Nearly 60 percent of Swedbank’s private customers use password cards for online banking. This is in 2016, when much more convenient and safer identification tools, which do not involve the EUR 200 transaction limit, have already been available for several years.
A look at the reasons suggests that people are not willing to change their habits. Password cards are familiar to them: they have used them for a long time, they know exactly where the password card is kept, and they know how to use it. They do not need to learn anything new to use it.
Another barrier is a lack of trust in the new authentication methods. People do not trust things that they do not actually get to keep. They are not willing to go along with changes quickly. Many assert that the EUR 200 payment limit does not hinder them.
Author Archives: user469294
Hacking systems protected by a simple password might not be an offense
Oskar Gross, the manager of the recently opened Cyber Crime Unit of the Central Criminal Police, writes in an opinion piece that Estonian legislation is at times more primitive than actual cybercrime. As a result, a weird situation may arise in which hacking an account that is protected with a simple password such as “1234” is not an offense.
In the latest commented edition of the Penal Code, the lawmaker rather boldly attempted to define the legal handling of computer systems’ passwords and the security issues related to recovering passwords, and the end result is problematic in several respects.
The Penal Code has an important section, §217 “Illegal obtaining of access to computer systems”, which aims to penalize unauthorized access to computer systems. The commented edition of the Penal Code clarifies that access is not unauthorized in the case of amazingly simple passwords, such as “admin”, “123456” and “qwerty”, because such passwords can be guessed by an attacker or found among “the top worst passwords” on the Internet.
In short, the comment on this section says: “If you have a weak password, the access to your data is allowed.”
Links:
http://geenius.ee/uudis/arvamuslugu-kas-konto-parooliga-1234-avalik
Rain Ottis Decorated with the Order of the White Star
Estonian President Toomas Hendrik Ilves on Wednesday signed the decision to decorate 99 persons for services to Estonia on the eve of the country’s 98th Independence Day celebration.
«The decorations are a testimony to Estonian people and our supporters outside Estonia for their determination in their actions and loyalty to the principles on which modern Estonia stands — openness, democracy, knowledge, innovation,» Ilves wrote in the decision to award the decorations.
Our country is grateful to scientists whose research has helped to make Estonia greater. Decorations of the White Star are given to […] the founder of NATO CCDCOE and later the TUT Centre of Digital Forensics and Cyber Security, information technology scientist Rain Ottis.
Congratulations!
The White Star decoration was also awarded to the information security expert Toomas Nurmoja, but the Internet does not have much information about his merits.
Links:
https://ccdcoe.org/centre-ambassador-rain-ottis-decorated-order-white-star.html
https://president.ee/et/meediakajastus/pressiteated/11983-2016-02-04-08-22-36/index.html
ID card or Mobile-ID required to post comments on ERR
In the Estonian and Russian language versions of the Estonian public broadcasting portal Err.ee, comments will be allowed only after identification with an ID card or Mobile-ID.
Err.ee reported that, to the wider audience, commentators will still remain anonymous and can use nicknames. However, their identification data – name and personal identity number – will, if necessary, be available only to the chief editor, and not to other media staff or readers. As ERR explained, user identification will make it possible to contact commentators if necessary, for example, to find out further information.
The changes do not affect the English version of ERR.ee, because its users are mainly foreigners.
Links:
http://uudised.err.ee/v/eesti/d631cdc9-8393-4fc1-8fd7-96f5260c7d41/
Cyber Security master’s theses defense in Tallinn University of Technology (January 2016)
Monday, 18 January 2016, Akadeemia Tee 15a, Room ICT-411:
Time: 10:15
Student: Ennio Calderoni
Title: DNS Security: Analysis of Alternatives and an Android DNSSEC-Aware Browser
Supervisor: Truls Tuxen Ringkjob
Reviewer: Toomas Lepik
Time: 10:55
Student: Kadri Tahsildoost
Title: Usable Security of Two Factor Authentication Methods
Supervisor: Jaan Priisalu
Reviewer: Maria Claudia Solarte-Vasquez
Break 11:35 – 11:45
Time: 11:45
Student: Nisham Kizhakkedathil
Title: An Empirical Analysis of Current Estonian i-voting Model: Challenges and Prospects
Supervisor: Tanel Tammet
Reviewer: Jaan Priisalu
Time: 12:25
Student: Panagiotis Marzelas
Title: A Social Media Honeypot Method to Detect Spear Phishing
Supervisor: Olaf Manuel Maennel
Reviewer: Sten Mäses
Time: 13:05
Student: Seyedmorteza Zeinali
Title: Analysis of Security Information and Event Management (SIEM) Evasion and Evasion Detection Methods
Supervisor: Bernhards Blumbergs
Reviewer: Hayretdin Bahsi
Break 13:45 – 14:00
Time: 14:05
Student: Jesse De Boise Wojtkowiak II
Title: Addressing Insider Threat Vectors in an Information Society
Supervisor: Alexander Horst Norta
Supervisor: Mauno Pihelgas
Reviewer: Hayretdin Bahsi
Time: 14:40
Student: Alvar Ristikivi
Title: Failover Test Measurements of Load Balanced Infrastructure
Supervisor: Olaf Manuel Maennel
Reviewer: Risto Vaarandi
Defense committee: Risto Vaarandi, Rain Ottis, Olaf Maennel, Raimundas Matulevicius, Hayretdin Bahsi.
The grades received (in random order): 4, 3, 3, 2, 1, 0, 0.
Poorly secured WiFi router abused to send SMS messages to paid numbers
Thanks to a poorly secured WiFi network, cyber-criminals were able to run up a bill of nearly EUR 1,000 for the dining place BURKS in Tallinn in a few days.
The admin account of the EMT WiFi router was accessed and SMS messages were sent out to paid numbers (some Latvian numbers and Mobile parking). It seems this was possible because the router used mobile Internet and allowed the messages to be sent out.
Log Analysis of Estonian Internet Voting 2013 – 2015
Conclusions
In this work we developed a systematic data analysis method that can be used to assess the state of an ongoing i-voting and to perform post-election analysis.
The log monitoring solution developed has been a useful tool for detecting software bugs and logging deficiencies, which might not have been otherwise detected.
Although the three elections analyzed in this study were different types of elections, we can see that most of the measured values are similar. Furthermore, taking into account all the observations, we can conclude that in KOV2013, EP2014 and RK2015, no large-scale attack against i-voters was carried out.
Links:
http://eprint.iacr.org/2015/1211.pdf
http://kodu.ut.ee/~arnis/slides_logmon.pdf
New cars stolen using smart key signal relay attack
This Tuesday night another BMW X5 was stolen from near a home in Laagri, Harju County. Over the past few weeks, three pricey cars have been stolen in Southern Estonia, with a total value exceeding €100,000. The police suspect an international organised group, probably car thieves from Latvia or Lithuania.
At the end of October, car thieves from Lithuania were apprehended by the police. While investigating their tools, the police came across a gadget nicknamed a «bowl». This is a device that amplifies the signal of an electronic car key so that a vehicle hundreds of metres away in the parking lot opens its doors and starts its engine. As you read this story, a bowl like this is being studied by experts in Tartu, Estonia. The devices are obtained on the black market or over the web, where one site asks over €9,000 for the thing.
Another example. An individual goes home and leaves the car keys close to the door, on a shelf or in a coat pocket. «This the crooks know very well. They place the «bowl», i.e. the device seeking the radio signals, behind the individual’s front door and the «bowl» finds out the smartkey signal. The smartkey sends signals to about a metre and a half,» said Toomas Jervson of the Northern police prefecture.
Mr Jervson says the solution for owners of pricey cars is simple: if you have a smartkey, add an extra immobiliser. It may cost hundreds of euros, though.
What prevents thieves from also relaying the immobiliser’s signal? There are some immobilisers that try to regularly ping the token and cut the engine if the signal is lost. However, for driving safety reasons this feature is illegal under EU law.
Links:
http://news.postimees.ee/3432227/new-car-theft-now-historically-easy
Poltsamaa Gymnasium to offer cyber defence classes on its curriculum
At the Poltsamaa Gymnasium school in central Estonia, 17 boys and one girl signed up to study cyber defence and IT safety basics as well as cryptology, mechatronics and 3D modelling. One educator says the courses are an investment in the students’ futures.
Tiia Mikson, Deputy Headteacher of Poltsamaa Gymnasium: “It is known that Estonia is an ‘e-country’ and there are lots of electronic systems that are in everyday use, but also used by the government and in school. People who can manage, protect and deal with them are needed.”
Artam Kivisild, cyber defence class student: “It is very important right now and it will continue to grow more important. Because society is increasingly based on technology and the Internet.”
In class the students learn drone construction, how to use a 3D printer and internet security basics – all meant to educate a generation more aware of cyber risks in a world ever-more dependent on technology. The education programme was introduced in cooperation with NATO and the Estonian government. After graduating from the class, students receive a certificate from the country’s paramilitary organisation, Defence League. That document is meant to help them in applying for university studies in cyber defence.
Links:
http://uatoday.tv/politics/estonia-549267.html
http://opleht.ee/26512-poltsamaa-uhis%C2%ADgumnaasium-hakkab-kuberkaitset-opetama/
Amendments to allow invasion of privacy without judicial approval
The Ministry of the Interior is drawing up legislation to expand the rights of the Internal Security Service (ISS) and the Information Board, the foreign intelligence agency. Current laws governing security agencies date back to 2001, when the security situation in Estonia and in the world was different, Eesti Päevaleht reported.
Another change would give ISS the right to breach the sanctity of home, family and private life without the approval of a judge, if officials are unable to reach a judge or the situation demands a quick response. The bill, if it enters into force, would compel ISS officials to ask a judge for permission at the earliest opportunity, and if permission is rejected, the operation must be stopped immediately.
“The need for that has appeared in combating terrorism and in prevention of the movement of weapons, ammunition and explosives,” the motion reads.
Links:
http://news.err.ee/v/politics/9bd6fa2f-eff9-4122-bd12-fa4a513325ad/intelligence-agencies-to-get-more-powers
http://epl.delfi.ee/news/arvamus/juhtkiri-kapo-ei-vaja-voimu-juurde?id=73046971