
Report of Estonian Information Board: International Security and Estonia in 2017


Paragraphs from the “Cyber Threats” section on page 36:

Although the crippling of a critical Estonian infrastructure by a state actor in 2017 is not likely, it is certain that Estonia will remain a target of hostile cyber activity. [..] Considering the cyber attacks that sowed confusion in the US in 2016 and Latvia’s experience in holding the presidency of the European Union in 2015, it is also likely that Estonia will come under increased scrutiny from foreign cyber criminals in the second half of 2017.

As in past years, the Estonian government sector was not unscathed by attacks in 2016. The mailboxes of employees of the Riigikogu (parliament), the Ministry of Foreign Affairs and the Ministry of Economic Affairs and Communications were the targets of phishing attempts. An example of such attacks was an incident in 2016 where an attempt was made to steal information in the possession of a Finnish member of the Bellingcat research group. The information concerned the military conflict in Ukraine and the downing of the MH17 airliner.

Haven’t heard of the phishing attempt against a Bellingcat member in Estonia. The spearphishing example screenshot above actually comes from the ESET report on the Sednit hacking group.

Links:
http://teabeamet.ee/pdf/EIB_public_report_Feb_2017.pdf
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf

Bitcoin miners found in Pärnu Hospital

Last spring Pärnu Hospital received information that it was involved in massive mining of virtual money, so-called bitcoin mining. “Arguably, this was the largest bitcoin miner in the Pärnu area,” added the source. It turned out that bitcoin mining in the hospital had been going on for nearly two years.

It would be interesting to know how the mining was discovered. There is no place in the Bitcoin ecosystem where one could list the “largest miners in the area of Pärnu”.

The mining was performed by the hospital’s network administrator and a medical technician – they used six devices in total for this purpose. Some of the equipment was placed in ventilation equipment rooms on the 8th floor. The devices had multiple graphics cards; a smaller Antminer machine ran a Linux operating system from an SD card, and larger servers running the Windows Server 2012 platform were also engaged in mining virtual money.

The medical technician was let go but the network administrator was given only a warning.

RIA will now investigate whether bitcoin mining had security implications:

“Based on media coverage, it cannot be excluded that the case could be a security incident,” said Toomas Vaks, Deputy Director General of the Information System Authority.

Links:
http://tehnika.postimees.ee/4005003/turvarisk-ria-asus-uurima-bitcoinide-kaevandamist-paernu-haiglas
http://geenius.ee/uudis/kruptoraha-ekspert-parnu-haiglas-olnud-masinad-ei-pruukinud-olla-tulutoovad

Document counterfeiting case “Maarika” comes to court

Harju County Court on Thursday accepted plea bargains reached between the Office of the Prosecutor General and those charged in connection with a criminal organization found to be illegally issuing official documents and will make a decision regarding their confirmation in early February.

This is what happened in 2015:

Estonian police have detained 12 people, including four Police and Border Guard (PPA) employees, in what is believed to be the biggest scam the country has seen for years. The suspects allegedly issued official documents that need state approval, such as language test certificates, residence permits, papers needed to receive Estonian citizenship, and medical certificates. The scam involved forgery, entering false information and accomplices who used fake identities.

PPA employees were abusing state databases and ignoring suspicious applications:

Four Police and Border Guard employees, who are now bribery suspects, are believed to have been involved in the process of issuing the forged documents, but were not organizers of the scam. They released confidential information, knowingly accepted application forms with false information and issued official documents in return for bribes. Two are specialists and two are customer servants.

This is how the scam got discovered:

Nobody would have ever noticed if not for the personnel changes at the PPA last year. As a result, a new person ended up doing the follow-up checks of citizenship applications, and to this person lots of cases seemed anomalous. People whose applications had been approved looked like they had nothing to do with Estonia whatsoever. As there were dozens of such cases, the official told internal audit.

The scam was organized by a 65-year-old woman calling herself Maarika. Most “clients” who received counterfeit documents were, in exchange, released from criminal charges. We can see here that if the base identity is not sufficiently protected, no eID system, however well designed, can help.

Links:
http://news.err.ee/v/news/politics/society/77509022-4164-4fb2-81ec-5dab57316f13/enormous-document-factory-scam-exposed
http://news.postimees.ee/3379293/passport-mafia-led-by-babushka
http://news.err.ee/v/news/927817f2-8c7c-435b-a9d9-bde9dc48d934/court-accepts-plea-bargains-in-large-scale-document-counterfeiting-case
http://news.postimees.ee/3996169/members-of-the-passport-mafia-stand-trial

Broker companies have created database of forest owners

According to Postimees, forest broker companies have created a super database of forest owners, part of which could have been leaked from an agency under the Ministry of the Environment.

The database brings together people’s names, dates of birth, telephone numbers and information on their forest properties. Brokers are using phone numbers which telecommunications companies are not allowed to disclose, as well as information about forests which should remain locked in the forest registry of the Environment Agency.

According to Lehar Lindre, head of the portal metsaoksjon.ee, the passwords for using the registry are also given to forest consultants. “However, the Agency of Environmental Protection, which administers the registry, does not know who has made queries and how many,” said Lindre.

Some private entities have personal data they should not have, but nobody knows where the data came from.

Links:
http://pluss.postimees.ee/3980443/metsavahendajate-tegevus-viitab-massiivsele-infolekkele

Estonian Tax and Customs Board website defaced

The Estonian web security company WebARX detected in its logs that hackers, apparently originating from Indonesia, had managed to find a security hole in the website of the Estonian Tax and Customs Board and had uploaded a file there.

“If you look at what has been posted on the User98 Deface.id page, you can see that the hack of the Estonian Tax and Customs Board website was in fact pure coincidence. On the same day, January 17, User98 attacked 72 websites in total. All of the websites were using the content management system Drupal, and on all of these sites the uploaded file lak1998.txt had identical content,” said Oliver Sild, CEO of WebARX.

Tax and Customs Board spokesman Rainer Laurits said that calling the incident a hacking attack is an exaggeration. According to him, the website administrator allowed users to write comments, and the text file was uploaded using that functionality. “We removed unsuitable items, including the post in question. In reality, no danger was caused to the emta.ee website.”

Running an unpatched CMS is asking for trouble.

Oliver Sild, CEO of WebARX, who brought the incident to Postimees’ attention, offers security-related services on his website esec.ee, such as restoration of hacked sites and mass-hack prevention.

Links:
http://tehnika.postimees.ee/3986655/haekkerid-testisid-kogemata-maksu-ja-tolliameti-veebilehe-turvalisust

Cyber Security master’s theses defense in University of Tartu (January 2017)


Cybersecurity theses defence on January 6, 2017 in Tartu J. Liivi 2-224 at 11.00 AM.
Defence Committee: Raimundas Matulevičius (chairman), Olaf Manuel Maennel, Vitaly Skachek, Meelis Roos, Hayretdin Bahsi.

Student: Christian Tschida
Title: The Way to the Specialist and Management Level of Cyber Hygiene Initiative
Abstract: The prototype of the Cyber Hygiene e-learning course was implemented and tested in the Estonian Defence Forces in early 2016. This thesis builds on this. It tries to clarify what data should be available to the specialists and what information should be reported to the management. In addition to many interviews with specialists and security experts, a questionnaire was created to raise coverage. The testing of the questionnaire was done at an internationally well-known think tank.
Supervisor: Sten Mäses, Raimundas Matulevičius
Reviewer: Andro Kull

Student: Mohit Kinger
Title: Enterprise Cloud Security Guidance and Strategies for Enterprises
Abstract: This thesis measures the myriad benefits of using cloud applications, and the effect of cloud computing on business performance. A non-exhaustive review of the existing literature reveals that the security challenges faced by enterprises during cloud adoption and interoperability have to be addressed before the implementation of cloud computing. In this thesis, we provide a detailed overview of the key security issues in the realm of cloud computing and conclude with recommendations on the implementation of cloud security.
Supervisor: Andro Kull, Raimundas Matulevičius
Reviewer: Alex Norta

Student: Priit Lahesoo
Title: The Electronic Evidence Examination Reporting System by the Example of West Prefecture
Abstract: This work focuses on practical issues such as how to improve the speed of drawing up an electronic evidence examination protocol. The work was based on examination data collected in the West Prefecture from real work statistics, with the permission of the Police and Border Guard Board. As part of the work, a practical Microsoft Access application was developed by the author.
Supervisor: Truls Tuxen Ringkjob, Raimundas Matulevičius
Reviewer: Hayretdin Bahsi

Student: Wael Mohamed Fathi Ahmed AbuSeada
Title: Alternative Approach to Automate Detection of DOM-XSS Vulnerabilities
Abstract: This thesis proposes an alternative methodology to detect DOM-XSS by building on the existing approach used by web scanners in detecting general XSS. The thesis proposes to add an extra scan layer, an actual browser, that would be responsible for sending any request and rendering the HTML response received from the web server. To provide a proof of concept for this methodology, the thesis author created a web-based tool on that premise.
Supervisor: Olaf Manuel Maennel, Raimundas Matulevičius
Reviewer: Risto Vaarandi

Student: Vsevolod Djagilev
Title: Android Chat Application Forensic Process Improvement & XRY Support
Abstract: To solve a set of problems a forensic utility has been created, and both manual and automated analysis of chat application data has been done. The main result of this work allows not only performing a search, but also writing modules in Python, which can narrow the search, and each module can understand a particular format if needed.
Supervisor: Toomas Lepik, Raimundas Matulevičius
Reviewer: Emin Caliskan

Links:
http://www.cs.ut.ee/sites/default/files/cs/cybersecurity_theses_defence_schedule.pdf

Ahto Truu presentation “Next-gen Key Infrastructure with Smart-ID”

XII. Tartu Software Development Guild Meeting, Friday, January 13, 2016, 18.00 – 20.00, Turu 2 (Tasku), 5th Floor, SaleMove Office

Presenter: Ahto Truu (Software Architect at Guardtime)
Title: Next-gen Key Infrastructure with Smart-ID
Abstract: With more and more people using smartphones and tablets as their computing devices of choice, and with the upcoming migration away from physical SIM cards, a question arises: what will replace the ID-cards and mobile-ID SIM cards as the carriers of the private keys for Estonian national digital signature infrastructure? In this talk we will look at the Smart-ID solution recently jointly proposed by Sertifitseerimiskeskus and Cybernetica. There will be quite a bit of math in the talk, but we will start with a crash course of the basics of the current systems for those who either missed it in school or have since forgotten the details.

About Ahto
During his three decades in ICT, Ahto has worked in hardware installations and user support, as a software developer and architect, and as a systems analyst. Currently he is busy helping Guardtime’s customers preserve the integrity of their important data. Outside his day job he coaches Estonia’s team to the high school students’ programming competitions. He has also been writing programming columns for the popular science magazines A&A and Horisont.

Seems that Ahto plans to describe the underlying details of key generation in the Smart-ID solution.

Links:
https://www.facebook.com/events/225528061227851/

E-Vote-ID 2016: Family Voting Patterns in E-vote Log Data: Estonian Electronic Elections 2013-2015

This paper uses evidence from anonymized system log data on all Estonian e-votes from 2013-2015 to examine patterns and combinations indicative of family voting.
[..]
Using logs we identify unique e-voting sessions coming from the same IP address and computer with the same operating system that happen in close proximity to each other, specifically with not more than 10 minutes between the end of one and the beginning of another unique voting act.
[..]
The results show that 7-8% of e-votes are cast in such pairs. The age and gender structure of these e-voters also shows a set of distinct combinations. The age differences in these pairs are either very small or large. The largest group is formed by same-aged pairs of opposite sexes, indicating same-aged partners e-voting together. Another prominent pattern is pairs with large age differences of the same or opposite sexes, indicating a parent voting together with a voting-aged youth.
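The pairing heuristic described above (same IP address and operating system, at most 10 minutes between the end of one session and the start of the next), as an added example that is not code from the paper or from the election system. The log format, the voter tokens and the timestamps are constructed for the illustration; the real log data is anonymized and not shown on the page.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# Threshold quoted from the paper excerpt above.
PAIR_WINDOW = timedelta(minutes=10)

# Constructed, anonymized session log: voter token, IP, OS, start, end.
# (Not real election log data; the format is assumed for this example.)
LOG = """\
v01,203.0.113.5,Windows 10,2015-03-01T10:00:00,2015-03-01T10:04:00
v02,203.0.113.5,Windows 10,2015-03-01T10:06:00,2015-03-01T10:09:00
v03,203.0.113.5,Windows 10,2015-03-01T10:30:00,2015-03-01T10:33:00
v04,198.51.100.7,macOS,2015-03-01T11:00:00,2015-03-01T11:03:00
v05,198.51.100.7,Linux,2015-03-01T11:05:00,2015-03-01T11:08:00
v06,192.0.2.9,Windows 7,2015-03-01T12:00:00,2015-03-01T12:02:00
"""

class Session(NamedTuple):
    voter: str
    ip: str
    os: str
    start: datetime
    end: datetime

def parse_log(text: str) -> list:
    """Parse the constructed CSV-style log into Session records."""
    sessions = []
    for line in text.strip().splitlines():
        voter, ip, os_name, start, end = [f.strip() for f in line.split(",")]
        sessions.append(Session(voter, ip, os_name,
                                datetime.fromisoformat(start),
                                datetime.fromisoformat(end)))
    return sessions

def find_pairs(sessions: list) -> list:
    """Return (earlier_voter, later_voter) pairs of distinct voters that share
    IP and OS, where the later session starts at most PAIR_WINDOW after the
    earlier one ends (overlapping sessions are not counted as a pair)."""
    by_key: dict = {}
    for s in sessions:
        by_key.setdefault((s.ip, s.os), []).append(s)
    pairs = []
    for group in by_key.values():
        group.sort(key=lambda s: s.end)
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b.voter != a.voter and timedelta(0) <= b.start - a.end <= PAIR_WINDOW:
                    pairs.append((a.voter, b.voter))
    return pairs

def paired_share(sessions: list) -> float:
    """Fraction of e-votes that belong to at least one such pair."""
    voters = {v for pair in find_pairs(sessions) for v in pair}
    return len(voters) / len(sessions) if sessions else 0.0
```

On the constructed log only v01 and v02 form a pair (v03 follows 21 minutes later, v04 and v05 share an IP but not an OS), so the paired share is one third.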

The new Minister of Economic Affairs and Communications (MKM), Kadri Simson, sees this as a concern for i-voting:

“The Estonian Constitution says that elections must be general and uniform. When an old man votes in the polling division, it is not allowed that his young cousin comes with him into the polling booth and helps him to vote. However, in Internet voting it is quite possible, since there is no control over who is assisting in the use of the ID card,” said Kadri Simson, the chairman of the Center Party faction in parliament.

Links:
https://digi.lib.ttu.ee/i/?6967
http://www.pealinn.ee/koik-uudised/kadri-simson-eestis-pole-antud-voimalust-e-valimiste-turvasusteemi-n174077
http://journals.plos.org/plosone/article?id=10.1371/journal.pone.0177864

SEB mobile app demands permission to access contact list

SEB’s new mobile banking terms of service, set to take effect on March 1, state that the bank can access contacts data in the client’s phone, including phone numbers, street and email addresses of contacts. If a client does not wish to share their contacts data with the bank, they will not be able to make payments based on mobile numbers using the bank’s application.

Public relations adviser at the Data Protection Inspectorate Maire Iro said that all manner of processing of personal information can only take place with explicit permission from the person or under the conditions and pursuant to the procedure provided by law, and that the client cannot give the bank the right to use phone numbers, street and email addresses or other personal data of third persons.

Allas emphasized that SEB does not process data in the way it is stored in the client’s phone, but treats it anonymously, without the part that would allow it to identify persons.

The usability reason why the bank wants to process the contact list is clear – the bank wants the ability to show in the app which of the contacts have the app installed and hence can receive a payment. The app cannot provide such a feature without the bank processing the phone numbers of contacts. The current version of the app already asks for technical permission to access the contact list; from March this will also be written explicitly in the terms of service. The wording should be improved, though, since there is a difference between the bank processing the contact information and an application written by the bank processing the data on the user’s device.

Links:
http://news.postimees.ee/3970723/seb-demands-access-to-clients-contacts
http://tarbija24.postimees.ee/3969685/seb-pank-hakkab-noudma-ligipaeaesu-klientide-telefoni-kontaktiloetelule

SK introduced new eID solution Smart-ID

SK introduced its new electronic identity solution Smart-ID, which works on all the most popular smart devices, is not dependent on a SIM card and is usable all around the world.

Using Smart-ID is easy: the user downloads the Smart-ID app from the Google Play or App Store. To use Smart-ID, the user can be identified via ID-card or Mobile-ID. Just like with the ID-card and Mobile-ID, PIN1 and PIN2 codes are required to use Smart-ID. The user creates both in the app. In developing Smart-ID, a lot of emphasis has been placed on ease of use.

Basically, the Mobile-ID functionality has been implemented in a mobile app. Sharing the private key between the server and the mobile device is a pretty neat way of achieving the same security level as in Mobile-ID, where the private key is stored in the SIM card.

However, we cannot expect Smart-ID to replace Mobile-ID anytime soon, since the solution has not yet been certified as a qualified electronic signature creation device.

Links:
https://sk.ee/en/News/sk-introduced-the-new-e-identity-solution-smart-id/
https://sk.ee/upload/files/8_SK%20uus%20eID%20lahendus_Urmo%20Keskel_AK2016.pdf