Author Archives: user469294

Cyber Defense League and Maria Mägi Law Firm conference “Cyberdefender or cyberterrorist?”


October 29, 2015. Estonian National Library, Tallinn.

Agenda
09:30 – 10:00    Registration open, welcome coffee.
10:00 – 10:10    Opening remarks
Andrus Padar, Chief of Cyber Defense League
10:10 – 11:30    Is Estonian e-lifestyle well defended?
– short presentations and demos by cyber league members.
11:30 – 11:45    Coffee pause
11:45 – 13:00    Cyberwar and cybercivilwar – patriot or cyberterrorist?
attorney at law Eeva Mägi, Maria Mägi Law Firm, doctoral student at Tallinn University of Technology
13:00 – 14:00    Lunch
14:00 – 15:30    Cyberdefender or cybercriminal – where is the dividing line between allowed and forbidden?
attorney at law Mare Tannberg, Maria Mägi Law Firm, University of Tartu lecturer in criminal law.
15:30 – 15:45    Coffee pause
15:45 – 17:00    Roundtable, moderator Andrus Padar and Maria Mägi (Maria Mägi Law Firm Managing partner).

Working language Estonian. Participation fee EUR 25. Invitation-only event. Ask for an invitation from your closest Cyber Defense League member.

Links:
https://kkl.conf.ee/doku.php

Hundred thousand ID card certificates issued with invalid public key encoding


From the Chrome bug report:

Estonian IDs issued between September 2014 and September 2015 are broken and use negative moduli.

Not content with signing negative RSA moduli, still other Estonian IDs have too many leading zeros.

In Estonia there are 100 000+ such ID cards, and without any change in Chrome 46 those card owners could not use Chrome any more for everyday use.

ASN.1 DER encoding specifies that a positive INTEGER whose most significant byte has its most significant bit set must be encoded with a leading 0x00 byte. The certificates in question omit this prefix for the RSA public key modulus, so a standards-compliant DER decoder such as Chrome's interprets the public key value as an (invalid) negative integer.
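The two encoding defects above, as an added example (not code from the Chrome bug report or from SK): a strict DER INTEGER parser that classifies a modulus as correctly padded, negative (pad omitted) or non-minimal (extra zero), beside the correct encoder. The sample modulus is constructed, not taken from any certificate.

```python
def _der_length(buf, pos):
    """Parse a DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:                    # short form: one byte
        return first, pos + 1
    nbytes = first & 0x7F               # long form: number of length bytes
    length = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    return length, pos + 1 + nbytes

def _integer_content(buf):
    """Return the content octets of the INTEGER TLV at the start of buf."""
    if not buf or buf[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length, start = _der_length(buf, 1)
    content = buf[start:start + length]
    if length == 0 or len(content) != length:
        raise ValueError("empty or truncated INTEGER")
    return content

def classify_der_integer(buf):
    """'negative': first byte >= 0x80 with no 0x00 pad (what the affected
    certificates did); 'leading-zeros': a 0x00 pad before a byte < 0x80
    (the other variant, non-minimal and so invalid DER); otherwise 'ok'."""
    content = _integer_content(buf)
    if content[0] & 0x80:
        return "negative"
    if len(content) > 1 and content[0] == 0x00 and not content[1] & 0x80:
        return "leading-zeros"
    return "ok"

def der_integer_value(buf):
    """Strict X.690 decoding is two's complement: an unpadded modulus is negative."""
    return int.from_bytes(_integer_content(buf), "big", signed=True)

def encode_positive_integer(value):
    """Correct encoding: add the 0x00 pad only when the first byte is >= 0x80."""
    if value < 0:
        raise ValueError("only non-negative values")
    mag = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if mag[0] & 0x80:
        mag = b"\x00" + mag
    if len(mag) < 0x80:
        length = bytes([len(mag)])
    else:
        lb = len(mag).to_bytes((len(mag).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return b"\x02" + length + mag

# Constructed 1024-bit stand-in for an RSA modulus (top bit set, as always).
SAMPLE_MODULUS = (1 << 1023) | 0x10001
GOOD = encode_positive_integer(SAMPLE_MODULUS)
NEGATIVE = b"\x02\x81\x80" + GOOD[4:]      # the 0x00 pad dropped
LEADING_ZEROS = b"\x02\x81\x81\x00" + encode_positive_integer((1 << 1022) | 3)[3:]
```

A lenient decoder that reads the content as unsigned would accept all three forms, which is why the defect went unnoticed until a strict decoder shipped.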

A Google developer hints that SK’s recently passed annual audit falsely attests that SK’s operations conform to the standards:

It would seem each of these certificates fails to conform to the ETSI TS 102 042 policies (for which sk.ee was audited), which would invalidate them for use as QCP-SSD/QCP/NCP, nor would they conform to the sk.ee CPS in force at this time. If so, wouldn’t all of these certificates need to be revoked, per sk.ee’s CPS?

First SK asked for a “temporary” workaround, later committing to recall the ID cards in question in the next 6 months:

Is it possible to make a temporary (for 5 years) workaround for such cards in Chrome 46 and beyond?

AFAIK, no more certificates with incorrect encoding are being generated and the renewal of the issued ones is being planned. It shall require time, less than 5 years but obviously not a month or two, due to the sheer number of the cards out there.
6 months seems like a realistic target.

Translation of Postimees article:

Due to a software error by the Estonian ID card software vendor AS Sertifitseerimiskeskus, about 250 000 ID cards have a defect that may cause usage problems in the future. ID cards with faulty certificates were issued for one year starting September 2014, and if the error is not fixed in the following six months, people will no longer be able to authenticate themselves in future versions of the world’s second most popular web browser, Google Chrome.

“This is certainly non-compliance with standards on our side. We let the error through in our software development. The reason why this error went through and persisted is that no browser had discovered it until now, and our ID card so far works excellently with them,” head of SK Kalev Pihl explains to Postimees. The matter came to light when Google made a big software update which checks subtleties that no other software has checked so far. “It came out that some certificates on Estonian ID cards do not conform to requirements,” says Kalev Pihl, who says that the error came out during the beta-testing of the new browser software.

Pihl confirms that SK agreed with Google on a half-year-long transition period. The result is that Chrome will not add the new check at the moment, and people can use this browser for authentication with no problem. “That half a year of development time should really be enough to provide a person with a solution where he/she can renew ID card certificates at the computer with one button press,” adds Pihl. “Usually during our testing we discover bugs introduced by browser developers; this time they discovered an error on our side,” summarized Pihl.

RIA plans a remote update feature for Estonian ID cards / e-residency cards:

The functionality, prompting card owners to update the certificates online, was once part of the Estonian ID card software suite and will now be re-implemented. The procedure for initiating the remote update of the certificates is to be implemented in a way that is both easy to use and secure. Veinthal said the security and risk of the new functionality were to be analysed before implementation. “The eID framework has to be aware that interoperation glitches are becoming more frequent in the world of technology, increasing the necessity to create fast and convenient solutions,” commented Veinthal.

Links:
https://code.google.com/p/chromium/issues/detail?id=532048
https://code.google.com/p/chromium/issues/detail?id=534766
http://tehnika.postimees.ee/3342861/eestis-on-kaibel-sadu-tuhandeid-tarkvaraveaga-id-kaarte
http://news.err.ee/v/scitech/d95562b3-2d28-4d1c-bfce-487a6420caa5/250000-estonian-id-cards-could-be-faulty
https://blog.ria.ee/probleem-nr-532048/
http://news.postimees.ee/3348383/all-e-residents-got-faulty-cards
https://www.ria.ee/ria-plans-a-remote-update-for-estonian-id-cards/
http://news.err.ee/v/scitech/e6f4c240-b0f4-4543-a9fe-fa83a2101f10/id-card-bug-could-damage-estonias-it-image

Glitch by payment processor Nets Estonia causes chaos in SEB and Swedbank accounts


All it took to trigger the widespread woe was an outwardly insignificant slip: on September 17th, Nets Estonia, which coordinates card transactions in Estonia, forwarded a file with card transactions to the financial institutions twice, and two days later attempted to correct the mistake by sending a file cancelling the «double» transactions.

The banks which, for whatever reason, only acted on the cancel entries sent on September 19th unexpectedly returned to customers yesterday morning the money spent on September 17th. This, for instance, was the lot of SEB clients. To our knowledge, clients of institutions like Swedbank and Citadele were less lucky. The control systems of said banks had already acted on the double file dated September 17th and brazenly pocketed the customers’ money twice.

As the control systems of LHV and Nordea pulled the brakes on both the file prescribing double payments and the dataset sent to cancel it, the clients of both banks escaped the mess.

Why could LHV and Nordea engineers implement a fault-tolerant algorithm while the engineers of the two biggest banks, SEB and Swedbank, could not?
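One shape such a fault-tolerant algorithm can take, as an added example that is not the code of Nets Estonia or any bank: a ledger that keys each batch file by its content and batch id, so the re-sent file is dropped and the cancellation, which refers to a double posting that never happened, is dropped too. The batch ids, file kinds and amounts are assumptions; the page does not describe the real file format.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class BatchFile:
    batch_id: str            # assumed: the processor tags every file it sends
    kind: str                # "debit" or "reversal"
    entries: tuple           # ((account, amount_in_cents), ...)
    reverses: tuple = None   # reversal only: (batch_id, occurrence) it undoes

class Ledger:
    """A file delivered twice is applied once; a reversal needs a real posting."""
    def __init__(self):
        self.balances = {}          # account -> balance in cents
        self.posted = {}            # (batch_id, occurrence) -> BatchFile
        self.fingerprints = set()   # content hashes of accepted files
        self.rejected = []          # (batch_id, reason), for the operations team

    def _reject(self, f, reason):
        self.rejected.append((f.batch_id, reason))
        return False

    def process(self, f):
        canon = repr((f.kind, f.batch_id, sorted(f.entries), f.reverses))
        fp = hashlib.sha256(canon.encode()).hexdigest()
        if fp in self.fingerprints:
            return self._reject(f, "identical file already processed")
        if f.kind == "debit":
            key = (f.batch_id, 1)   # a rejected duplicate never becomes occurrence 2
            if key in self.posted:
                return self._reject(f, "batch id already posted")
            self.posted[key], sign = f, -1
        elif f.kind == "reversal":
            original = self.posted.get(f.reverses)
            if original is None or sorted(original.entries) != sorted(f.entries):
                return self._reject(f, "no matching posting to reverse")
            del self.posted[f.reverses]   # one-shot: a second reversal finds nothing
            sign = +1
        else:
            return self._reject(f, "unknown file kind")
        for account, amount in f.entries:
            self.balances[account] = self.balances.get(account, 0) + sign * amount
        self.fingerprints.add(fp)
        return True

def replay_double_delivery():
    """Constructed replay: one debit file delivered twice, then a file meant
    to cancel the 'second' delivery (ids and amounts are made up)."""
    entries = (("customer-A", 1995), ("customer-B", 4250))
    debit = BatchFile("NETS-20150917-001", "debit", entries)
    reversal = BatchFile("NETS-20150919-001", "reversal", entries,
                         reverses=("NETS-20150917-001", 2))
    ledger = Ledger()
    return ledger, [ledger.process(x) for x in (debit, debit, reversal)]
```

The rejected list is what an operations team reviews; in the replay it holds exactly the duplicate delivery and the dangling cancellation, and every customer is debited once.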

Links:
http://news.postimees.ee/3339225/confused-banks-erraneously-move-money-of-hundreds-of-thousands

The suspected mayor of Tallinn ordered regular bug sweeps


By eavesdropping on telephone calls, the investigators were aware whom Mr Savisaar met and when, and what to keep in mind while collecting evidence. The investigators were aware that dark matters are not discussed over the phone, and that plain speech would be avoided if at all possible.

Here is where hidden cameras, installed by court permission, are helpful. However, even these are in danger of being discovered. Especially with Mr Savisaar, as the all-suspecting Mayor of Tallinn is in the habit of asking people close to him to «bug control» places linked to him from time to time. Therefore, Kapo was at pains to diligently plan where and for how long to install the equipment.

Links:
http://news.postimees.ee/3337697/the-scandal-long-feared-laid-bare

A public lecture by Mikko Hyppönen at Estonian IT College


On 13 October 2015 at 12.00pm, Mikko Hyppönen, the world-renowned information security expert whose presentations always contain ample examples of topical information security incidents and events that have endangered the privacy of Internet users, will be delivering a public lecture at the IT College.

Links:
http://www.itcollege.ee/en/blog/2015/09/15/mikko-hypponen-top-specialist-of-information-security-will-be-delivering-a-public-lecture-at-the-it-college/
https://www.youtube.com/watch?v=UXSAaVx2EOo
http://uudised.err.ee/v/eesti/724d4692-24ba-48ee-ab60-b81221fbc79b/
http://news.err.ee/v/scitech/8067fe55-f06f-47be-aefa-38a2a1b834e2/

Four thousand ID card certificates issued with duplicate email addresses


Upon manufacturing the ID card, residence card, Mobile-ID and Digi-ID certificate, an email address in the form name.surname@eesti.ee is generated. In the case of namesakes, the software compares the email address to the previously used addresses, and subsequent people with the same name get an email address in the form name.surname.1@eesti.ee, name.surname.2@eesti.ee etc., depending on how many people there are with the same name.

“Due to the software error, duplicate email addresses were created for namesakes; these addresses were also inserted into the certificates of identity documents. We have fixed the error and we can assure that such a situation will not reoccur in the future,” explained Kalev Pihl, Member of the Board of the Certification Centre. Altogether 40 000 ID and residence cards were issued in June and July, 4120 of them with duplicate email addresses.

Email address name.surname@eesti.ee is an alias to personalidentificationcode@eesti.ee, which is unique. For sending information, state authorities use the email address personalidentificationcode@eesti.ee.

After the software error was detected, the State Portal suspended the email forwarding right of all of the persons who had received a duplicate email address with their certificates. These persons can start using their eesti.ee email address only after the renewal of the certificates.

Links:
https://www.politsei.ee/en/uudised/uudis.dot?id=471347

Oxford Training Sessions on Government, Security, and Conflict in the Cyber Age


This three-day training session is organized and delivered by Oxford University faculty. It will discuss in detail the challenges and opportunities of the modern information society. These are not solely or even primarily technical in nature – they also involve elemental questions of political culture and institutions, public policy, ethics, law, and diplomacy.

Where: Tallinn University of Technology, Ehitajate tee 5, Tallinn, room U01-202 (auditorium behind the main hall)

DAY 1: September 4, Friday, Grand Hall
09:00 – 10:00    Registration and welcoming
10:00 – 10:30    Course Introduction (Lucas Kello)
10:30 – 12:00    Lecture 1: Computing and Networks: The Basics (Andrew Martin)
12:00 – 13:00    Lunch break
13:00 – 14:20    Lecture 2: Code as a Weapon: Worms and Viruses (Andrew Martin)
14:20 – 14:30    Short break
14:30 – 16:00    Lecture 3: International Security and Conflict in the Cyber Age (Lucas Kello)
16:00 – 16:10    Short break
16:10 – 17:00    Day 1 summary

DAY 2: September 5, Saturday, Grand Hall
08:30 – 09:00    Registration
09:00 – 10:20    Lecture 4: Rules of War in the Cyber Domain (Lucas Kello)
10:20 – 10:30    Short break
10:30 – 12:00    Lecture 5: Cybersecurity and the Age of Privateering: A Historical Analogy (Florian Egloff)
12:00 – 13:00    Lunch break
13:00 – 14:20    Lecture 6: Origins, Principles and Functions of the Estonian State Information System (Kuldar Taveter)
14:20 – 14:30    Short break
14:30 – 16:00    Lecture 7: Designing User Friendly and Secure Services of e-State (Kuldar Taveter)
16:00 – 16:20    Coffee break
16:20 – 17:00    Day 2 summary and simulation exercise briefing

DAY 3: September 6, Sunday, Grand Hall
08:30 – 09:00    Registration
09:00 – 09:30    Simulation exercise set up
09:30 – 13:00    Simulation Exercise
13:00 – 14:30    Lunch break and group discussion
14:30 – 15:30    Post-Exercise Debriefing: Decision-making in a Crisis
15:30 – 15:50    Coffee break
15:50 – 17:00    Course summary

Registration open until 02.09.2015.

Links:
http://www.egov.ee/oxford/

Four PBGB officials fired in 2014 for misusing police database


Sixteen officials faced disciplinary proceedings over their use of the Police and Border Guard Board’s (PPA) KAIRI information system. Four lost their jobs for unauthorized access. For example, one police officer from Jõhvi made 170 queries on 70 individuals, 52 vehicles and 11 phone numbers, none related to his official duties. “PPA takes data handling very seriously and exercises ever stronger control over the use of its information systems,” said Anne Abel from PPA’s internal audit office.

Good work by PPA’s internal audit office. What about other institutions which hold state information systems?

Links:
http://news.err.ee/v/politics/e7b05226-bb75-4207-a96f-71de32b4d5a5/four-officials-fired-in-2014-for-misusing-police-database

SEB Estonia Internet bank ID card authentication bypass


The flaw in the SEB Estonia Internet bank allowed logging in just by knowing the victim’s username. The consequences of the flaw go beyond read-only access to the victim’s transaction history. The victim can be impersonated on any website that supports authentication through SEB (eesti.ee, mnt.ee, tele2.ee, etc.). The flaw can be abused to buy goods from online merchants (as shown in the video), since SEB does not require signature authorization for “banklink” transactions.

Timeline:
2015.05.11. 13:00 – reported to CERT-EE
2015.05.14. 12:00 – fixed by SEB Estonia

The time SEB required to fix such a critical flaw is somewhat surprising.

SEB’s response:

SEB’s spokesman commented that the “referred security issue existed in so-called laboratory conditions, meaning that it needed several conditions to coincide and specific knowledge”.

“The security issue got fixed and we also checked that the flaw was not maliciously exploited,” said SEB’s spokesman, adding that the problem got fixed in less than an hour after all the needed information was received.


Anto Veldre (RIA): It is better that ethical people with academic degrees are looking for security holes than cyber criminals doing it. People should understand that new technology is complicated; systems at home and servers need updates every day; there is no such thing as a secure system (security), but there are people and control methods; if there is a problem it will be handled, and afterwards logs are checked to see if something really happened.


Silver Vohu (SEB): It took less than an hour to make a fix. But reproducing the situation took most of those days, and asking additional questions of CERT-EE was needed. In a normal situation it was impossible to reproduce the problem.

Links:
https://www.youtube.com/watch?v=rRB8jZnS5nY
http://forte.delfi.ee/news/tarkvara/tosine-turvaauk-seb-internetipanka-sai-sisse-ainuuksi-kasutajanimega?id=72291205
http://tehnika.postimees.ee/3306453/seb-internetipangas-oli-tosine-turvaauk-sisenemiseks-piisas-vaid-kasutajanimest
http://seitsmesed.ee/eesti/uudis/2015/08/26/tosine-turvaauk-seb-internetipanka-sai-sisse-vaid-kasutajanimega/
http://www.tv3play.ee/sisu/seitsmesed-uudised-2015/648229

Health data forwarded to cancer screening register despite user’s will


In the second half of June, she had discovered in the digilugu.ee health portal that the National Institute for Health Development (TAI) had made 16 inquiries regarding her during this year. Looking into it, it turned out that the queries came from the cancer screening register launched at the beginning of the year.

«I do not agree with the cancer screening register at TAI, or any other register, systematically collecting my health data. Health data are delicate and cannot be collected without permission by the individual. I request that my health data be immediately closed for TAI,» said Mr Sassian’s application to the social ministry. However, pursuant to the Public Health Act, data is forwarded to the cancer screening register even when an individual has closed her data in the system.

Maarja Kirss, adviser, Data Protection Inspectorate:

Meanwhile, the Public Health Act lays down the right of TAI to obtain data from the health information system to perform tasks prescribed by law. Thus, an individual can only restrict access to health data where a health service provider is concerned, but not from other data processors whom the law obligates to process certain data.

Katrin Merike Nyman-Metcalf, technological law professor at Tallinn University of Technology:

There is no basis to think that the ministry is misinterpreting the law; rather, this is a much broader issue: what’s the worth of an option to lock data if these can still be used? Isn’t the option then just an illusion? Simply put: they do provide the option of privacy of data but in reality they use them anyway.

Links:
http://news.postimees.ee/3296605/register-grabs-health-data-against-will-of-people