Author Archives: user469294

Cyber Security master’s theses defense in Tallinn University of Technology (January 2017)

Monday, January 9, 2016, Akadeemia Tee 15a, Room ICT-315.
Defense committee: Rain Ottis (chairman), Hayretdin Bahsi, Raimundas Matulevicius, Andro Kull.
The grades received (in random order): 5, 4, 4, 3, 3, 2.

Time: 10:00
Student: Christian Ponti
Title: Use of ICMPv6 in a Scenario-based Experiment for Computer Network Exfiltration and Infiltration Operations
Supervisor: Bernhards Blumbergs
Reviewer: Olaf Manuel Maennel

Time: 10:40
Student: Terézia Mézešová
Title: Attack Path Difficulty – An Attack Graph-based Security Metric
Supervisor: Hayretdin Bahsi
Reviewer: Aleksandr Lenin

Time: 11:20
Student: Jens Getreu
Title: Forensic-Tool Development with Rust
Supervisor: Olaf Manuel Maennel
Reviewer: Toomas Lepik

Break – 12:00

Student: Chengxiang Wang
Title: Classification of Black-Box Security Reductions and Oracle Separation Techniques
Supervisor:
Reviewer:

Time: 13:00
Student: Dineta Mahno
Title: Design of Cyber Security Awareness Program for the First Year Non-IT Students
Supervisor: Truls Ringkjob
Reviewer: Kaido Kikkas

Time: 13:40
Student: Gvantsa Grigolia
Title: Evaluation of Data Ownership Solutions in Remote Storage
Supervisor: Ahto Buldas
Reviewer: Jaan Priisalu

Time: 14:20
Student: Kasper Prei
Title: Measuring Personnel Cyber Security Awareness Level Through Phishing Assessment
Supervisor: Olaf Manuel Maennel, Bernhards Blumbergs
Reviewer: Sten Mäses

Yearbook of Estonian courts 2015

The focus of this Yearbook is on criminal procedure with special emphasis on surveillance operations. There are three articles that are of our interest.

“Supervision over surveillance”, Uno Lõhmus, Visiting Professor at the University of Tartu:

In conclusion
First, full judicial pre-approval of surveillance operations, judicial supervision of the operations at the time of conduct thereof, and effective review of the operations after their completion are not ensured. Second, the rules on surveillance are laconic, incomplete and ambiguous, and the case law has not been able to improve this situation. In other words, legal clarity of the law is not ensured. This adds to the complexity of judges’ work and may also contribute to superficiality.

In addition, the case law does not clarify whether the installation of spyware in a computer system should be regarded as the installation of a technical means.

As of 1 January 2013, examination of traffic and location data in electronic communication is not considered to be a surveillance operation.

“Problems related to surveillance – the perspective of a defence counsel”, Küllike Namm, attorney-at-law:

In conclusion
This article focuses on the questions that have arisen in connection with surveillance operations and to which the current law does not provide answers. The discussion of these issues is intended to point out that the activities of public authorities in organising surveillance are inadequately regulated by the Code of Criminal Procedure. This creates a situation where the provisions on access to information on surveillance operations do not guarantee that a person subjected to surveillance can examine the data collected by surveillance operations and, where necessary, take possession of the data in a format that can be played back.

“Some problems encountered in computer system searches”, Eneli Laurits, Adviser to the Penal Law and Procedure Division of the Ministry of Justice:

Summary
The Code of Criminal Procedure of Estonia does not regulate computer system searches. It is relatively difficult to apply the existing rules to the collection of evidence in the manner described in this article, but it is still possible.

When performing an inspection, the body conducting proceedings is not entirely free of jurisdiction-related issues: for example, if the object of inspection is the social media website of a victim or a suspect, then the inspection of the website is complicated in theory, but simple in practice – a mouse click is enough to display various data within the territory of Estonia. An inspection can be based on cooperation (the subject voluntarily provides the user IDs and passwords), but there is always the possibility that voluntary cooperation fails. An investigative body should be able to rely on a legal regime in such cases.

Links:
http://www.riigikohus.ee/vfs/2071/Riigikohtu_aastaraamat_eng_veebi.pdf

SEB is looking for project manager of authentication and security


Your responsibilities:
• Authentication and internet bank security solutions related project management
• Product management, analyze/interpret security needs and translate them into application and operational requirements
• Monitor and analyze performance data related to automated fraud detection to develop improvements
• Risk analysis and high proactivity in managing risks

Who we are looking for:
• Project management and analysis skills are essential
• You understand or are a fast learner able to explain 2-factor authentication, Public Key Infrastructure, Electronic identification (eID) and electronic Trust Services (eTS) in the context of the EU Digital Single Market
• Ability to multitask and prioritize work in a changing business climate
• You feel that writing documentation, preparing audits and answering security and risk assessment questionnaires is something you are comfortable to handle from time to time
• Readiness to travel between Baltic countries

It is an advantage if you have knowledge of fraud prevention/detection technologies, have a university degree in computer science or economics and feel comfortable working independently and using time efficiently.

Education required: Higher education (bachelor)
Languages required: English
Location: Vilnius/Riga
Deadline for applying: 04. December 2016

Links:
http://www.cv.ee/job-ad/seb-pank/project-manager-of-authentication-and-security-f3204148.html

Criminal procedure and digital evidence in Estonia by Eneli Laurits


It has been decided in Estonia that by the year 2020, a criminal file may be digital. Following on from this decision, it is necessary to decide how to incorporate into the law a regulation concerning digital evidence with the aim of seizing as much as possible evidence in its initial digital form, and ensuring the evidence is seized in the place where it is physically located.

This article aims to sum up the most common activities within which digital evidence might be taken, highlighting the potential problems of interest to the legislature when elaborating specific regulations for digital evidence.

A quite disturbing revelation is that, under the current law, law enforcement agents who have court authorisation for the inspection, seizure or remote take-over of a computer system are allowed to access any other remote resources that the system has access to:

The Advisory Guidelines on IT-Evidence, prepared on 24.05.2016 by law enforcement agencies, claim that in case of public investigative measures (inspection, search) and covert surveillance, no request for legal assistance is needed for data stored in cloud on foreign states’ servers.

For example, upon apprehension, a suspect has a computer or a smartphone unprotected with a password, and it is possible to obtain and to look through the information about the data stored, for example, in the cloud or in an e-mail box (which are not on the Estonian servers). Even when prosecutors approach the court on their own initiative, and by pointing out an obvious similarity between the search of a computer system and the search of a physical space to obtain permission from the court, preliminary investigation judges have so far found that such permission is not needed.

The Supreme Court has found that a permission granted by a prosecutor, and not by a court, is enough to observe, copy data in the person’s e-mail box (including when an e-mail box is located on a foreign state’s server) and to covertly examine a part of the server where a particular e-mail box is located, because messages are then not being transmitted, but they have already reached a recipient.

Links:
http://journals.sas.ac.uk/deeslr/article/download/2301/2254

Book Chapter: E-voting in Estonia by Dylan Clarke and Tarvi Martens


“Real-World Electronic Voting: Design, Analysis and Deployment” is a new book about to appear on secure electronic voting. One chapter describes the Internet voting used in Estonia.

In Chapter 6, Dylan Clarke, an ERC research fellow at Newcastle University, and Tarvi Martens, the chief architect of the Estonian remote Internet voting system, describe the Estonian Internet voting system. Since the first pilot in 2005, Internet voting has been used for the whole country in three sets of local elections, two European Parliament elections and three parliamentary elections.

The draft chapter is available on arXiv.org.

Links:
https://www.crcpress.com/Real-World-Electronic-Voting-Design-Analysis-and-Deployment/Hao-Ryan/p/book/9781498714693
https://arxiv.org/pdf/1606.08654v1.pdf

Database of real estate transactions was accessible for years


Brokers have collected information on real estate transactions including addresses in the password-protected tehingud.ee database for years. The database includes information on sale of apartments, including dates and prices. It is strange that the portal has been allowed to operate for years. A quick internet search shows it was founded in 2011 by self-proclaimed real estate expert Kristjan Gross. An article from years ago suggests that the portal charged 99 cents for a query. It also reveals that the database had information on more than 5,000 transactions from all over the country when it was launched and that data was added regularly. Searches of price information could be based on county, parish, town, borough, street, size and condition of real estate object.

«We have reason to suspect that the website uses data from the Land Board’s transactions database,» Jürgens adds. «We do not know how the data ends up in the brokers’ portal; however, current legislation states it can only be accessed by licensed valuators,» says Tiia Redi, executive manager of the Estonian Association of Appraisers. The matter is made more peculiar by the fact that the portal’s owner works as a valuator of land and admits he has access to the Land Board’s database.

«It is possible to use transaction and land register data to indirectly identify persons who have participated in transactions,» Jürgens explains. The state has so far kept to the principle that people’s income is not public information, and that includes proceeds from sale of real estate. «The trend is towards openness elsewhere in the world. The Land Board will analyze the possibility of amending laws that regulate use of transaction data. The main question is whether and to what extent society is ready for all real estate transactions to be made public. Disclosing sale prices could constitute sensitive information as it ties into people’s financial interests,» Jürgens adds. She says that the board feels corresponding public debate is necessary.

Links:
http://news.postimees.ee/v2/3871895/secret-brokers-database-under-investigation

License plate-reading cameras to be installed at border crossings


In efforts to crack down on an increasing issue with Estonians crossing the country’s southern border in order to buy cheaper alcohol there, the Estonian Tax and Customs Board (MTA) wants to install license plate-reading cameras at ten or so currently unsupervised Estonian-Latvian border crossings.

This summer season’s record violation, for example, was discovered last week, when customs officials detained a commercial vehicle in Estonia whose driver had picked up a ton and a half of beer with the intention of delivering it to Finland; the likely intention was to resell the alcohol in Finland, as the cost of beer in Finland is currently twice that of Latvian prices.

“He had already completed a number of successful trips across the border at Ikla and from here on to Finland,” explained Urmas Koidu, director of the customs department at the MTA. “We were able to track him down specifically thanks to the license plate recognition system.”

It is strange that there are still some borders that are not covered by the system. Compared to the intelligence gathering capabilities the system provides, the motive to fight alcohol smuggling is a joke.

Links:
http://news.err.ee/v/news/c6c29079-4a1b-414f-819d-a1272018d477/tax-authority-wants-alcohol-tourists-watched-by-cameras

SK Annual Conference 2016


E-identity event SK Annual Conference 2016 will take place on November 3, 2016, Kultuuri Katel (Põhja pst 27a, Tallinn).

Agenda:
09:00-09:30    Registration and morning coffee
09:30-09:40    Presentation of the exhibitors
09:40-10:30    Overview of SK 2016, Kalev Pihl, SK
10:30-11:00    Updates to SK services portfolio, Liisa Lukin, SK
11:00-11:15    Coffee Break
11:15-12:15    Keynote Peter Zinn: We’re All Gonna Д13
12:15-13:00    Lunch
13:00-13:30    From e-Estonia to e-Europe, Katrin Laas-Mikko, SK
13:30-14:00    Future plans of ID-software, Margus Arm, Riigi Infosüsteemi Amet
14:00-14:30    Overview of near markets: the Baltics and Nordic countries, Lauri Immonen, Telia
14:30-15:00    Coffee Break
15:00-15:20    From physical to virtual: SIM and eSIM convergence, Jürgen Niinre, Telia
15:20-15:50    New SK eID solution, Urmo Keskel, SK
15:50-16:10    Renewed DigiDoc portal, Gintas Balčiūnas, Estina
16:10-16:40    Round of questions and answers
16:40-17:00    Summary of the day by digital world enthusiasts
17:00-17:30    Evening snack

Links:
https://www.sk.ee/ettevottest/aastakonverents-2016

The head of SMIT’s security department Tiit Hallas gives public lecture on cryptography


The public lecture will be held in the building of the IT College, Raja 4C, auditorium 314, Tuesday, October 18, at 13:00. The public lecture will also be broadcast live on the website of the IT College.

The main purpose of Tiit Hallas’s public lecture is to answer various questions on the topic. Tiit will explain cryptography-related terms, describe at a high level how cryptography works and why cryptography is needed to ensure security. Tiit has promised to bring sophisticated content to listeners as simply and understandably as possible.

Tiit Hallas has worked in information security for over eight years in both the public and private sectors and has gained plenty of practical as well as theoretical experience in the field. He has a BA in Information System Development from the IT College and an MSc in Cyber Security from Tallinn University of Technology. As well as delivering lectures and talks on the subject, Tiit is involved with information security in his daily work as the Head of Information Security at the IT and Development Centre of the Ministry of the Interior (SMIT), where he not only manages staff but is also engaged in finding solutions to practical information security issues.

The lecture will be in Estonian.

Links:
http://www.itcollege.ee/blog/2016/10/12/smiti-infoturbeosakonna-juhataja-tiit-hallas-peab-kuberturvalisuse-kuu-raames-it-kolledzis-avaliku-loengu-kruptograafiast/
https://www.youtube.com/watch?v=KLhbaSRjz2s

E-Vote-ID 2016: Improving the verifiability of the Estonian Internet Voting scheme


Abstract. We describe an update of the Estonian Internet Voting scheme targeted towards adding verification capabilities to the central system. We propose measures to ensure the auditability of the correctness of vote decryption and i-ballot box integrity. The latter will be improved to a level where it would be possible to outsource the vote collection process to an untrusted party and later fully verify the correctness of its operations.

The short summary is that the I-voting system used for the local municipal elections in October 2017 will use the ElGamal cryptosystem, which can be plugged into a mix-net. Currently it is not clear whether the general public will be allowed to verify the mix-net inputs and outputs.

Links:
http://research.cyber.ee/~jan/publ/ivxv-evoteid.pdf