Monthly Archives: August 2015

Oxford Training Sessions on Government, Security, and Conflict in the Cyber Age


This three-day training session is organized and delivered by Oxford University faculty. It will discuss in detail the challenges and opportunities of the modern information society. These are not solely or even primarily technical in nature – they also involve elemental questions of political culture and institutions, public policy, ethics, law, and diplomacy.

Where: Tallinn University of Technology, Ehitajate tee 5, Tallinn, room U01-202 (auditorium behind the main hall)

DAY 1: September 4, Friday, Grand Hall
09:00 – 10:00    Registration and welcoming
10:00 – 10:30    Course Introduction (Lucas Kello)
10:30 – 12:00    Lecture 1: Computing and Networks: The Basics (Andrew Martin)
12:00 – 13:00    Lunch break
13:00 – 14:20    Lecture 2: Code as a Weapon: Worms and Viruses (Andrew Martin)
14:20 – 14:30    Short break
14:30 – 16:00    Lecture 3: International Security and Conflict in the Cyber Age (Lucas Kello)
16:00 – 16:10    Short break
16:10 – 17:00    Day 1 summary

DAY 2: September 5, Saturday, Grand Hall
08:30 – 09:00    Registration
09:00 – 10:20    Lecture 4: Rules of War in the Cyber Domain (Lucas Kello)
10:20 – 10:30    Short break
10:30 – 12:00    Lecture 5: Cybersecurity and the Age of Privateering: A Historical Analogy (Florian Egloff)
12:00 – 13:00    Lunch break
13:00 – 14:20    Lecture 6: Origins, Principles and Functions of the Estonian State Information System (Kuldar Taveter)
14:20 – 14:30    Short break
14:30 – 16:00    Lecture 7: Designing User Friendly and Secure Services of e-State (Kuldar Taveter)
16:00 – 16:20    Coffee break
16:20 – 17:00    Day 2 summary and simulation exercise briefing

DAY 3: September 6, Sunday, Grand Hall
08:30 – 09:00    Registration
09:00 – 09:30    Simulation exercise set up
09:30 – 13:00    Simulation Exercise
13:00 – 14:30    Lunch break and group discussion
14:30 – 15:30    Post-Exercise Debriefing: Decisionmaking in a Crisis
15:30 – 15:50    Coffee break
15:50 – 17:00    Course summary

Registration open until 02.09.2015.

Links:
http://www.egov.ee/oxford/

Four PBGB officials fired in 2014 for misusing police database


Sixteen officials faced disciplinary proceedings over misuse of the Police and Border Guard Board’s (PPA) KAIRI information system. Four lost their jobs for unauthorized access. For example, one police officer from Jõhvi made 170 queries on 70 individuals, 52 vehicles and 11 phone numbers, none of them related to his official duties. “PPA takes data handling very seriously and exercises ever stronger control over the use of its information systems,” said Anne Abel from PPA’s internal audit office.

Good work by PPA’s internal audit office. What about the other institutions that operate state information systems: do they audit query logs the same way?

Links:
http://news.err.ee/v/politics/e7b05226-bb75-4207-a96f-71de32b4d5a5/four-officials-fired-in-2014-for-misusing-police-database

SEB Estonia Internet bank ID card authentication bypass


The flaw in the SEB Estonia Internet bank allowed an attacker to log in while knowing nothing more than the victim’s username. The consequences go well beyond read-only access to the victim’s transaction history. Because SEB acts as an identity provider, the victim could be impersonated on any website that supports authentication through SEB (eesti.ee, mnt.ee, tele2.ee, etc.), so every relying party inherited the bank’s broken authentication. The flaw could also be abused to buy goods from online merchants (as shown in the video), since SEB does not require signature authorization for “banklink” transactions.

Timeline:
2015.05.11. 13:00 – reported to CERT-EE
2015.05.14. 12:00 – fixed by SEB Estonia

The three days SEB needed to fix such a critical flaw are somewhat surprising.

SEB’s response:

An SEB spokesman commented that “the referred security issue existed in so-called laboratory conditions, meaning that it needed several conditions to coincide and specific knowledge”.

“The security issue got fixed and we also checked that the flaw was not maliciously exploited,” said SEB’s spokesman, adding that the problem was fixed in less than an hour after all the needed information was received.


Anto Veldre (RIA): It is better that ethical people with academic degrees are looking for security holes than cyber criminals doing it. People should understand that new technology is complicated; systems at home and servers need updates every day. There is no such thing as a secure system, but there are people and control methods: if there is a problem it will be handled, and afterwards the logs are checked to see whether something really happened.


Silver Vohu (SEB): It took less than an hour to make a fix. But reproducing the situation took most of the days, and asking additional questions from CERT-EE was needed. In a normal situation it was impossible to reproduce the problem.

Links:
https://www.youtube.com/watch?v=rRB8jZnS5nY
http://forte.delfi.ee/news/tarkvara/tosine-turvaauk-seb-internetipanka-sai-sisse-ainuuksi-kasutajanimega?id=72291205
http://tehnika.postimees.ee/3306453/seb-internetipangas-oli-tosine-turvaauk-sisenemiseks-piisas-vaid-kasutajanimest
http://seitsmesed.ee/eesti/uudis/2015/08/26/tosine-turvaauk-seb-internetipanka-sai-sisse-vaid-kasutajanimega/
http://www.tv3play.ee/sisu/seitsmesed-uudised-2015/648229

Health data forwarded to cancer screening register despite user’s will


In the second half of June, she had discovered in the digilugu.ee health portal that the National Institute for Health Development (TAI) had made 16 inquiries regarding her during this year. Looking into it, it turned out the queries came from the cancer screening register launched at the beginning of the year.

«I do not agree with the cancer screening register at TAI, or any other register, systematically collecting my health data. Health data are delicate and cannot be collected without permission by the individual. I request that my health data be immediately closed for TAI,» said Mr Sassian’s application to the social ministry. However, pursuant to the Public Health Act, data is forwarded to the cancer screening register even when an individual has closed her data in the system.

Maarja Kirss, adviser, Data Protection Inspectorate:

Meanwhile, the Public Health Act lays down the right of TAI to obtain data from the health information system to perform tasks prescribed by law. Thus, an individual can only restrict access to health data where a health service provider is concerned, but not from other data processors whom the law obligates to process certain data.

Katrin Merike Nyman-Metcalf, technological law professor at Tallinn University of Technology:

There is no basis to think that the ministry is misinterpreting the law; rather, this is a much broader issue: what is the worth of an option to lock data if they can still be used? Isn’t the option then just an illusion? Simply put: they do provide the option of privacy of data, but in reality they use them anyway.

Links:
http://news.postimees.ee/3296605/register-grabs-health-data-against-will-of-people