Category Archives: Incidents

Passwords of 200’000 Estonian social media accounts leaked

CERT Estonia, the organisation responsible for handling security incidents in .ee computer networks, informed nearly 200,000 Estonians via their employers that their social media passwords had been leaked. According to RIA, a database containing 1.4 billion user records with passwords in clear text had been published on the Dark Web. The database also contains e-mail addresses, more than 190,000 of which end in .ee.

For each institution, CERT sent a list of the individual e-mail addresses concerned. “For example, if there were people from the national broadcaster, let’s say mari.maasikas@err.ee, then we sent information to the head of ERR’s information security that the passwords of these people have leaked,” explained Mägi.

The number of Estonians at risk is much larger, since most personal e-mail accounts do not use a .ee domain. A Good Samaritan could instead send direct warning e-mails to all of the addresses in the database.
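The triage that CERT-EE describes above (pull the .ee addresses out of a dump and hand each institution only its own list, never the passwords) looks roughly like this. This is an added example, not CERT-EE’s or RIA’s tooling; the dump lines, addresses and the colon-separated “email:password” layout are constructed for the example.

```python
from collections import defaultdict

# Constructed sample in the "email:password" layout common in credential
# dumps. Every address and password here is made up for this example.
SAMPLE_DUMP = """\
Mari.Maasikas@err.ee:Suvi2017
jaan.tamm@err.ee:parool123
anna.kask@ut.ee:hunter2
bob@example.com:letmein
this line is not a credential
kati.kuusk@err.ee:Salajane!
jaan.tamm@err.ee:parool123
"""


def parse_dump(text):
    """Return (email, password) tuples for well-formed lines.
    Lines without ':' or '@' are skipped; addresses are lower-cased so the
    same mailbox written in different case is counted once later on."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email or not password:
            continue
        pairs.append((email.lower(), password))
    return pairs


def affected_by_domain(pairs, tld=".ee"):
    """Map each domain ending in `tld` to the sorted list of affected
    addresses. Passwords are dropped here on purpose: the institution
    receiving the list only needs to know which accounts to reset."""
    groups = defaultdict(set)
    for email, _ in pairs:
        domain = email.rsplit("@", 1)[1]
        if domain.endswith(tld):
            groups[domain].add(email)
    return {domain: sorted(addrs) for domain, addrs in groups.items()}


def notification_lists(pairs, tld=".ee"):
    """One record per institution: its domain, how many of its addresses
    appear in the dump, and the addresses themselves."""
    return [
        {"domain": domain, "count": len(addrs), "addresses": addrs}
        for domain, addrs in sorted(affected_by_domain(pairs, tld).items())
    ]


if __name__ == "__main__":
    for msg in notification_lists(parse_dump(SAMPLE_DUMP)):
        print(f'{msg["domain"]}: {msg["count"]} account(s)')
        for addr in msg["addresses"]:
            print("   ", addr)
```

Grouping by domain is what makes the per-employer delivery possible; the same structure, keyed on a different TLD or on a list of domains an organisation owns, covers the case where employees use non-.ee mailboxes.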

Links:
http://news.err.ee/648949/200-000-estonians-social-media-passwords-breached
https://geenius.ee/uudis/200-000-eestlase-sotsiaalmeedia-konto-murti-lahti/
https://www.ria.ee/ee/tumeveebis-avaldati-14-miljardi-kasutaja-paroolide-seas-ka-eesti-inimeste-paroolid.html
https://geenius.ee/uudis/eesti-kuberkaitsja-tegelikult-voib-eestist-lekkinud-paroole-olla-palju-rohkem-kui-200-000/
https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14

MyFitness self-service portal accounts created with weak default passwords

The self-service portal of MyFitness, the largest Estonian sports club chain, has a major flaw that allows strangers to easily log in to other people’s accounts and see their personal information. The club has known about the mistake for a month, but it has not been fixed so far.

The test showed that, knowing only completely public information about a MyFitness client, it is possible to sign in to their account if they have not manually changed their password. Namely, the client is assigned a default password when the self-service account is opened, and that password is very easy to guess even for complete strangers. Another problem is that the client is not forced to change this password after logging in, which means people continue to use the insecure password. Thirdly, the password is sent to the person in plain text via e-mail, making it easy to leak.

Signing in to a person’s account allows at least viewing their contact details, contracts with MyFitness, training preferences, history and schedule.

The username is an incremental number and the password is the first name of the account holder. MyFitness was informed about the flaw through CERT-EE already a year ago.
This is another example of a flaw that gets fixed only after it is published in the media.
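All three problems described above (a default password derived from public data, no forced change, and the password mailed in clear text) disappear with one provisioning rule: generate a random single-use password, store only a salted hash, and refuse to complete the first login until the user sets a new password. The following is an added example of that rule, not MyFitness’ code; the client record, the field names and the 12-character minimum are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed client record of the kind a self-service portal would hold.
CLIENT = {"id": 10432, "first_name": "Mari", "email": "mari@example.ee"}

PBKDF2_ROUNDS = 100_000
MIN_PASSWORD_LEN = 12  # assumed policy value


def weak_initial_password(client):
    """The scheme the article describes: the default password is the
    client's first name, i.e. derived from public information.
    Included only for contrast with provision_account() below."""
    return client["first_name"]


def strong_initial_password(nbytes=12):
    """Random temporary password from the OS CSPRNG (not guessable from
    anything the portal or a stranger knows about the client)."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def provision_account(client):
    """Create the account with a random temporary password that is stored
    only as a salted hash and flagged must_change_password. The clear-text
    temporary password is returned exactly once for out-of-band delivery."""
    temp = strong_initial_password()
    salt, digest = hash_password(temp)
    account = {
        "username": str(client["id"]),
        "first_name": client["first_name"],   # kept to reject it as a password
        "salt": salt,
        "pw_hash": digest,
        "must_change_password": True,
    }
    return account, temp


def acceptable_new_password(account, candidate):
    """Reject short passwords and anything equal to the public first name."""
    if candidate is None or len(candidate) < MIN_PASSWORD_LEN:
        return False
    return candidate.lower() != account["first_name"].lower()


def login(account, password, new_password=None):
    """Verify the password with a constant-time comparison. While the
    must_change_password flag is set, the login only succeeds together with
    an acceptable new password, which then replaces the temporary one."""
    _, digest = hash_password(password, account["salt"])
    if not hmac.compare_digest(digest, account["pw_hash"]):
        return "denied"
    if account["must_change_password"]:
        if not acceptable_new_password(account, new_password):
            return "password_change_required"
        account["salt"], account["pw_hash"] = hash_password(new_password)
        account["must_change_password"] = False
        return "ok_password_changed"
    return "ok"


if __name__ == "__main__":
    acct, temp = provision_account(CLIENT)
    print("temporary password (deliver out of band, never store):", temp)
    print(login(acct, CLIENT["first_name"]))          # denied
    print(login(acct, temp))                          # password_change_required
    print(login(acct, temp, "correct horse battery")) # ok_password_changed
```

The point is not the hash function but the state machine: the temporary password cannot be used to read anything, and once it has been replaced it is dead, so even an e-mail that leaks it is worth much less.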

Links:
https://geenius.ee/uudis/myfitnessi-iseteeninduses-laiutab-isikuandmeid-paljastav-ulilihtne-turvaauk-ettevote-pole-kuu-ajaga-seda-parandanud/

Estonian Tax and Customs Board website defaced

The Estonian web security agency WebARX detected in its logs that hackers, apparently originating from Indonesia, had managed to find a security hole in the website of the Estonian Tax and Customs Board and had uploaded a file there.

“If you look at what has been posted on the User98 Deface.id page, you can see that the hack of the Estonian Tax and Customs Board website was in fact pure coincidence. On the same day, January 17, User98 attacked 72 websites in total. All the websites were using the content management system Drupal, and on all of these sites the uploaded file lak1998.txt had identical content,” said Oliver Sild, CEO of WebARX.

Tax and Customs Board spokesman Rainer Laurits said that calling the incident a hacking attack is an exaggeration. According to him, the website administrator had allowed users to post comments, and the text file was uploaded using that functionality. “We removed unsuitable items, including the post in question. In reality, no danger was caused to the emta.ee website.”

Running an unpatched CMS is asking for trouble.

Oliver Sild, CEO of WebARX, who brought the incident to Postimees’ attention, offers security-related services on his website esec.ee, such as restoration of hacked sites and mass-hack prevention.

Links:
http://tehnika.postimees.ee/3986655/haekkerid-testisid-kogemata-maksu-ja-tolliameti-veebilehe-turvalisust

Woman sentenced for accessing ex-boyfriend’s Facebook account


The agreement concluded with the South District Prosecutor’s Office on 16 May 2016:

In January 2015 Maarja Laanemetsa (32), without authorization, logged into the www.facebook.com account of L.L. (her ex-boyfriend) and took screenshots of L.L.’s private conversations (with other women). These actions qualify under Penal Code paragraph §217 “Illegal obtaining of access to computer systems”, subsection (1): “Illegal obtaining of access to computer systems by elimination or avoidance of means of protection is punishable by a pecuniary punishment or up to three years’ imprisonment”.

Moreover, after entering the social network and illegally taking the screenshots of L.L.’s private conversations, the accused forwarded the conversations to K.M. (L.L.’s new partner), thereby violating Penal Code paragraph §156 “Violation of confidentiality of messages”, subsection (1): “Violation of the confidentiality of a message communicated by a letter or other means of communication is punishable by a pecuniary punishment.”

Type and amount of the penalty:
Pursuant to Penal Code paragraph §63 subsection (1), the prosecutor asks the court to sentence the accused to two months’ imprisonment. On the basis of Penal Code paragraph §73 subsection (1), the sentence imposed is not enforced in full unless the accused commits a new intentional crime during a one-year probation period.

The accused shall reimburse the costs of the criminal proceedings:
State legal fees of EUR 48 and, according to Code of Criminal Procedure paragraph §179 section (1) subsection 2, compensation of EUR 645 (1.5 times the minimum monthly wage).

Didn’t the accused already violate the confidentiality of a message when she read the private conversations? Is disclosure to a third person required for the act to qualify under Penal Code paragraph §156?

Links:
http://pluss.postimees.ee/v2/3808889/sotsiaalmeedias-nuhkimine-voib-tuua-kriminaalkaristuse
https://www.riigiteataja.ee/kohtulahendid/detailid.html?id=185111724

Court decision on alleged SMIT account blocker


We wrote about this case before. Here is a summary of the court’s decision:

According to the first-instance Harju County Court decision, Mart Pirita (45) was found guilty of disrupting the remote services of the Ministry of the Interior (SM). According to the verdict, he used the anonymous Tor network to enter multiple wrong passwords for 14 users, thereby blocking their access to the infrastructure.

The actions were qualified under Penal Code paragraph 207 part 1, “Illegal interference with or hindering of the functioning of computer systems by way of uploading, transmitting, deleting, damaging, altering or blocking of data”.

Pirita’s attorney Raul Ainla challenged the qualification of the alleged crime. In the county court’s opinion the qualification was correct, since Mart Pirita had entered wrong passwords for 14 user accounts without lawful permission, whereby the accounts were disabled, interfering with the functioning of the computer system for SM employees.

The first-instance court’s decision was appealed, and the District Court of Tallinn decided that a connection between Mart Pirita and the attacks could not be established with certainty.

In the initial verdict, it was claimed that the attack was performed through three IP addresses known to be Tor exit nodes. Furthermore, it was established that Pirita had downloaded the Tor software from a Debian repository (ftp.ee.debian.org). In addition, according to the metadata logs of Pirita’s ISP Elion, Pirita was connected to the Tor network at approximately the time of the attacks.

The district court judged that the county court had evaluated the evidence incorrectly. The IP addresses from which the attacks were performed belong to Tor exit nodes, so the attacks were indeed performed through the Tor network. However, the county court did not consider how the Tor network works. Every connection through Tor is established via a random path of relays and is encrypted, so an exit node’s address reveals neither who the original source of the communication is nor what the messages are. Thus, even though Pirita connected to the Tor network, it is impossible to link him to the attacks from the exit nodes.

Additionally, the prosecutor Piret Paukštys claimed that, since the file “cached-microdesc-consensus”, which included the IP addresses of the Tor exit nodes participating in the attack, was found on Pirita’s hard drive, it proves the connection between Pirita and the exit nodes. However, this claim was found to be false, since the file is a catalogue of all public Tor nodes and is present in every Tor installation. Thus, any Tor user could possibly have been behind the attack.

According to the prosecutor, another piece of evidence pointing to Pirita was that Pirita had Debian Linux installed in a virtual machine, and the attacker’s user agent presented to the court, “Mozilla/5.0 (Linux; U; Debian Linux; en-US; rv: 1.8.1.12) Gecko/20080201 Firefox/2.0.0.12”, names the Debian Linux operating system.

However, Tiit Hallas, the head of information security at SMIT, could not provide the court with any log file backing the claim that this user agent had been observed. The claimant could not even say which log file the user agent had been taken from, or why the logs were not presented as evidence.

Finally, the court found a clear discrepancy between the times in the log files provided as evidence. Firstly, according to the ftp.ee.debian.org logs, Pirita downloaded the Tor software on 17.08.2014 at 00:57. However, the attacks started on 17.08.2014 at 00:14. Elion’s metadata logs show that Pirita connected to the Tor network only after the attacks had started. Furthermore, an independent expert from the Estonian Forensic Science Institute (EKEI), Oliver Olt, stated that there is no correlation between Elion’s metadata logs and the attacks in the claimant’s logs. The expert added that he could not explain how the attack could have been performed in a way that would correspond to the logs. Thus, in his opinion, the logs rather contradicted the prosecutor’s claim.
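Three technical points in the decision above translate directly into what a defender’s log analysis should and should not do: the lockout pattern itself (many failed logins against many accounts from one source) is easy to detect; whether the source is a Tor exit can be checked against a published exit list, but that check ends attribution rather than providing it; and any timeline built from several log sources has to be checked for ordering before it is relied on. The code below is an added example of those three checks, not SMIT’s or the court’s tooling. The log format, timestamps, account names, IP addresses and the exit-node list are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (format made up; the real SMIT logs were
# never produced in court). Addresses are from documentation ranges.
SAMPLE_LOG = """\
2014-08-17T00:14:02 auth FAIL user=alice src=198.51.100.7
2014-08-17T00:14:05 auth FAIL user=bob src=198.51.100.7
2014-08-17T00:14:09 auth FAIL user=carol src=198.51.100.7
2014-08-17T00:14:11 auth FAIL user=dave src=198.51.100.7
2014-08-17T00:14:20 auth FAIL user=erin src=203.0.113.9
2014-08-17T00:20:00 auth OK user=alice src=192.0.2.44
2014-08-17T00:21:30 auth FAIL user=frank src=192.0.2.44
"""

# Constructed stand-in for a Tor exit-node list. The Tor Project publishes
# the real list; the consensus file named in the article lists all public relays.
TOR_EXITS = {"198.51.100.7", "203.0.113.9"}

LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Return (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def lockout_bursts(events, window=timedelta(minutes=5), min_accounts=3):
    """Flag each source that fails against at least `min_accounts` distinct
    users inside `window`: one wrong password per account is enough to trip
    a lockout policy, so breadth across accounts, not depth, is the signal.
    The Tor-exit flag only says where the traffic left Tor, not who sent it."""
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = []
    for src, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                alerts.append({"src": src, "start": t0,
                               "accounts": sorted(users),
                               "via_tor_exit": src in TOR_EXITS})
                break
    return alerts


def first_failure(events):
    """Earliest failed login in the log, i.e. the attack start to compare
    other evidence against."""
    return min(ts for ts, result, _, _ in events if result == "FAIL")


def timeline_consistent(attack_start, tool_obtained):
    """An artefact (here: the Tor download time) can only support the claim
    that it was used in the attack if it predates the attack start."""
    return tool_obtained <= attack_start


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for a in lockout_bursts(events):
        print(f'{a["src"]} locked {len(a["accounts"])} accounts from '
              f'{a["start"]:%H:%M:%S}; Tor exit: {a["via_tor_exit"]}')
    # Constructed times mirroring the ordering the court found: download after attack start.
    download = datetime(2014, 8, 17, 0, 57)
    print("download before attack start:",
          timeline_consistent(first_failure(events), download))
```

Running it flags only 198.51.100.7 (four accounts in nine seconds, and a Tor exit), while the single failure from 203.0.113.9 and the one from 192.0.2.44 stay below the threshold; the timeline check returns False for a download timestamp later than the first failure, which is exactly the discrepancy the court relied on.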

It was said that Pirita had a motive to perform the attacks, as he had been fired from SMIT due to loss of trust. However, the management of SMIT acknowledged that he was not the only one fired for this reason. There were up to ten people who could have had a motive to perform the attacks. Furthermore, the fact that the attacker knew the correct access point is not sufficient to claim that the attack was performed by a current or former employee of SMIT.

Considering these aspects, the district court decided that the indirect evidence was not sufficient to establish Pirita’s guilt with high probability. According to an earlier Supreme Court decision, if it is possible that someone else could have performed the attack, then the accused should not be convicted.

The district court reversed the previous decision and acquitted Pirita. Additionally, he was compensated for legal fees in the amount of EUR 7,500. The fee for the IT expert examination was covered by the state. The forensic copy of Pirita’s hard disk is to be destroyed to protect his privacy.

The prosecutor did not appeal the district court’s decision.

Links:
https://www.riigiteataja.ee/kohtulahendid/detailid.html?id=180104716
http://www.delfi.ee/news/paevauudised/krimi/pevkuri-ja-vaheri-meilikontode-lukustamise-parast-kohtu-all-olnud-mart-pirita-oigeks-moistmine-on-nuud-loplik?id=74558039
http://www.postimees.ee/3149415/it-spetsialist-jai-ministeeriumi-arvutikontode-blokeerimises-suudi

RIA Cyber Security Report 2015


Some insights:

2015 proved that the continuity of vital services can be affected, or even crippled, by simple ransomware campaigns that weren’t even intended to disrupt those services.

Around-the-clock manned monitoring of Estonian cyberspace has taken place since the summer of 2015. We also adopted new and improved monitoring technologies. As a result of the around-the-clock monitoring, we have prevented, discovered, and reacted to significantly more security incidents than in past years.

In 2015, the lessons learned from the CyberHEDGEHOG 2015 exercise, the amendment of the Emergency Act, and the adoption of the European Union Network and Information Security Directive (NIS) confirmed the need for a clear cyber security law that takes into account modern conditions.

In 2015 we became convinced about the necessity of thoroughly analysing both the legal questions associated with using cloud technologies and the risks connected to the integrity and confidentiality of data being processed in the cloud as well as the need to develop sufficient security measures to minimise those risks.

While European Union structural funds have been a welcome source of support for Estonian cyber security development, and indeed for the whole country’s IT development, it is clear that this situation is not sustainable for the country in the long term.

Links:
https://www.ria.ee/public/Kuberturvalisus/2015-RIA-Annual-cyber-report.pdf

District Court acquits alleged Ministry of the Interior user account blocker


The District Court of Tallinn acquitted Mart Pirita (45), who was accused of locking the e-mail accounts of Minister of the Interior Hanno Pevkur and Director General of the Police and Border Guard Board (PPA) Elmar Vaher, because his guilt was not proven.

The District Court overturned the previous verdict of Harju County Court, which had convicted Pirita and imposed a financial penalty of 270 daily rates, i.e. EUR 13,159.80.

The Prosecutor’s Office accused the ex-employee of the IT and Development Centre of the Estonian Ministry of the Interior (SMIT) of illegally disrupting computer systems by entering data. According to the accusation, in August 2014 Pirita entered, without permission, various incorrect passwords for 14 user accounts under SM’s jurisdiction, which resulted in those accounts being locked. The attack was performed through the Tor network, which allows using the Internet anonymously and hiding one’s tracks. The accusation noted that Pirita may have been motivated by the termination of his employment contract.

Testifying as a witness, Tiit Hallas, the head of information security at SMIT, told the court that the Tor network is used by child pornography and malware distributors. During the attack, an IP address belonging to the company E-Positive.ee, owned by Mart Pirita, was logged into the Tor network.

The District Court found that the County Court had made mistakes in evaluating the evidence and had wrongly concluded that the act was performed by Mart Pirita. The fact that Mart Pirita used the Tor network is not sufficient on its own, as anyone using the network at that time could have performed the illegal act. The evidence collected by the prosecutor does not show a direct relation to the act. The District Court admitted that several circumstances hinted that the blocker was related to SMIT, but this is not enough to convict someone. There is no direct evidence and the indirect evidence is weak, the District Court found.

Links:
http://www.postimees.ee/3657891/ringkonnakohus-moistis-oigeks-hanno-pevkuri-ja-elmar-vaheri-vaidetava-meilikontode-lukustaja

Postimees leaks IP addresses of comment authors


Postimees exposes the IP addresses of comment authors in the JSON served by parrot.php. The field “tsa” appears to hold an integer that encodes the IP address, and the other part is an MD5 hash. The IP can be used to find out from which company’s network a comment originates.

$ ping 3240627210
PING 3240627210 (193.40.12.10) 56(84) bytes of data.
64 bytes from 193.40.12.10: icmp_seq=1 ttl=60 time=9.68 ms

A few years ago Postimees made the same mistake and fixed it, but now the same mistake has been introduced again.
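To make the exposure concrete, and to show what a site should emit instead, here is an added example (not Postimees’ code) that decodes the integer form of the address shown in the ping above and replaces it with a keyed hash. The layout of the sample record, the colon separating the integer from the MD5 hash, and the server secret are assumptions made for the example; the MD5 value is made up.

```python
import hashlib
import hmac
import ipaddress

# Constructed comment record in the shape described above. The integer is the
# one from the ping session; the MD5 hex string is made up for the example.
SAMPLE_COMMENT = {
    "id": 1,
    "text": "example comment",
    "tsa": "3240627210:0cc175b9c0f1b6a831c399e269772661",
}


def int_to_ipv4(n):
    """Decode a 32-bit big-endian integer to dotted-quad notation
    (the same conversion ping performed on 3240627210 above)."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return str(ipaddress.IPv4Address(n))


def decode_tsa(tsa):
    """Split the 'tsa' field (assumed 'integer:md5hex') into (ip, md5hex)."""
    num, md5hex = tsa.split(":", 1)
    return int_to_ipv4(int(num)), md5hex


def commenter_token(ip, secret):
    """What the server can publish instead of the address: an HMAC of the IP
    under a server-side secret, truncated to 16 hex digits. It still lets the
    site (and moderators) group comments from one address, but without the
    key nobody can recover or enumerate the address from the token."""
    return hmac.new(secret, ip.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_comment(record, secret):
    """Return a copy of the record with the raw IP replaced by the token."""
    ip, _ = decode_tsa(record["tsa"])
    clean = dict(record)
    clean["tsa"] = commenter_token(ip, secret)
    return clean


if __name__ == "__main__":
    ip, md5hex = decode_tsa(SAMPLE_COMMENT["tsa"])
    print("exposed address:", ip)                 # 193.40.12.10
    print(sanitize_comment(SAMPLE_COMMENT, b"server-side-secret"))
```

A plain unkeyed hash would not do here: the IPv4 space is only 2^32 values, so an MD5 or SHA-256 of the address can be reversed with a lookup table in minutes. The secret key is what makes the token non-reversible for readers of the JSON.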

Links:
https://tingmarprog.wordpress.com/2016/02/25/postimehe-kommentaariumis-ip-jalle-avalikult-nahtav/

Poorly secured WiFi router abused to send SMS messages to premium-rate numbers


Thanks to a poorly secured WiFi network, within a few days cyber-criminals were able to run up a bill of nearly EUR 1,000 for the dining place BURKS in Tallinn.

The admin account of the EMT WiFi router was accessed and SMS messages were sent out to premium-rate numbers (some Latvian numbers and mobile parking). It seems this was possible because the router used a mobile Internet connection and allowed sending messages through it.

Links:
http://tarbija24.postimees.ee/3456355/reporter-ee-video-kehvasti-turvatud-wifi-vork-toi-soogikohale-kopsaka-arve

Tax refund scammers use the name of the Estonian Tax and Customs Board


“Today I received an e-mail from deklaratsioon@emta.ee. Already at the beginning it seemed doubtful that such a letter would come in November. However, things became even more bizarre when I opened the link in this e-mail. It is obvious that this e-mail seeks to scam naive people out of their credit card details: card number, CVV2 code,” writes a person who received the letter in her Facebook post.

Links:
http://kasulik.delfi.ee/news/uudised/hoiatus-tulumaksu-tagastusest-teavitav-e-kiri-voib-lihtsameelse-rahast-lagedaks-teha?id=72992171