Author Archives: user469294

Cyber Security Newsletter 2019-11-14

Leave a reply

[2019-11-12] RIA organized information day. The topics covered: new Mobile-ID procurement, closure of DigiDocService, authentication gateway, developments in eID field, signature service, X-Road and others. Full video recording available online (in Estonian).
https://www.ria.ee/et/uudised/tana-toimub-ria-koostoopartnerite-infopaev.html
https://riainfopaev2019.publicon.ee/paevakava/
[2019-11-11] RIA decided to support with EUR 5,550 grant the association for the visually impaired as a compromise for RIA’s failure to support screen readers in DigiDoc4 client.
https://www.ria.ee/et/uudised/ria-solmis-nagemispuudega-inimestega-hea-tahte-margiks-kompromissi.html
https://digi.geenius.ee/rubriik/uudis/kohus-hakkab-vaagima-kas-riik-peab-nagemispuudega-inimestele-vigase-tarkvara-parast-maksma-10-000-eurot/
[2019-11-11] Supreme Court is discussing EDF law expanding surveillance rights. Chancellor of Justice Ülle Madise has found that the amendments are constitutional, because they do not allow for the restriction of individuals’ fundamental rights any more than the legislation currently in force.
https://news.err.ee/1001642/supreme-court-discussing-edf-law-expanding-surveillance-rights
https://news.err.ee/982963/justice-chancellor-law-expanding-edf-surveillance-rights-constitutional
[2019-11-11] Telia offers NFC-enabled SIM card that can be used in the phone to validate ride on public transport in Tallinn.
https://digi.geenius.ee/rubriik/uudis/tallinna-bussis-saad-nuud-oma-soidu-valideerida-ka-nutitelefoniga-viibates/
https://digi.geenius.ee/rubriik/uudis/juhend-kuidas-kaib-labi-nutitelefoni-uhiskaardiga-valideerimine-ja-palju-see-teenus-maksab/
https://news.err.ee/1001643/what-the-papers-say-accessible-tartu-baby-boom-in-paide
[2019-11-07] SK ID Solutions annual conference was held second time in English. Presentation slides available.
https://www.skidsolutions.eu/en/about/sk-annual-conference/sk-annual-conference-2019
[2019-11-04] Estonia is planning a system that would collect data from hotels to alert the authorities when somebody on a watchlist checks in. Dan Bogdanov discussed how to build a totally anonymous electronic accommodation card.
https://twitter.com/danbogdanov/status/1189805333146935296
https://digi.geenius.ee/rubriik/uudis/andmeteadlane-kuidas-ehitada-taiesti-anonuumset-elektroonset-majutuskaarti/
https://digi.geenius.ee/rubriik/uudis/testimisse-jouab-riiklik-e-majutuskaart-mis-informeerib-politseid-tagaotsitavatest/
[2019-11-04] UT researchers performed interdisciplinary research studying Estonian digital signature compliance to national and EU legal requirements. The finding is that the “Signed on” time displayed by DigiDoc software cannot be trusted to establish the actual time of signing. Other finding is that due to the certificate validity suspension option, vast majority of digital signatures created as of now cannot be verified according to legal requirements.
https://cybersec.ee/timesign/
[2019-10-31] From next year, the Consumer Protection and Technical Surveillance Authority (TTJA) will have the rights to restrict access to e-shops and mobile apps, and will have the right to find out who are the customers of the telecom operators.
https://digi.geenius.ee/rubriik/uudis/ttja-hakkab-e-poodide-ja-appide-kasutust-piirama-kui-muud-meetmed-ei-aita/
https://digi.geenius.ee/rubriik/uudis/riik-saab-hakata-piirama-ligipaasu-e-poodidele-ja-appidele-ning-naeb-operaatorite-klientide-andmeid/
[2019-10-28] Storm caused extensive power outage that disrupted internet connection in south of the country. Border crossing was disrupted for several hours. Better preparation for next storm needed.
https://news.err.ee/996771/storm-disrupts-agencies-internet-connection-in-south-of-country
[2019-10-25] Justice ministry conducted an audit into whether judges had accessed documents in the court information system regarding cases in which they do not take part. Judges warned that such audits would undermine judges’ confidence in and willingness to use the information systems.
https://news.err.ee/995904/judges-protest-justice-ministry-court-information-inspection
[2019-10-25] Märt Põder shared a photo from IT minister’s i-voting work group and discussed the risk of i-vote selling.
https://gafgaf.infoaed.ee/posts/myya-v3hekasutatud-kryptogramm/
[2019-10-23] Tele2 blocked foreign phone numbers associated with massive fraudulent call wave. By contrast, Telia and Elisa are not yet blocking the numbers, claiming that intervention of a regulatory body is required.
https://digi.geenius.ee/rubriik/uudis/ootamatu-kaik-tele2-blokeerib-massilise-petukonede-lainega-seotud-valismaised-telefoninumbrid/
[2019-10-23] IT and foreign trade minister Kert Kingo submited resignation. MKM workgroups will keep working. The new IT minister is Kaimar Karu. In his view the transparency of i-voting should be improved.
https://news.err.ee/995118/it-and-foreign-trade-minister-kert-kingo-submits-resignation
https://digi.geenius.ee/rubriik/uudis/endise-it-ministri-kert-kingo-algatatud-tooruhmad-jatkavad-tood/
https://news.err.ee/1002119/new-ekre-minister-kaimar-karu-in-first-interview-the-weak-need-protection
[2019-10-21] Full list of all concerns raised by the IT Minister Kingo’s i-voting working group has been published.
https://digi.geenius.ee/rubriik/uudis/taispikk-nimekiri-it-minister-kingo-e-valimiste-tooruhma-koik-valja-toodud-murekohed/
[2019-10-18] The Estonian state will form a large cyber security policy council. MKM wishes to involve 32 different parties. The tasks of the council will include sharing information on sectoral developments and challenges, building situational awareness on cyber security, and addressing cyber security policies.
https://digi.geenius.ee/rubriik/uudis/eesti-riik-moodustab-suure-kuberturvalisuse-poliitika-noukogu/
[2019-10-09] Data Protection Inspectorate issued memorandom inviting public authorities to not store data on public cloud services, because the confidentiality of the data may not be guaranteed and also the access to data in case of emergency may not be provided.
https://digi.geenius.ee/rubriik/uudis/ameti-margukiri-eesti-riigiasutused-ei-tohi-andmeid-hoiustada-avalikes-pilveteenustes/
https://www.aki.ee/et/uudised/it-kulutohususest-olulisem-turvalisus
[2019-10-05] Research article by TalTech researchers: On Positive Feedback Loops in Digital Government Architecture. The case of Estonia is presented.
https://www.researchgate.net/publication/336362287_On_Positive_Feedback_Loops_in_Digital_Government_Architecture
[2019-10-03] The state wants to reduce the dependency on a single trust service provider and considers running their own trust service provider. Currently ID card and Mobile-ID both depend on SK ID Solutions. SK is ready for competition – Smart-ID provides them with alternative markets.
https://digi.geenius.ee/rubriik/uudis/riik-soovib-vabaneda-riskist-et-id-kaart-mobiil-id-ja-smart-id-on-soltuvad-uhest-firmast/
https://digi.geenius.ee/rubriik/uudis/sk-tahame-enda-valdkonnas-rohkem-konkurentsi-naha/
[2019-09-30] In September, Smart-ID downtime exceeded the allowed limits due to the problems with failing hardware. This year, three Mobile ID interruptions have exceeded allowed limits.
https://digi.geenius.ee/rubriik/uudis/sel-aastal-on-kolm-mobiil-id-katkestust-uletanud-lubatu-piire/
https://forte.delfi.ee/news/digi/mobiil-id-torkus-jalle-kas-ppa-kehtestab-lopuks-sanktsioonid?id=87888275
https://forte.delfi.ee/news/digi/smart-id-teenusega-esines-torkeid?id=87389433
https://forte.delfi.ee/news/tarkvara/mobiil-id-teenus-hetkel-ei-toota?id=87357159
[2019-09-30] DigiDocService will be shut down in October 2020. Mobile-ID service will be provided over REST API similar to Smart-ID. Other services (signature and certificate validation) will not be supported.
https://www.skidsolutions.eu/en/News/the-digidocservice-service-will-be-shut-down-in-2020/
https://digi.geenius.ee/rubriik/uudis/mobiil-id-on-vaikselt-saanud-selle-kasutust-mojutavaid-uuendusi-ja-neid-tuleb-veel-juurde/
[2019-09-26] LHV bank decided to enable Smart-ID API call that requires their clients to choose in mobile app the correct Smart-ID verification code from the three suggested ones. The change is aimed to force their clients to compare the verification codes shown by the Smart-ID application. Unfortunately, such measure helps only against phishing attacks using static phishing pages.
https://www.lhv.ee/et/uudised/2019/29
https://tehnika.postimees.ee/6787356/enneolematu-lhv-pani-smart-id-kasutamisele-lisakontrolli-peale
https://raha.geenius.ee/blogi/lhv-blogi/lhv-muutis-smart-id-kasutamise-veelgi-turvalisemaks/
[2019-09-25] The state is looking for next generation Mobile-ID. This is partly motivated by the eIDAS requirement for expensive security certification of currently non-certified SIM card platforms.
https://digi.geenius.ee/rubriik/uudis/riik-tahab-mobiil-id-paremaks-muuta-laual-on-mitu-varianti/
[2019-09-24] Software error disrupted emergency calls for 20-minute period. In total, 26 people called emergency services during the affected period but were called back later.
https://news.err.ee/993893/ria-number-of-cyber-incidents-in-september-slightly-above-annual-average
https://www.ria.ee/et/uudised/olukord-kuberruumis-september-2019.html
[2019-09-19] Researchers discovered “Simjacker” vulnerability that exploits technology embededed on SIM cards used over the world. According to representatives of Tele2, Elisa and Telia, the SIM cards issued in Estonia do not use technology that would enable the attack.
https://www.adaptivemobile.com/newsroom/press-release/adaptivemobile-security-uncovers-sophisticated-hacking-attacks-on-mobile-phones-exposing-massive-network-vulnerability
https://digi.geenius.ee/rubriik/uudis/mobiilioperaatorid-kinnitavad-sim-kaartide-pohine-haavatavus-ei-mojuta-eestlasi/
[2019-09-13] RIA plans to eventually remove the bank link as an authentication option in government e-services.
https://digi.geenius.ee/rubriik/uudis/ria-plaanib-riigiteenustes-autentimisvoimalusena-pangalingi-ara-kaotada/
[2019-09-13] RIA finished price negotiations with SK ID Solutions and have introduced Smart-ID for authentication to government e-services. RIA has assessed that Smart-ID authentication solution provides eIDAS security level “high”. Support for signing using DigiDoc client will come in the future.
https://www.ria.ee/et/uudised/ria-votab-riiklikes-teenuses-kasutusele-smart-id.html
https://news.err.ee/980219/public-services-can-soon-be-accessed-using-smart-id
https://leht.postimees.ee/6776871/eesti-vottis-ametlikult-kasutusele-smart-id
[2019-09-12] Ministry of Foreign Affairs will launch a cyber diplomacy department headed by Heli Tiirmaa-Klaar, a diplomatic representative with special powers in the field of cybersecurity.
https://news.err.ee/979941/department-of-cyber-diplomacy-to-launch-later-this-year
[2019-09-10] EuroPark has obtained the details of 6000 vehicle owners who have not paid the parking fee. Previously the court ordered Estonian Road Administration to share car owner personal data with EuroPark.
https://kasulik.delfi.ee/news/uudised/europark-on-katte-saanud-6000-soidukiomaniku-andmed-kellel-on-parkimistrahv-tasumata?id=87391211
[2019-07-09] Research article by Emin Caliskan, Risto Vaarandi, Birgy Lorenz (TalTech): Improving Learning Efficiency and Evaluation Fairness for Cyber Security Courses: A Case Study. They present a case study on the Cyber Defense Monitoring Solutions course from TalTech Cyber Security MSc program.
https://link.springer.com/chapter/10.1007/978-3-030-22868-2_45

Cyber Security Newsletter 2019-09-05

Leave a reply

[2019-09-03] OSCE assessed Estonian 2019 parliamentary elections and have produced report containing recommendations for i-voting. According to OSCE, the Election Service should develop a strategy to reduce the risk of internal attack before the next election, and should also publish third-party risk assessments, audits and other reports before the next election.
https://digi.geenius.ee/rubriik/uudis/rahvusvahelise-ekspertruhma-raport-leidis-eesti-e-valimiste-osas-mitu-kriitilist-kohta/
https://www.osce.org/odihr/elections/estonia/424229
[2019-09-03] Uku Särekanno, head of cyber security at RIA, starting October will take up duty at the European Union’s IT agency eu-LISA, where he will coordinate the deployment of new large-scale databases in the Schengen area. RIA will be looking for new Deputy Director General.
https://www.err.ee/976328/ria-tippametnik-liigub-el-i-it-agentuuri-juhtima-andmebaaside-rakendamist
https://www.ria.ee/et/uudised/uku-sarekanno-asub-toole-euroopa-liidu-it-agentuuri-eu-lisa.html
[2019-09-03] Estonian passports will be manufactured by ID Global Solutions Limited. They will provide all the templates and equipment but PPA will print them. Currently Gemalto OY provides the service (until 2021). To mitigate the risks the state prefers to purchase ID-1 format documents and travel documents from different companies (source: Lips et al.).
https://news.err.ee/976363/id-global-solutions-awarded-estonian-passport-contract-from-2021
https://www.err.ee/976324/eesti-passe-asub-tootma-id-global-solutions-limited
[2019-08-29] I-voting workgroup members have submitted 30 suggestions for improvements. Among them is the proposal that the number of people involved in conducting and supervising elections should increase and to raise the number of independent observers at election counts.
https://news.err.ee/974715/e-voting-workgroup-recommends-more-audits-and-observers
[2019-08-23] MoD announced MSc thesis scholarship competition in categories: cryptography; situational awareness; accounting of defense material; planning and management of defense infrastructure; drones. The Master’s thesis scholarship competition is aimed primarily at students entering the Master’s program, but applications may also be submitted by second-year students who have not yet chosen a Master’s Thesis.
http://www.kaitseministeerium.ee/et/eesmargid-tegevused/teadus-ja-arendustegevus/kaitsealaste-magistritoode-stipendiumikonkurss
[2019-08-15] Minister of Finance showed Director General of PPA printout with the line that the document has been digitally signed. It turned out that the document was only a draft which has not been signed. This created a discussion on whether the printout was a forgery.
https://www.postimees.ee/6754513/lauri-lugna-mina-ei-ole-allkirjastanud-elmar-vaheri-toolepingu-peatamist
https://digi.geenius.ee/rubriik/teadus-ja-tulevik/taltechi-professor-selgitab-mis-on-digiallkiri-ja-ajatempel-ja-kas-neid-saab-voltsida/
https://digi.geenius.ee/rubriik/uudis/advokaat-pelgalt-allkirjastatud-digitaalselt-kirjutamine-dokumendile-pole-allkirja-voltsimine/
[2019-08-06] The Estonian government approved objectives to simplify processing of identity documents at foreign representations by introducing online applications and streamlining of passport deliveries by mail. Contrary to government proposal, PPA thinks that mailing documents has security risks and is currently not working on such plan.
https://news.err.ee/968060/police-think-delivering-passports-id-documents-via-courier-not-safe
https://news.err.ee/966949/applying-for-receiving-estonian-passports-ids-abroad-to-be-simplified
[2019-08-07] Microsoft Security Response Center published the list of 75 most valuable security researchers who have contributed to securing the Microsoft’s customers and the broader ecosystem this year. Estonian Jaanus Kääp is among them. He was there also last year.
https://msrc-blog.microsoft.com/2019/08/07/announcing-2019-msrc-most-valuable-security-researchers
[2019-08-07] Gemalto left Estonia without paying to PPA legal expenses of litigation process.
https://tehnika.postimees.ee/6747591/gemalto-lasi-eestist-jalga-aga-suur-volg-jai-maha
[2019-07-31] Visually impaired people claimed 10 000 EUR from RIA due to faulty DigiDoc4 software that did not support screen readers for nearly a year. RIA refused to pay.
https://digi.geenius.ee/rubriik/uudis/nagemispuudega-inimesed-esitasid-vigase-id-kaardi-tarkavara-tottu-riigile-10-000-eurose-noude/
https://digi.geenius.ee/rubriik/uudis/ria-jatab-puuetega-inimestele-10-000-eurot-maksmata/
[2019-07-28] Silvia Lips, Krista Aas, Ingrid Pappel and Dirk Draheim wrote an article “Designing an Effective Long-Term Identity Management Strategy for a Mature e-State” where they analyze the process of developing identity management strategy white paper.
https://link.springer.com/chapter/10.1007/978-3-030-27523-5_16
https://www.ria.ee/sites/default/files/content-editors/EID/valge-raamat-2018.pdf
[2019-07-26] Head of SK ID Solutions reported about a scam where criminals promise several thousands of euros in earnings. During a Skype call people are asked to share access to their computer. After making the connection, people are prompted to insert ID card into the computer and criminals use it to create a Smart-ID account on behalf of the person. This is quite extreme scam which is hard to prevent with technological means. Nevertheless, these scams should not be used as an excuse for the scams that rely on the poor security design choices of Mobile-ID/Smart-ID.
https://digi.geenius.ee/rubriik/uudis/levib-veel-uks-uus-pettus-nuud-luuakse-inimestele-arvutist-ule-kauguhenduse-smart-id-kontosid/
https://news.err.ee/971425/ria-more-cyber-incidents-than-average-registered-in-july
[2019-07-23] IT minister to establish cybersecurity working group whose task will be to coordinate the implementation of the 2019-2022 cybersecurity strategy. This is the third strategy document for the cybersecurity and safety field that defines a longer-term vision for the sector, the objectives to be achieved, and priority courses of action, roles and responsibilities for achieving it.
https://news.err.ee/964005/it-minister-to-establish-cybersecurity-working-group
[2019-07-22] The first-ever Tallinn Summer School of Cyber Diplomacy was held in Estonia, bringing to Estonia approximately 80 diplomats, researchers and experts engaged in cyber issues.
https://vm.ee/en/news/diplomats-eu-and-nato-countries-will-discuss-essential-cyberspace-issues-tallinn-week
[2019-07-22] Cyber Security Summer School 2019 took place. This time it was organized by UT on the bockchain topic.
https://blog.cs.ut.ee/2019/07/22/summary-of-the-cyber-security-summer-school-2019/
[2019-07-17] Estonian Juhan Lepassaar was elected from among 80 candidates to become the next executive director of the European Union Agency for Cybersecurity (ENISA).
https://blog.ria.ee/juhan-lepassaar-kuberpotis-oleme-koik-koos/
https://news.err.ee/962076/juhan-lepassaar-elected-director-of-eu-agency-for-cybersecurity
[2019-07-12] Olerex had it’s customer transaction database stolen. The leak affects about 100 000 transactions concluded in the previous month and a half. It consisted mostly of business client’s names, personal identification numbers, fueling limits and other undisclosed pieces of data. The database was freely available online for a month and a half. Olerex claims that the data was downloaded only by an IT security expert who has confirmed to Olerex that the data has been deleted.
https://news.postimees.ee/6730265/client-information-leaked-from-olerex
https://news.err.ee/961211/information-authority-urges-attention-to-cybersecurity-following-breaches
https://digi.geenius.ee/rubriik/uudis/ria-tunnistab-et-olerexi-andmelekke-avalikustamisel-tehti-viga/
https://majandus24.postimees.ee/6727953/hiigelleke-olerexis-patid-said-katte-kuni-100-000-kliendi-andmed
https://digi.geenius.ee/rubriik/uudis/olerexi-it-juht-hoiatas-eile-it-spetsialiste-veebiserveritest-norkusi-otsivate-bottide-eest/
https://digi.geenius.ee/rubriik/uudis/uus-suur-andmeleke-olerexi-andmebaasi-turvaaugu-tottu-lekkis-kuni-100-000-tehingu-info/
[2019-07-10] Tartu Smart Bike Share website maintained by Bewegen Technologies had a security flaw which allowed to access personal data of registered users (contact details and usage history). Bewegen fixed the flaw in few hours and claimed that nobody except the person who reported the flaw had accessed the data.
https://digi.geenius.ee/rubriik/uudis/tartu-rattaringluse-infosusteemist-leiti-turvaviga-mis-lubas-ligi-paaseda-laenutajate-andmetele/
https://www.tartu.ee/en/node/10640
[2019-07-10] Smart-ID account creation using Mobile-ID has been augumented with SMS notification containing security code that has to be entered when creating Smart-ID instance. This should prevent Mobile-ID phishing attacks towards Smart-ID account creation. To date, there are 42 cases in Estonia where Smart-ID counterfeit accounts were created, in 10 cases it was actually used. Unfortunately, this does not address Mobile-ID/Smart-ID phishing attacks against other services.
https://www.id.ee/index.php?id=39509
https://digi.geenius.ee/rubriik/uudis/smart-id-tegemisel-on-nuud-suur-muudatus-mis-peaks-valistama-voltskontode-loomise/
https://digi.geenius.ee/rubriik/uudis/kalev-pihl-meie-meede-maandab-smart-id-riske-paremini-kui-ria-pakutud-lahendus/
https://digi.geenius.ee/rubriik/uudis/smart-id-petuskeemi-ohvriks-langes-tervelt-28-inimest/
https://digi.geenius.ee/rubriik/uudis/kurjategijad-proovisid-smart-id-kontosid-luua-ka-juunis-kummekond-korda-jouti-kontosid-ara-kasutada/
https://digi.geenius.ee/rubriik/uudis/uus-statistika-kurjategijad-jatkasid-smart-id-kontode-valja-petmist-ka-maikuus/
[2019-07-03] Web shop charlot.ee leaked usernames, home addresses and plaintext passwords of 14 000 users. The personal details were published as plain text documents and were easily found by googling. The manager of the company initially denied the leak, but later admitted it. So far, there have been no cases in Estonia where the Data Protection Inspectorate has fined some companies for data leakage.
https://digi.geenius.ee/rubriik/uudis/toimus-eesti-ajaloo-suurim-e-poe-andmeleke-ripakil-olid-14-000-eestlase-isikuandmed/
https://digi.geenius.ee/rubriik/uudis/andmekaitseinspektsioon-alustab-andmeid-lekitanud-e-poe-osas-menetlust/
https://news.err.ee/961211/information-authority-urges-attention-to-cybersecurity-following-breaches
[2019-07-02] At the National Defense Council meeting it was agreed that MKM would come out by the end of the year with proposals to strengthen the country’s cryptographic and information security areas. It also gave an overview of the current status of the agreed activities following the ID-card crisis of 2017.
https://www.ituudised.ee/uudised/2019/07/02/kaljulaid-peame-kuberturbe-alast-voimekust-suurendama
[2019-06-28] Email notices sent by the state to personal_ID_code@eesti.ee (but not name@eesti.ee) address will be stored on a virtual “mailbox” on eesti.ee, regardless of whether e-mail forwarding has been configured.
https://blog.ria.ee/eesti-ee-meiliaadressidest-ja-postkastist/
[2019-06-28] ICR2019 workshop took place. Video recordings of the presentations are online.
https://www.ttu.ee/institutes/centre-for-digital-forensics-cyber-security/events-19/interdisciplinary-cyber-research-icr-workshop/icr2019-3/agenda-6/
[2019-06-26] PPA found that due to a technical failure, for more than 15 000 automatically revoked ID cards the certificates were not revoked, which in 285 cases resulted in the ID card of the deceased person being electronically abused by other persons. The bug was discovered already in 2015, but investigated only in the begginning of 2019. Praise to the authorities for not sweeping the incident under the carpet!
https://news.err.ee/956106/thousands-of-id-cards-not-properly-deactivated-due-to-software-glitch
[2019-06-26] Father of i-voting Tarvi Martens made quite a strong statement saying that the i-voting system has no weaknesses and nothing depends on people or computers.
https://news.postimees.ee/6715816/e-voting-creator-the-system-is-bulletproof
[2019-06-22] Märt Põder wrote in his blog why he accepted invitation to take part in i-voting workgroup.
https://gafgaf.infoaed.ee/posts/linnamyyr/
[2019-06-21] The i-voting workgroup has been established and members have been listed. The working group is headed by MKM and includes RIA, the election service, research institutions and other experts. The task of this working group will be to analyze the security and transparency of electoral system processes and, if necessary, make suggestions for improvement. The workgroup will present its report by 12 December 2019 at the latest, which will include an assessment and proposals for system security and public awareness.
https://news.err.ee/958188/it-minister-convenes-inaugural-e-voting-working-group
https://digi.geenius.ee/rubriik/uudis/it-minister-kingo-kutsus-kokku-tooruhma-ja-votab-e-valimised-luubi-alla/
https://www.ituudised.ee/uudised/2019/06/07/it-minister-kingo-kutsub-kokku-e-valimiste-tooruhma
https://mkm.ee/et/uudised/kinnitati-e-valimiste-tooruhma-koosseis
https://www.mkm.ee/et/uudised/valiskaubandus-ja-it-minister-kutsub-kokku-elektroonilise-valimissusteemi-ja-elektroonilise
[2019-06-19] President has rejected the amended Defence Forces Organisation Act for the second time, the Supreme Court will look into the constitutionality of the act this fall. The bill of amendments would grant the Estonian Defence Forces (EDF) the right to secretly gain access to data of the state, municipalities, and legal as well as private persons. EDF argues that this is needed to improve background checks.
https://news.err.ee/953694/supreme-court-to-decide-on-military-surveillance-expansion-this-fall
[2019-06-17] RIA is preparing to implement a new national information security standard, which will replace the ISKE reference security system, which is currently mandatory for public authorities in Estonia. In May, the public procurement process was completed and KPMG Baltics, Cybernetica and TalTech will start assembling a new information security standard. The new standard and accompanying materials should be ready by the end of next year.
https://www.ria.ee/et/uudised/olukord-kuberruumis-mai-2019.html
[2019-06-06] RIA had annual conference. The slides are available.
https://www.ria.ee/et/uudised/ria-juht-peame-pingutama-et-digiriigi-sisu-ei-jaaks-mainest-maha.html
https://www.ria.ee/et/kalender/ria-aastapaeva-konverents-06-06-2019.html
[2019-06-04] PPA will not apply contractual sanctions against SK for Mobile-ID downtime in May.
https://digi.geenius.ee/rubriik/uudis/mobiil-id-teenusepakkuja-paases-politsei-sanktsioonidest/
[2019-05-14] The report “Development and application of cryptography in the Estonian public and private sectors” commissioned by the Ministry of Defence has been released. The report prepared by Cybernetica gives an overview of the state of art in development of cryptography in Estonia, and analyzes the technological and economic potential of the field. Among recommendations is establishment of a national cryptographic competence centre and improving math and science education in Estonia.
https://www.etag.ee/wp-content/uploads/2019/05/Krypto_KAM.pdf

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2018/2019 (August)

Leave a reply

The defences took place on the last week of August.

Student: Aleksandr Tsõganov (Software Engineering MSc)
Title: Integrating User Identity with Ethereum Smart Contract Wallet
Supervisor: Orlenys López Pintado, Aivo Kalu, Kristjan Kuhi
Reviewer: Fredrik Payman Milani

Student: Rahul Puniani (Innovation and Technology Management MSc)
Title: Conceptualization of a Blockchain Based Voting Ecosystem in Estonia
Supervisor: Fredrik Payman Milani, Mihkel Solvak
Reviewer: Orlenys López Pintado

Student: Indrek Purga (Conversion Master in IT)
Title: Detection of forged PDF documents
Supervisor: Kristjan Krips
Reviewer: Alo Peets

Student: Shahla Atapoor (Computer Science MSc)
Title: On Privacy Preserving Blockchains and zk-SNARKs
Supervisor: Helger Lipmaa, Janno Siim, Karim Baghery
Reviewer: Ivo Kubjas

Student: Mart Simisker (Computer Science MSc)
Title: Security of Health Information Databases
Supervisor: Jan Willemson, Dominique Unruh
Reviewer: Meelis Roos

Links:
https://comserv.cs.ut.ee/ati_thesis/index.php?year=2019
https://www.cs.ut.ee/sites/default/files/www_ut/augusti_kaitsmiste_ajakava_28-08-2019.pdf

Cyber Security Engineering bachelor’s theses defense in TalTech (June 2019)

Leave a reply

Monday, June 3 at 9.00-15.00, room 217, curriculum Cyber Security Engineering
Chairman of the Defence Committee: Valdo Praust
The Defence Committee: Kaido Kikkas, Toomas Lepikult

• Steven Rugam, “Cyber Security Assessment for Panbaltic Information System”
• Mikus Teivens, “Detection of Web-based Malware in Linux Environment Using YARA”
• Farhan Nayeem Islam, “Testing and Comparing Android Based Penetration Testing Tools”
• Mark Parfeniuk, “Designing Effective Measures to Promote Secure Video Conferencing”
• Frank Korving, “Choosing and Implementing Continuous Integration: the Case of Certidude”
• Kirill Trunov, “Distributed Payment Automated Systems Risk Assessment and Management”
• Nika Ptskialadze, “Comparative Analysis of Open-source and Proprietary Security Information and Event Management (SIEM) Tools”
• Peep Kuulme, “Cybersecurity Awareness Training Program at Hansab Group OÜ”
• Christopher James Vallintine Carr, “Analysing the Security of Internet Facing Industrial Control Systems – Estonian Refrigeration Companies”
• Andris Männik, “Functionality and Efficiency of Modern Protection Software”

Links:
https://www.taltech.ee/itcollege/teated-8/diplomi-ja-magistritoode-kaitsmised-taltech-it-kolledzis-3-7-juuni-2019/

Cyber Security Newsletter 2019-06-02

Leave a reply

[2019-05-30] In the EP elections the long time i-voting observer was asked to stop filming the vote counting on the grounds that his camera is a communication device, which could leak the results of i-voting before the allowed deadline. The observer wrote formal complaint, will see the response. It is quite naive to believe that some organizational measures could prevent leaking the results if someone from the observers really wanted to do so.
https://digi.geenius.ee/rubriik/uudis/valimisteenistus-korvaldas-europarlamendi-e-haalte-kokkulugemiselt-vaatleja/
https://www.riigiteataja.ee/akt/305062019003
https://digi.geenius.ee/rubriik/uudis/segadus-e-haalte-vaatleja-osas-valimisteenistuse-juhi-ja-kaebaja-utlused-on-vastuolus/
[2019-05-27] Bernhards Blumbergs (TalTech) defended his PhD thesis on “Specialized Cyber Red Team Responsive Computer Network Operations”
https://digi.lib.ttu.ee/i/?12015&
[2019-05-26] In the EP elections 2019, 25.4% of voters cast their vote using i-voting method. There was a technical glitch concerning candidate data on the electoral website, which lasted for about 12 hours and meant that candidate searches did not yield a result on names which included diacritical marks.
https://news.err.ee/946026/grazin-e-vote-cancellation-bid-rebuffed-by-electoral-committee
[2019-05-17] Mobile-ID users have experienced phishing attacks, where the victim is tricked into authorizing creation of Smart-ID instances, which then can be used by the attacker without victim’s consent. Some victims lost money, the police investigation is ongoing. In the beginning of the year, users of SEB, Swedbank and LHV bank experienced similar phishing attacks, where the victims were asked to authorize Smart-ID transactions made by the attacker. According to authorities, Mobile-ID and Smart-ID is secure, the negligent users are to be blamed.
https://digi.geenius.ee/rubriik/uudis/hullem-kui-id-kaardi-kriis-smart-id-turvaauk-ajab-pangad-ja-eksperdid-arevile/
https://www.ria.ee/et/uudised/ria-aprillikuu-raport-kurjategijad-loid-inimeste-teadmata-smart-id-kontod.html
https://www.ituudised.ee/uudised/2019/05/23/pangaliit-smart-id-pettusi-aitab-valtida-ettevaatlikkus
https://news.postimees.ee/6689341/e-services-suffer-worst-breach-yet
https://www.err.ee/943492/riik-hindab-smart-id-d-ka-pettustelaine-jarel-turvaliseks-lahenduseks
https://www.err.ee/937490/lhv-hoiatab-lhv-nimel-saadetud-ongitsuskirjade-eest
https://digi.geenius.ee/rubriik/uudis/ettevaatust-kurjategijad-petavad-tana-eestlastelt-smart-id-paroole-valja/
[2019-05-17] SK’s Mobile-ID service again experienced unexpected downtime. This time the downtime was for more than 24 hours. Due to downtime EMTA decided to extended deadline for submitting declarations. PPA is considering imposing some contractual fines against SK. The contract is confidential and it is not known how much the state pays to SK and what is the benefit for the state to be formally involved in the “issuance” of Mobile-IDs.
https://news.err.ee/938354/mobile-id-service-restored-after-day-of-disruptions
https://raha.geenius.ee/rubriik/uudis/maksuamet-pikendab-mobiil-id-torke-tottu-deklaratsioonide-esitamise-tahtaega/
https://forte.delfi.ee/news/tarkvara/ppa-kaalub-mobiil-id-torgete-tottu-sanktsioonide-rakendamist?id=86240169
https://digi.geenius.ee/rubriik/uudis/mobiil-id-teenuse-katkestus-on-kestnud-juba-ule-poole-paeva/
https://digi.geenius.ee/rubriik/uudis/mis-juhtus-mobiil-id-ga-ja-miks-see-veel-ikka-osaliselt-maas-on/
[2019-05-13] The new IT minister announced that there are plans to conduct an analysis of the i-voting system and independent international audit to make sure that the process of i-voting is transparent and ultimately verifiable. The previous IT minister, who resigned shortly after being appointed, stated that coalition considers ending i-voting if it does not resist “the toughest tests”.
https://digi.geenius.ee/rubriik/uudis/uus-it-minister-viime-labi-e-valimiste-susteemi-analuusi-ja-soltumatu-rahvusvahelise-auditi/
https://digi.geenius.ee/rubriik/uudis/uus-it-minister-kaalume-e-valimiste-lopetamist-kui-see-ei-pea-vastu-koige-kovematele-testidele/
[2019-05-09] RIA and MoD is offering 1.1 million to study: “Simulation of Critical Information Infrastructure Protection in the Cyberspace”. The purpose is to develop a virtual environment in which to simulate situations in the area of vital critical information infrastructure.
https://www.ituudised.ee/uudised/2019/05/09/riik-otsib-kuberkaitse-uuringu-labiviijat
[2019-04-23] Estonian Foreign Intelligence Service has published job ad looking for Microsoft administrator and IT support personnel. It is not common for intelligence agencies to publish job advertisements.
https://digi.geenius.ee/rubriik/uudis/eesti-koige-salajasem-luureamet-otsib-enda-ridadesse-avalikult-kahte-it-tootajat/
[2019-04-03] Baltic Security and Security Summit took place. Among the Estonian speakers were Liisa Past and Uko Valtenberg.
https://tehnika.postimees.ee/6560059/otseulekanne-infoturbekonverentsilt-security-summit
[2019-04-01] RIA released “Annual Cyber Security Assessment 2019”. Among other things it includes interview with Dominique Unruh (UT) about post-quantum cryptography.
https://www.ria.ee/sites/default/files/content-editors/kuberturve/ktt_aastaraport_eng_web.pdf
https://www.ria.ee/sites/default/files/content-editors/kuberturve/kuberturvalisus-2019.pdf
[2019-04-01] In the “Annual Cyber Security Assessment 2019” RIA disclosed details about the vulnerability in eesti.ee authentication system discovered in June 29, 2018. Turns out that bank link implementation on eesti.ee side did not verify signature, which allowed the attacker to bypass authentication. According to RIA, they checked logs and did not find evidence of the flaw being exploited. It is not said whether the logs actually contained full parameters to retrospectively verify the signatures.
https://digi.geenius.ee/rubriik/uudis/eesti-ee-keskkonnas-oli-ohtlik-turvaviga-mis-lubas-sinna-siseneda-teise-inimesena/
[2019-04-01] RIA plans to expand i-voting system to referendums and other types of elections.
https://news.err.ee/925891/information-system-authority-looks-to-expand-e-voting-as-continuous-service
[2019-03-22] Ministry of Interior published code of conduct for crisis situations, among other things, recommending to be prepared for disruptions in e-services, including the ID card, Mobile-ID, and other means of authentication.
https://kriis.ee/en/preparing-for-crisis-situations/cyberattack-or-cyber-incident/
[2019-03-22] Margus Noormaa was appointed as the new Director General of RIA by Minister of Economic Affairs and Communications (MKM).
https://www.err.ee/922725/ria-peadirektoriks-saab-margus-noormaa
[2019-03-22] From the leaked password dumps journalists found at least 356 passwords belonging to people working in the public sector.
Head of CERT-EE claims that the cyber hygiene of state officials has improved in the recent years.
https://digi.geenius.ee/rubriik/uudis/bingo1-ja-123kalle-vaata-kui-norgad-paroolid-on-eesti-tipp-poliitikutel-ja-ametnikel/
https://digi.geenius.ee/rubriik/uudis/ria-lekkinud-paroolid-naitavad-kuberhugieeni-taset-viis-aastat-tagasi/
[2019-03-20] Mihkel Solvak (UT) gave presentation “Anonymized i-voting log data: how can it be used or abused to understand voter behavior?” (time: 1:15:07).
https://www.uttv.ee/naita?id=28355
[2019-03-14] Authorities plan to perform security analysis to decide whether to implement i-voting with mobile phones starting 2021.
https://tehnika.postimees.ee/6545060/eesti-kaalub-tosiselt-minna-ule-ka-m-haaletamisele
https://digi.geenius.ee/rubriik/uudis/riigi-plaan-mobiiliga-saab-haaletada-juba-jargmistel-valimistel/
[2019-03-13] Aivo Kalu (Cybernetica AS) gave presentation on SplitKey technology used by Smart-ID solution.
https://csrc.nist.gov/CSRC/media/Presentations/SplitKey-Case-Study/images-media/Kalu%20and%20van-de-Poll-threshold-crypto-March-2019.pdf
[2019-03-13] Cybernetica released now cryptography study commissioned by RIA. This time the focus is on post-quantum cryptography.
https://www.ria.ee/et/uudised/kruptograafia-uuring-aitab-kaasa-turvalisemate-lahenduste-leidmisele.html
[2019-03-07] Estonian pet register used 15-digit chip identifier which was not random. This allowed to download data about thousands of dogs and cats and their owners.
https://epl.delfi.ee/news/eesti/ule-eestiline-register-voimaldas-alla-laadida-tuhandete-lemmikloomaomanike-andmeid?id=85544497
[2019-03-07] President refused to promulgate the new law that would grant the Estonian Defence Forces (EDF) the right to secretly gain access to data of the state, legal as well as private persons, clandestinely follow individuals, and carry out other surveillance activities against persons.
https://news.err.ee/946931/riigikogu-backs-extension-of-military-surveillance-capabilities
[2019-03-05] CERT-EE warned about malware emails originating from @swedbank.ee domain. Part of the blame, however, must be taken by Swedbank, because it has not enabled DKIM email authentication for swedbank.ee domain.
https://twitter.com/CERT_EE/status/1103214465766641664
https://twitter.com/SadEstonianIT/status/1110220361575120896
[2019-03-02] In Riigikogu elections 2019, 43.8% of voters cast their vote using i-voting method. One antivirus software considered the i-voting application a virus. There were many appeals. Two appeals related to i-voting procedure reached Supreme Court, but were rejected. However, the Supreme Court found that the rules in place for identifying, counting and mixing up the votes, as well as signing the results, should be clarified in regulatory acts.
http://forte.delfi.ee/news/digi/piltuudis-tuntud-viirusetorje-arvab-et-eesti-valimisrakendus-on-viirus?id=85397077
https://news.err.ee/917378/richness-of-life-demanding-recount-of-e-votes
https://www.valimised.ee/sites/default/files/uploads/rk2019/RK2019_Visitors_programme_slides.pdf
https://news.err.ee/924034/supreme-court-e-voting-regulations-need-legal-act-clarification
[2019-03-01] RIA is planning public procurement for developing Estonian information security standard.
https://www.ria.ee/et/uudised/kolmapaeval-toimub-riigihanke-eesti-infoturbestandardi-valjatootamine-teabepaev.html
[2019-02-28] Starting from March, SEB and Swedbank will stop providing ID card support services. PIN code replacement will be possible only in PPA customer service points.
https://digi.geenius.ee/rubriik/uudis/homsest-saab-id-kaardi-pin-koode-asendada-ainult-politseis/
[2019-02-28] Data Protection Inspectorate ordered to close down website of math exercises for minors, because no data protection conditions were published and processing of personal data for persons under age 13 was done without consent of the parents.
https://digi.geenius.ee/rubriik/uudis/matemaatikaulesannete-veebileht-edastab-avalikult-paroole-ja-naitab-opilaste-isikuandmeid/
[2019-02-25] Estonian social network rate.ee is storing plaintext passwords and recently a critical flaw was found which allowed to read private messages.
https://tehnika.postimees.ee/6531236/korobeiniku-flirdiportaali-rate-ee-kasutajate-eravestlused-voisid-lekkida
[2019-02-09] Tallinn public transport ticket system, which allows passengers to pay with contactless payment cards, has no realtime communication with banking systems, debiting the amount when it gets online. As a result, it is possible to pay also with these bank cards where contactless payments have been disabled. The good news (for passengers) is that debiting payments for these cards will fail. To fight against free-riders, such payment cards after their use will get blacklisted by ticketing system terminals.
https://tehnika.postimees.ee/6519517/jahmatav-avastus-tallinna-piletisusteem-muub-soiduoigust-ka-rahatu-pangakaardiga
https://raha.geenius.ee/eksklusiiv/auk-piletisusteemis-validaator-vottis-pangakaardilt-raha-ehkki-viipemaksed-olid-keelatud/
[2019-02-07] Apparently in Estonia the information what property a person owns is a public information.
https://digi.geenius.ee/rubriik/uudis/kas-teadsid-sellest-portaalist-saab-igauks-tasuta-vaadata-millist-kinnisvara-sa-omad/
[2019-02-07] Estonian Foreign Intelligence Service released annual report describing cyber threats on page 52. No crypto puzzle this year.
https://www.välisluureamet.ee/pdf/raport-2018-ENG-web.pdf
[2019-02-04] Former State Prosecutor Steven-Hristo Evestus will continue his career in the cybersecurity company CybExer Technologies. CyberExer has already hired top personnel from NATO CCDCOE, CERT-EE, SK, and others.
https://digi.geenius.ee/rubriik/uudis/steven-hristo-evestus-liitub-cybexeriga/
[2019-01-31] All three major Estonian banks: SEB, Swedbank and LHV have joined the flash payment system today, which means that up to 95% of payments within Estonia will reach the recipient in just a few moments.
https://tehnika.postimees.ee/6512535/eesti-pankade-vahel-liiguvad-tanasest-maksed-valgukiirusel
[2019-01-31] The court has ordered PPA to take down video showing detention of crime suspect. The court found that even though the important details that would allow the person to be identified were blurred, the person had become identifiable by means of additional information available.
http://www.delfi.ee/news/paevauudised/eesti/politsei-peab-eemaldama-sotsiaalmeediast-video-hubert-hirve-kinnipidamisest?id=85191065
[2019-01-30] On January 17, data leak with 280 000 email addresses and passwords containing Estonian domains (.ee) was published.
https://www.ria.ee/et/uudised/jaanuaris-avalikustatud-andmelekkekogu-sisaldab-460-000-eesti-meiliaadressi.html
[2019-01-28] From 1st to 5th July 2019, the annual Cyber Security Summer School will take place. The focus this year will be on blockchain technologies and its impact on digital transformation.
http://studyitin.ee/c3s2019
[2019-01-28] The 5th Interdisciplinary Cyber Research (ICR) Conference 2019 will take place on 29th of June 2019. Deadline for abstracts is 15 April 2019.
https://www.taltech.ee/institutes/centre-for-digital-forensics-cyber-security/events-19/interdisciplinary-cyber-research-icr-workshop/icr2019-3/
[2019-01-25] Card payments rise as ATM withdrawals fall. In Estonia around €1.50 are spent by card for every €1 withdrawn.
https://news.err.ee/904120/card-payments-rise-as-atm-withdrawals-fall
[2019-01-23] Martin Paljak found that the entire electronic functionality of new Estonian ID card can be used also over the contactless interface. To establish the connection only the CAN code printed on the ID card must be known.
https://github.com/martinpaljak/esteidhacker/wiki/NFC
[2019-01-21] Geenius raised attention to a registration form in school’s website, which was not served over a secure connection. Good to see that non-TLS forms are not anymore accepted as a norm.
https://digi.geenius.ee/rubriik/uudis/reaalkool-kogus-sisseastumise-isikuandmeid-ule-ebaturvalise-uhenduse/
[2019-01-16] Court decided that private company “Europark Estonia” has the right to obtain personal data of car owners from traffic register maintained by Road Administration. Road Administration decided not to appeal the decision.
https://majandus24.postimees.ee/6500697/kohus-europark-voib-maanteeametilt-nouda-parkimisrikkujate-andmeid
[2019-01-14] The use of Smart-ID in state services is behind price negotiations, Smart-ID being twice expensive than Mobile-ID.
https://geenius.ee/uudis/smart-id-kasutamine-riigi-teenustes-seisab-hinnalabiraakimiste-taga/
[2019-01-12] From February three major banks SEB, Swedbank and Coop Bank will discontinue code cards, Smart-ID being the most popular tool for authentication.
https://news.err.ee/897951/three-major-high-street-banks-phase-out-pass-code-cards-beginning-february
https://tehnika.postimees.ee/6499400/25-000-swedbanki-klienti-ahvardab-veebiteenuseta-jaamine
[2019-01-11] MKM issued regulation specifying requirements for Trust Service Providers who provide certification services for certificates included in Estonian identity documents. According to the regulation, OCSP certificate validity service is currently recognized as vital service, while time-stamping and Mobile-ID service is not.
https://www.riigiteataja.ee/akt/115012019011
[2019-01-10] Scientific study of Estonian X-Road usage log patterns suggests that e-governance adoption is linear.
https://novaator.err.ee/897071/e-riigi-vereringe-logianaluus-paljastab-millised-e-kodanikud-me-oleme
https://www.sciencedirect.com/science/article/pii/S0736585318309390
[2018-12-27] RIA released white paper “Identity Management and Identity Documents 1.0”
https://www.ria.ee/sites/default/files/content-editors/EID/valge-raamat-2018.pdf
[2018-10-23] Bank of Estonia has published interesting statistics about bank card fraud in 2016. The majority – 76% of fraudulent transactions are related to e-shopping on the Internet, 18% using payment terminals and only 6% using ATMs.
https://www.eestipank.ee/blogi/kaardipettused-kolinud-internetti

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2018/2019 (June)

Leave a reply

The defences are taking place on the first and second week of June.

Student: Ivo Pure (Cyber Security MSc)
Title: An Automated Methodology for Validating Web Related Cyber Threat Intelligence by Implementing a Honeyclient
Supervisor: Risto Vaarandi, Raimundas Matulevicius
Reviewer: Alejandro Manzanares

Student: Bruno Didier Produit (Cyber Security MSc)
Title: Optimization of the ROCA (CVE-2017-15361) Attack
Supervisor: Arnis Paršovs
Reviewer: Jan Villemson

Student: Kärt Padur (Cyber Security MSc)
Title: Information Security Risk Assessment in the Context of Outsourcing in a Financial Institution
Supervisor: Raimundas Matulevičius, Liis Rebane, Toomas Vaks
Reviewer: Andro Kull

Student: Marek Matsalu (Cyber Security MSc)
Title: The Development of Digital Forensics Workforce Competency on the Example of Estonian Defence League
Supervisor: Raimundas Matulevičius, Hillar Põldmaa
Reviewer: Hayretdin Bahsi

Student: Pubudini Gayanjalie Dissanayake (Cyber Security MSc)
Title: A Comparison of Security Risk Analysis in the In-house IT Infrastructure and Cloud Infrastructure for the Payment Gateway System
Supervisor: Hayretdin Bahsi, Raimundas Matulevičius
Reviewer: Alexander Horst Norta

Student: Lukáš Bortník (Cyber Security MSc)
Title: Mobile Phone Digital Evidence Providers to Investigate Driver’s Distraction
Supervisor: Pavel Laptev, Satish Narayana Srirama
Reviewer: Matthew Sorell

Student: Mari Seeba (Conversion Master in IT)
Title: A Specification of Layer-Based Information Security Management System for the Issue Tracking System
Supervisor: Raimundas Matulevičius, Ahto Buldas
Reviewer: Meelis Roos

Student: Doris Sarapuu (Conversion Master in IT)
Title: Penetration Testing of Glia’s Web Application
Supervisor: Kristjan Krips, Carlos Paniagua
Reviewer: Riivo Talviste

Student: Kaspar Kala (Conversion Master in IT)
Title: Refinement of the General Data Protection Regulation (GDPR) Model: Administrative Fines Perspective
Supervisor: Raimundas Matulevičius, Jake Tom
Reviewer: Eneken Tikk

Student: Maksym Yerokhin (Software Engineering MSc)
Title: Multi-level Policy-aware Privacy Analysis
Supervisor: Pille Pullonen, Luciano García-Bañuelos
Reviewer: Sara Belluccini

Student: Reelika Tõnisson (Computer Science MSc)
Title: Tighter Post-quantum Secure Encryption Schemes Using Semi-classical Oracles
Supervisor: Dominique Peer Ghislain Unruh
Reviewer: Sven Laur

Student: Helen Tera (Computer Science BSc)
Title: Introduction to Post-Quantum Cryptography in Scope of NIST’s Post-Quantum Competition
Supervisor: Dominique Unruh
Reviewer: Raul-Martin Rebane

Student: Omar Purik (Computer Science BSc)
Title: Creation of Practical Assignments on Information Security for High School Students
Supervisor: Kristjan Krips, Tauno Palts
Reviewer:

Links:
https://comserv.cs.ut.ee/ati_thesis/index.php?year=2019
https://www.cs.ut.ee/sites/default/files/www_ut/kaitsmised_v_30-05.pdf

Cyber Security master’s theses defense in TalTech (May 2019)

Leave a reply

May 27th, 2019, Akadeemia Tee 15a, Room ICT-411.

Time: 10:00
Student: Olesia Yaremenko
Title: Skills Evaluation of Participants of Cybersecurity Exercises on the Example of a Virtual Hands-on Forensic Lab
Supervisor: Sten Mäses
Reviewer: Kaie Maennel

Time: 10:40
Student: Saber Yari
Title: Creating Cyber Security Exercises for Open Source Intelligence and Reverse Engineering
Supervisor: Sten Mäses
Reviewer: Birgy Lorenz

Time: 11:20
Student: Heleri Aitsam
Title: Teaching Cyberethics and Measuring Cyberethical Behavior in a Classroom Setting
Supervisor: Sten Mäses
Reviewer: Birgy Lorenz

LUNCH 12:00-12:40

Time: 12:40
Student: Jaana Metsamaa
Title: Framework for Measuring and Maximizing Security Feature Impact in Business to Business SaaS Products
Supervisor: Andro Kull
Reviewer: Erwin Orye

Time: 13:20
Student: Bitchiko Kodua
Title: Creating Labs for Web Application Security and Methods of Defining Difficulty Levels
Supervisor: Hayretdin Bahsi
Reviewer: Kaie Maennel

BREAK 14:00-14:30

Time: 14:30
Student: Jorge Alberto Medina Galinda
Title: Generation of Malware Behavioral Datasets in a Medium Scale IoT Networks
Supervisor: Hayretdin Bahsi
Reviewer: Olaf Maennel

Time: 15:10
Student: Roman Kononov
Title: Macintosh Operating System Exploitation and Intrusion Prevention
Supervisor: Toomas Lepik
Reviewer: Olaf Maennel

Time: 15:50
Student: Kristine Hovhannisyan
Title: Applying Confidence-Building Measures to Cyber Conflict: Computer Emergency Response Cooperation and Cyber Espionage
Supervisor: Eneken Tikk; Olaf Maennel
Reviewer: Anna-Maria Osula

May 28th, 2019, Akadeemia Tee 15a, Room ICT-315.

Time: 10:00
Student: Alberto Zorrilla Garza
Title: Beaconleak: Use and Detection of 802.11 Beacon Stuffing as a Covert Channel
Supervisor: Olaf Maennel
Reviewer: Hayretdin Bahsi

Time: 10:40
Student: Krishna Vaishnav
Title: Analysis of WhatsApp Data Obtained before the General Election (Lok Sabha) 2019 in India
Supervisor: Olaf Maennel
Reviewer: Adrian Venables

Time: 11:20
Student: Alessandro Mirani
Title: Unintentional Cybercrime
Supervisor: Tiia Sõmer
Reviewer: Sten Mäses

LUNCH 12:00-12:40

Time: 12:40
Student: Abenezer Berhanu Weldegiorgis
Title: Developing National Cybersecurity Strategy for Ethiopia
Supervisor: Mika Kerttunen
Reviewer: Tiia Sõmer

Time: 13:20
Student: Tambet Paljasma
Title: Validating Docker Image and Container Security Using Best Practices and Company Policies
Supervisor: Margus Ernits
Reviewer: Alejandro Guerra Manzanares

BREAK 14:00-14:20

Time: 14:20
Student: Kirke Pralla
Title: Creation of Freely Accessible Interactive Training Materials for Secure Android Development
Supervisor: Margus Ernits
Reviewer: Alejandro Guerra Manzanares

Time: 15:00
Student: Annika Aavaste
Title: How to Improve Data Protection and Information Security in Local Governments Using GDPR compliant training
Supervisor: Eneken Tikk
Reviewer: Matthew Sorell

Time: 15:40
Student: Randel Raidmets
Title: A Comparative Analysis of Open-Source Full Packet Capture Software Solutions
Supervisor: Mauno Pihelgas
Reviewer: Risto Vaarandi

May 29th, 2019, Akadeemia Tee 15a, Room ICT-315.

Time: 10:00
Student: Nikita Kuznietsov
Title: Researching Underground Forums to Improve Fraud Detection at TransferWise [RESTRICTED defense]
Supervisor: Jaan Priisalu; Sandra Horma
Reviewer: Aleksandr Lenin

Time: 10:40
Student: Kristopher Ryan Price
Title: Analysis of the Impact of Poisoned Data within Twitter Classification Models
Supervisor: Jaan Priisalu; Sven Nõmm
Reviewer: Kieren Lovell

Time: 11:20
Student: Andreas Jürimäe
Title: The Security Implications of DMARC in Estonian Goverment Institutions Based on Phishing Attacks in Cambridge University
Supervisor: Kieren Lovell
Reviewer: Hayretdin Bahsi

LUNCH 12:00-12:40

Time: 12:40
Student: Vita Krainik
Title: Distributed Consensus Problems and Protocols: a Systematic Literature Review
Supervisor: Ahto Buldas
Reviewer: Alex Norta

Time: 13:20
Student: Deniz Basar
Title: Uniqueness Criteria for Blockchain Type Distributed Ledgers
Supervisor: Ahto Buldas
Reviewer: Jaan Priisalu

BREAK 14:00-14:20

Time: 14:20
Student: Henry Okere
Title: Analysis of a Node-based Integrity Attack on Networked SCADA Power Plant
Supervisor: Hayretdin Bahsi
Reviewer: Ahto Buldas

Time: 15:00
Student: Mostafa Hadi
Title: Making the shift from DevOps to DevSecOps at Distribusion Technologies GmbH
Supervisor: Hayretdin Bahsi
Reviewer: Kieren Lovell

Time: 15:40
Student: Joanna Rose Castillon Del Mar
Title: Automated Photo Categorization for Digital Forensic Analysis Using a Machine Learning-Based Classifier
Supervisor: Hayretdin Bahşi; Leo Mršić; Krešimir Hausknecht
Reviewer: Matthew Sorell

May 30th, 2019, Akadeemia Tee 15a, Room ICT-315.

Time: 10:00
Student: Kayla Marie Cannon
Title: America’s Panopticon: Privacy Implications of Facial Recognition By Law Enforcement
Supervisor: Mika Kerttunen
Reviewer: Hayretdin Bahsi

Time: 10:40
Student: Andres Antonen
Title: Securing an Automated Code Testing System
Supervisor: Ago Luberg
Reviewer: Toomas Lepik

Time: 11:20
Student: Jessica Ai Truong
Title: Evaluating the Detection Accuracy of JA3 and JA3S in Security Monitoring of SSL Communication
Supervisor: Hayretdin Bahsi
Reviewer: Toomas Lepik

LUNCH 12:00-12:40

Time: 12:40
Student: Tornike Nanobashvili
Title: Improving the Use of a Cyber-Insurance Product in Georgia: the Example of Commercial Banks
Supervisor: Eneken Tikk; Mika Kerttunen
Reviewer: Hayretdin Bahsi

Time: 13:20
Student: Arefeh Fathollahi Kalkhoran
Title: Data Breach: NIST and GDPR
Supervisor: Eneken Tikk
Reviewer: Mika Kerttunen

BREAK 14:00-14:20

Time: 14:20
Student: Chinmay Khandekar
Title: Cookie Security and its Implementation in the Light of GDPR and E-Privacy Regulation
Supervisor: Eneken Tikk
Reviewer: Rain Ottis

Time: 15:00
Student: Nurbanu Konayeva
Title: Application of Active Learning for Botnet Detection
Supervisor: Hayretdin Bahsi; Sven Nõmm
Reviewer: Risto Vaarandi

Time: 15:40
Student: Raul Ezequiel Jimenez Haro
Title: Forensic Tool to Study and Carve Virtual Machine Hard Disk Files
Supervisor: Pavel Laptev
Reviewer: Hayretdin Bahsi

May 31th, 2019, Akadeemia Tee 15a, Room ICT-315.

Time: 10:00
Student: Maarja Heinsoo
Title: Implications of Information Security Culture on Risk Management – Case of a Technology Company
Supervisor: Hayretdin Bahsi
Reviewer: Kaie Maennel

Time: 10:40
Student: Prabin Krishna Subedi
Title: Forensics Analysis of Client-Side Artifacts in Cloud-Based Applications
Supervisor: Hayretdin Bahsi
Reviewer: Matthew Sorell

Time: 11:20
Student: John Chukwufumnanya George
Title: Analysis of the Impact of Bank Verification Number on Financial Security in Nigeria and Potential Cyber Threat Through Social Engineering
Supervisor: Andro Kull
Reviewer: Sten Mäses

LUNCH 12:00-12:40

Time: 12:40
Student: Roman Müller
Title: Analysis of the Estonian X-tee network based on centralized log data [RESTRICTED defence]
Supervisor: Jaan Priisalu; Sven Nõmm
Reviewer: Peeter Laud

Time: 13:20
Student: Ragnar Kobin
Title: A Model for Evaluating State Cyber Security Exercises
Supervisor: Rain Ottis; Kim Joonsoo
Reviewer: Tiia Sõmer

Time: 14:20
Student: Sasan Rezaeifars
Title: Hands-on Lab for Teaching Security Misconfiguration and Broken Authentication
Supervisor: Sten Mäses
Reviewer: Andro Kull

Cyber Security master’s theses defense in Tallinn University of Technology (January 2019)

Leave a reply

January 14th, 2019, Akadeemia Tee 15a, Room ICT-315.

Time: 10:00
Student: Ephrem Demesa
Title: Implementation of a Hands-on Attack and Defense Lab on Insecure Direct Object References
Supervisor: Margus Ernits
Reviewer: Tiia Sõmer

Time: 10:40
Student: Mikk Romulus
Title: Security Testing Estonian Contactless Bank Cards
Supervisor: Olaf Maennel; Tiit Hallas
Reviewer: Hayretdin Bahsi

Time: 11:20
Student: Silver Saks
Title: Towards Building a Covert Cyberspace Operations Infrastructure
Supervisor: Bernhards Blumbergs
Reviewer: Hayretdin Bahsi

LUNCH 12:00-13:00

Time: 13:00
Student: Pavel Tšikul
Title: Encrypted Data Identification by Information Entropy Fingerprinting
Supervisor: Pavel Laptev
Reviewer: Matthew Sorell

Time: 13:40
Student: Randel Raidmets
Title: Data Center Network Traffic Visibility with Open-Source Tools
Supervisor: Hannes Aavaste; Mauno Pihelgas
Reviewer: Risto Vaarandi

Time: 14:20
Student: Annika Aavaste
Title: How to Improve Data Protection in Local Governments by Complying to GDPR
Supervisor: Eneken Tikk
Reviewer: Kaie Maennel

Cyber Security Newsletter 2018-12-31

Leave a reply

[2018-12-21] Estonian criminal police has once again published job advertisement that requires to solve some puzzle. This time there is a cryptic MySQL database published.
https://geenius.ee/uudis/kui-suudad-selle-kruptilise-kuber-moistatuse-ara-lahenda-ootab-sind-eestis-ainulaadne-tookoht/
[2018-12-20] Martin Paljak discovered that PIN envelopes for the new generation Estonian ID cards (issued by IDEMIA) have a security flaw which allows to see through the envelope with flashlight.
https://news.err.ee/886313/new-id-card-issue-codes-can-be-read-using-torch-without-opening-envelope
https://tehnika.postimees.ee/6481827/ekspert-avastas-eesti-uue-id-kaardiga-seotud-turvaprohmaka
https://tehnika.postimees.ee/6486878/id-kaardi-turvaumbrik-ei-paista-enam-labi
[2018-12-19] Due to some human error, several confidential contracts were available publicly on the Ministry of the Environment file management system.
https://tehnika.postimees.ee/6481004/keskkonnaministeeriumist-lekkisid-arisaladused
[2018-12-12] RIA has announced EUR 315k procurement to create SIGa (Signature and Signature Validation Service) which will enable public authorities to add digital signature support to their e-services with minimal development costs. RIA has already created a federated authentication system (supports ID card, Mobile-ID and bank link authentication) which can be used by the public sector.
https://tehnika.postimees.ee/6475645/riik-loob-uhise-digiallkirjastamise-teenuse
[2018-12-04] Cryptography professor Dominique Unruh (UT) has been awarded a 1.7 million grant by ERC to develop quantum cryptography solutions and their computer-based control methods.
https://www.ut.ee/en/news/ut-researcher-awarded-significant-grant-e-estonia
[2018-12-03] The new generation ID cards are being issued by IDEMIA. The cards have color photo and new physical security features. Contact-less interface is disabled by default – requires security analysis before enabling. New cards uses different API (IAS ECC standard), therefore software has to be updated. In the new specification the “Card Management Key” has been renamed to “Police Key”. This has raised suspicion about possible backdoor key in the ID card.
https://news.err.ee/883962/estonia-s-first-new-id-cards-to-be-issued-this-week
https://geenius.ee/uudis/uute-id-kaartide-tootja-lubab-kaartide-isikustamine-toimub-rangelt-ainult-eestis/
https://geenius.ee/uudis/uutele-id-kaartidele-paaseb-ligi-politsei-votmega-milleks-see-moeldud-on/
[2018-11-28] Estonian Defence Forces Cyber Command (military unit performing also offensive cyber operations) is hiring. The competitive advantage for work in Cyber Command is that people are given quite free hands (because there is no money to be made) and access to exclusive weapon systems not seen in the private sector. The unit has been assembled from the existing staff and communications battalion. The primary recruitment point is the conscripts.
https://geenius.ee/uudis/uus-joud-eesti-it-tooturul-meelitab-helgemaid-paid/
https://geenius.ee/uudis/kuberajateenija-voib-juhtuda-et-tuleb-kirjutada-koodi-ka-lahingvarustuses/
[2018-11-28] The head of the Institute of Estonian Academy of Security Sciences (SKA) wants to hold a debate about making the state’s work easier by allowing it to analyze masses of cell phone data. There is an opinion that the state is already using far more cell phone data than is admissible for ensuring privacy.
https://news.postimees.ee/6464646/estonia-s-cyber-reputation-owed-to-putin
[2018-11-09] RIA’s Director General Taimar Peterkop has been appointed by the Prime Minister Jüri Ratas as Secretary of State. Peterkop played a key role in solving the 2017 ID card crisis. New head of RIA is to be appointed.
https://geenius.ee/uudis/ria-juht-taimar-peterkop-saab-uueks-riigisekretariks/
https://news.err.ee/875809/taimar-peterkop-named-new-secretary-of-state
[2018-11-08] Smart-ID solution has been certified by German TUViT as a qualified signature creation device (SSCD), hence Smart-ID signatures now are legally equivalent to handwritten signature. From service provider’s perspective, however, the transaction cost for Smart-ID is double the cost of Mobile-ID. Smart-ID still cannot be used for I-voting, because currently the law requires electronic voter identification using a document issued by the Estonian state.
https://news.err.ee/875538/smart-id-signatures-now-legally-equivalent-to-handwritten-signature
https://sk.ee/en/News/smart-ids-security-was-recognized-on-the-highest-possible-level/
https://geenius.ee/uudis/smart-id-arendaja-jargmise-sammu-peab-tegema-riik-et-smart-id-ga-avalikele-teenustele-ligi-paaseda/
https://geenius.ee/uudis/suur-uudis-smart-id-saab-vordseks-omakaelise-allkirja-ja-id-kaardiga/
https://geenius.ee/uudis/smart-id-vordsustamine-omakaelise-allkirjaga-tuli-eesti-riigile-ullatusena/
https://geenius.ee/uudis/elisa-smart-id-uuendus-on-tervitatav-aga-ei-paku-otseseid-eeliseid-vana-ees/
https://geenius.ee/uudis/telia-mobiil-id-on-endiselt-vajalik-ega-kao-kuskile/
https://geenius.ee/uudis/riigikogu-valimistel-e-haalt-smart-id-abil-anda-ei-saa-kull-tulevad-aga-mitmed-muud-vaiksemad-muudatused/
[2018-11-07] Estonians working in airports and airplanes must fill out a ten-page KAPO form, which requires them to specify, among other things, the names of Facebook, Twitter, Instagram and other social accounts, all telephone numbers, and even the current place of residence and contact details of “previous spouse or person similar to marriage”. It is estimated that up to 3,000 people may be subject to a such background check required by the Minister of the Interior from October 30.
https://ekspress.delfi.ee/kohver/reisiuudised-eesti-alustas-lennundustootajate-radikaalse-taustakontrolliga?id=84238029
[2018-11-07] Personal identification code for the woman was updated due to the change of date of birth. The state information systems were not ready for such change. Around 300 persons will get new personal identification code because of updated date of birth.
https://news.err.ee/875268/birth-date-mismatches-mean-nearly-300-getting-new-id-code
https://www.postimees.ee/6401054/87-aastase-oilme-taassund-raputas-e-riiki
[2018-11-06] PPA submitted one more claim against Gemalto asking 300k EUR for not informing PPA about the ID card ROCA vulnerability.
https://news.err.ee/874973/ppa-seeking-300-000-from-gemalto
[2018-11-06] RIA plans to create few 2-3 minutes long educational videos showing how cyber attacks happen.
https://geenius.ee/uudis/riik-tahab-hakata-demovideotega-naitama-kuidas-kuberrunnakud-tootavad/
[2018-11-06] Criminals took over transaction partners’ email accounts and phished out from Estonian company 80k EUR.
https://tehnika.postimees.ee/6446437/eesti-ettevote-langes-erakordse-kuberpettuse-ohvriks-ja-maksis-hakkeritele-kopsaka-summa
[2018-10-31] Owners of 3-year valid digital ID cards can remotely extend their Digi-ID validity to 5 years.
https://www.ria.ee/et/uudised/ppa-digi-id-kaartide-kehtivusaega-saab-kahe-aasta-vorra-pikendada.html
https://www.id.ee/index.php?id=39010
https://medium.com/e-residency-blog/estonia-is-extending-the-validity-period-of-32-000-digital-id-cards-810d6dbaf73b
[2018-10-25] Gemalto has submitted counter-claim against PPA for PPA being in bad faith (whatever it means) in the compromise negotiations in September.
https://news.err.ee/871871/former-id-card-manufacturer-gemalto-files-against-ppa
[2018-10-19] CERT.LV organized international cybersecurity conference “Cyberchess 2018”. Webapp pentester from Estonia Silvia Väli (Clarified Security) talked about the vulnerabilities she found in the Electron framework.
https://cert.lv/en/2018/09/cybersecurity-conference-cyberchess-2018
https://www.youtube.com/watch?v=NXq1uVyBbkU
[2018-10-18] SilverTicket system had a flaw which allowed to buy tickets without paying for them. The user had to simply access the return URL visible in the bank link request.
https://geenius.ee/uudis/turvaauk-eesti-piletiportaalist-sai-endale-tasuta-pileteid-valjastada/
[2018-10-15] Due to unknown error, for years sensitive personal data of children was publicly available in the Estonian Schools Information System (EKIS) document register.
https://news.postimees.ee/6431380/personal-information-of-children-publicly-available-for-years
https://geenius.ee/uudis/koolide-infosusteemist-lekkisid-opilaste-iseloomustused/
[2018-10-10] Interview in jail with Russian student Aleksei Vasilev accused of penetrating state systems on the orders of FSB. According to him, he wrote a code to access the internal wireless network of an unnamed state agency. He is disappointed that Russian authorities show no interest to help him in his situation.
https://news.postimees.ee/6426230/spy-left-out-in-the-cold-my-homeland-forgot-about-me
[2018-10-10] In the Riigikogu scientific policy conference Professor of Information Security Ahto Buldas (TalTech) in his presentation “E-government base-technologies as a secure protector” stated that current e-government information systems have not been built with the knowledge of engineering based on scientific worldview and attack resistance of systems and components has not been measured. He invited the state to cooperate with universities.
https://novaator.err.ee/867961/teadlane-eesti-e-riigi-kui-susteemi-rundekindlust-ei-tahetagi-moota
[2018-10-05] Starting from November it is possible to buy tickets in Tallinn public transport using contact-less bank cards.
http://forte.delfi.ee/news/digi/uus-valideerimissusteem-toob-kaasa-muudatused-opilastele-ja-mitme-kaardiga-viipajatele?id=83891613
http://forte.delfi.ee/news/digi/video-puust-ja-punaseks-kuidas-toimib-uus-viipemaksetega-validaator?id=83902919
[2018-10-01] Estonian police is using license plate recognition cameras on the Estonian roads (scale not known). Large part of cameras used by police have known security vulnerabilities.
https://geenius.ee/uudis/eesti-politsei-kasutab-kahtlaseid-hiina-kaameraid-mis-on-usas-turvakaalutlustel-keelatud/
[2018-09-27] Police (PPA) sued Gemalto claiming 152 million for generating keys outside Estonian ID card.
https://news.err.ee/864523/police-claim-152-million-from-id-card-producer-gemalto
[2018-09-21] Last year Estonian security authorities eavesdropped on a total of 4,596 calls made in Telia’s network. This is ten times that of Sweden (taking into account countries’ population). Judges sign off on an average of 90% of the wiretap requests. Of all wiretaps 30% concern drug crime investigations, and another 30% suspected corruption cases. Number of wiretaps has stayed the same in recent years. For the purpose of counterintelligence the Office of the Prosecutor General does not need to suspect someone of having committed a crime to order a wiretap. Frequently the information obtained is in turn used to open actual criminal proceedings against individuals.
https://news.err.ee/862992/estonian-state-taps-ten-times-as-many-phones-as-sweden-finland
https://news.err.ee/866369/prosecutor-sees-no-problem-with-high-number-of-wiretaps-lawyers-disagree
[2018-09-20] Professor of eGovernment Robert Krimmer (TalTech) calculated price for voting, i-vote being the cheapest (2.32 EUR) compared to voting on election day (4.37 EUR).
https://tehnika.postimees.ee/6409689/hinnalipik-sai-kulge-kui-palju-maksab-uks-haal-eesti-valimistel
[2018-09-19] eID Forum 2018 was held on 19-20 September. ID card 2017 crisis was among the discussed topics.
https://www.eidforum.org/agenda
https://novaator.err.ee/862756/oppetund-id-kaardi-kriisist-me-ei-peaks-ootama-tehnoloogialt-taiuslikkust
[2018-09-18] In the context of upcoming elections, RIA will provide personalized cybersecurity counseling to political parties and will pentest their websites. RIA has also significantly contributed to the ENISA handbook on election security “Compendium on Cyber Security of Election Technology”.
https://geenius.ee/uudis/riik-hakkab-otsima-erakondade-veebide-norkusi-ja-koolitama-kandidaate/
https://www.ria.ee/en/news/european-union-members-share-advice-cyber-security-elections.html
https://www.err.ee/851275/ria-euroopa-parlamendi-valimised-voivad-saada-kuberrunnakute-marklauaks
[2018-09-17] Cybernetica AS and TalTech organizes Second Workshop on the Protection of Long-Lived Systems (17-18 September, Pärnu, Estonia).
http://plls2018.ttu.ee/
[2018-09-12] Draft regulation has been prepared for allowing the face recognition robots to identify people who apply for Mobile-ID. The purpose is to enable enrollment for Mobile-ID without the need to confirm the application using the ID-card. It would be necessary to visit the PPA only if identification by robot fails.
https://news.postimees.ee/6403388/estonia-to-have-ai-identify-people
[2018-09-07] Cybernetica AS won the defense ministry’s procurement to prepare study to identify opportunities in the Estonian economy in the field of cryptography and to develop concrete proposals to enable the development of the field at national level.
http://www.ituudised.ee/uudised/2018/09/07/cybernetica-asub-uurima-kruptomajandust
[2018-09-06] Apparently Gemalto leaked to local journalists some internal presentation trying to convince the public that Gemalto informed the Estonian state about the ID card vulnerability (ROCA) already in June 15, 2017. In the response PPA concluded that Gemalto is not interested in compromise and will settle the dispute in court.
https://tehnika.postimees.ee/6277212/miljoneid-maksma-lainud-kuberuimerdamine
https://news.postimees.ee/6399999/police-to-take-gemalto-to-court-postimees
https://geenius.ee/uudis/hans-lougas-kuidas-meile-id-kaardi-kriisi-kohta-dokumendid-lekitati-ja-miks-me-neid-ei-usu/
[2018-09-05] Märt Põder in Civic Tech Stockholm #2 explains Estonian I-voting.
https://youtu.be/nllpriKcmVY?t=2876
[2018-09-04] Article “Key Factors in Coping with Large-scale Security Vulnerabilities in the eID Field” by Silvia Lips, Ingrid Pappel, Valentyna Tsap, Dirk Draheim. Describes few positive and negative effects of the vulnerability and key factors that helped to cope with the Estonian ID-card crisis 2017.
https://link.springer.com/chapter/10.1007%2F978-3-319-98349-3_5
[2018-09-04] Heli Tiirmaa-Klaar has been appointed cybersecurity ambassador (Ambassador at Large for Cyber Diplomacy), being responsible for developing Estonia’s foreign policy on cyber security, ensuring its coordinated implementation, representing Estonia in international organisations and contributing to international cooperation in the field.
https://vm.ee/en/news/estonia-appoints-heli-tiirmaa-klaar-its-first-ambassador-large-cyber-security
[2018-09-01] Jaak Tarien takes over as director of NATO CCDCOE. The current director Merle Maigre will go to work for CybExer Technologies.
https://news.err.ee/853814/col-jaak-tarien-to-take-over-as-director-of-nato-ccd-coe
[2018-08-31] Significant DDoS attack by unknown actors for half an hour hit news portals owned by Express Group (Delfi, EPL, Eesti Ekspress, Õhtuleht) and PPA website.
http://forte.delfi.ee/news/digi/eesti-asutusi-ja-ettevotteid-tabasid-eile-kuberrunnakud?id=83515931
https://geenius.ee/uudis/eestit-rasib-ddos-runnakute-laine-mis-see-on-kust-see-tuleb-ja-kuidas-ennast-kaitsta/
[2018-08-08] There are ideas for the next generation ID card to replace PIN-based cardholder verification with fingerprint verification.
https://geenius.ee/uudis/plaani-id-kaart-saab-pin-koodide-asemele-sormejalje-ning-dokumentide-saaks-iseteeninduskioskitest/
[2018-08-06] Tele2 could not provide roaming service for its customers due to faulty software update by Comfone. The failure lasted for several hours. As a compensation Tele2 will cancel the monthly bill for the affected customers.
https://geenius.ee/uudis/tele2-tuhistab-pea-20-000-eestlasel-randlusteenuse-rikke-tottu-augusti-arved/
[2018-07-22] Card payments and ATMs for two hours were down on Sunday due to malfunction on Nets Estonia side.
https://majandus24.postimees.ee/5904349/kaardimakseterminalid-ule-eesti-lakkasid-tootamast
[2018-07-06] Smart-ID is soon to be certified as qualified signature creation device (QSCD). This will require change from 4096-bit to 6144-bit RSA keys (providing 3072-bit RSA security).
https://github.com/SK-EID/smart-id-documentation/wiki/Smart-ID-service-will-start-to-use-6K-RSA-keys

Cyber Security Newsletter 2018-07-06

Leave a reply

[2018-07-06] There are plans to simplify application for Mobile-ID. Currently, to enable Mobile-ID the person has to authenticate in PPA web environment. In the future this security feature will be implemented using face recognition. The solution is developed with MindTitan.
https://www.err.ee/844674/mobiil-id-taotlemine-lihtsustub
[2018-07-06] RIA temporary removed banklink authentication from eesti.ee due to some vulnerability being found in the implementation of authentication mechanism.
https://www.err.ee/844496/ria-on-tanavu-avastanud-mitu-tosist-turvanorkust
[2018-07-03] New version of DigiDoc 4 client has been released. The changes are mainly in the frontend. The functionality of DigiDoc3 Client, DigiDoc Crypto and ID card utility is now merged in a single application.
https://www.err.ee/843839/uus-id-kaardi-rakendus-digidoc-4-jouab-arvutitesse
[2018-06-29] It is now possible to order test cards of new generation ID card chips. New generation will be introduced in identity documents in the end of 2018. While the software and drivers are available, the technical documentation is not yet public. The card will also have a contactless interface, but not clear yet what functionality will be accessible over it.
https://www.ria.ee/ee/rialt-saab-susteemide-testimiseks-tellida-uue-id-kaardi-testkaardi.html
https://www.err.ee/843133/tanavuse-aasta-lopus-tuleb-valja-kontaktivaba-liidesega-id-kaart
[2018-06-27] The maintenance of ID card helpline moves from AS SK ID Solution to Tieto Estonia AS. The new helpline will have new number, but will not provide support 24/7.
The certificates can be suspended 24/7 calling SK ID Solutions using the current number.
https://www.ria.ee/en/the-id-card-helpline-number-will-be-changed-on-sunday.html
https://news.err.ee/842614/ria-changing-id-card-helpline-number-scaling-down-user-support
[2018-06-22] Government discussed the results of implementing cybersecurity strategy 2014-2017. The report shows that 70% of the activities were completed, 16% of the activities were completed in the next period, and 14% of the activities were either not completed mainly due to lack of financial or human resources.
http://www.ituudised.ee/uudised/2018/06/22/kuberturvalisuse-edendamisel-mitmeid-kitsaskohti
[2018-06-22] CyberSpike 2018 has finished and winners are known: 1st place – Artur Luik (TUT), 2nd place – Georg Kahest (TUT), 3rd place – Martin Širokov (Tallinn Technical Gymnasium).
https://geenius.ee/rubriik/teadus-ja-tulevik/eesti-noored-panid-oma-kuberkaitseoskused-proovile-kaitstes-lumemaad/
[2018-06-18] Tõnu Tammer is the head of Estonian CERT from the beginning of June 2018. Interview (in Estonian):
https://geenius.ee/uudis/certi-uus-juht-mullu-kollitas-lunavara-tanavu-pannakse-ohver-oma-teadmata-kruptoraha-kaevandama/
https://geenius.ee/uudis/eesti-cert-sai-uue-juhi/
[2018-06-15] Geenius has analyzed transparency reports of biggest service providers for information requests from Estonian state authorities. Google has received requests about 85 user accounts, delivered data 75% of cases. No requests received by Apple. Microsoft has received requests for five user accounts. Facebook received request for 143 users, delivered data in 67% cases. No data requested from Twitter.
https://geenius.ee/uudis/suur-ulevaade-tehnoloogiafirmadelt-noutakse-endiselt-palju-eestlaste-andmeid/
[2018-06-14] CyCon 2018 videos of keynotes and panels are online:
https://www.youtube.com/watch?v=G0SRPC0Etv0&list=PLV8RTnZwQxcmJQGPlyxknrsVArsUNx1oE
[2018-06-13] National Audit Office has done some audits in Estonia’s local governments and have found that IT security requirements still aren’t implemented.
https://news.err.ee/839106/local-councils-it-security-entirely-inadequate-national-audit-office-finds
https://www.riigikontroll.ee/Riigikontrollipublikatsioonid/Auditiaruanded/tabid/206/Audit/2466/Area/1/language/et-EE/Default.aspx
[2018-06-11] Estonian man arrested for stealing Bitcoin wallets by accessing victim’s e-mail accounts. Large database of user account credentials found on the suspect’s computer.
https://geenius.ee/uudis/kahtlus-eesti-mees-teenis-bitcoine-varastades-mitu-miljonit-eurot/
[2018-06-11] Estonian criminal police has added databases of compromised user accounts found in their investigations to the publicly searchable service “Have I Been Pwned” which will help the victims to get informed.
https://geenius.ee/uudis/politsei-kontrollige-ega-teie-kontot-pole-ule-voetud-ega-bitcoine-varastatud/
https://www.troyhunt.com/data-provided-by-the-estonian-central-criminal-police-is-now-searchable-on-have-i-been-pwned/
[2018-06-08] The state supports UT and TUT cyber security studies with 1.5 millions. The universities are expected to open up research teams for cryptography, digital expertise and cyber defense.
http://www.ituudised.ee/uudised/2018/06/08/riik-toetab-tu-ja-ttu-kuberkaitse-opet-15-miljoniga
[2018-06-08] Swedbank implements limitations for code card use in internet banking. From February 2019 code cards will be abandoned. Currently around 200 000 users are using password card.
https://tehnika.postimees.ee/4501277/swedbank-asus-paroolikaarte-kaotama
https://tarbija24.postimees.ee/4486778/paroolikaardi-kasutajate-arv-vaheneb-visalt-200-000-swedbanki-klienti-jatkuvalt-kasutab-seda
[2018-06-06] RIA’s “Annual Cyber Security Assessment 2018” has been translated to English. Section about ROCA flaw and Internet voting included.
https://www.ria.ee/en/head-of-ria-last-year-was-proof-that-securing-the-digital-lifestyle-requires-investing.html
https://www.ria.ee/public/Kuberturvalisus/RIA-CSA-2018.pdf
https://www.ria.ee/ee/ria-esitles-kuberturvalisuse-aastaraamatut.html
[2018-06-01] Vulnerability has been found in AS Ühisteenused self-service portal parkimine.ee. The flaw allows to browse parking tickets issued to other persons by changing ID in the URL.
https://geenius.ee/uudis/turvaauk-uhisteenuste-veebist-sai-igauks-naha-teiste-inimeste-ja-soidukite-andmeid/
https://geenius.ee/uudis/anto-veldre-uhisteenuste-trahviveebist-leitud-turvaauk-on-muldvana-nii-et-kuidas-see-sinna-sattus/
[2018-05-24] National Audit Office has identified problems with critical state databases: they lack risk analysis, action plan, only minimum needed audits are conducted, backups have not been tested, but no reason to panic.
https://news.err.ee/834127/national-audit-office-identifies-weaknesses-in-critical-database-care
[2018-05-24] Anto Veldre published harsh opinion article in the response to the seminar held by National Electoral Committee about the possibility to introduce i-voting using mobile device.
https://geenius.ee/uudis/anto-veldre-mobiilihaaletamine-saab-tulla-ainult-ule-minu-laiba/
[2018-05-23] RIA is performing security assessment of Smart-ID to decide whether it should be allowed for authentication to state services.
https://www.err.ee/833840/turvatesti-labimisel-voib-ka-smart-id-st-saada-riigiteenuste-autentimisviis
[2018-05-17] It has been found that ID card manufacturer Gemalto has generated private keys outside the chip. As a result, PPA is recalling 12’500 ID cards and revoking the affected certificates on 2018-06-01. Gemalto denies accusations.
https://news.postimees.ee/4490059/estonia-replacing-12-500-unsecure-id-cards-for-free
https://news.postimees.ee/4491312/new-id-card-fault-could-have-been-intentional
https://news.err.ee/832236/police-12-500-id-card-certificates-to-be-deleted-due-to-security-issue
[2018-05-10] RIA has published TUT study about lessons learned from the ID card case. The translation to English is in progress.
https://www.ria.ee/public/PKI/ID-kaardi_oppetunnid.pdf
https://news.err.ee/822819/ttu-cybersecurity-center-director-estonia-needs-more-specialists
https://geenius.ee/uudis/uuring-id-kaardi-kriisile-oleks-olnud-kiire-lahendus-kui-info-selle-kohta-eestisse-oleks-joudnud/
https://www.err.ee/822535/rain-ottis-id-kaardi-kriisist-eestis-on-vaja-spetsialistide-reservi
https://www.err.ee/822452/ttu-raport-kritiseerib-id-kaardi-kriisi-valguses-eesti-hadaolukordade-plaane
[2018-04-25] State will allocate 1.1 million to RIA to cover expenses due to ID card crisis.
https://majandus24.postimees.ee/4478455/valitsus-plaanib-id-kaardi-kriisi-tottu-ria-le-eraldada-ule-miljoni-euro
[2018-04-19] RIA managed to factor one vulnerable RSA authentication key to prove that the ROCA flaw was not only a theoretical threat and the steps taken to eliminate the risk were justified. The factorizing software was provided by Cybernetica AS. Not known how much processing resources the attack required.
http://epl.delfi.ee/news/eesti/id-kaart-murti-lahti-ria-toestas-et-kara-id-kaardi-turvanorkuse-parast-polnud-asjata?id=81807683
[2018-04-11] Digi-ID validity term will be extended from 3 to 5 years.
https://geenius.ee/uudis/digiisikutunnistus-ehk-digi-id-kehtib-nuud-varasemast-kauem/
https://tarbija24.postimees.ee/4481983/digi-id-kehtivusaeg-pikenes-viiele-aastale
[2018-03-26] Police has posted a job offer which involves solving puzzle of cat GIF.
https://geenius.ee/uudis/kui-suudad-selle-kassi-gifi-moistatuse-lahendada-ootab-sind-eestis-haruldane-toopakkumine/
[2018-03-23] RIA has announced EUR 150k worth procurement for design of new eID logos.
https://geenius.ee/uudis/ria-tellib-150-000-euroga-e-id-visuaalse-segapudru-asemele-uue-valimuse/
[2018-03-23] Geenius has listed what data by law the law enforcement agencies in Estonia can ask from mobile operators and Internet service providers:
https://geenius.ee/uudis/millised-sinu-kohta-kaivad-andmed-politsei-su-telefonioperaatori-kaest-katte-saab/
[2018-03-20] The videos from Nordic-Baltic Security Summit 2018 are online. Some selected presentations:
Andres Elliku – CERT-EE S4A: an Open-Source Solution for Distributed Network Security Monitoring
Merike Käo – Estonian 2007 and 2017 Incidents – Have We Learned to Respond Better?
Elsa Neeme – Estonian Cyber Security Act – Ensuring Public Order In Cyber Domain
Rain Ottis – Selected lessons from the 2017 ID-Card case
Oskar Gross – What are the Challenges of Handling Cyber Crime?
https://tehnika.postimees.ee/4444549/otse-kaljurand-koppel-keskkriminaalpolitsei-ja-teised-kogu-tode-kuberturvalisusest
https://summit.confent.com/summary18/
[2018-03-05] According to the head of cybercrime bureau Oskar Gross, secure encryption capability improves the security for ordinary users. The technological environment has not caused a particular headache for PPA in solving crimes.
https://novaator.err.ee/687558/ppa-kruptorakendustest-krupteeritud-sideta-oleks-internet-ohtlikum-koht
[2018-02-13] Due to human error on mobile operator Elisa side, emergency line 112 could not be reached for several hours. In total 151 persons were affected. SMIT discovered the error and Elisa fixed it in 20 minutes. Elisa as a provider of vital service failed to report the fault to RIA.
https://geenius.ee/uudis/elisa-vea-tottu-ei-saanud-paev-otsa-112-helistada-firma-jattis-sellest-teavitamata/