Document counterfeiting case “Maarika” comes to court

Harju County Court on Thursday accepted plea bargains reached between the Office of the Prosecutor General and those charged in connection with a criminal organization found to be illegally issuing official documents and will make a decision regarding their confirmation in early February.

This is what happened in 2015:

Estonian police detained 12 people, including four Police and Border Guard (PPA) employees, in what is believed to be the biggest scam the country has seen in years. The suspects allegedly issued official documents that require state approval, such as language test certificates, residence permits, papers needed to receive Estonian citizenship, and medical certificates. The scam involved forgery, entering false information, and accomplices using fake identities.

PPA employees were abusing state databases and ignoring suspicious applications:

Four Police and Border Guard employees, now suspected of bribery, are believed to have taken part in issuing the forged documents, but they were not the organizers of the scam. They released confidential information, knowingly accepted application forms containing false information, and issued official documents in return for bribes. Two are specialists and two are customer service staff.

This is how the scam got discovered:

Nobody would ever have noticed if not for personnel changes at the PPA last year. As a result, a new person ended up doing the follow-up checks of citizenship applications, and to them many of the cases looked anomalous: applicants who had received positive decisions appeared to have no connection to Estonia whatsoever. As there were dozens of such cases, the official reported them to internal audit.

The scam was organized by a 65-year-old woman calling herself Maarika. Most “clients” who received the counterfeit documents were spared criminal charges in exchange. The lesson here is that if the base identity is not sufficiently protected, no eID system, however well designed, can help.

Links:
http://news.err.ee/v/news/politics/society/77509022-4164-4fb2-81ec-5dab57316f13/enormous-document-factory-scam-exposed
http://news.postimees.ee/3379293/passport-mafia-led-by-babushka
http://news.err.ee/v/news/927817f2-8c7c-435b-a9d9-bde9dc48d934/court-accepts-plea-bargains-in-large-scale-document-counterfeiting-case
http://news.postimees.ee/3996169/members-of-the-passport-mafia-stand-trial

Broker companies have created database of forest owners

According to Postimees, forest broker companies have created a super database of forest owners, part of which could have been leaked from an agency under the Ministry of the Environment.

The database brings together people’s names, dates of birth, telephone numbers, and information on their forest properties. Brokers are using phone numbers that telecommunication companies were not permitted to disclose, as well as information about forests that should remain locked in the forest registry of the Environment Agency.

According to Lehar Lindre, head of the portal metsaoksjon.ee, the passwords for using the registry are also given to forest consultants. “However, the Agency of Environmental Protection, which administers the registry, does not know who has made queries and how many,” said Lindre.

Some private entities hold personal data they should not have, but nobody knows where the data came from.

Links:
http://pluss.postimees.ee/3980443/metsavahendajate-tegevus-viitab-massiivsele-infolekkele

Estonian Tax and Customs Board website defaced

Estonian web security agency WebARX detected in its logs that hackers, apparently originating from Indonesia, had found a security hole in the website of the Estonian Tax and Customs Board and added a file there.

“If you look at what has been posted on the User98 Deface.id page, you can see that the hack of the Estonian Tax and Customs Board website was in fact pure coincidence. On the same day, January 17, User98 attacked 72 websites in total. All of the websites were using the content management system Drupal, and on all of these sites the uploaded file lak1998.txt had identical content,” said Oliver Sild, CEO of WebARX.

Tax and Customs Board spokesman Rainer Laurits said that calling the incident a hacking attack is an exaggeration. According to him, the administrator of the website had allowed users to post comments, and the text file was uploaded using that functionality. “We removed the unsuitable items, including the post in question. In reality, no danger was caused to the emta.ee website.”

Running an unpatched CMS is asking for trouble.

Oliver Sild, CEO of WebARX, who brought the incident to the attention of Postimees, offers security-related services on his website esec.ee, such as restoration of hacked sites and mass-hack prevention.

Links:
http://tehnika.postimees.ee/3986655/haekkerid-testisid-kogemata-maksu-ja-tolliameti-veebilehe-turvalisust

Cyber Security master’s theses defense in University of Tartu (January 2017)

Cybersecurity theses defence on January 6, 2017 in Tartu J. Liivi 2-224 at 11.00 AM.
Defence Committee: Raimundas Matulevičius (chairman), Olaf Manuel Maennel, Vitaly Skachek, Meelis Roos, Hayretdin Bahsi.

Student: Christian Tschida
Title: The Way to the Specialist and Management Level of Cyber Hygiene Initiative
Abstract: The prototype of the Cyber Hygiene e-learning course was implemented and tested in the Estonian Defence Forces in early 2016. This thesis builds on this. It tries to clarify what data should be available to the specialists and what information should be reported to the management. In addition to many interviews with specialists and security experts, a questionnaire was created to raise coverage. The testing of the questionnaire was done at an internationally well-known think tank.
Supervisor: Sten Mäses, Raimundas Matulevičius
Reviewer: Andro Kull

Student: Mohit Kinger
Title: Enterprise Cloud Security Guidance and Strategies for Enterprises
Abstract: This thesis measures the myriad benefits of using cloud applications, and the effect of cloud computing on business performance. A non-exhaustive review of the existing literature reveals that the security challenges faced by enterprises during cloud adoption and interoperability have to be addressed before the implementation of cloud computing. In this thesis, we provide a detailed overview of the key security issues in the realm of cloud computing and conclude with recommendations on the implementation of cloud security.
Supervisor: Andro Kull, Raimundas Matulevičius
Reviewer: Alex Norta

Student: Priit Lahesoo
Title: The Electronic Evidence Examination Reporting System by the Example of West Prefecture
Abstract: This work will focus on practical issues like how to improve the speed of drawing up an electronic evidence examination protocol. The work was done based on examination data collected in the West Prefecture from real work statistics, with the permission of the Police and Border Guard Board. As part of the work, a practical Microsoft Access application was developed by the author.
Supervisor: Truls Tuxen Ringkjob, Raimundas Matulevičius
Reviewer: Hayretdin Bahsi

Student: Wael Mohamed Fathi Ahmed AbuSeada
Title: Alternative Approach to Automate Detection of DOM-XSS Vulnerabilities
Abstract: This thesis proposes an alternative methodology to detect DOM-XSS by building on the existing approach used by web scanners in detecting general XSS. The thesis proposes to add an extra scan layer, which is an actual browser that would be responsible for sending any request and rendering the received HTML response from the web server. To provide a proof of concept for this methodology, the thesis author created a web-based tool on that premise.
Supervisor: Olaf Manuel Maennel, Raimundas Matulevičius
Reviewer: Risto Vaarandi

Student: Vsevolod Djagilev
Title: Android Chat Application Forensic Process Improvement & XRY Support
Abstract: To solve a set of problems a forensic utility has been created, and both manual and automated analysis of chat application data has been done. The main result of this work allows not only performing a search, but also writing modules in Python, which can make the search narrower, and each module can understand a particular format, if needed.
Supervisor: Toomas Lepik, Raimundas Matulevičius
Reviewer: Emin Caliskan

Links:
http://www.cs.ut.ee/sites/default/files/cs/cybersecurity_theses_defence_schedule.pdf

Ahto Truu presentation “Next-gen Key Infrastructure with Smart-ID”

XII. Tartu Software Development Guild Meeting, Friday, January 13, 2016, 18.00 – 20.00, Turu 2 (Tasku), 5th Floor, SaleMove Office

Presenter: Ahto Truu (Software Architect at Guardtime)
Title: Next-gen Key Infrastructure with Smart-ID
Abstract: With more and more people using smartphones and tablets as their computing devices of choice, and with the upcoming migration away from physical SIM cards, a question arises: what will replace the ID-cards and mobile-ID SIM cards as the carriers of the private keys for Estonian national digital signature infrastructure? In this talk we will look at the Smart-ID solution recently jointly proposed by Sertifitseerimiskeskus and Cybernetica. There will be quite a bit of math in the talk, but we will start with a crash course of the basics of the current systems for those who either missed it in school or have since forgotten the details.

About Ahto
During his three decades in ICT, Ahto has worked in hardware installations and user support, as a software developer and architect, and as a systems analyst. Currently he is busy helping Guardtime’s customers preserve the integrity of their important data. Outside his day job he coaches Estonia’s team to the high school students’ programming competitions. He has also been writing programming columns for the popular science magazines A&A and Horisont.

It seems that Ahto plans to describe the underlying details of key generation in the Smart-ID solution.

Links:
https://www.facebook.com/events/225528061227851/

E-Vote-ID 2016: Family Voting Patterns in E-vote Log Data: Estonian Electronic Elections 2013-2015

This paper uses evidence from anonymized system log data on all Estonian e-votes from 2013-2015 to examine patterns and combinations indicative of family voting.
[..]
Using logs we identify unique e-voting sessions coming from the same IP address and computer with the same operating system that happen in close proximity to each other, specifically with not more than 10 minutes between the end of one and the beginning of another unique voting act.
[..]
The results show that 7-8% of e-votes are cast in such pairs. The age and gender structure of these e-voters also shows a set of distinct combinations. The age differences in these pairs are either very small or large. The largest group is formed by same-aged pairs of opposite sexes, indicating same-aged partners e-voting together. Another prominent pattern is pairs with large age differences of the same or opposite sexes, indicating a parent voting together with a voting-aged youth.
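The pairing heuristic quoted above (same IP address and operating system, next session starting at most 10 minutes after the previous one ends) is simple enough to reimplement. The script below is an added illustration, not the paper's code: it runs on a constructed CSV log with assumed columns (sid, ip, os, start, end, age, sex; the ip values are pseudonyms), finds the pairs, labels each pair's age/sex combination the way the paper groups them (the age thresholds are assumptions, not the paper's), and reports the share of sessions cast in pairs.

```python
"""Re-implementation of the e-vote pairing heuristic on constructed data.

Added illustration, not the paper's code. The real study used anonymized
system logs; here a tiny CSV is constructed inline with assumed columns
(sid, ip, os, start, end, age, sex), and the age thresholds used to label a
pair as "same-aged" or "large age gap" are assumptions, not the paper's.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Session:
    sid: str        # unique e-voting session id
    ip: str         # pseudonymized client address (constructed values below)
    os: str         # operating system reported by the voting client
    start: datetime
    end: datetime
    age: int
    sex: str


# Constructed sample log, not real election data.
CONSTRUCTED_LOG = """sid,ip,os,start,end,age,sex
s1,h01,Windows,2015-03-01T10:00:00,2015-03-01T10:04:00,45,M
s2,h01,Windows,2015-03-01T10:06:00,2015-03-01T10:09:00,44,F
s3,h02,macOS,2015-03-01T11:00:00,2015-03-01T11:03:00,52,F
s4,h02,macOS,2015-03-01T11:30:00,2015-03-01T11:33:00,20,M
s5,h03,Linux,2015-03-01T12:00:00,2015-03-01T12:05:00,60,M
s6,h03,Windows,2015-03-01T12:07:00,2015-03-01T12:10:00,58,F
s7,h04,Windows,2015-03-01T13:00:00,2015-03-01T13:03:00,50,F
s8,h04,Windows,2015-03-01T13:13:00,2015-03-01T13:16:00,19,F
s9,h05,Windows,2015-03-01T14:00:00,2015-03-01T14:02:00,30,M
"""

SAME_AGE_MAX = 5    # assumed: |age difference| <= 5 years counts as "same-aged"
LARGE_GAP_MIN = 18  # assumed: |age difference| >= 18 years counts as "large gap"


def parse_log(text: str) -> list[Session]:
    """Parse the CSV log into Session records."""
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        sessions.append(Session(
            row["sid"], row["ip"], row["os"],
            datetime.fromisoformat(row["start"]),
            datetime.fromisoformat(row["end"]),
            int(row["age"]), row["sex"],
        ))
    return sessions


def find_pairs(sessions: list[Session],
               max_gap: timedelta = timedelta(minutes=10)) -> list[tuple[Session, Session]]:
    """Pair consecutive sessions from the same (ip, os) when the next one
    starts no more than max_gap after the previous one ends."""
    groups = defaultdict(list)
    for s in sessions:
        groups[(s.ip, s.os)].append(s)
    pairs = []
    for group in groups.values():
        group.sort(key=lambda s: s.start)
        for prev, nxt in zip(group, group[1:]):
            if nxt.start - prev.end <= max_gap:
                pairs.append((prev, nxt))
    pairs.sort(key=lambda p: p[0].start)
    return pairs


def classify_pair(a: Session, b: Session) -> str:
    """Label the age/sex combination of a pair the way the paper groups them."""
    diff = abs(a.age - b.age)
    if diff <= SAME_AGE_MAX:
        age_part = "same-aged"
    elif diff >= LARGE_GAP_MIN:
        age_part = "large age gap"
    else:
        age_part = "intermediate age gap"
    sex_part = "same sex" if a.sex == b.sex else "opposite sexes"
    return f"{age_part}, {sex_part}"


def share_in_pairs(sessions: list[Session], pairs) -> float:
    """Fraction of all sessions that belong to at least one pair."""
    paired = {s.sid for pair in pairs for s in pair}
    return len(paired) / len(sessions)


if __name__ == "__main__":
    sessions = parse_log(CONSTRUCTED_LOG)
    pairs = find_pairs(sessions)
    for a, b in pairs:
        print(a.sid, b.sid, classify_pair(a, b))
    print(f"share of sessions cast in pairs: {share_in_pairs(sessions, pairs):.1%}")
```

On the constructed log only s1/s2 (two minutes apart, ages 45 and 44) and s7/s8 (exactly ten minutes apart, ages 50 and 19) qualify; s3/s4 are too far apart in time and s5/s6 share an address but not an operating system. Note that the heuristic cannot distinguish a family member helping at the same computer from two people legitimately voting in turn on a shared home machine, which is why the paper reports it as indicative of, not proof of, family voting.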

The new Minister of Economic Affairs and Communications (MKM), Kadri Simson, sees this as a concern for i-voting:

“The Estonian Constitution says that elections must be general and uniform. When an old man votes at the polling station, his young cousin is not allowed to come with him into the polling booth and help him vote. However, in Internet voting it is quite possible, since there is no control over who is assisting in the use of the ID card,” said Kadri Simson, chairwoman of the Center Party faction in parliament.

Links:
https://digi.lib.ttu.ee/i/?6967
http://www.pealinn.ee/koik-uudised/kadri-simson-eestis-pole-antud-voimalust-e-valimiste-turvasusteemi-n174077
http://journals.plos.org/plosone/article?id=10.1371/journal.pone.0177864

SEB mobile app demands permission to access contact list

SEB’s new mobile banking terms of service, set to take effect on March 1, state that the bank can access contacts data in the client’s phone, including phone numbers, street and email addresses of contacts. If a client does not wish to share their contacts data with the bank, they will not be able to make payments based on mobile numbers using the bank’s application.

Public relations adviser at the Data Protection Inspectorate Maire Iro said that all manner of processing of personal information can only take place with explicit permission from the person or under the conditions and pursuant to the procedure provided by law, and that the client cannot give the bank the right to use phone numbers, street and email addresses or other personal data of third persons.

Allas emphasized that SEB does not process data in the way it is stored in the client’s phone, but treats it anonymously, without the part that would allow it to identify persons.

The usability reason why the bank wants to process the contact list is clear: the bank wants to show in the app which contacts have the app installed and can therefore receive a payment. The app cannot offer such a feature without the bank processing the phone numbers of contacts. The current version of the app already asks for technical permission to access the contact list; from March this will also be written explicitly into the terms of service. The wording should be improved, though, since there is a difference between the bank processing the contact information and an application written by the bank processing the data on the user’s device.

Links:
http://news.postimees.ee/3970723/seb-demands-access-to-clients-contacts
http://tarbija24.postimees.ee/3969685/seb-pank-hakkab-noudma-ligipaeaesu-klientide-telefoni-kontaktiloetelule

SK introduced new eID solution Smart-ID

SK introduced its new electronic identity solution Smart-ID, which works on all the most popular smart devices, is not dependent on a SIM card and is usable all around the world.

Using Smart-ID is easy: the user downloads the Smart-ID app from the Google Play or App Store. To use Smart-ID, the user can be identified via ID-card or Mobile-ID. Just like with the ID-card and Mobile-ID, PIN1 and PIN2 codes are required to use Smart-ID. The user creates both in the app. In developing Smart-ID, a lot of emphasis has been placed on ease of use.

Basically, the Mobile-ID functionality has been implemented in a mobile app. Sharing the private key between the server and the mobile device is a neat way to achieve the same security level as Mobile-ID, where the private key is stored in the SIM card: neither party alone holds a key that could produce a signature.

However, we cannot expect Smart-ID to replace Mobile-ID anytime soon, since the solution has not yet been certified as a qualified electronic signature creation device.
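To make the "private key shared between server and device" idea concrete, here is an added example of the general technique in which a single RSA private exponent is split into two multiplicative shares, so that the device produces a partial signature with its share and the server completes it with its own, while verifiers use one ordinary public key. This is a textbook construction written for this page, not Smart-ID's actual protocol (which the page does not describe) and not SK's or Cybernetica's code; the primes, the seed used to derive the device share, and the digest-to-integer mapping are constructed toy values, with no real signature padding.

```python
"""Two-party RSA signing with a multiplicatively split private key.

Added illustration of the general idea "neither the device nor the server
holds the whole private key". It is a textbook construction, NOT Smart-ID's
actual protocol, which the page does not describe. Constructed toy parameters
(small fixed primes, no padding) keep it deterministic and instant; real use
needs 2048-bit+ moduli, random shares and a proper signature padding scheme.
"""
import hashlib
from math import gcd

# Constructed toy RSA parameters (far too small for real use).
P, Q = 104729, 1299709
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # full private exponent; only exists transiently at setup


def split_private_key(d: int, seed: int = 12345) -> tuple[int, int]:
    """Return shares (d1, d2) with d1 * d2 == d (mod PHI).

    d1 is derived deterministically from `seed` (an assumption for the demo;
    real deployments draw it at random) and must be invertible mod PHI.
    """
    d1 = seed % PHI
    while gcd(d1, PHI) != 1:
        d1 += 1
    d2 = (d * pow(d1, -1, PHI)) % PHI
    return d1, d2


def digest(msg: bytes) -> int:
    """Hash the message and map it into Z_N (toy mapping, not a real padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def device_partial_sign(d1: int, msg: bytes) -> int:
    """Device side: raise the digest to its own share only."""
    return pow(digest(msg), d1, N)


def server_complete_sign(d2: int, partial: int) -> int:
    """Server side: finish the signature with its share; never sees d1 or d."""
    return pow(partial, d2, N)


def verify(sig: int, msg: bytes) -> bool:
    """Ordinary RSA verification against the single public key (N, E)."""
    return pow(sig, E, N) == digest(msg)


def demo(msg: bytes = b"constructed document to sign") -> dict:
    """Run one signing round and report which artefacts verify."""
    d1, d2 = split_private_key(D)
    partial = device_partial_sign(d1, msg)
    sig = server_complete_sign(d2, partial)
    return {
        "shares_compose": (d1 * d2) % PHI == D,
        "full_signature_valid": verify(sig, msg),
        "device_share_alone_valid": verify(partial, msg),
        "server_share_alone_valid": verify(pow(digest(msg), d2, N), msg),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the last two results: neither the device's partial signature nor anything the server can compute from its own share verifies under the public key, so compromising one party does not yield a usable signing key. What the demo deliberately leaves out, and what a real deployment has to add, is how the device share is protected by the user's PIN and how the server detects and stops guessing attempts against it.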

Links:
https://sk.ee/en/News/sk-introduced-the-new-e-identity-solution-smart-id/
https://sk.ee/upload/files/8_SK%20uus%20eID%20lahendus_Urmo%20Keskel_AK2016.pdf

Cyber Security master’s theses defense in Tallinn University of Technology (January 2017)

Monday, January 9, 2016, Akadeemia Tee 15a, Room ICT-315.
Defense committee: Rain Ottis (chairman), Hayretdin Bahsi, Raimundas Matulevicius, Andro Kull.
The grades received (in random order): 5, 4, 4, 3, 3, 2.

Time: 10:00
Student: Christian Ponti
Title: Use of ICMPv6 in a Scenario-based Experiment for Computer Network Exfiltration and Infiltration Operations
Supervisor: Bernhards Blumbergs
Reviewer: Olaf Manuel Maennel

Time: 10:40
Student: Terézia Mézešová
Title: Attack Path Difficulty – An Attack Graph-based Security Metric
Supervisor: Hayretdin Bahsi
Reviewer: Aleksandr Lenin

Time: 11:20
Student: Jens Getreu
Title: Forensic-Tool Development with Rust
Supervisor: Olaf Manuel Maennel
Reviewer: Toomas Lepik

Break – 12:00

Student: Chengxiang Wang
Title: Classification of Black-Box Security Reductions and Oracle Separation Techniques
Supervisor:
Reviewer:

Time: 13:00
Student: Dineta Mahno
Title: Design of Cyber Security Awareness Program for the First Year Non-IT Students
Supervisor: Truls Ringkjob
Reviewer: Kaido Kikkas

Time: 13:40
Student: Gvantsa Grigolia
Title: Evaluation of Data Ownership Solutions in Remote Storage
Supervisor: Ahto Buldas
Reviewer: Jaan Priisalu

Time: 14:20
Student: Kasper Prei
Title: Measuring Personnel Cyber Security Awareness Level Through Phishing Assessment
Supervisor: Olaf Manuel Maennel, Bernhards Blumbergs
Reviewer: Sten Mäses

Yearbook of Estonian courts 2015

The focus of this Yearbook is on criminal procedure with special emphasis on surveillance operations. There are three articles that are of our interest.

“Supervision over surveillance”, Uno Lõhmus, Visiting Professor at the University of Tartu:

In conclusion
First, full judicial pre-approval of surveillance operations, judicial supervision of the operations at the time of conduct thereof, and effective review of the operations after their completion are not ensured. Second, the rules on surveillance are laconic, incomplete and ambiguous, and the case law has not been able to improve this situation. In other words, legal clarity of the law is not ensured. This adds to the complexity of judges’ work and may also contribute to superficiality.

In addition, the case law does not clarify whether the installation of spyware in a computer system should be regarded as the installation of a technical means.

As of 1 January 2013, examination of traffic and location data in electronic communication is not considered to be a surveillance operation.

“Problems related to surveillance – the perspective of a defence counsel”, Küllike Namm, attorney-at-law:

In conclusion
This article focuses on the questions that have arisen in connection with surveillance operations and to which the current law does not provide answers. The discussion of these issues is intended to point out that the activities of public authorities in organising surveillance are inadequately regulated by the Code of Criminal Procedure. This creates a situation where the provisions on access to information on surveillance operations do not guarantee that a person subjected to surveillance can examine the data collected by surveillance operations and, where necessary, take possession of the data in a format that can be played back.

“Some problems encountered in computer system searches”, Eneli Laurits, Adviser to the Penal Law and Procedure Division of the Ministry of Justice:

Summary
The Code of Criminal Procedure of Estonia does not regulate computer system searches. It is relatively difficult to apply the existing rules to the collection of evidence in the manner described in this article, but it is still possible.

When performing an inspection, the body conducting proceedings is not entirely free of jurisdiction-related issues: for example, if the object of inspection is the social media website of a victim or a suspect, then the inspection of the website is complicated in theory, but simple in practice – a mouse click is enough to display various data within the territory of Estonia. An inspection can be based on cooperation (the subject voluntarily provides the user IDs and passwords), but there is always the possibility that voluntary cooperation fails. An investigative body should be able to rely on a legal regime in such cases.

Links:
http://www.riigikohus.ee/vfs/2071/Riigikohtu_aastaraamat_eng_veebi.pdf