
Sensitive information related to cyber security will be classified as a state secret


The amendments to the State Secrets And Classified Information Of Foreign States Act, which will define as a state secret any classified information related to cyber security or critical information infrastructure protection, will increase the number of officials who have access to state secrets and their responsibility towards their employers.

The Estonian Internal Security Service (KaPo) is responsible for maintaining information about people with state secrets clearance.
“KaPo has never disclosed how many people exactly have the right to access the state secrets and classified information of foreign states. It is clear that these (cyber security) persons now will also need the access, but the precise number we will not disclose,” said KaPo spokesman Harrys Puusepp.

“The need to access state secrets is always derived from the particular job description; it is not granted for fun. The employer’s primary responsibility is to protect state secrets, and now he will also have a sufficient possibility to do that. The amendments to the Act will certainly help to do that,” added Puusepp.

According to Interior Ministry spokesperson Toomas Viks, the amendments to the Act primarily concern employees of the Estonian Information System Authority (EISA).

Rauno Veri, head of the EISA PR department, said that EISA staff already have the necessary clearance, so the amendment will not raise the number of people eligible to access state secrets.

In mid-December the government approved a draft that obliges officials with access to state secrets to report their private trips abroad. The list of countries will be established by the Ministry of the Interior. Viks noted that the obligation to notify will not apply to European Union, Schengen Agreement and NATO member countries.

Additions to the current version of the State Secrets And Classified Information Of Foreign States Act:

Paragraph 10 [list of State Secret subcategories] is amended by clause 9 as below:
EISA risk assessments, monitoring data and information gathered during supervisory actions about critical vulnerabilities in information systems, to the extent that such information contains technical data on the critical vulnerabilities of the information systems of constitutional institutions, government agencies and their subordinate institutions, vital service providers, and international organizations whose security is provided by Estonia, and if the disclosure of such information to unauthorised parties could raise the risk of a security incident in these fields; excluding information which, if revealed, will not endanger the security of the Republic of Estonia. Such information will be classified at the “restricted” level for up to 10 years.

Links:
http://www.postimees.ee/3035403/riigisaladuse-loaga-ametnike-arv-jaab-saladuseks
http://www.riigikogu.ee/?op=ems&page=eelnou&eid=12261279-a8d0-4246-be4a-8c9c0405b3e1&

The hands of the Prosecutor’s Office remain short when catching foreign cyber criminals


In the interview, a prosecutor explains that foreign requests for legal assistance are too expensive and take too much time, so victims cannot realistically rely on the police or the prosecutor’s office in e-crime cases below EUR 1000 (or EUR 5000 in the case of the UK). Nigeria and the USA are singled out as bad: the former for obvious reasons, the latter because US laws are of little help in investigating these cybercrimes. Germany is praised because it sometimes still prosecutes cybercrooks.

Links:
http://www.sakala.ajaleht.ee/3046067/prokuratuuri-kaed-jaavad-piiritaguseid-kaaperdajaid-puudes-vaga-luhikeseks

Workshop about smart card programming in Tartu hackerspace


On 20 January 2015 at 16:00, Tartu Hackerspace will host a workshop (in Estonian) on JavaCard development, with a focus on EstEID and open eID software.

An introduction to smart card programming, with a practical example:

  • Programmable smart cards (JavaCard) – what, why, how and from where
  • JavaCard development lifecycle overview
  • Related technologies, standards (from ISO 7816-3 to PKCS#11)
  • Open-source development tools in the development process: javacard.pro
  • Hands on! Estonian ID-card “clone” in your computer!

The participation fee is EUR 30 (for the white plastic card). Prerequisites: the ability to find your way around the Linux command line, intermediate Java programming skills, and the ability to distinguish hashing from encryption.

Registration: martin@martinpaljak.net

Links:
http://javacard.pro/#news
https://hackest.org/syndmused:2015-01-20-platskaart-vol2

Jaan Priisalu director general of EISA resigns


Jaan Priisalu, director general of the Estonian Information System Authority (EISA), submitted his resignation from office, citing personal reasons, on 19 January 2015.

“Jaan Priisalu is a reputable international cyber expert who has built up a cyber capacity to world level. I thank him for that,” said the Secretary General of the Ministry of Economic Affairs and Communications Merike Saks via a press release.

A competition will be announced to find a new head of EISA.

The Estonian Information System Authority (RIA in Estonian) coordinates cyber security activities in Estonia.

Links:
http://majandus24.postimees.ee/3048297/ria-juht-lahkus-ametist
http://www.delfi.ee/news/paevauudised/eesti/riigi-infosusteemi-ameti-peadirektor-lahkub-ametist?id=70513357

The hacker who attacked the website of “Meie Maa” newspaper fined EUR 455


A 22-year-old hacker has been fined 455 euros for breaching the Meie Maa media website and disabling its comments section, which then diverted readers to a rival site. The attack took place in May, forcing Meie Maa, a media outlet in Saare County, to temporarily shut down its comments section, Meie Maa reported. Readers entering the section were told the site was unsafe and were directed to Saarte Hääl, a rival news site.

The Western District Prosecutor’s Office fined the man 455 euros, of which 100 euros, which has already been paid, will go to Meie Maa as compensation for damages and 355 euros will go to state coffers. Head of Meie Maa, Priit Rauniste, said they are yet to decide whether they will pursue civil action against the man.

He escaped criminal punishment: the Western District Prosecutor’s Office closed the criminal proceedings in this case.

Apparently, meiemaa.ee had an XSS vulnerability in its comments section, which was exploited by posting HTML code that displayed the message and redirected the visitor’s browser to the other news site.

It is not clear how the fine was calculated or which section of the Estonian Penal Code was originally applied against the attacker.
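A defensive illustration of the failure described above, added here and not taken from the original post or from meiemaa.ee: a comment body rendered into the page unescaped versus output-encoded, plus a moderation check that flags comments carrying markup. The function names and the two sample comments are constructed for this example.

```javascript
// Added example (not from the original post): output-encoding user comments
// so that HTML posted into a comments section renders as text instead of
// executing, plus a server-side check that flags markup for moderation.
// All names and the sample comments below are constructed for this example.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape every character that could open a tag or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the comment body is concatenated into the page as-is,
// so any tag a commenter posts becomes live markup for every reader.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment.body}</li>`;
}

// Fixed rendering: the comment body is encoded before it reaches the markup.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment.body)}</li>`;
}

// Detection: flag submissions that contain tags, inline event handlers or
// javascript: URLs so a moderator can review them; ordinary comments need none.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i;
function needsModeration(body) {
  return MARKUP_PATTERN.test(body);
}

// Constructed sample input: one ordinary comment and one carrying a redirect.
const SAMPLE_COMMENTS = [
  { id: 1, body: "Good article, thanks!" },
  { id: 2, body: '<script>location="https://other-site.example/"</script>' },
];

// Produce, for each comment, the moderation flag and the safely rendered HTML.
function triage(comments) {
  return comments.map((c) => ({
    id: c.id,
    flagged: needsModeration(c.body),
    html: renderCommentSafe(c),
  }));
}
```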

Links:
http://news.err.ee/v/society/e0f267a5-b8f5-45e0-baac-584a1fd61360
http://uudised.err.ee/v/eesti/cbe747dc-22e2-4b9b-ab05-a8d90a1a50b0

31C3 talk: Security Analysis of Estonia’s Internet Voting System


Estonia is the only country in the world that relies on Internet voting in a significant way for legally-binding national elections — up to 30% of all voters cast their ballots online. This makes the security of Estonia’s Internet voting system of interest to technologists and citizens the world over. Over the past year, I helped lead the first rigorous, independent security evaluation of the system, based on election observation, code review, and laboratory testing. The findings are alarming: there are staggering gaps in Estonia’s procedural and operational security, and the architecture of the system leaves it open to cyberattacks from foreign powers. Our investigation confirmed the viability of these attacks in the lab, but the Estonian government has chosen to downplay them. We urgently recommend that Estonia discontinue use of the system before the country suffers a major attack.

The presentation contains a good technical overview of Estonian i-voting. The presenter argues that Estonian i-voting has weak operational security. Some of the arguments used by the presenter are quite questionable:

Harri Hursti, one member of our team who is a very large Finnish man and known as a prodigious drinker, went out for serious drinking with this very nice Russian fellow, who is the head of security for the election operations team. During this dinner, I am told, each man consumed two bottles of vodka, after which nothing can be hidden from the truth. So, Hursti reports that by the end of this evening he had drunk that root password out of the head of security.

Links:
https://events.ccc.de/congress/2014/Fahrplan/events/6344.html
https://www.youtube.com/watch?v=JY_pHvhE4os

Sniffing real world EMV payment card protocol transaction


Abstract
The objective of this report is to observe and describe a real-world online transaction made between a debit card issued by an Estonian bank and a payment terminal issued by an Estonian bank. In the process we can learn how the EMV protocol works and which protocol features are used by a Chip-and-PIN card issued by an Estonian bank.

The transaction analyzed in this report was captured using a terminal belonging to a friendly merchant in Tartu and a Visa Electron debit card issued by SEB Estonia. The transaction amount was 0.99 EUR. The transaction was performed in September 2014. The full output (all requests and responses), with annotations, can be found in the appendix.

The report has been published for UT course “Research Seminar in Cryptography (MTAT.07.022)”.

Links:
https://courses.cs.ut.ee/2014/cryptoseminar/fall/uploads/Main/mart-report-f14.pdf

Summary of master’s theses: Attack-tree based risk analysis of Estonian i-voting


This report analyzes two independent works published in 2014 that model security threats to the Estonian i-voting scheme using attack trees. The first, the master’s thesis of Tanel Torn [11], constructs several realistic attack trees for various types of attacks on the Estonian i-voting system and evaluates them using three different state-of-the-art methodologies proposed in the attack-tree literature. The second, the master’s thesis of Ruud Verbij [13], proposes a general framework for comparing different internet voting schemes. Verbij evaluates the proposed framework by applying it to the Estonian i-voting protocol.

Despite using different approaches, Torn and Verbij agree on some of the results. First, they both consider attacks on the Central System to be much more expensive, involving more risk and thus less probable. Second, both authors’ analyses show that revocation attacks are more profitable than vote modification attacks. This is mainly because in the former case the attack does not have to go undetected.

The report has been published for UT course “Research Seminar in Cryptography (MTAT.07.022)”.

Links:
https://courses.cs.ut.ee/2014/cryptoseminar/fall/uploads/Main/riivo-report-f14.pdf

Two criminal investigations are underway related to Bitcoin


They warned the mediator that anyone operating in this area without a licence could be in violation of the Penal Code provision on activity without a licence. Following the correspondence, the Fiscal Intelligence Unit issued a precept demanding data to determine whether the person fell under the Money Laundering and Terrorist Financing Prevention Act.

«He contested the precept and meanwhile our goal was to get him to give the data and say whether he had deals exceeding €1,000. With this we are now in court and we won at first instance,» explained Mr Paul.

The mediator’s representative, Priit Lätt, said the Fiscal Intelligence Unit had no right to demand the data.

Links:
http://news.postimees.ee/3028413/bitcoin-offers-options-to-launder-money

PhD thesis: “Deriving Security Requirements from Business Process Models”


Naved Ahmed PhD thesis: “Deriving Security Requirements from Business Process Models”
Defense date: 16.12.2014 – 16:15 to 17:45 (J. Liivi 2-404, Tartu, Estonia)

Thesis supervisors:
Assoc. Prof. PhD. Raimundas Matulevicius, University of Tartu
Prof. PhD. Marlon Dumas, University of Tartu

Opponents:
Prof. PhD. Andreas L. Opdahl, University of Bergen, Norway
Assoc. Prof. PhD. Rafael Accorsi, University of Freiburg, Germany

Summary:
To address this need, the approach taken in this thesis is to analyse business process models from a security perspective to derive security objectives and requirements. The thesis proposes three complementary contributions. Firstly, security risk-oriented patterns that integrate security risk analysis into business process models. These patterns support security risk concepts in business process models that business analysts can understand easily. Secondly, a taxonomy for assessing security in business processes. This taxonomy is used to classify the security risk-oriented patterns and helps analysts apply these patterns in business process models. Finally, these contributions form the foundation for a method, security requirements elicitation from business processes (SREBP), that performs a systematic elicitation of security requirements for business processes.

Links:
http://www.ut.ee/en/events/naved-ahmed-deriving-security-requirements-business-process-models
http://dspace.utlib.ee/dspace/bitstream/handle/10062/44267/ahmed_naved.pdf