Author Archives: user469294

SEB mobile app demands permission to access contact list

SEB’s new mobile banking terms of service, set to take effect on March 1, state that the bank can access contacts data in the client’s phone, including phone numbers, street and email addresses of contacts. If a client does not wish to share their contacts data with the bank, they will not be able to make payments based on mobile numbers using the bank’s application.

Public relations adviser at the Data Protection Inspectorate Maire Iro said that all manner of processing of personal information can only take place with explicit permission from the person or under the conditions and pursuant to the procedure provided by law, and that the client cannot give the bank the right to use phone numbers, street and email addresses or other personal data of third persons.

Allas emphasized that SEB does not process data in the way it is stored in the client’s phone, but treats it anonymously, without the part that would allow it to identify persons.

The usability reason why the bank wants to process the contact list is clear – the bank wants ability to show in the app which of the contacts have the app installed and hence can receive the payment. The app cannot provide such feature without the bank processing phone numbers of contacts. The current version of the app already asks technical permission to access the contact list. From March this will be written explicitly also in the terms of service. Although the wording should be improved, since there is a difference between the bank processing the contact information and application written by the bank processing the data in the user’s device.

Links:
http://news.postimees.ee/3970723/seb-demands-access-to-clients-contacts
http://tarbija24.postimees.ee/3969685/seb-pank-hakkab-noudma-ligipaeaesu-klientide-telefoni-kontaktiloetelule

SK introduced new eID solution Smart-ID

SK introduced its new electronic identity solution Smart-ID, which works on all the most popular smart devices, is not dependent on a SIM card and is usable all around the world.

Using Smart-ID is easy: the user downloads the Smart-ID app from the Google Play or App Store. To use Smart-ID, the user can be identified via ID-card or Mobile-ID. Just like with the ID-card and Mobile-ID, PIN1 and PIN2 codes are required to use Smart-ID. The user creates both in the app. In developing Smart-ID, a lot of emphasis has been placed on ease of use.

Basically, the Mobile-ID functionality has been implemented in mobile app. The private key sharing between the server and mobile device is pretty neat way how to achieve the same security level as in Mobile-ID, where private key is stored in SIM card.

However, we cannot expect Smart-ID to replace Mobile-ID anytime soon, since the solution have not been certified yet as a qualified electronic signature creation device.

Links:
https://sk.ee/en/News/sk-introduced-the-new-e-identity-solution-smart-id/
https://sk.ee/upload/files/8_SK%20uus%20eID%20lahendus_Urmo%20Keskel_AK2016.pdf

Cyber Security master’s theses defense in Tallinn University of Technology (January 2017)

Monday, January 9, 2016, Akadeemia Tee 15a, Room ICT-315.
Defense committee: Rain Ottis (chairman), Hayretdin Bahsi, Raimundas Matulevicius, Andro Kull.
The grades received (in random order): 5, 4, 4, 3, 3, 2.

Time: 10:00
Student: Christian Ponti
Title: Use of ICMPv6 in a Scenario-based Experiment for Computer Network Exfiltration and Infiltration Operations
Supervisor: Bernhards Blumbergs
Reviewer: Olaf Manuel Maennel

Time: 10:40
Student: Terézia Mézešová
Title: Attack Path Difficulty – An Attack Graph-based Security Metric
Supervisor: Hayretdin Bahsi
Reviewer: Aleksandr Lenin

Time: 11:20
Student: Jens Getreu
Title: Forensic-Tool Development with Rust
Supervisor: Olaf Manuel Maennel
Reviewer: Toomas Lepik

Break – 12:00

Student: Chengxiang Wang
Title: Classification of Black-Box Security Reductions and Oracle Separation Techniques
Supervisor:
Reviewer:

Time: 13:00
Student: Dineta Mahno
Title: Design of Cyber Security Awareness Program for the First Year Non-IT Students
Supervisor: Truls Ringkjob
Reviewer: Kaido Kikkas

Time: 13:40
Student: Gvantsa Grigolia
Title: Evaluation of Data Ownership Solutions in Remote Storage
Supervisor: Ahto Buldas
Reviewer: Jaan Priisalu

Time: 14:20
Student: Kasper Prei
Title: Measuring Personnel Cyber Security Awareness Level Through Phishing Assessment
Supervisor: Olaf Manuel Maennel, Bernhards Blumbergs
Reviewer: Sten Mäses

Yearbook of Estonian courts 2015

estonian_courts_yearbook_2015
The focus of this Yearbook is on criminal procedure with special emphasis on surveillance operations. There are three articles that are of our interest.

“Supervision over surveillance”,  Uno Lõhmus, Visiting Professor at the University of Tartu:

In conclusion
First, full judicial pre-approval of surveillance operations, judicial supervision of the operations at the time of conduct thereof, and effective review of the operations after their completion are not ensured. Second, the rules on surveillance are laconic, incomplete and ambiguous, and the case law has not been able to improve this situation. In other words, legal clarity of the law is not ensured. This adds to the complexity of judges’ work and may also contribute to superficiality.

In addition, the case law does not clarify whether the installation of spyware in a computer system should be regarded as the installation of a technical means.

As of 1 January 2013, examination of traffic and location data in electronic communication is not considered to be a surveillance operation.

“Problems related to surveillance – the perspective of a defence counsel”, Küllike Namm, attorney-at-law:

In conclusion
This article focuses on the questions that have arisen in connection with surveillance operations and to which the current law does not provide answers. The discussion of these issues is intended to point out that the activities of public authorities in organising surveillance are inadequately regulated by the Code of Criminal Procedure. This creates a situation where the provisions on access to information on surveillance operations do not guarantee that a person subjected to surveillance can examine the data collected by surveillance operations and, where necessary, take possession of the data in a format that can be played back.

“Some problems encountered in computer system searches”, Eneli Laurits, Adviser to the Penal Law and Procedure Division of the Ministry of Justice:

Summary
The Code of Criminal Procedure of Estonia does not regulate computer system searches. It is relatively difficult to apply the existing rules to the collection of evidence in the manner described in this article, but it is still possible.

When performing an inspection, the body conducting proceedings is not entirely free of jurisdiction-related issues: for example, if the object of inspection is the social media website of a victim or a suspect, then the inspection of the website is complicated in theory, but simple in practice – a mouse click is enough to display various data within the territory of Estonia. An inspection can be based on cooperation (the subject voluntarily provides the user IDs and passwords), but there is always the possibility that voluntary cooperation fails. An investigative body should be able to rely on a legal regime in such cases.

Links:
http://www.riigikohus.ee/vfs/2071/Riigikohtu_aastaraamat_eng_veebi.pdf

SEB is looking for project manager of authentication and security

seb_digiauthsec

Your responsibilities:
• Authentication and internet bank security solutions related project management
• Product management, analyze/interpret security needs and translate them into application and operational requirements
• Monitor and analyze performance data related to automated fraud detection to develop improvements
• Risk analysis and high proactivity in managing risks

Who we are looking for:
• Project management and analysis skills are essential
• You understand or are a fast learner to explain 2factor authentication, Public Key Infrastructure, Electronic identification (eID) and electronic Trust Services (eTS) in the context of EU Digital Single Market
• Ability to multitask and prioritize work in a changing business climate
• You feel that writing documentation, preparing audits and answering security and risk assessment questionnaires is something you are comfortable to handle from time to time
• Readiness to travel between Baltic countries

This is an advantage if you have knowledge of fraud prevention/detection Technologies, have university degree in computer sciences or economics and feel comfortable to work independently/use time efficiently.

Education required: Higher education (bachelor)
Languages required: English
Location: Vilnius/Riga
Deadline for applying: 04. December 2016

Links:
http://www.cv.ee/job-ad/seb-pank/project-manager-of-authentication-and-security-f3204148.html

Criminal procedure and digital evidence in Estonia by Eneli Laurits

digital_evidence_and_electronic_signature_law_review

It has been decided in Estonia that by the year 2020, a criminal file may be digital. Following on from this decision, it is necessary to decide how to incorporate into the law a regulation concerning digital evidence with the aim of seizing as much as possible evidence in its initial digital form, and ensuring the evidence is seized in the place where it is physically located.

This article aims to sum up the most common activities within which digital evidence might be taken, highlighting the potential problems of interest to the legislature when elaborating specific regulations for digital evidence.

Quite disturbing revelation is that by the current law, the law enforcement agents, after court authorized inspection, seizure or remote take-over of the computer system, are allowed to access any other remote resources that the system has access to:

The Advisory Guidelines on IT-Evidence, prepared on 24.05.2016 by law enforcement agencies, claim that in case of public investigative measures (inspection, search) and covert surveillance, no request for legal assistance is needed for data stored in cloud on foreign states’ servers.

For example, upon apprehension, a suspect has a computer or a smartphone unprotected with a password, and it is possible to obtain and to look through the information about the data stored, for example, in the cloud or in an e-mail box (which are not on the Estonian servers). Even when prosecutors approach the court on their own initiative, and by pointing out an obvious similarity between the search of a computer system and the search of a physical space to obtain permission from the court, preliminary investigation judges have so far found that such permission is not needed.

The Supreme Court has found that a permission granted by a prosecutor, and not by a court, is enough to observe, copy data in the person’s e-mail box (including when an e-mail box is located on a foreign state’s server) and to covertly examine a part of the server where a particular e-mail box is located, because messages are then not being transmitted, but they have already reached a recipient.

Links:
http://journals.sas.ac.uk/deeslr/article/download/2301/2254

Book Chapter: E-voting in Estonia by Dylan Clarke and Tarvi Martens

real_world_electronic_voting

“Real-World Electronic Voting: Design, Analysis and Deployment” is a new book about to appear on secure electronic voting. One chapter describes the Internet voting used in Estonia.

In Chapter 6, Dylan Clarke, an ERC research fellow at Newcastle University, and Tarvi Martens, the chief architect of the Estonian remote Internet voting system, describe the Estonian Internet voting system. Since the first pilot in 2005, Internet voting has been used for the whole country in three sets of local elections, two European Parliament elections and three parliamentary elections.

The draft is available in arXiv.org.

Links:
https://www.crcpress.com/Real-World-Electronic-Voting-Design-Analysis-and-Deployment/Hao-Ryan/p/book/9781498714693
https://arxiv.org/pdf/1606.08654v1.pdf

Database of real estate transactions was accessible for years

kristjan_gross

Brokers have collected information on real estate transactions including addresses in the password-protected tehingud.ee database for years. The database includes information on sale of apartments, including dates and prices. It is strange that the portal has been allowed to operate for years. A quick internet search shows it was founded in 2011 by self-proclaimed real estate expert Kristjan Gross. An article from years ago suggests that the portal charged 99 cents for a query. It also reveals that the database had information on more than 5,000 transactions from all over the country when it was launched and that data was added regularly. Searches of price information could be based on county, parish, town, borough, street, size and condition of real estate object.

«We have reason to suspect that the website uses data from the Land Board’s transactions database,» Jürgens adds. «We do not know how the data ends up in the brokers’ portal; however, current legislation states it can only be accessed by licensed valuators,» says Tiia Redi, executive manager of the Estonian Association of Appraisers. The matter is made more peculiar by the fact that the portal’s owner works as a valuator of land and admits he has access to the Land Board’s database.

«It is possible to use transaction and land register data to indirectly identify persons who have participated in transactions,» Jürgens explains. The state has so far kept to the principle that people’s income is not public information, and that includes proceeds from sale of real estate. «The trend is towards openness elsewhere in the world. The Land Board will analyze the possibility of amending laws that regulate use of transaction data. The main question is whether and to what extent society is ready for all real estate transactions to be made public. Disclosing sale prices could constitute sensitive information as it ties into people’s financial interests,» Jürgens adds. She says that the board feels corresponding public debate is necessary.

Links:
http://news.postimees.ee/v2/3871895/secret-brokers-database-under-investigation

License plate-reading cameras to be installed at border crossings

estonian_border-licence_plate_recognition

In efforts to crack down on an increasing issue with Estonians crossing the country’s southern border in order to buy cheaper alcohol there, the Estonian Tax and Customs Board (MTA) wants to install license plate-reading cameras at ten or so currently unsupervised Estonian-Latvian border crossings.

This summer season’s record violation, for example, was discovered last week, when customs officials detained a commercial vehicle in Estonia whose driver had picked up a ton and a half of beer with the intention of delivering it to Finland; the likely intention was to resell the alcohol in Finland, as the cost of beer in Finland is currently twice that of Latvian prices.

“He had already completed a number of successful trips across the border at Ikla and from here on to Finland,” explained Urmas Koidu, director of the customs department at the MTA. “We were able to track him down specifically thanks to the license plate recgnition system.

It is strange that there are still some borders that are not covered by the system. Compared to the intelligence gathering capabilities the system provides, the motive to fight alcohol smuggling is a joke.

Links:
http://news.err.ee/v/news/c6c29079-4a1b-414f-819d-a1272018d477/tax-authority-wants-alcohol-tourists-watched-by-cameras

SK Annual Conference 2016

sk_conference_2016

E-identity event SK Annual Conference 2016 will take place on November 3, 2016, Kultuuri Katel (Põhja pst 27a, Tallinn).

Agenda:
09:00-09:30    Registration and morning coffee
09:30-09:40    Presentation of the exhibitors
09:40-10:30    Overview of SK 2016, Kalev Pihl, SK
10:30-11:00    Updates to SK services portfolio, Liisa Lukin, SK
11:00-11:15    Cofee Break
11:15-12:15    Keynote Peter Zinn: We’re All Gonna Д13
12:15-13:00    Lunch
13:00-13:30    From e-Estonia to e-Europe, Katrin Laas-Mikko, SK
13:30-14:00    Future plans of ID-software, Margus Arm, Riigi Infosüsteemi Amet
14:00-14:30    Overview of near markets: Baltikum and Nordic countries, Lauri Immonen, Telia
14:30-15:00    Cofee Break
15:00-15:20    From physical to virtual: SIM and eSIM convergence, Jürgen Niinre, Telia
15:20-15:50    New SK eID solution, Urmo Keskel, SK
15:50-16:10    Renewed DigiDoc portal, Gintas Balčiūnas, Estina
16:10-16:40    Round of question and answers
16:40-17:00    Summary of the day by digital world enthusiasts
17:00-17:30    Evening snack

Links:
https://www.sk.ee/ettevottest/aastakonverents-2016