
Banks twisting client arms to draw out personal data


Nordea and Danske clients complained to Postimees that the banks withheld services related to transfers and the purchase of shares because the individuals had not filled in a fresh personal data declaration.

The banks told Postimees that they are not collecting the detailed data on their own initiative but are under obligation to fulfil diligence measures arising from laws and other regulations.

Danske Bank explained that the information collected about customers has become very detailed. «In addition to an individual’s personal and document data, a bank must identify the customer’s activity profile, field of activity, volume of activity (bank account turnover), main partners,» explained the bank’s communication chief Tõnu Talinurm. «Pursuant to Tax Information Exchange Act, Danske Bank A/S Estonian branch needs to provide Tax and Customs Board information regarding US tax residents known to it or presumed by it. Because of that, we need to ask all clients whether they are US tax residents.»

The Data Protection Inspectorate’s main position is that the bank asking the questions must also ensure that clients know why they need to declare the extra data.

The Financial Supervision Authority said the laws do oblige banks to know their customers, but do not prescribe specific questions.

Links:
http://news.postimees.ee/3396503/banks-twist-client-arms-to-draw-personal-data
http://news.postimees.ee/3396619/editorial-need-to-know-or-nice-to-know

Public lecture at Estonian IT College by CyberOlympics winner Jaanus Kääp


On Thursday, 19 November at 15.00, the winner of CyberOlympics, Jaanus Kääp, will give a free public lecture at the IT College. The Olympic champion will share what he learned at world-famous security conferences and talk about finding security errors and developing the necessary skills.

The first CyberOlympics were organised by the Information Technology Foundation for Education, the Ministry of Defence, the Estonian Information Technology College, and Vequrity Ltd. It was won by Jaanus Kääp, a second-year student of IT systems development at the Estonian Information Technology College and data security expert at Clarified Security. The grand prix was the opportunity to participate in the prestigious “Black Hat Europe 2015” information security conference in Amsterdam. At the public lecture, the Olympic champion Jaanus will share the more interesting tips and tricks for finding security errors that were presented at the Black Hat Europe and Defcon security conferences and talk about applying these skills to finding security errors during the CyberOlympics and elsewhere.

The public lecture will take place in the IT College building in Mustamäe (Raja 4C, Tallinn, lecture hall 316).

Cybersec.ee has already reported on the hacking competition CyberOlympics 2015.

Links:
https://www.facebook.com/events/1645832179012356/
https://www.youtube.com/watch?v=3hitj0R1bHY

E-enabled elections in Estonia: Forum on research and development in 2015


During the first half day, Estonian researchers will present the results of a 3-year scientific project that studied the Estonian flavour of verifiable Internet voting from both technical and social aspects. The second half of the first day will be devoted to the presentation of the development ideas of the Estonian solution. The second day holds additional interventions on the topic of remote online voting and offers brainstorming activity where feedback to the ideas of the first day will be gathered interactively.

Thursday (05.11.2015)
09:00 – 09:30 Registration
09:30 – 09:45 Opening keynote
09:45 – 10:30 Kristjan Vassil “Diffusion of Internet Voting in Estonia”
10:30 – 11:15 Mihkel Solvak “Impact of Verification on Trust toward Internet Voting”
11:15 – 11:45 Coffee break
11:45 – 12:15 Taavi Unt “Usage Patterns in Internet Voting Log Files”
12:15 – 13:45 Jan Willemson, Sven Heiberg and Arnis Paršovs “Log analysis of Estonian Internet voting 2013-2015”
14:00 – 15:00 Lunch
16:00 – Coffee break
15:00 – 17:30 Tarvi Martens, Sven Heiberg and Jan Willemson “Estonian Internet voting 2017+”

Friday (06.11.2015)
10:00 – 10:30 Bingsheng Zhang “How to Achieve Unconditional Integrity in an End-to-end Verifiable E-voting System”
10:30 – 11:00 Kristjan Gjøsteen “A security usability study on the Norwegian e-voting system”
11:00 – 11:30 Carsten Schürmann “Creating Credible Elections”
11:30 – 12:00 Coffee break
12:00 – 12:30 Jurlind Budurushi “An Investigation into the Usability of Electronic Voting Systems with Paper Audit Trails in the Context of Complex Elections”
12:30 – 13:00 Helger Lipmaa “Privacy and Accountability in Networks via Optimized Randomized Mixnets”
13:00 – 13:30 Filip Zagorski “Improving security of remote voting”
13:30 – 14:30 Lunch
15:00 – Coffee break
14:30 – 17:00 Argument game

Links:
http://cyber.ee/en/news/e-enabled-elections-in-estonia-forum-on-research-and-development-in-2015/

Data Protection Inspectorate allows processing of personal data in a privacy-preserving manner


In Estonia, the Ministry of Education and Science keeps track of students and the Tax and Customs Board keeps track of working (by tracking income tax payments). If data scientists could access these databases, they could find the correlation between working during studies and not graduating in time. However, this data cannot be shared because of the Personal Data Protection Act and the Taxation Act (not to mention the relevant EU regulation). This prevents such studies from being performed.

The Personal Data Protection Act actually permits processing of personal data for research purposes (see § 16), although data mining in a privacy-preserving manner might have some advantages.

We used the Sharemind Application Server with its analytics package Rmind to perform the study in a privacy-preserving way. The privacy-preserving solution was checked by the Estonian Data Protection Inspectorate. Their response was that our solution does not process Personally Identifiable Information (PII) in the meaning of the law.

For the study to be actually private, the institutions need to audit the code that runs on the Sharemind server. In this case the Tax and Customs Board had a person with the skills and willingness to audit the code:

Furthermore, the Tax and Customs Board reviewed Sharemind’s source code to ensure that everything is performed according to the study plan.

The findings of the study:

Our study showed relations between higher education and higher income, but we found no relation between working during studies and not graduating on time. Instead, it turned out that Estonian students of all fields work an equal amount. Also, our data showed clearly the reduction of employment during the financial crisis in 2008.

Links:
https://www.youtube.com/watch?v=Age06E1TWaA
http://sharemind.cyber.ee/stories_privacy-preserving-policy-decisions.html
http://news.err.ee/v/politics/education/01447de3-b5ef-4863-a42b-8275eb823cab/studies-majority-of-it-students-drop-out-of-university
http://eprint.iacr.org/2015/1159

DDoS attack against Omniva’s partner disrupts the work of parcel machines


The DDoS (Distributed Denial of Service) attack that started yesterday (22.10) at 2.30 p.m. and is still ongoing, was directed at the Integer network of Omniva’s cooperation partner, and resulted in a global error in Integer systems. The attack was isolated and main functions of the system were restored by 7 p.m. yesterday evening. The functionality check of parcel machines was completed at 8 p.m. By now, the attack no longer jeopardizes Omniva’s systems. In addition, databases and customer data stored in Integer are definitely protected and are not affected by the attack in any way.

In connection with the attack, sending parcels from parcel machines and receiving paid parcels from the parcel machines was disrupted from 2.30 p.m. to 7 p.m. Customers were able to use parcel machines for receiving packages that were free of charge.

From the description it seems that Omniva accessed Integer’s databases from the same public channel which was attacked, but now Omniva has non-public access to Integer’s databases, which is not available to the attackers.

Links:
https://www.omniva.ee/about_us/news/all_news/parcel_machine_malfunctions_were_caused_by_a_cyber_attack
http://uudised.err.ee/v/eesti/9f133660-eb7d-4091-a199-9fa38942040b/omniva-pakiautomaadid-langesid-kuberrunnaku-ohvriks

SK Annual Conference 2015


The e-identity event SK Annual Conference 2015 will take place on November 5, 2015, at Vaba Lava in Telliskivi Loomelinnak (Telliskivi 60a, building C1).

09:00-09:30 Registration and morning coffee
09:30-09:45 Overview of SK 2015, Kalev Pihl, SK
09:45-10:45 Identification physically and digitally, Joseph Leibenguth, Gemalto
10:45-11:15 Coffee Break
11:15-11:55 eIDAS and international interoperability, Katrin Laas-Mikko, SK
11:55-12:25 New Mobile-ID and alternatives, Urmo Keskel, SK
12:25-12:45 NutiKaitse 2017: development of security, Andri Möll, Monday Calendar
12:45-13:30 Lunch
13:30-14:00 Life of cryptography, Anto Veldre, RIA
14:00-14:30 Underlying technologies of cryptocurrency, Asse Sauga, Eesti Krüptoraha Liit
14:30-15:40 Tech trends 2030 & company of the future, Richard van Hooijdonk
15:40-16:00 Coffee Break
16:00-16:35 Questions and answers
16:35-16:55 Summary of the day
16:55-17:30 Evening snack

Links:
https://www.sk.ee/ettevottest/aastakonverents-2015/

Webinar “Cybersecurity Risk Management: Estonia Experiences”


The Organization of American States (OAS), in partnership with the Estonian Information System Authority (RIA), would like to invite you to register for our next webinar on “Cybersecurity Risk Management: Estonia Experiences”.

Invited Expert: Sven Kivvistik, Head of Risk Control and Advisory Department, Estonian Information System Authority
Thu, Oct 8, 2015 17:00-18:00 EEST

Links:
https://www.sites.oas.org/cyber/EN/Pages/Events/eventsdet.aspx?docid=71
https://vimeo.com/141810655

Talk by IT law and data protection specialist professor Lee Bygrave


The IT law programme invites you to a discussion with the distinguished IT law and data protection specialist, Professor Lee Bygrave from Oslo University. He will give his talk on Friday, October 9, 2015, from 14.15 to 17.30 at the University of Tartu, Faculty of Law, Näituse 20, room 103. The talk will cover the following topics:

  • the US-EU cleavage on data protection regulatory policy;
  • the extent to which data protection rules can and ought to apply to use of human biological material;
  • regulatory policy on privacy-enhancing technology and privacy/data protection by design.

Lee Bygrave’s visit to Estonia is organized by the IT Law Programme. Additional information: Helen Eenmaa-Dimitrieva, Director of the IT Law.

Links:
http://www.ut.ee/itlaw
http://www.jus.uio.no/ifp/english/people/aca/lee/

CyCon 2015 videos are now available online


Videos, proceedings and other materials from the 7th Conference on Cyber Conflict, CyCon 2015, are now available online.

Links:
https://ccdcoe.org/cycon/2015/
https://ccdcoe.org/cycon-2015-materials-now-public.html

GSM jammer found on the table of deputy mayor of Tallinn


A unique device was noticed on the table of Tallinn deputy mayor Kalle Klandorf during an interview which took place on Thursday. It is probably a jammer. A jammer is an electronic device which fills specific frequencies with electromagnetic noise. Other devices using the same frequencies are unable to transmit.

Even though the exact inscription cannot be seen, it may be [this device, costing USD 208]. The device blocks the frequencies 925-960 MHz, 1805-1880 MHz and 1930-1990 MHz used for mobile phones. It also blocks WiFi connections on 2.4 GHz and UHF frequencies 400-470 MHz.

Klandorf laughed at the question of whether there is a jammer on his table. “I haven’t noticed. Maybe it’s not mine? I haven’t bought one. I don’t know,” he replied. He suggested that it may be a handheld radio. Ten of those were recently bought for the municipal police and crisis team. Klandorf thought that it could be an amplifier. Regarding wiretapping, Klandorf said that he wouldn’t mind if they listen.

According to Electronic Communication Act p. 23, it is forbidden to use devices which create interference and disturb radio communication. It is also forbidden to sell them, facilitate etc., and to import them into the EU. [According to the Technical Regulatory Authority], it is forbidden to place such devices on the market or put them into use because they do not comply with the regulations.

The use of frequency jammers is probably one of the methods by which the mayor of Tallinn, who is facing bribery allegations, tried to prevent eavesdropping by KAPO.

Comment by Estonian jammer vendor:

According to the research director of OÜ Rantelon, professor emeritus Andres Taklaja, the device in Klandorf’s office is meant to interrupt wiretapping devices. OÜ Rantelon produces commercial jamming devices for governmental agencies and defence forces. He said that most certainly it is a jammer. It looks like a cheap jammer with a separate antenna for every frequency range. He suggested that if there is a jammer, then there must be bugs.

“These gentlemen should know the frequencies used by the bugs as they were former militiamen. They probably chose the device according to the potential bugs. The look of the device depends on the frequencies it is meant to interfere with. The length of the antennas depends on the wavelength of the radio waves. It is possible to deduce the frequencies by external observation.”

“If the device is too powerful, then it may interfere with other equipment in the building, so I suspect that it is quite low-power. The device is powered from the plug and the power can be adjusted. It could have a battery but such devices take quite a lot of power. If it is unplugged, then it is probably turned off.” Rantelon produces bigger and more powerful devices as they are meant to be used in the field. The professor didn’t suggest how the deputy mayor could have obtained the jammer.

Links:
http://forte.delfi.ee/news/digi/mis-viie-antenniga-masin-kalle-klandorfi-laual-on-ilmselt-jammer?id=72543507