
The head of SMIT’s security department Tiit Hallas gives public lecture on cryptography


The public lecture will be held in the building of the IT College, Raja 4C, auditorium 314, Tuesday, October 18, at 13:00. The public lecture will also be broadcast live on the website of the IT College.

The main purpose of Tiit Hallas's public lecture is to answer various questions on the topic. Tiit will talk about cryptography-related terms, describe at a high level how cryptography works, and explain why cryptography is needed to ensure security. Tiit has promised to bring sophisticated content to listeners as simply and understandably as possible.

Tiit Hallas has worked in information security for over eight years in both public and private sector and has gained plenty of practical as well as theoretical experience in the field. He has a BA in Information System Development from IT College and an MSc in Cyber Security from Tallinn University of Technology. As well as delivering lectures and talks on the subject, Tiit is involved with Information Security in his daily work as the Head of Information Security at the IT and Development Centre of the Ministry of the Interior, where he not only manages staff but is also engaged with finding solutions to practical information security issues.

The lecture will be in Estonian.

Links:
http://www.itcollege.ee/blog/2016/10/12/smiti-infoturbeosakonna-juhataja-tiit-hallas-peab-kuberturvalisuse-kuu-raames-it-kolledzis-avaliku-loengu-kruptograafiast/
https://www.youtube.com/watch?v=KLhbaSRjz2s

E-Vote-ID 2016: Improving the verifiability of the Estonian Internet Voting scheme


Abstract. We describe an update of the Estonian Internet Voting scheme targeted towards adding verification capabilities to the central system. We propose measures to ensure the auditability of the correctness of vote decryption and i-ballot box integrity. The latter will be improved to a level where it would be possible to outsource the vote collection process to an untrusted party and later fully verify the correctness of its operations.

The short summary is that the I-voting system used for the local municipal elections in October 2017 will use the ElGamal cryptosystem, which can be plugged into a mix-net. Currently it is not clear whether the general public will be allowed to verify the mix-net inputs and outputs.

Links:
http://research.cyber.ee/~jan/publ/ivxv-evoteid.pdf

KaPo suspects defense forces’ officer of exposing state secret


Captain Ivo Jurak (38) has been in custody for a month already as the Estonian Internal Security Service (KaPo) suspects him of having exposed a state secret. Jurak served as junior staff officer at the Estonian Defence Forces’ Movement Coordination Centre, reported Estonian daily Eesti Ekspress. This center coordinates the Defence Forces’ strategic transport, including the movement of NATO forces and equipment arriving in Estonia.

The KaPo suspects Jurak of having taken documents containing a state secret with him from work and keeping them at home. According to Jurak's lawyer Natalia Lausmaa, Jurak admits his guilt. Jurak is suspected under Paragraph 241 of the Penal Code, which means that the exposure of a state secret is unrelated to treason or spying. If found guilty, Jurak could face a fine or up to five years in prison.

Case similar to this one.

The KAPO annual review 2016 also mentions an illegal surveillance charge, whatever that means:

Jurak took state secrets he possessed home from work. During the investigation, it was also established that Jurak unlawfully obtained and kept a weapon not related to the defence forces, and was involved with unauthorised surveillance after leaving employment.

Links:
http://news.err.ee/v/news/7199b45e-30d3-4e73-b487-fe4a5c5be9aa/internal-security-service-suspects-defense-forces-officer-of-exposing-state-secret
https://kapo.ee/sites/default/files/public/content_page/Annual%20Review%202016.pdf

UT Seminars on Blockchain Technology



The course will consist of a number of seminars given by invited lecturers, both from the University and from industry. They will present research results along with best practices and examples of applications of blockchain and smart contract technology.

Kick-off seminar:
3.October, 10:15-12:00: Smart contracts and identity on blockchain – using e-Residency in Ethereum, Speaker: Thomas Bertani, Oraclize.it

Regular seminars (Tuesdays 18.15-20.00, Liivi 2-404, Tartu):

25.October: Introduction to Smart Contracts and Applications
Speaker: Kristo Käärmann, TransferWise

1.November: Blockchain as an Enabling Technology for Businesses
Speaker: Frederik Payman Milani, University of Tartu

8.November: Lightweight BPMN engine on ethereum
Speaker: Luciano Garcia Banuelos, University of Tartu

15.November: Cryptographic Foundations of Bitcoin
Speaker: Michal Zajac, University of Tartu

29.November: Introduction to KSI blockchain
Speaker: Andreas Sisask, Guardtime

6.December: Creation of Smart-Contracting Collaborations for Decentralized Autonomous Organizations
Speaker: Alex Norta, Tallinn Technical University

Links:
https://courses.cs.ut.ee/2016/blockchain/fall/Main/Seminars

CERT-EE is looking for a monitoring specialist


Duties:
• information security incident monitoring and defense 24/7;
• state network (ASO) and RIA service monitoring;
• RIA service and state network incident monitoring and defense.

Requirements:
• at least one year of IT work experience;
• at least secondary education;
• average-level computer skills (MS Windows and UNIX work experience);
• interest in information security;
• willingness to work in shifts.

Desired:
• international work experience;
• knowledge in administration of Estonian public information systems;
• clearance for access to state secrets (classification – ‘secret’).

If you believe that you are the right person we are looking for, please send your CV along with a letter of motivation to klaid@cert.ee. For additional questions, please call 6630243 or send them to klaid@cert.ee.

In 2015 CERT-EE had 5 monitoring specialist positions.

Links:
https://cybersec.ee/wp-content/uploads/2016/09/CERT-seirespetsialisti-kuulutus.pdf

Checking who has accessed your personal data is a challenge in practice


Peeter Marvet dispels the myth of transparency in finding out who has accessed your data in state databases:

For the past 20 years or so Estonian e-government and the X-Road backbone has been promoted with the promise of transparency. Yes, we keep a lot of data, but it is stored securely and you can always check who has accessed it. This means transparency and trust. Or “trust”, as in this The Guardian interview with Toomas Henrik Ilves.

Problem is, there is no such transparency – no notifications, no place to log in and see who has accessed your data. There was one system with such functionality, but it was shut down like 10 years ago (added: there is one system – E-Health's Digilugu.ee "patient portal"). And even when it worked, it displayed only a trivial amount of accesses [..].

The rest of the databases? I recall a meeting (in the government residence, no less) where the topic was discussed, possibly at a roundtable arranged by the National Audit Office. After some serious googling I found a contact address where to submit a request to get information about who has accessed my data in the Population Registry. It took some months to get the answer; it supposedly had information about who had requested my data available only in the "comments field" and had to be assembled manually. Promoting the idea of requesting such transparency is a good start for a denial-of-service attack on Estonian e-government.

Then there was a case when somebody from the Ministry of the Interior was to promote some new legislation mandating more data storage with the argument that everybody is able to see who has been accessing the data, so it is not a privacy violation. Our correspondence with her ended after a couple of rounds, after she was unable to find any proof of a solution where I could view the access log.

And don’t get me started on the question of who can purchase the data from our Population Registry or from Business Register. Want to get contacts of unemployed pensioners? Give us your monies! Want to spam every e-resident who has created a company? Sure, all addresses in registry must be business contacts so spam away (and give us some monies)!

Interesting research to conduct would be to submit a bunch of requests for personal data access reports to various state database holders and analyze the response time and the level of detail of the answers.

Links:
https://tehnokratt.net/2016/05/meme-based-trust-lockean-contract-la-e-stonia/

Woman sentenced for accessing ex-boyfriend’s Facebook account


The agreement concluded with the South District Prosecutor’s Office on 16 May 2016:

In January 2015 Maarja Laanemetsa (32) without authorization logged into the www.facebook.com account of L.L. (her ex-boyfriend) and took screenshots of L.L.'s private conversations (with other women). These actions qualify under Penal Code paragraph §217 "Illegal obtaining of access to computer systems" subsection (1): "Illegal obtaining of access to computer systems by elimination or avoidance of means of protection is punishable by a pecuniary punishment or up to three years' imprisonment".

Moreover, after entering the social network and illegally taking the screenshots of L.L.'s private conversations, the accused forwarded the conversations to K.M. (L.L.'s new partner), thereby violating Penal Code paragraph §156 "Violation of confidentiality of messages" subsection (1): "Violation of the confidentiality of a message communicated by a letter or other means of communication is punishable by a pecuniary punishment."

Type and amount of the penalty:
The Prosecutor, pursuant to Penal Code paragraph §63 subsection 1, asks the court to sentence the accused to two months' imprisonment. On the basis of Penal Code paragraph §73 section (1), the sentence imposed is not enforced in full unless during the one-year probation period the accused commits a new intentional crime.

The accused shall reimburse the costs of criminal proceedings:
State legal fees of EUR 48 and according to Code of Criminal Procedure paragraph §179 section (1) subsection 2 compensation of EUR 645 (1.5 times the amount of the minimum monthly wage).

Didn't the accused already violate the confidentiality of a message when she read the private conversations? Is disclosure to a third person required for the act to qualify under Penal Code paragraph §156?

Links:
http://pluss.postimees.ee/v2/3808889/sotsiaalmeedias-nuhkimine-voib-tuua-kriminaalkaristuse
https://www.riigiteataja.ee/kohtulahendid/detailid.html?id=185111724

Homomorphic Tallying for the Estonian Internet Voting System


Abstract. In this paper we study the feasibility of using homomorphic tallying in the Estonian Internet voting system. The paper analyzes the security benefits provided by homomorphic tallying, the costs introduced and the required changes to the voting system. We find that homomorphic tallying has several security benefits, such as improved ballot secrecy, public verifiability of the vote tallying server and the possibility for observers to recalculate the tally without compromising ballot secrecy. The use of modern elliptic curve cryptography allows homomorphic tallying to be implemented without a significant loss of performance.
[..]
The homomorphic tallying scheme described above is not new. The scheme was introduced in 1997 by Cramer et al. [6] and has been used in the Helios open-audit voting system [1] for years. The contribution of this paper is an analysis of the deployment of homomorphic tallying in the context of Estonian Internet voting, where the performance of the protocol is improved by the use of elliptic curve cryptography.

In the new tender specification published by the National Electoral Committee (NEC) we can read that there is a plan to use some kind of mix-net-based technology to provide counted-as-cast verifiability for the local government elections in October 2017. While mix-nets are cryptographically more complicated than homomorphic tallying, they are more universal and can thus also be used in elections abroad, where the ballot style is not as simple as in Estonia (e.g., elections where the voter can vote for more than one candidate).
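To make the two approaches discussed above concrete (the ElGamal ciphertexts that a re-encryption mix-net shuffles, mentioned in the E-Vote-ID post, and the homomorphic tallying of the Cramer et al. scheme analyzed in this paper), here is an added toy example that is not code from the paper, from IVXV or from Cybernetica. It uses exponential ElGamal over a constructed, deliberately tiny safe-prime group (p = 1019, q = 509, g = 4; far too small for any real use): each ballot is a vector of one ciphertext per candidate, the tallier multiplies the ciphertexts column-wise and decrypts only the sums, never an individual vote. The `rerandomize` step shows the operation a mix-net applies before shuffling; the tally is unaffected by it. Function names and the seven-voter sample are my own.

```python
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 generates the
# order-q subgroup of quadratic residues. The mechanism, not the parameter
# size, is what this example demonstrates.
P = 1019
Q = 509
G = 4


def keygen():
    """Election key pair: private x in [1, q-1], public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(pk, vote, r=None):
    """Exponential ElGamal: the vote v is encoded as g^v, so multiplying two
    ciphertexts adds the plaintexts. Returns (c1, c2) = (g^r, g^v * y^r)."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, vote, P) * pow(pk, r, P)) % P


def add_ciphertexts(a, b):
    """Homomorphic addition: Enc(v1) * Enc(v2) = Enc(v1 + v2)."""
    return (a[0] * b[0]) % P, (a[1] * b[1]) % P


def rerandomize(pk, c):
    """Multiply by a fresh encryption of 0: same plaintext, unlinkable
    ciphertext. This is what a re-encryption mix-net does before shuffling."""
    return add_ciphertexts(c, encrypt(pk, 0))


def decrypt_tally(sk, c, max_tally):
    """Recover g^t = c2 / c1^x, then brute-force the small exponent t.
    c1 lies in the order-q subgroup, so c1^(q-x) is its inverse power.
    The search is bounded by the number of ballots, so it is always cheap."""
    c1, c2 = c
    gt = (c2 * pow(c1, Q - sk, P)) % P
    acc = 1
    for t in range(max_tally + 1):
        if acc == gt:
            return t
        acc = (acc * G) % P
    raise ValueError("tally exceeds the expected range")


def encrypt_ballot(pk, choice, n_candidates):
    """One-hot ballot: an encryption of 1 for the chosen candidate index and
    of 0 for every other candidate. (A real system also attaches a
    zero-knowledge proof that each entry is 0 or 1 and that they sum to 1.)"""
    return [encrypt(pk, 1 if i == choice else 0) for i in range(n_candidates)]


def tally_election(pk, sk, ballots, n_candidates):
    """Aggregate ballots column-wise and decrypt only the per-candidate sums.
    (1, 1) is the neutral element, i.e. an encryption of 0 with r = 0."""
    totals = [(1, 1)] * n_candidates
    for ballot in ballots:
        totals = [add_ciphertexts(t, c) for t, c in zip(totals, ballot)]
    return [decrypt_tally(sk, t, len(ballots)) for t in totals]


def demo():
    """Constructed sample: seven voters, three candidates. Ballots are
    re-randomized and shuffled (the mix-net step) before tallying."""
    sk, pk = keygen()
    choices = [0, 2, 2, 1, 2, 0, 2]
    ballots = [encrypt_ballot(pk, c, 3) for c in choices]
    mixed = [[rerandomize(pk, c) for c in b] for b in ballots]
    secrets.SystemRandom().shuffle(mixed)
    return tally_election(pk, sk, mixed, 3)


if __name__ == "__main__":
    print(demo())  # [2, 1, 4]
```

Two things the example leaves out are exactly what the paper's security analysis hinges on: without the ballot-validity proofs mentioned in `encrypt_ballot`, a single malformed ballot (an encryption of 100 instead of 1) corrupts the tally undetectably, and without a verifiable decryption proof observers cannot confirm that the published sums are what the key holder actually decrypted. The one-ciphertext-per-candidate layout also illustrates why the simple Estonian ballot style suits homomorphic tallying and why more complex ballots push designers toward mix-nets.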

Links:
http://eprint.iacr.org/2016/776.pdf

Kapo eavesdropped on Savisaar outside criminal procedure


Lawyers defending Edgar Savisaar are hopeful to kill criminal case against the Centre chairman with just one move – asking that the initial evidence, the basis for all the rest, be declared invalid. This would be the piece of information acquired by security police which afterwards triggered the whole criminal case – by eavesdropping a private conversation between then Mayor of Tallinn Mr Savisaar and Meriton Hotel owner Aleksander Kofkin at the Balalaika.

While talking about the food, a topic slipped in which made police ears perk up. [..] After years of eavesdropping on Mr Savisaar, this for the security police seemed to be a sign that the mayor was involved in issues outside of official responsibilities. [..] While Mr Savisaar is contesting that, the main issue is the method of acquiring the information may not have been legally justified and thus the basis for all the rest of the case would fall off.

In Estonia, security agencies are allowed to eavesdrop on people and institutions outside criminal procedure to prevent danger and in the interests of security. For this, special permission is granted by an expert administrative judge. All related information and related issues (such as statistics) are a state secret.

Years of eavesdropping without the target ever having a right to find out about it, and the overall statistics being a state secret. As the EFF says: when electronic searches are done in secret, we lose our right to challenge the legality of law enforcement invasions of privacy.

Links:
http://news.postimees.ee/3785723/lawyers-of-savisaar-see-ray-of-hope

Estonian Internet voting system to be rewritten from scratch


The new system should provide end-to-end verifiability features:

The current software, created in 2004, needs overhaul as the gradual updates (such as adding the Mobile-ID capacity and others) have rendered the grasp on the source code structure challenging. “The new system will be more universal, allowing more possible applications, in addition to using it for Estonian nation-wide elections and referendums – such as internal elections of large corporations, local government polls and also abroad,” said Tarvi Martens, chairman of Estonian Electronic Voting Committee.

The voting procedure will remain the same for the voter and the source code will remain open. “The planned changes will allow the observers to keep an eye on how the stored e-votes will become election results more efficiently, based on mathematical proof,” Martens explained. “In other words, mathematics will prevail over the human factor. Technical proof allows us to control the system with much more efficiency,” he added.

The full cost of the first contract is 236 800 euros (VAT excluded). The bid was open to all EU entities and received bids from three companies. Cybernetica has won the bid for developing the Estonian electronic voting system, entailing a renewal of the system for the local government elections in October 2017.

Links:
http://uudised.err.ee/v/eesti/fe86efd4-9811-48cc-ae2b-234acd4e6c60/vabariigi-valimiskomisjon-soovib-e-haaletamise-susteemi-uuesti-ules-ehitada
https://cyber.ee/en/news/cybernetica-selected-to-renew-estonian-internet-voting-software/