Monthly Archives: July 2017

RIA is looking for Internet voting penetration testers

According to the terms and conditions of the contract, the subject of the audit is: ballot counting software, software for voters, election web site and other technical infrastructure related to e-voting.

Through this, the RIA wants to make sure that there are no vulnerabilities in the system or applications which would make it possible to see or change the voting results or otherwise manipulate the system. The security examiner must draw up a report on security threats in which the potential hazard scenarios are highlighted and suggestions on how to correct the errors are provided.

The testing is organized by the RIA before all elections, using the expertise of various experts. “We cannot talk about the results of the earlier security tests, because this information is confidential in terms of security. As far as I can say, the current testing period is around one month, and it also leaves enough time to ensure that if there are any bottlenecks or security problems we will have time to fix them,” said RIA spokeswoman Helen Uldrich.

Indeed, the results of the penetration tests are kept secret. The terms of the procurement stipulate that at the end of the test the reports must be submitted digitally signed and encrypted. Security tests are performed in a test environment and if necessary a secure channel for testers can be created. The i-voting environment is open only to computers with specific IP addresses that are notified to RIA.

Two companies were chosen to perform the penetration tests, and two bugs were found:

Penetration tests were carried out by Clarified Security from Estonia and the worldwide Finnish company Nixu, whose work resulted in the detection of two errors in the new system. According to specialists, this is not something tragic, but a normal part of software development.

 

Links:
http://www.err.ee/610258/ria-otsib-e-valimiste-proovihakkijat
http://www.err.ee/634302/pealtnagija-e-valimistele-leidub-endiselt-kriitikuid

Interdisciplinary Cyber Research (ICR) workshop 2017

8th of July, 2017 — Tallinn, Estonia

The aim of the workshop is to bring together young as well as established scholars undertaking research in various disciplines related to information and communication technologies such as computer sciences, political and social sciences, and law.

You can participate as a speaker (submitting an abstract and delivering a presentation) or simply join our wonderful audience. Speakers are requested to submit a 1000-word abstract.

Agenda:
08:30 – Registration
09:00 – Opening words, Dr Anna-Maria Osula & Prof Olaf Maennel
09:10 – Keynote, “The Triangle of Impossibility: Strategic Decision-Making and Cyber Security”, Mr Lauri Almann
10:05 – Keynote, “The Truth about Hacking. From Russia to Hollywood.”, Mr Ralph Echemendia
11:00 – Coffee break

11:30 – 13:00 SESSION 1: Big Data & Privacy
Ms Kärt Pormeister, “The GDPR as an Enabler for Big Data: What Does it Mean for the Data Subject?”
Ms Maris Männiste, “Social Media and Big Data”
Ms Julija Terjuhana, “Right to Data Portability”
Mr Alexander Mois Aroyo, “Bringing Human Robot Interaction towards Trust and Social Engineering – Slowly & Secretly Invading People’s Privacy Settings”

11:30 – 13:00 SESSION 2: Security
Mr Alessandro Borrello, Mr Sioli O’Connell & Mr Yuval Yarom, “Is Dynamic Analysis of Android Applications More Effective Than Mass Static Analysis at Detecting Vulnerabilities?”
Mr Ben Agnew, “Security Applications of Additive Analogue Memory”
Mr Richard Matthews, “Isolating Lens Aberrations within Fixed Pattern Noise”
Mr Muhammad Imran Khan, “On Detection of Anomalous Query Sequences”

13:00 – Lunch
14:00 – 15:30 SESSION 3: Privacy (cont) & Cyber Crime
Dr Xingan Li, “Social Networking Services and Privacy: An Evolutionary Notion”
Mr Sten Mäses, “Gone Phishin’ (But Not to Jail)”
Mr Kristjan Kikerpill, “Cybercrime Against Business: Who Draws the Short Straw?”
Ms Anne Veerpalu, “Blockchain Technologies”

14:00 – 15:30 SESSION 4: Applied IT-Security
Prof Tobias Eggendorfer, “Using Process Mining to Identify Attacks”
Ms Belgin Tastan, “Electronic Identification System – How to Adopt, Expanding and Provide One Card for All”
Mr Aykan Inan, “Project IVA”
Mr Ayden Aba & Mr Jackson Virgo, “Equity Crowdfunding with Blockchain”

15:30 – Coffee break
15:50 – 17:00 SESSION 5: State and Cyber
Ms Maarja Toots, “Why Do e-Participation Projects Fail? The Case of Estonia’s Osale.ee”
Mr Georgios Pilichos, “Securitization of Cyberspace”
Mr Madis Metelitsa, “Addressing the Security Dilemma in Cyberspace”
Ms Somaly Nguon, “Cambodia’s Effort on Cybersecurity Regulation: Policy and Human Rights’ Implications”

15:50 – 17:00 SESSION 6: eGovernment & Security
Mr Harish Gowda & Mr Matt Reynolds, “Real-Time Video Stream Substitution”
Mr Nicolas Mayer, “The ENTRI Framework: Security Risk Management Enhanced by the Use of Enterprise Architectures”
Mr David Hubczenko, “Investigation into Twitterbot Identification Techniques”
Mr Lachlan Gunn, “Geolocation of Tor Hidden Services: Initial Results”

18:00 – Social snacks at “August”, Väike-Karja 5

Links:
http://cybercentre.cs.ttu.ee/en/icr2017/

SK ID Solutions declared provider of vital services

The Identity Documents Act was amended to declare the provider of certification services a vital service provider:

(31) The provider of certification service that enables digital identification and digital signing with the certificate which is entered in the documents issued on the basis of this Act is the provider of vital service specified in clause 36 (1) 8) of the Emergency Act.
[RT I, 03.03.2017, 1 – entry into force 01.07.2017]

In practice, at least for now, the new status does not introduce significant new requirements, since the operational requirements set by law for SK as a qualified trust service provider were already quite high.

Links:
https://www.riigiteataja.ee/en/eli/521062017003/consolide