Monthly Archives: January 2017

Estonian Tax and Customs Board website defaced

Estonian web security company WebARX detected in its logs that hackers, apparently operating from Indonesia, had found a security hole in the website of the Estonian Tax and Customs Board and uploaded a file there.

“If you look at what has been posted on the User98 Deface.id page, you can see that the hack of the Estonian Tax and Customs Board website was in fact pure coincidence. On the same day, January 17, User98 attacked 72 websites in total. All of the websites were using the content management system Drupal, and on all of these sites the uploaded file lak1998.txt had identical content,” said Oliver Sild, CEO of WebARX.

Tax and Customs Board spokesman Rainer Laurits said that calling the incident a hacking attack is an exaggeration. According to him, the website administrator had allowed users to post comments, and the text file was uploaded through that functionality. “We removed the unsuitable items, including the post in question. In reality, no danger was caused to the emta.ee website.”

Running an unpatched CMS is asking for trouble.
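The upload-then-fetch pattern that mass defacers leave in web server logs, as an added example (not code from the original post and not WebARX's detection logic): a defacement bot posts its marker file through whatever upload path the CMS exposes (here, comments that accept attachments) and then immediately requests the file so it can record a working mirror URL on the defacement archive. The heuristic, the time window, the Drupal-style file path and the sample log lines are all this example's own assumptions; only the file name lak1998.txt comes from the post.

```python
"""Flag upload-then-fetch sequences and known defacement marker files in
Apache/nginx combined-format access logs.

Heuristic (assumption of this example, not WebARX's method): a POST from a
client followed within WINDOW seconds by a successful GET of a .txt file from
the same client is reported, as is any request for a file name already known
as a defacement marker.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
WINDOW = 120                      # seconds between upload and fetch (assumed)
KNOWN_MARKERS = {"lak1998.txt"}   # file name from the post

# Constructed sample lines; the paths use Drupal's default public files
# directory for illustration, not the real emta.ee layout.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2017:10:02:11 +0200] "GET /node/12 HTTP/1.1" 200 8123
203.0.113.7 - - [17/Jan/2017:10:02:19 +0200] "POST /comment/reply/12 HTTP/1.1" 302 0
203.0.113.7 - - [17/Jan/2017:10:02:31 +0200] "GET /sites/default/files/lak1998.txt HTTP/1.1" 200 41
198.51.100.4 - - [17/Jan/2017:10:05:00 +0200] "GET /sites/default/files/lak1998.txt HTTP/1.1" 404 0
192.0.2.9 - - [17/Jan/2017:11:00:00 +0200] "POST /comment/reply/12 HTTP/1.1" 302 0
192.0.2.9 - - [17/Jan/2017:11:20:00 +0200] "GET /sites/default/files/notes.txt HTTP/1.1" 200 900
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_defacement_candidates(log_text, window=WINDOW):
    """Return a list of (ip, path, reason) findings in log order."""
    findings = []
    last_post = {}  # ip -> timestamp of that client's most recent POST
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        name = path.rsplit("/", 1)[-1]
        if name in KNOWN_MARKERS:
            findings.append((ip, path, f"known marker, status {rec['status']}"))
        if rec["method"] == "POST":
            last_post[ip] = rec["ts"]
        elif (rec["method"] == "GET" and rec["status"] == 200
              and name.endswith(".txt") and ip in last_post
              and (rec["ts"] - last_post[ip]).total_seconds() <= window):
            findings.append((ip, path, "upload-then-fetch"))
    return findings


if __name__ == "__main__":
    for finding in find_defacement_candidates(SAMPLE_LOG):
        print(*finding)
```

The second client only probes for the marker (a 404 from a scanner that got the mirror URL elsewhere), and the third client's .txt fetch is 20 minutes after its POST, so it falls outside the window; both cases show why the window and the status code belong in the rule.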

Oliver Sild, CEO of WebARX, who brought the incident to the attention of Postimees, offers security-related services on his website esec.ee, such as restoring hacked sites and preventing mass hacks.

Links:
http://tehnika.postimees.ee/3986655/haekkerid-testisid-kogemata-maksu-ja-tolliameti-veebilehe-turvalisust

Cyber Security master’s theses defense in University of Tartu (January 2017)


Cybersecurity theses defence on January 6, 2017 in Tartu J. Liivi 2-224 at 11.00 AM.
Defence Committee: Raimundas Matulevičius (chairman), Olaf Manuel Maennel, Vitaly Skachek, Meelis Roos, Hayretdin Bahsi.

Student: Christian Tschida
Title: The Way to the Specialist and Management Level of Cyber Hygiene Initiative
Abstract: The prototype of the Cyber Hygiene e-learning course was implemented and tested in the Estonian Defence Forces in early 2016. This thesis builds on that work. It tries to clarify what data should be available to specialists and what information should be reported to management. In addition to many interviews with specialists and security experts, a questionnaire was created to raise coverage. The questionnaire was tested at an internationally well-known think tank.
Supervisor: Sten Mäses, Raimundas Matulevičius
Reviewer: Andro Kull

Student: Mohit Kinger
Title: Enterprise Cloud Security Guidance and Strategies for Enterprises
Abstract: This thesis measures the myriad benefits of using cloud applications, and the effect of cloud computing on business performance. A non-exhaustive review of the existing literature reveals that the security challenges faced by enterprises during cloud adoption and interoperability have to be addressed before the implementation of cloud computing. In this thesis, we provide a detailed overview of the key security issues in the realm of cloud computing and conclude with recommendations on the implementation of cloud security.
Supervisor: Andro Kull, Raimundas Matulevičius
Reviewer: Alex Norta

Student: Priit Lahesoo
Title: The Electronic Evidence Examination Reporting System by the Example of West Prefecture
Abstract: This work focuses on practical issues, such as how to speed up the drawing up of an electronic evidence examination protocol. The work is based on examination data collected in the West Prefecture from real work statistics, with the permission of the Police and Border Guard Board. As part of the work, a practical Microsoft Access application was developed by the author.
Supervisor: Truls Tuxen Ringkjob, Raimundas Matulevičius
Reviewer: Hayretdin Bahsi

Student: Wael Mohamed Fathi Ahmed AbuSeada
Title: Alternative Approach to Automate Detection of DOM-XSS Vulnerabilities
Abstract: This thesis proposes an alternative methodology to detect DOM-XSS by building on the existing approach used by web scanners to detect general XSS. The thesis proposes adding an extra scan layer, an actual browser, which is responsible for sending every request and rendering the HTML response received from the web server. To provide a proof of concept for this methodology, the thesis author created a web-based tool on those premises.
Supervisor: Olaf Manuel Maennel, Raimundas Matulevičius
Reviewer: Risto Vaarandi

Student: Vsevolod Djagilev
Title: Android Chat Application Forensic Process Improvement & XRY Support
Abstract: To solve a set of problems, a forensic utility has been created, and both manual and automated analysis of chat application data has been done. The main result of this work not only allows a search to be performed, but also allows modules to be written in Python which can narrow the search, and each module can understand a particular format if needed.
Supervisor: Toomas Lepik, Raimundas Matulevičius
Reviewer: Emin Caliskan

Links:
http://www.cs.ut.ee/sites/default/files/cs/cybersecurity_theses_defence_schedule.pdf

Ahto Truu presentation “Next-gen Key Infrastructure with Smart-ID”

XII. Tartu Software Development Guild Meeting, Friday, January 13, 2017, 18.00 – 20.00, Turu 2 (Tasku), 5th Floor, SaleMove Office

Presenter: Ahto Truu (Software Architect at Guardtime)
Title: Next-gen Key Infrastructure with Smart-ID
Abstract: With more and more people using smartphones and tablets as their computing devices of choice, and with the upcoming migration away from physical SIM cards, a question arises: what will replace the ID-cards and mobile-ID SIM cards as the carriers of the private keys for Estonian national digital signature infrastructure? In this talk we will look at the Smart-ID solution recently jointly proposed by Sertifitseerimiskeskus and Cybernetica. There will be quite a bit of math in the talk, but we will start with a crash course of the basics of the current systems for those who either missed it in school or have since forgotten the details.

About Ahto
During his three decades in ICT, Ahto has worked in hardware installations and user support, as a software developer and architect, and as a systems analyst. Currently he is busy helping Guardtime’s customers preserve the integrity of their important data. Outside his day job he coaches Estonia’s team for the high school students’ programming competitions. He has also been writing programming columns for the popular science magazines A&A and Horisont.

It seems that Ahto plans to describe the underlying details of key generation in the Smart-ID solution.

Links:
https://www.facebook.com/events/225528061227851/

E-Vote-ID 2016: Family Voting Patterns in E-vote Log Data: Estonian Electronic Elections 2013-2015

This paper uses evidence from anonymized system log data on all Estonian e-votes from 2013-2015 to examine for patterns and combinations indicative of family voting.
[..]
Using logs we identify unique e-voting sessions coming from the same IP address and computer with the same operating system that happen in close proximity to each other, specifically with not more than 10 minutes between the end of one and the beginning of another unique voting act.
[..]
The results show that 7-8% of e-votes are cast in such pairs. The age and gender structure of these e-voters also shows a set of distinct combinations. The age differences in these pairs are either very small or large. The largest group is formed by same-aged pairs of opposite sexes, indicating same-aged partners e-voting together. Another prominent pattern is pairs with large age differences of the same or opposite sexes, indicating a parent voting together with a voting-aged youth.

The new minister at the Ministry of Economic Affairs and Communications (MKM), Kadri Simson, sees this as a concern for i-voting:

“The Estonian Constitution says that elections must be general and uniform. When an old man votes at the polling station, his young cousin is not allowed to come with him into the polling booth and help him vote. In Internet voting, however, it is quite possible, since there is no control over who is assisting in the use of the ID card,” said Kadri Simson, chairman of the Center Party faction in parliament.

Links:
https://digi.lib.ttu.ee/i/?6967
http://www.pealinn.ee/koik-uudised/kadri-simson-eestis-pole-antud-voimalust-e-valimiste-turvasusteemi-n174077
http://journals.plos.org/plosone/article?id=10.1371/journal.pone.0177864

SEB mobile app demands permission to access contact list

SEB’s new mobile banking terms of service, set to take effect on March 1, state that the bank can access contacts data in the client’s phone, including phone numbers, street and email addresses of contacts. If a client does not wish to share their contacts data with the bank, they will not be able to make payments based on mobile numbers using the bank’s application.

Public relations adviser at the Data Protection Inspectorate Maire Iro said that all manner of processing of personal information can only take place with explicit permission from the person or under the conditions and pursuant to the procedure provided by law, and that the client cannot give the bank the right to use phone numbers, street and email addresses or other personal data of third persons.

Allas emphasized that SEB does not process the data in the form in which it is stored in the client’s phone, but treats it anonymously, stripped of the part that would allow persons to be identified.

The usability reason the bank wants to process the contact list is clear: it wants the app to show which contacts have the app installed and can therefore receive a payment. The app cannot offer that feature without the bank processing the phone numbers of the contacts. The current version of the app already asks for the technical permission to access the contact list; from March this will also be stated explicitly in the terms of service. The wording should still be improved, since there is a difference between the bank processing the contact information on its servers and an application written by the bank processing the data on the user’s device.
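A contact-discovery flow in the common design, as an added example (not SEB's code; the bank has not published how its app matches contacts, and the "anonymous" treatment Allas describes is not specified on this page): the app normalizes each contact's number and sends only a hash of it, and the server answers which hashes belong to registered users. The second half is the caveat a practitioner would raise about any such design: a hashed phone number is pseudonymous, not anonymous, because the number space is tiny. The example restricts itself to Estonian mobile numbers in the 5 range (7 or 8 digits, so about 1.1e7 candidates); the number formats, the sample contacts and the helper names are constructed.

```python
"""Hash-based contact discovery and why the hash does not anonymize a phone
number: the 7-digit Estonian mobile range has only 1e6 candidates, so the
server (or anyone holding the hashes) recovers the number by enumeration.
"""
import hashlib
import re


def normalize_ee(number):
    """Return an Estonian 5-range mobile number in E.164 form, or None."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("372"):
        digits = digits[3:]
    if len(digits) in (7, 8) and digits.startswith("5"):
        return "+372" + digits
    return None


def number_hash(e164):
    return hashlib.sha256(e164.encode()).hexdigest()


def discover(contacts, registered_hashes):
    """Client side: which of my contacts can receive a payment by number."""
    matches = []
    for name, raw in contacts:
        e164 = normalize_ee(raw)
        if e164 and number_hash(e164) in registered_hashes:
            matches.append(name)
    return matches


def reverse_hash(target_hex, digits=7):
    """Anyone holding the hash: brute-force a 5-range number of the given length."""
    for tail in range(10 ** (digits - 1)):
        cand = f"+3725{tail:0{digits - 1}d}"
        if number_hash(cand) == target_hex:
            return cand
    return None


# Constructed data: the server holds the hashes of its app users' numbers.
REGISTERED = {number_hash("+37251234567"), number_hash("+3725551234")}
CONTACTS = [
    ("Mari", "+372 5123 4567"),
    ("Jaan", "555 1234"),
    ("Kati", "372 56 0000 00"),
    ("Abroad", "+358401234567"),
]

if __name__ == "__main__":
    print(discover(CONTACTS, REGISTERED))            # ['Mari', 'Jaan']
    print(reverse_hash(number_hash("+3725551234")))  # +3725551234
```

Whether the matching is done on the bank's servers or on the device changes who holds those hashes, which is exactly the distinction the terms of service should make explicit.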

Links:
http://news.postimees.ee/3970723/seb-demands-access-to-clients-contacts
http://tarbija24.postimees.ee/3969685/seb-pank-hakkab-noudma-ligipaeaesu-klientide-telefoni-kontaktiloetelule

SK introduced new eID solution Smart-ID

SK introduced its new electronic identity solution Smart-ID, which works on all the most popular smart devices, is not dependent on a SIM card and is usable all around the world.

Using Smart-ID is easy: the user downloads the Smart-ID app from Google Play or the App Store. To activate Smart-ID, the user is identified with an ID-card or Mobile-ID. Just as with the ID-card and Mobile-ID, PIN1 and PIN2 codes are required to use Smart-ID; the user creates both in the app. In developing Smart-ID, a lot of emphasis has been placed on ease of use.

Basically, the Mobile-ID functionality has been implemented in a mobile app. Splitting the private key between the server and the mobile device, so that neither party alone can produce a signature, is a neat way to achieve the same security level as in Mobile-ID, where the private key is stored in the SIM card.
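The simplest form of the idea in this post and in Ahto Truu's talk announcement above, as an added example (not Smart-ID's or SK's code, and not the scheme Smart-ID actually uses): the private RSA exponent is split additively between the device and the server, each side contributes a partial signature, and only their product verifies. Everything here is a toy: the modulus is built from two Mersenne primes so the example runs without a key-generation routine (never do this for real keys), there is no padding, and the split d = d1 + d2 mod phi(n) is the additive variant, not Smart-ID's composite-modulus construction. The names and the sample message are this example's own.

```python
"""Two-party RSA signing with an additively split private exponent: the device
holds d1, the server holds d2, and m^d1 * m^d2 = m^(d1+d2) = m^d (mod n).
Neither share on its own yields a signature that verifies under e.
"""
import hashlib
import secrets

# Toy key material (assumption of this example; insecure by construction).
P = 2**521 - 1          # Mersenne prime M521
Q = 2**127 - 1          # Mersenne prime M127
N = P * Q               # 648-bit modulus, comfortably above a 256-bit hash
PHI = (P - 1) * (Q - 1)
E = 65537               # coprime to PHI (order of 2 mod 65537 is 32, 32 divides neither 520 nor 126)
D = pow(E, -1, PHI)     # Python 3.8+


def split_key(d, phi):
    """Device share d1 is uniformly random; server share d2 completes it.
    Each share alone carries no information about d."""
    d1 = secrets.randbelow(phi)
    d2 = (d - d1) % phi
    return d1, d2


def digest(msg):
    """Textbook RSA on the raw hash, no padding (toy only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def partial_sign(msg, share):
    """Each party raises the message hash to its own share only."""
    return pow(digest(msg), share, N)


def combine(s_device, s_server):
    """Since d1 + d2 = d + k*PHI, the product equals m^d mod N."""
    return (s_device * s_server) % N


def verify(msg, sig):
    return pow(sig, E, N) == digest(msg)


def demo(msg=b"Smart-ID transaction: pay 10 EUR"):
    d1, d2 = split_key(D, PHI)
    s_device = partial_sign(msg, d1)   # on the phone, after PIN entry
    s_server = partial_sign(msg, d2)   # at the signing service
    sig = combine(s_device, s_server)
    return {
        "combined_verifies": verify(msg, sig),
        "device_alone_verifies": verify(msg, s_device),
        "server_alone_verifies": verify(msg, s_server),
        "equals_single_key_signature": sig == pow(digest(msg), D, N),
    }


if __name__ == "__main__":
    print(demo())
```

The property that matters for the comparison with a SIM-held key is the second and third result: a phone image without the server, or a compromised server without the phone, holds a useless share, so the attacker needs both sides at once.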

However, we cannot expect Smart-ID to replace Mobile-ID any time soon, since the solution has not yet been certified as a qualified electronic signature creation device.

Links:
https://sk.ee/en/News/sk-introduced-the-new-e-identity-solution-smart-id/
https://sk.ee/upload/files/8_SK%20uus%20eID%20lahendus_Urmo%20Keskel_AK2016.pdf

Cyber Security master’s theses defense in Tallinn University of Technology (January 2017)

Monday, January 9, 2017, Akadeemia Tee 15a, Room ICT-315.
Defense committee: Rain Ottis (chairman), Hayretdin Bahsi, Raimundas Matulevicius, Andro Kull.
The grades received (in random order): 5, 4, 4, 3, 3, 2.

Time: 10:00
Student: Christian Ponti
Title: Use of ICMPv6 in a Scenario-based Experiment for Computer Network Exfiltration and Infiltration Operations
Supervisor: Bernhards Blumbergs
Reviewer: Olaf Manuel Maennel

Time: 10:40
Student: Terézia Mézešová
Title: Attack Path Difficulty – An Attack Graph-based Security Metric
Supervisor: Hayretdin Bahsi
Reviewer: Aleksandr Lenin

Time: 11:20
Student: Jens Getreu
Title: Forensic-Tool Development with Rust
Supervisor: Olaf Manuel Maennel
Reviewer: Toomas Lepik

Break – 12:00

Student: Chengxiang Wang
Title: Classification of Black-Box Security Reductions and Oracle Separation Techniques
Supervisor:
Reviewer:

Time: 13:00
Student: Dineta Mahno
Title: Design of Cyber Security Awareness Program for the First Year Non-IT Students
Supervisor: Truls Ringkjob
Reviewer: Kaido Kikkas

Time: 13:40
Student: Gvantsa Grigolia
Title: Evaluation of Data Ownership Solutions in Remote Storage
Supervisor: Ahto Buldas
Reviewer: Jaan Priisalu

Time: 14:20
Student: Kasper Prei
Title: Measuring Personnel Cyber Security Awareness Level Through Phishing Assessment
Supervisor: Olaf Manuel Maennel, Bernhards Blumbergs
Reviewer: Sten Mäses