Author Archives: user469294

RIA Cyber Security Report 2016

The Estonian version of the report had already been released in March.

One interesting piece of information disclosed in the report is the case of a targeted attack against the SCADA system used at Viru Keemia Grupp AS. The case was also widely covered in Estonian media.

In 2016, traffic bearing the hallmarks of malware was spotted in the computer network of Viru Keemia Grupp (VKG), an Estonian group of oil shale, power and public utility companies. Software experts found the Mimikatz malware in the VKG office network, used in Windows systems to extract identity credentials (such as passwords, password hashes etc.). [..] Upon further investigation, it was found that a workstation in the SCADA monitoring segment was infected. The workstation was then removed from the network. Network traffic and examples of malware found on computers all pointed to a targeted attack. The malware and control server used have been linked to the APT28 cyber espionage group.

The report also includes RIA's position statement on technology backdoors:

From Estonia’s perspective, strong encryption is vital for ensuring trust in the state’s digital services, as all of the e-services provided by the government and many private sector e-services are based on strong encryption (Estonian digital identity). In the longer term, building in backdoors would thus reduce trust in the digital state, but trust is an extremely important value for Estonia. As a result, Estonia has not supported building backdoors into e-services, and the objective and function of RIA continues to be to ensure the high level of trust in Estonian digital identity.

Links:
https://www.ria.ee/en/ria-cyber-security-more-important-than-ever.html
https://www.ria.ee/public/Kuberturvalisus/RIA_CSA_2017.PDF

Use of password cards for online banking will be limited

Modern security requirements will also be applied to online payments, which is why the scope of use of password cards will be limited. The bill also seeks to align Estonian law with the new European Union Payment Services Directive.

In the future, payment service providers must apply so-called strong authentication requirements when identifying a customer. In Estonia, for example, this means the ID card, Mobile-ID, and various applications and password calculators. To reduce the security risks associated with payments, the use of existing password cards will be limited because they are easily copied. Limitations also apply to online payments where a combination of numbers printed on a bank card is the only security feature.

The security measures in question are expected to fully enter into force in the first half of 2019. The exact date depends on when the European Commission will approve the relevant implementing regulation.

Links:
http://news.err.ee/612354/government-approves-amendments-to-payment-institutions-act
http://majandus24.postimees.ee/4206571/uue-eelnouga-muutuvad-makseteenused-turvalisemaks

Workshop on source code of Estonian i-voting system in Tartu hackerspace

On Friday Sep 8th from 18:00 we will discuss the next-generation source code for the Estonian e-voting software.

The code was published on GitHub on Sep 5th, which leaves us exactly a month to check it out, test it and hack it. To give this new national sport of hacking e-voting a good kickoff, we have a) invited the coders behind the system to introduce the code to us, and b) we will host a brainstorming session on what interesting hacks we can come up with. Let’s see where it goes!

Everybody is welcome; however, some technical knowledge about software and coding will help a lot to make the event meaningful for you.

Links:
https://hackest.org/syndmused:2017-09-08_i-voting

RIA is looking for Internet voting penetration testers

According to the terms and conditions of the contract, the subject of the audit is: ballot counting software, software for voters, the election web site and other technical infrastructure related to e-voting.

Through this, the RIA wants to make sure that there are no vulnerabilities in the system or applications which would make it possible to see or change the voting results or otherwise manipulate the system. The security examiner must draw up a report on security threats in which the potential hazard scenarios are highlighted and suggestions on how to correct the errors are provided.

The testing is organized by the RIA before every election, using the expertise of various experts. “We cannot talk about the results of the earlier security tests, because this information is confidential in terms of security. As far as I can say, the current testing period is around one month, and it also leaves enough time to ensure that if there are any bottlenecks or security problems we will have time to fix them,” said RIA spokeswoman Helen Uldrich.

Indeed, the results of the penetration tests are kept secret. The terms of the procurement stipulate that at the end of the test the reports must be submitted digitally signed and encrypted. Security tests are performed in a test environment and if necessary a secure channel for testers can be created. The i-voting environment is open only to computers with specific IP addresses that are notified to RIA.

Two companies were chosen to do the pentest, and two bugs were found:

Penetration tests were carried out by Clarified Security from Estonia and the international Finnish company Nixu, whose work resulted in the detection of two errors in the new system. According to specialists, this is not something tragic, but part of normal software development.

Links:
http://www.err.ee/610258/ria-otsib-e-valimiste-proovihakkijat
http://www.err.ee/634302/pealtnagija-e-valimistele-leidub-endiselt-kriitikuid

Interdisciplinary Cyber Research (ICR) workshop 2017

8th of July, 2017 — Tallinn, Estonia

The aim of the workshop is to bring together young as well as established scholars undertaking research in various disciplines related to information and communication technologies such as computer sciences, political and social sciences, and law.

You can participate as a speaker (submitting an abstract and delivering a presentation) or simply join our wonderful audience. Speakers are requested to submit a 1000-word abstract.

Agenda:
08:30 – Registration
09:00 – Opening words, Dr Anna-Maria Osula & Prof Olaf Maennel
09:10 – Keynote, “The Triangle of Impossibility: Strategic Decision-Making and Cyber Security”, Mr Lauri Almann
10:05 – Keynote, “The Truth about Hacking. From Russia to Hollywood.”, Mr Ralph Echemendia
11:00 – Coffee break

11:30 – 13:00 SESSION 1: Big Data & Privacy
Ms Kärt Pormeister, “The GDPR as an Enabler for Big Data: What Does it Mean for the Data Subject?”
Ms Maris Männiste, “Social Media and Big Data”
Ms Julija Terjuhana, “Right to Data Portability”
Mr Alexander Mois Aroyo, “Bringing Human Robot Interaction towards Trust and Social Engineering – Slowly & Secretly Invading People’s Privacy Settings”

11:30 – 13:00 SESSION 2: Security
Mr Alessandro Borrello, Mr Sioli O’Connell & Mr Yuval Yarom, “Is Dynamic Analysis of Android Applications More Effective Than Mass Static Analysis at Detecting Vulnerabilities?”
Mr Ben Agnew, “Security Applications of Additive Analogue Memory”
Mr Richard Matthews, “Isolating Lens Aberrations within Fixed Pattern Noise”
Mr Muhammad Imran Khan, “On Detection of Anomalous Query Sequences”

13:00 – Lunch
14:00 – 15:30 SESSION 3: Privacy (cont) & Cyber Crime
Dr Xingan Li, “Social Networking Services and Privacy: An Evolutionary Notion”
Mr Sten Mäses, “Gone Phishin’ (But Not to Jail)”
Mr Kristjan Kikerpill, “Cybercrime Against Business: Who Draws the Short Straw?”
Ms Anne Veerpalu, “Blockchain Technologies”

14:00 – 15:30 SESSION 4: Applied IT-Security
Prof Tobias Eggendorfer, “Using Process Mining to Identify Attacks”
Ms Belgin Tastan, “Electronic Identification System – How to Adopt, Expanding and Provide One Card for All”
Mr Aykan Inan, “Project IVA”
Mr Ayden Aba & Mr Jackson Virgo, “Equity Crowdfunding with Blockchain”

15:30 – Coffee break
15:50 – 17:00 SESSION 5: State and Cyber
Ms Maarja Toots, “Why Do e-Participation Projects Fail? The Case of Estonia’s Osale.ee”
Mr Georgios Pilichos, “Securitization of Cyberspace”
Mr Madis Metelitsa, “Addressing the Security Dilemma in Cyberspace”
Ms Somaly Nguon, “Cambodia’s Effort on Cybersecurity Regulation: Policy and Human Rights’ Implications”

15:50 – 17:00 SESSION 6: eGovernment & Security
Mr Harish Gowda & Mr Matt Reynolds, “Real-Time Video Stream Substitution”
Mr Nicolas Mayer, “The ENTRI Framework: Security Risk Management Enhanced by the Use of Enterprise Architectures”
Mr David Hubczenko, “Investigation into Twitterbot Identification Techniques”
Mr Lachlan Gunn, “Geolocation of Tor Hidden Services: Initial Results”

18:00 – Social snacks at “August”, Väike-Karja 5

Links:
http://cybercentre.cs.ttu.ee/en/icr2017/

SK ID Solutions declared provider of vital services

The Identity Documents Act was amended to declare the provider of certification services a vital service provider:

(31) The provider of certification service that enables digital identification and digital signing with the certificate which is entered in the documents issued on the basis of this Act is the provider of vital service specified in clause 36 (1) 8) of the Emergency Act.
[RT I, 03.03.2017, 1 – entry into force 01.07.2017]

In practice, at least for now, the new status does not introduce significant new requirements, since the operational requirements set by law for SK as a qualified trust service provider were already quite high.

Links:
https://www.riigiteataja.ee/en/eli/521062017003/consolide

Personal data tracker service allows inferring the activities of other persons

Since March of this year, everyone is able to check on the eesti.ee portal which state agencies have viewed their data in the population register. The new service is a matter of grave concern to notaries, who are required to make inquiries into the population register, for example, to find out whether real estate may be the joint property of spouses or former spouses, or to organize succession proceedings based on the data, including identifying potential heirs. According to Eve Strangi, Chief Executive Officer of the Chamber of Notaries, after the Data Tracker service came into being, people who had not used the notarial service themselves, but whose parents, children or spouse had done so, also received notice that their personal data had been viewed.

In most cases, people can get information that their data has been viewed, but not always. “An exception, for example, is the situation where heir data is required to make a will. However, the will is secret until the death of its maker, and the existence and content of the act cannot be disclosed to the heir earlier than specified by law.”

Heiko Vainsalu, head of X-Road at the State Information System Agency (RIA), said that the Data Tracker highlighted weaknesses in information systems, which should now be addressed by the authorities themselves. “It is now up to the authorities to eliminate them – to improve the logic of data services and to find data services better suited to specific needs. Besides the ability to track the use and processing of the data in the state information system, the Data Tracker helps to highlight and correct the design mistakes of information systems.”

Some filtering is needed: for example, queries made by law enforcement institutions while investigating crimes must not be shown to the data subjects in the Data Tracker service.

Links:
http://arileht.delfi.ee/news/uudised/andmejalgija-paljastas-notarite-salajased-toimingud?id=78131976

Possible to apply for a new ID card online using bank authentication

The Police and Border Guard Board (PPA) has a new online portal where citizens can apply for ID cards based on previously issued identification. Beyond their existing ID cards, people can also log in using their Mobile-ID or Internet bank, which is good news for Apple users, as the state’s systems typically don’t work to their full extent for anyone coming in using Apple devices. The fact that people can use their bank to log in also means that those whose existing ID card has already expired can apply for a new one, Abram added.

The solution is likely to be very welcome, as PPA has limited the number of offices where people can apply for documents to just a handful of service centers, and queues have been a constant problem. There are plans to extend the portal’s services to include passport applications as well as other processes that are currently limited to PPA’s service centers, and to include all residents of Estonia that have a personal identification code (isikukood).

The law was changed to remove the requirement for the application to be digitally signed:

§ 5. Electronic filing of application
(1) Upon submission of an application electronically, the documents specified in the Regulation shall be attached to the application electronically.
(2) An electronically filed application shall be signed digitally or submitted uniquely via an electronic channel that allows verification of identity.
(3) If an application is submitted via an electronic channel specified in paragraph 2, the applicant shall, upon issuing his identity document, confirm with the signature that the data and documents submitted by him in the application are correct.

Links:
http://news.err.ee/602902/police-opens-new-internet-environment-for-simplified-id-application
https://www.riigiteataja.ee/akt/114012017014
http://forte.delfi.ee/news/tarkvara/veebi-teel-id-kaardi-taotlemine-on-populaarne?id=79758000

Sensitive personal data published in document registers of state agencies

During a Garage48 hackathon held in Tallinn over the weekend, one participating team announced that they could not publish the results of their work, as it contained too much personal data they had accidentally come across in state document registers. There are hundreds of such registers across Estonia, as ministries, agencies, local governments and schools all have their own digital document registers.

The paper noted that while the Estonian Data Protection Inspectorate does check the security of document registers, it does so by hand, and checks are often followed by monitoring procedures and, less frequently, even fines for register administrators.

A similar problem was discovered back in April by the Estonian startup Texta, which created its own tool for analysing document registers. Texta co-founder Silver Traat said they had discovered a lot of highly detailed personal information in the document register of the education ministry.

„We held a workshop as part of a language technology conference where we did what the state lacks the capacity to do itself. We downloaded 150,000 documents from the ministry’s document register and discovered that they held, among other things, people’s personal identification numbers, bank account numbers and addresses. We even came across some passport numbers,“ Traat described. He added that most of the information was from employment contracts.

This is the unfortunate side effect of open data: for that data to be useful, it actually has to contain at least some bits of personal data.
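The check a register administrator would want before publishing, as an added example (not Texta's tool or any state system's code): it scans document text for Estonian personal identification codes (isikukood), validating the embedded birth date and the checksum so that arbitrary 11-digit numbers are not flagged, and lists the documents that need review. The document names and codes below are constructed test data.

```python
import re
from datetime import date

# Estonian personal identification code layout: G YY MM DD SSS C
#   G = century/sex digit (1-8), YYMMDD = birth date, SSS = serial, C = checksum
_ID_CANDIDATE = re.compile(r"(?<!\d)[1-8]\d{10}(?!\d)")
_CENTURY = {1: 1800, 2: 1800, 3: 1900, 4: 1900, 5: 2000, 6: 2000, 7: 2100, 8: 2100}


def checksum(digits: str) -> int:
    """Checksum of the first 10 digits: weights 1..9,1; if the result is 10,
    retry with weights 3..9,1,2,3; if that is 10 as well, the checksum is 0."""
    weights1 = [1, 2, 3, 4, 5, 6, 7, 8, 9, 1]
    weights2 = [3, 4, 5, 6, 7, 8, 9, 1, 2, 3]
    total = sum(int(d) * w for d, w in zip(digits[:10], weights1)) % 11
    if total != 10:
        return total
    total = sum(int(d) * w for d, w in zip(digits[:10], weights2)) % 11
    return 0 if total == 10 else total


def is_valid_isikukood(code: str) -> bool:
    """True only for an 11-digit code with a real, non-future birth date and a correct checksum."""
    if not re.fullmatch(r"[1-8]\d{10}", code):
        return False
    try:
        born = date(_CENTURY[int(code[0])] + int(code[1:3]), int(code[3:5]), int(code[5:7]))
    except ValueError:  # e.g. month 45 or day 31 in February
        return False
    if born > date.today():
        return False
    return checksum(code) == int(code[10])


def find_personal_codes(text: str) -> list:
    """Validated codes found in the text, in order of appearance, without duplicates."""
    found = []
    for match in _ID_CANDIDATE.finditer(text):
        code = match.group(0)
        if is_valid_isikukood(code) and code not in found:
            found.append(code)
    return found


def scan_register(documents: dict) -> dict:
    """Map document name -> personal codes it contains; only documents with hits are returned."""
    report = {}
    for name, body in documents.items():
        hits = find_personal_codes(body)
        if hits:
            report[name] = hits
    return report


# Constructed sample register entries; the codes are synthetic values that pass the checksum
SAMPLE_DOCUMENTS = {
    "employment_contract_0421.txt": "Employee Mari Maasikas, personal code 37605030299, bank account ...",
    "budget_memo_0422.txt": "Reference 12345678901 relates to invoice 37605030290.",  # neither validates
    "minutes_0423.txt": "Attendees: 39001010110 and 60010100016 (codes recorded by mistake)",
}

if __name__ == "__main__":
    for name, codes in scan_register(SAMPLE_DOCUMENTS).items():
        print(f"REVIEW BEFORE PUBLISHING: {name}: {codes}")
```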

Links:
http://news.postimees.ee/4123431/stacks-of-sensitive-data-lying-unprotected
http://news.err.ee/597791/sensitive-personal-data-exposed-in-state-registers

Estonian “data embassy” to open in Luxembourg

Data of the Estonian administration may be stored on servers in Luxembourg as well as in Estonia as early as the end of this year. The “data embassy” created this way will contain information vital to the functioning of the state, and will make an attack on the country’s systems more difficult.

As cyber security expert of Tallinn’s NATO Cyber Defence Centre of Excellence, Jaan Priisalu, says, “If an operator is planning to occupy another country, one of their objectives is going to be to take over the existing institutions, or to suppress them, and if you can make these institutions ex-territorial, take them out of reach of the potential attacker, you increase the political price of the attack.”

According to Laura Kask, advisor to the ministry’s state information systems department, negotiations were held with other countries as well, but the ones with Luxembourg had progressed the furthest. “For one thing, they offer data centers with a very high level of security, and for another they are quite similar to us in terms of their IT development and their way of thinking,” Kask said. In terms of money, there are no exact figures available, but the data center in Luxembourg will be markedly more expensive than running a similar infrastructure in Estonia. There is one entry in the government’s schedule concerning the data embassies, showing an allocation of €240,000.

The physical location of the servers will remain secret, and only people cleared by the Estonian state will have access to them.

The data to be backed up in Luxembourg so far covers ten priority databases, including the information system of the Governmental Payments Office (the Estonian treasury), the pensions insurance register, the business register, the population register, the cadaster, and the identity documents database.

Even now, nothing forbids the Estonian state from storing data backups in Estonian embassies located abroad. Most likely the plan is to build a failover system that is kept in sync in real time.

Links:
http://news.err.ee/592384/first-data-embassy-to-open-in-luxembourg
http://www.opengovasia.com/articles/7597-exclusive%E2%80%94whats-next-for-data-management-in-estonian-government%E2%80%93data-embassies-expanding-e-residency
http://news.err.ee/602273/estonian-government-approves-setting-up-data-embassy-in-luxembourg