Monthly Archives: May 2017

Cyber Security master’s theses defense at Tallinn University of Technology (May 2017)


Monday, May 29, 2017, Akadeemia Tee 15a, Room ICT-315.

Grades received (random order): 5, 4, 4, 3, 3, 3, 2, 2.

Time: 10:00
Student: Kristjan Oja
Title: Cyber Security Awareness For IT Students Through Practical Assignments
Supervisor: Sten Mäses
Reviewer: Tiia Sõmer

Time: 10:40
Student: Sander Arnus
Title: Providing guaranteed log delivery and proof value of logs
Supervisor: Risto Vaarandi
Reviewer: Tiit Hallas

Time: 11:20
Student: Bolaji Ayoola Ladokun
Title: An Analytical Approach to Characterization of Targeted and Untargeted Attack in Critical Infrastructure Honeypot
Supervisor: Hayretdin Bahsi
Reviewer: Risto Vaarandi

Time: 12:00-13:00 – Lunch

Time: 13:00
Student: Iryna Bondar
Title: LUDROID: Evaluation of Android Malware Detection Tools and Techniques and Development of a First Line of Defense For the User
Supervisor: Emin Caliskan
Reviewer: Toomas Lepik

Time: 13:40
Student: Seifollah Akbari
Title: A New Method for the SYNful Knock Attack Implementation
Supervisor: Truls Ringkjob
Reviewer: Bernhards Blumbergs

Time: 14:20
Student: Safak Tarazan
Title: GPS Spoofing/Jamming Resilient Mini UAV Implementation Strategy
Supervisor: Truls Ringkjob
Reviewer: Juhan Ernits

Time: 15:20
Student: Danielle Morgan
Title: Security of Loyalty Cards Used in Estonia
Supervisor: Rain Ottis, Arnis Paršovs
Reviewer: Aleksandr Lenin

Time: 16:00
Student: Katrin Kukk
Title: Ensuring the digital continuity of e-Estonia in different crisis scenarios
Supervisor: Rain Ottis
Reviewer: Jaan Priisalu

Tuesday, May 30, 2017, Akadeemia Tee 15a, Room ICT-315.

Grades received (random order): 4, 4, 3, 3, 2, 1.

Time: 10:00
Student: Christopher David Raastad
Title: Euro 2.0 – Securing an Ethereum Crypto Fiat Currency System
Supervisor: Alex Norta
Reviewer: Raimundas Matulevicius

Time: 10:40
Student: Mobolarinwa Taofeek Balogun
Title: Comparative Analysis of Industrial IoT and HealthCare System IoT for Cyberterrorism
Supervisor: Hayretdin Bahsi
Reviewer: Ahto Buldas

Time: 11:20
Student: Chengxiang Wang
Title: Classification of Black-Box Security Reductions and Oracle Separation Techniques
Supervisor: Ahto Buldas
Reviewer: Peeter Laud

Time: 12:00-13:00 – Lunch

Time: 13:00
Student: Celik Neslisah
Title: Anomaly Detection Using Locked Shields Logs
Supervisor: Olaf Maennel
Reviewer: Mauno Pihelgas

Time: 13:30
Student: Sophio Sakhokia
Title: Developing a Cyber Security Master Programme for Georgia
Supervisor: Tiia Sõmer
Reviewer: Olaf Maennel

Time: 14:20
Student: Zaghum Awan
Title: Analytical Comprehensive Approach to Cyber Laundering and its Solutions
Supervisor: Tiia Sõmer
Reviewer: Andro Kull

Oberthur will produce Estonian ID cards from 2019


The Police and Border Guard Board (PPA) and French company Oberthur Technologies signed an agreement on Thursday for the production of Estonia’s ID cards, permanent resident cards, digital IDs and diplomatic IDs after the current manufacturer agreement expires at the end of 2018.

Oberthur Technologies will be responsible for the manufacture of the card and chip as well as linking the document to personal data. It will also be responsible for the functioning of the card. The French company will manufacture and personalize the cards in Estonia.

The value of the five-year contract is approximately €40 million. Under the new agreement, the expenses of the PPA for the manufacture of the ID card will remain at the present level.

A tender committee, which in addition to PPA experts included experts from the Estonian Information System Authority, the Ministry of the Interior and the ministry’s IT and Development Centre, chose the offer by Oberthur from among three different offers.

This was already the second tender. In the first tender Safran Morpho was chosen as the winner. The results of the first tender were appealed by two other participants – Oberthur Technologies and Gemalto/Trüb AG. The result of the appeal was that the current contract with Trüb AG was prolonged for one more year.

In a public procurement tender of the Estonian Police and Border Guard Board three renowned European ID producers submitted their offers. The tender committee chose the offer of Safran Morpho as the winner, the Police and Border Guard Board said.

The German company Trüb AG, which last year was acquired by Gemalto, has been manufacturing ID cards for Estonia since 2001.

It is notable that this is the first tender in the last 15 years in which the PPA decided to open participation to a wider range of companies. Previous contract extensions with Trüb AG were justified by “potential security risk avoidance reasons”.

Update: Gemalto and Safran Morpho appealed the results of the tender in court.

Links:
http://news.err.ee/592722/ppa-signs-deal-with-france-s-oberthur-to-produce-ids-beginning-2019
http://www.baltic-course.com/eng/good_for_business/?doc=119884
http://uudised.err.ee/v/eesti/d5436b80-2965-4a27-9e3d-92953dc4fd4f/id-kaardi-kujundus-vahetub-hiljemalt-2018-aastast
http://arileht.delfi.ee/news/uudised/konkurendid-kahtlustavad-40-miljoni-eurose-ppa-hanke-juures-valemangu?id=74676029
http://tehnika.postimees.ee/3577961/kas-sel-korral-laheb-teisiti-riik-on-seni-tellinud-id-kaarte-vaid-uhelt-ettevottelt
http://tehnika.postimees.ee/4140063/laane-suurettevotted-kaebasid-eesti-politsei-kohtusse

Personal data processing by state systems wider than it should be


The first issue concerns state systems querying more personal data from X-Road than required:

In March a service was added to the Eesti.ee online portal that allows users to see which government institutions have accessed their personal data. According to daily Eesti Päevaleht, there are plenty of illegal queries. As the paper wrote on Tuesday, the Unemployment Insurance Fund, the E-Health System, notaries, and plenty of others regularly break the law by accessing people’s personal data without a legally valid reason.

What happens is that every time e.g. someone’s general practitioner accesses their data, the system automatically also displays their immediate relatives and their personal ID codes. This data represents a series of illegal queries by the system. “Thanks to the data tracker it has become clear that the information systems of plenty of institutions apply only the broader query also for their services that don’t require the data of connected persons. Those institutions where the problem has come up are already improving their systems,” the Data Protection Inspectorate’s press spokeswoman, Maire Iro, said. According to Iro the inspectorate does not have a complete overview of all the institutions affected, but local government, liquidators, and notaries had already begun to check their queries.

The second issue concerns recent law amendments and the interest of state institutions in performing mass data processing on a wide range of personal data:

Director General of the Estonian Data Protection Inspectorate (AKI) Viljar Peep sent a letter to Minister of Justice Urmas Reinsalu this week expressing concern about extensive data processing by state agencies, first and foremost by the Estonian Tax and Customs Board (MTA). An amendment to the Taxation Act entered into force on April 1 which granted the MTA access to a large number of databases for risk assessment, i.e. tax intelligence, purposes, reported daily Eesti Päevaleht (link in Estonian). The tax authority primarily requests information from transaction databases of the Central Commercial Register, the Traffic Register and the Land Register. The Police and Border Guard (PPA) and the Estonian Road Administration have expressed interest in similar access to databases.

“In the initial bill, data processing was in no way hindered, meaning that the MTA could have even looked at a person’s e-health data,” Peep recalled. “Thankfully this was limited somewhat during proceedings.” According to the director general, the issue is that Estonia lacks legislation that would regulate mass data requests. “Yes, it is specified in the Law Enforcement Act and the misdemeanor procedure how to conduct inquiries regarding specific violations, however mass data processing cannot be conducted by the same rules,” he stressed. “It is important that every authority not begin making up its own rules.”

Links:
http://news.err.ee/590473/state-systems-illegally-passing-around-personal-data-on-massive-scale
http://news.err.ee/591100/data-protection-inspectorate-concerned-by-state-agencies-data-collection

Cyber Security Support Group formed in the Riigikogu

Members of the Riigikogu formed the Cyber Security Support Group on Thursday, electing Arto Aas as chairman and Kalle Palling as deputy chairman of the group. (Aas was chairman of the Riigikogu’s EU Affairs Committee at the time he had his Dropbox access data stolen. Source: ERR.)

The support group was founded with the objective of promoting the development of cyber security in Estonia, strengthening cooperation between the private and public sectors as well as raising society’s awareness of cyber security, according to a Riigikogu press release.

Other members of the Cyber Security Support Group of the Riigikogu include Keit Pentus-Rosimannus, Jüri Jaanson, Lauri Luik, Jürgen Ligi, Ants Laaneots, Laine Randjärv, Kalle Laanet, Madis Milling, Yoko Alender, Aivar Sõerd, Urve Tiidus, Taavi Rõivas, Remo Holsmer, Eerik-Niiles Kross, Kristen Michal, Erki Savisaar, Raivo Aeg and Jaanus Karilaid.

We will see in a year how productive the group will be.

Links:
https://www.riigikogu.ee/en/press-releases/others/cyber-security-support-group-formed-riigikogu/
http://news.err.ee/589915/cyber-security-group-formed-in-riigikogu

Employees of foreign embassies to be issued diplomatic eID card

The Ministry of Foreign Affairs on Friday acquainted heads of the representations of foreign countries and international organizations with a new diplomatic ID which will provide employees with a digital identity giving them access to Estonian e-services, spokespeople for the ministry said.

“It’s unique in the EU and hopefully will encourage other countries to make more rapid progress in e-Europe development,” said the minister.

Digital diplomatic IDs will enable both the physical and electronic identification of an individual as well as provide access to Estonian e-services. Users will receive an Estonian personal identification number that will make it easier for employees of foreign diplomatic representations to handle official business in Estonia.

This is a new type of identity document. It will probably contain the same data as the ID card, but will look slightly different and will be issued to a specific group of people.

Links:
http://news.err.ee/588887/employees-of-foreign-embassies-to-be-issued-digital-ids
http://www.ituudised.ee/uudised/2017/04/10/valisriikide-saatkondade-tootajad-eestis-saavad-digitaalse-diplomaatilise-isikutunnistuse
https://twitter.com/Karen_van_S/status/850306183093211136

Ten years since cyber attacks following 2007 Bronze Night riots

Opinion by Jaan Priisalu, at that time the head of SIRT at Swedbank:

Jaan Priisalu, senior researcher at Tallinn’s NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), told ERR in an interview last week that through Estonia’s initiative and the public debate that followed the attacks, a topic was now getting attention that before was talked about only behind closed doors, and that some even looked at as an embarrassment.

Estonia’s 2008-2013 cyber strategy shows that after the attacks, development in the field went in several different directions. As Priisalu puts it, the strategy was a collection of the lessons learned, and based on them, a system to respond to this sort of incident was put in place.

People involved in cyber security were brought together and asked what could have been done differently, and what else should have been done. Instructions were written up, lines of communication laid out, and a cyber security curriculum put together at the Tallinn University of Technology (TUT). With it, systematic education in the field of cyber security began in Estonia.

Opinion by Klaid Mägi, the current head of CERT-EE:

Estonia’s capability to manage cyber crises has substantially improved over the past ten years, CERT Estonia chief Klaid Mägi said at a conference dedicated to the 10th anniversary of the April 2007 cyber attacks.

According to Mägi, compared to ten years ago, Estonia is substantially more capable of managing cyber crimes. “We have created systems that identify attacks and protect [us] from them, have practiced cooperation with public and private institutions, have substantially contributed to improving the knowledge of end users and are taking part in substantial international cooperation in order to manage crisis situations better,” he highlighted.

Links:
http://news.err.ee/592075/estonia-s-reaction-to-cyber-attacks-influenced-global-security-policy
http://news.err.ee/592250/cert-chief-estonia-s-cyber-crisis-management-capability-improved-in-decade

HITSA is looking for a chief information security officer

HITSA announces a competition for the post of information security manager.

The main area of work for the information security manager is launching and maintaining an information security management system, evaluating its performance and making the necessary improvements to ensure an adequate level of security for the information assets of HITSA.

Apply if:
• You have a university degree in the field of IT;
• You have worked in the IT field for at least three years;
• You have knowledge of information security organization and experience in designing and implementing security projects;
• You have knowledge of information systems and their principles of operation;
• You have Estonian language skills at an advanced level, both oral and written, and a good level of sector-specific spoken and written English;
• You show initiative and have organizational ability, teamwork and independent work skills, and analytical thinking, and you are reliable and cope well with increased levels of stress.

We offer our employees:
• Opportunity to contribute to the development of the Estonian education information system in the field of information security;
• Good working conditions;
• 35-day vacation;
• Supportive team.

Deadline for applications is 31 May 2017. Work starts in September 2017.

Links:
http://www.cv.ee/toopakkumine/hariduse-infotehnoloogia-sa/infoturbejuht-f3315468.html
http://hitsa.ee/uudised-1/tookuulutus-hitsa-otsib-infoturbejuhti