT security risk management policy and guidance for University of Dar es Salaam

Time: 09:40
Student: Ragnar Kreis
Supervisor: Olaf Maennel
Reviewer: Jaan Priisalu
Title: Smart Contracts and Digital Identities

Break: 10:20-10:30

Time: 10:30
Student: Sergei Komarov
Supervisor: Risto Vaarandi
Reviewer: Teemu Väisänen
Title: Choosing Open-Source Flow-Based Network Monitoring Solution

Time: 11:10
Student: Artur Tychina
Supervisor: Truls Ringkjob
Reviewer: Mauno Pihelgas
Title: Implementation of Corporate Data Leakage Prevention in Estonia

Break: 11:50-12:30

Time: 12:30
Student: Rainer Aavik
Supervisor: Jüri Kivimaa
Reviewer: Andro Kull
Title: Optimization of information technology security costs of Enterprise Estonia based on ISKE and the Graded Security Model

Time: 13:10
Student: Recai Adar
Supervisor: Jüri Kivimaa
Reviewer: Rain Ottis
Title: Software Development of a Web Portal and Research and Solution of Security Problems on it

Time: 14:00
Student: M. A. A. Mohamed Ali
Supervisor: Truls Ringkjob
Reviewer: Indrek Rokk
Title: Analysis of Malware Protection Solutions in a Bring Your Own Device (BYOD) Environment

Defense committee: Risto Vaarandi, Rain Ottis, Ahto Buldas, Olaf Maennel, Raimundas Matulevicius

The theses of Olga Dalton (An Automated Framework for securing iOS Applications) and Sten Mäses (Evaluation Method for Human Aspects of Information Security) received the highest grade “5” and participated in ICT thesis contest 2015. Congratulations!

US Embassy collects personal data about people in Tallinn

U.S._surveillance_map

Postimees possesses a document proving that a secret unit at US Embassy has for years been surveying people on streets of Tallinn, collecting personal data citing security, and entering those whose behaviour causes suspicion into global terror database. All this is approved by Estonian interior ministry and happens with help by police.

The rules regarding reporting suspicious behaviour are so strict that it seemingly takes trivialities to get reported. As an example of that, there is this Tallinn housewife included who often waits long for her child at the Südalinna School. Or take the old lady walking her dog in Lembitu Park. Need some more? A report has also been filed on a man who attends Alcoholics Anonymous close by.

The activity of the unit is okayed by Estonian government. Its information reaches the police, as agreed between the two countries. Automatic inquiry reaches Central Criminal Police which, as requested by the embassy, discloses personal data – such as background of the owner of a car, the person on the picture and his/her background. These data are added to the SIMAS report. Depending on the behaviour of the people concerned, entries may remain active for 5 to 20 years – or permanently. Getting entered may affect decision by USA whether or not to grant visa for entry.

Erkki Koort of the Ministry of the Interior comments:

Why and on what basis does Estonian police hand personal data of our citizens to US Embassy as soon as they apply for it?
State agencies share data with third parties strictly pursuant to law. Suspected attack against a diplomatic representation or danger towards human lives or health is reason enough, doubtless, to exchange data. The question leaves one with the impression like Estonian state agencies would submit data upon initial request. This definitely is not the case.

Links:
http://news.postimees.ee/3206887/us-embassy-secretly-surveys-people-in-tallinn
http://news.postimees.ee/3206893/estonian-official-this-is-a-specific-issue
http://news.postimees.ee/3209457/erkki-bahovski-estonian-and-us-reputations-on-the-line
http://news.postimees.ee/3213479/riigikogu-backs-off-from-us-embassy-issue

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2014/2015

university_of_tartu_logo

An Empirical Comparison of Approaches for Security Requirements Elicitation
Abstract: Security Quality Requirements Engineering (SQUARE) and Security Requirements Elicitation from Business Processes (SREBP). This thesis compares the two methods based on an empirical case study of the Estonian Football Association. The elicited security requirements are categorized and the completeness of their coverage is compared.
Student: Karl Kolk
Curriculum: Cyber Security (MSc)
Supervisor: Raimundas Matulevicius
Reviewer: Fredrik Payman Milani
Defense: 26.02.2015

The Analysis and Design of a Privacy-Preserving Survey System
Abstract: This master’s thesis describes the design and business processes of the prototype of a secure survey system using secure multi-party computation. The design of the system is also described in this paper and is illustrated with a deployment model.
Student: Meril Vaht
Curriculum: Cyber Security (MSc)
Supervisor: Dan Bogdanov
Reviewer: Raimundas Matulevicius
Defense: 04.06.2015, 09:00, Liivi 2-405

Pattern Based Security Requirement Derivation with Security Risk-aware Secure Tropos
Abstract: In this master thesis we investigate the integration of a pattern based security requirement elicitation process in the goal-oriented IS development. By performing this integration we aim at providing a process that enables the elicitation of security requirements from Security Risk-aware Secure Tropos (RAST) models. The contribution of this thesis are five Security Risk-aware Patterns expressed using RAST.
Student: Atilio Rrenja
Curriculum: Software Engineering (MSc)
Supervisor: Raimundas Matulevicius
Reviewer: Peep Küngas
Defense: 04.06.2015, 09:00, Liivi 2-405.

Comparing Security Risk-oriented Modelling Languages to Manage Social Engineering Risks
Abstract: The paper applies structured approach in identification of one security risk management standard that can be applied with different modelling languages. For a more in-depth analysis in this paper considered several modelling languages as BPMN, Secure Tropos and Misuse case.
Student: Sarbar Tursunova
Curriculum: Cyber Security (MSc)
Supervisor: Raimundas Matulevicius
Defense: 04.06.2015, 09:00, Liivi 2-405.
Reviewer: Olga Altuhhova

Analysis and Mitigation of Recent Attacks on Mobile Communication Backend
Abstract: This thesis presents a broad and thorough overview and analysis of the known attacks against mobile network signaling protocols and the possible mitigation strategies. The attacks are presented in a uniform way, in relation to the mobile network protocol standards and signaling scenarios. Moreover, this thesis also presents a new attack that enables a malicious party with access to the signaling network to remove lost or stolen phones from the blacklist that is intended to prevent their use.
Student: Siddharth Prakash Rao
Curriculum: NordSecMob (MSc)
Supervisor: Tuomas Aura
Supervisor: Dominique Unruh
Supervisor: Silke Holtmanns
Supervisor: Ian Oliver
Reviewer: Arnis Paršovs
Defense: 09.06.2015, 09:00, Liivi 2-405.

Entropy Based Robust Watermarking Algorithm
Abstract: In this work, multiple robust watermarking algorithms are introduced. They embed watermark image into singular values of host image’s blocks with low entropy values. The quantitative and qualitative experimental results are indicating that the proposed algorithms are imperceptible and robust against many signal processing attacks.
Student: Lauri Laur
Curriculum: Software Engineering (MSc)
Supervisor: Gholamreza Anbarjafari
Supervisor: Mary Agoyi
Reviewer: Kaveh Khoshkhah
Defense: 09.06.2015, 09:00, Liivi 2-405.

NFC Security Solution for Web Applications
Abstract: This thesis compares existing and possible security solutions for web applications, analyses NFC compatibility for security solutions and proposes a new NFC authentication and signing solution using Google Cloud Messaging service and NFC Java Card. This new proposed solution enables authentication and signing via NFC enabled mobile phone and NFC Java Card without any additional readers or efforts to be made.
Student: Jonas Kiiver
Curriculum: Software Engineering (MSc)
Supervisor: Eero Vainikko
Reviewer: Meelis Roos
Defense: 09.06.2015, 09:00, Liivi 2-404.

Applying Estonian Internet Voting Individual Verification System to Other Electoral Systems
The current paper gives an overview of the Estonian internet voting individual verification system and introduces different ballot styles. It proposes and describes modifications to the Estonian system, so it could be used for individual verification with the introduced ballot styles and multiple elections.
Student: Joonas Lõmps
Curriculum: Informatics (BSc)
Supervisor: Sven Heiberg
Reviewer: Arnis Paršovs
Defense: 12.06.2015, 09:00, Liivi 2-404

Secure Bitcoin Wallet
This report outlines various methods and solutions targeting security concerns and aims to understand their effectiveness. It also describes Secure Bitcoin Wallet, standard Bitcoin transactions client, enhanced with various security features and services.
Student: Sevil Guler
Curriculum: NordSecMob (MSc)
Supervisor: Sead Muftic, Vitaly Skachek
Reviewer: Arnis Paršovs
Defense: 27.08.2015

Links:
http://comserv.cs.ut.ee/forms/ati_report/index.php?language=en
http://www.cs.ut.ee/en/msc/theses/deadlines