CERT-EE is looking for a monitoring specialist

RIA

Duties:
• information security incident monitoring and defense 24/7;
• state network (ASO) and RIA service monitoring;
• RIA service and state network incident monitoring and defense.

Requirements:
• at least year IT work experience;
• at least secondary education;
• computer skills on average level (MS Windows and UNIX work experience);
• interest towards information security;
• willingness to work in shifts.

Desired:
• international work experience;
• knowledge in administration of Estonian public information systems;
• clearance for access to state secrets (classification – ‘secret’).

If you believe that  you are the right person we are looking for, please send your CV along with a latter of motivation to klaid@cert.ee. For additional questions, please call 6630243 or send them to klaid@cert.ee

In 2015 CERT-EE had 5 monitoring specialist positions.

Links:
https://cybersec.ee/wp-content/uploads/2016/09/CERT-seirespetsialisti-kuulutus.pdf

Checking who has accessed your personal data is a challenge in practice

digilugu_peremeditsiin-debug

Peeter Marvet dispels the myth of transparency in finding out who has accessed your data in state databases:

For the past 20 years or so Estonian e-government and the X-Road backbone has been promoted with the promise of transparency. Yes, we keep a lot of data, but it is stored securely and you can always check who has accessed it. This means transparency and trust. Or “trust”, as in this The Guardian interview with Toomas Henrik Ilves.

Problem is, there is no such transparency – no notifications, no place to log in and see who has accessed your data. There was one system with such functionality, but it was shut down like 10 years ago (added: there is one system – E-Health’s Digilugu.ee “patient portal”). And even when it worked, it displayed only trivial amount of accesses [..].

The rest of the databases? I recall a meeting (in the government residence, no less) where the topic was discussed, possibly on a roundtable arranged by the National Audit Office. After some serious googling I found a contact address where to submit a request to get information about who has accessed my data in the Population Registry. It took some months to get the answer, it supposedly had information about who had requested my data available only in the “comments field” and had to be assembled manually. Promoting the idea to requesting such transparency is a good start for denial-of-service attack on Estonian e-government.

Then there was a case when somebody from the Ministry of the Interior was to promote some new legislation mandating more data storage with the argument, that everybody is able to see who has been accessing the data, so it is not a privacy violation. Our correspondence with her ended after couple of rounds, after she was unable to find any proof of solution where I could view the access log.

And don’t get me started on the question of who can purchase the data from our Population Registry or from Business Register. Want to get contacts of unemployed pensioners? Give us your monies! Want to spam every e-resident who has created a company? Sure, all addresses in registry must be business contacts so spam away (and give us some monies)!

Interesting research to conduct would be to submit bunch of requests for personal data access reports to various state database holders and analyze the response time and the detailedness level of the answers.

Links:
https://tehnokratt.net/2016/05/meme-based-trust-lockean-contract-la-e-stonia/

Woman sentenced for accessing ex-boyfriend’s Facebook account

facebook_access

The agreement concluded with the South District Prosecutor’s Office on 16 May 2016:

In January 2015 Maarja Laanemetsa (32) without authorization logged into www.facebook.com account of L.L (her ex-boyfriend) and took a screenshots of L.L.’s private conversations (with other women).  These actions qualify to Penal Code paragraph §217 “Illegal obtaining of access to computer systems” subsection (1) “Illegal obtaining of access to computer systems by elimination or avoidance of means of protection is punishable by a pecuniary punishment or up to three years’ imprisonment”.

Moreover, after entering social network and illegally taking the screenshots of L.L.’s private conversations, the accused forwarded the conversations to K.M (L.L.’s new partner) thereby violating Penal Code paragraph §156 “Violation of confidentiality of messages” subsection (1) “Violation of the confidentiality of a message communicated by a letter or other means of communication is punishable by a pecuniary punishment.”

Type and amount of the penalty:
Prosecutor pursuant to Penal Code paragraph §63 subsection 1 asks the court to sentence the accused for two month imprisonment. On the basis of the Penal Code paragraph §73 section (1) sentence imposed is not enforced in full unless during one year probation period the accused commits a new intentional crime.

The accused shall reimburse the costs of criminal proceedings:
State legal fees of EUR 48 and according to Code of Criminal Procedure paragraph §179 section (1) subsection 2 compensation of EUR 645 (1.5 times the amount of the minimum monthly wage).

Didn’t the accused violate the confidentiality of a message already when she read the private conversations? Is the disclosure to third person required to qualify according to Penal Code paragraph §156?

Links:
http://pluss.postimees.ee/v2/3808889/sotsiaalmeedias-nuhkimine-voib-tuua-kriminaalkaristuse
https://www.riigiteataja.ee/kohtulahendid/detailid.html?id=185111724

Homomorphic Tallying for the Estonian Internet Voting System

Estonian_internet_voting

Abstract. In this paper we study the feasibility of using homomorphic tallying in the Estonian Internet voting system. The paper analyzes the security benefits provided by homomorphic tallying, the costs introduced and the required changes to the voting system. We find that homomorphic tallying has several security benefits, such as improved ballot secrecy, public verifiability of the vote tallying server and the possibility for observers to recalculate the tally without compromising ballot secrecy. The use of modern elliptic curve cryptography allows homomorphic tallying to be implemented without a significant loss of performance.
[..]
The homomorphic tallying scheme described above is not new. The scheme was introduced in 1997 by Cramer et al. [6] and has been used in the Helios open-audit voting system [1] for years. The contribution of this paper is an analysis of the deployment of homomorphic tallying in the context of Estonian Internet voting, where the performance of the protocol is improved by the use of elliptic curve cryptography.

In the new tender specification published by National Electoral Committee (NEC) we can read that there is a plan to use some kind of mix-net-based technology to provide counted-as-cast verifiability for the local government elections in October 2017. While mix-nets cryptographically are more complicated than homomorphic tallying, the mix-nets are more universal and thus can be used also in elections abroad, where the ballot style is not as simple as in Estonia (e.g., elections where the voter can vote for more than one candidate).

Links:
http://eprint.iacr.org/2016/776.pdf

Kapo eavesdropped on Savisaar outside criminal procedure

kaitsepolitsei

Lawyers defending Edgar Savisaar are hopeful to kill criminal case against the Centre chairman with just one move – asking that the initial evidence, the basis for all the rest, be declared invalid. This would be the piece of information acquired by security police which afterwards triggered the whole criminal case – by eavesdropping a private conversation between then Mayor of Tallinn Mr Savisaar and Meriton Hotel owner Aleksander Kofkin at the Balalaika.

While talking about the food, a topic slipped in which made police ears perk up. [..] After years of eavesdropping on Mr Savisaar, this for the security police seemed to be a sign that the mayor was involved in issues outside of official responsibilities. [..] While Mr Savisaar is contesting that, the main issue is the method of acquiring the information may not have been legally justified and thus the basis for all the rest of the case would fall off.

In Estonia, security agencies are allowed to eavesdrop on people and institutions outside criminal procedure to prevent danger and in the interests of security. For this, special permission is granted by an expert administrative judge. All related information and related issues (such as statistics) is state secret.

Years of eavesdropping without having a right to ever find it out, and overall statistics being a state secret. As EFF says: When electronic searches are done in secret, we lose our right to challenge the legality of law enforcement invasions of privacy.

Links:
http://news.postimees.ee/3785723/lawyers-of-savisaar-see-ray-of-hope

Estonian Internet voting system to be rewritten from scratch

e-voting_estonia

The new system should provide end-to-end verifiability features:

The current software, created in 2004, needs overhaul as the gradual updates (such as adding the Mobile-ID capacity and others) have rendered the grasp on the source code structure challenging. “The new system will be more universal, allowing more possible applications, in addition to using it for Estonian nation-wide elections and referendums – such as internal elections of large corporations, local government polls and also abroad,” said Tarvi Martens, chairman of Estonian Electronic Voting Committee.

The voting procedure will remain the same for the voter and the source code will remain open. “The planned changes will allow the observers to keep an eye on how the stored e-votes will become election results more efficiently, based on mathematical proof,” Martens explained. “In other words, mathematics will prevail over the human factor. Technical proof allows us to control the system with much more efficiency,” he added.

The full cost of the first contract is 236 800 euros (VAT excluded). The bid was open to all EU entities and received bids from three companies. Cybernetica has won the bid for developing the Estonian electronic voting system, entailing a renewal of the system for the local government elections in October 2017.

Links:
http://uudised.err.ee/v/eesti/fe86efd4-9811-48cc-ae2b-234acd4e6c60/vabariigi-valimiskomisjon-soovib-e-haaletamise-susteemi-uuesti-ules-ehitada
https://cyber.ee/en/news/cybernetica-selected-to-renew-estonian-internet-voting-software/

Database with non-anonymized judicial decisions available online

Riigi_Teataja_anonymization_failure

Estonia features a punishments register with misdemeanours and crimes listed by all people. For the benefit of potential employers, for instance. Then there is a judicial decisions database where expired crimes can often still be detected. In these two, names and other data of victims and witnesses are almost never found – the occasional typo excluded. Turns out, there is a third database with judicial decisions prior to 2006. In it, glaring problems are obvious regarding personal data protection, as it holds details of entire criminal acts as well as names of criminals, victims, witnesses and experts. At times, names of close relatives are included, and home addresses at the time.

Estonian Data Protection Inspectorate PR-adviser Maire Iro agrees and says and claims people responsible at State Gazette (Riigi Teataja) database have repeatedly been notified of the problem. The justice ministry press rep Maria-Elisa Tuulik said the data has been uploaded pursuant to old legislation and the people had the right, and still do, to apply to relevant courts for removal of their data in such instances. Ms Tuulik admits people might have difficulty doing that and have insufficient knowledge. She cites the excessive amount of manual labour required to sort out the data. They may thus take it all offline as public interest is waning anyway, with time passing.

For some of the decisions State Gazette has tried to anonymize personal data, but using ineffective technical means (see picture above).

Links:
http://news.postimees.ee/3762007/the-national-victims-register
https://www.riigiteataja.ee/kohtuteave/kohtulahendite_otsing/kriminaalasjad.html
https://www.riigiteataja.ee/docs//public/dokument_279468.pdf

Privacy concerns over fingerprint collecting from e-residents

Biometric data of all individuals who have applied for or own Estonian identity cards, irrespective of whether they are national identity documents or digital identity documents meant exclusively for e-identification, are stored in digital database, archived and retained for 50 years (in case of e-residency, this is done to avoid conferring duplicate identities to one person).

From the perspective of e-residents, this is immaterial — the digital identity documents issued do not serve as travel documents, as has been established above. Nevertheless, due to the fact that under the Estonian Identity Documents Act the term “digital identity card” denotes both the e-IDs of nationals as well as e-residents’ e-ID cards, the requirement of biometric identifiers also applies to both.

Drawing on the aforementioned, the authors of the given chapter claim that the failure to differentiate between the two types of documents leads to unnecessary collection of biometric data that is in contradiction with the Data Protection Directive Article 6 principles of purpose and proportionality.

Biometrics as security technology cannot be “thrown in” for good measure, as Estonia seems to have done, without proper analysis of risks for the protection of fundamental rights and freedoms, not considering whether the purpose to be achieved could not be achieved by less intrusive means.

The practice is indeed questionable, since in case EU citizen applies for Estonian residency, the objective of “avoiding conferring duplicate identities to one person” is achieved by less intrusive means without fingerprints being collected.

Links:
http://link.springer.com/chapter/10.1007%2F978-3-319-26896-5_4

Kapo ex-employee convicted for allowing access to state secrets

kapo_state_secrets

A former employee of the Internal Security Service (ISS) was given a prison sentence for enabling illegal access to state secrets, spokespeople for ISS said. The man had taken home confidential documents.

The verdict against Aleksandr Gontšarov, 54, entered into force on Wednesday. Gontšarov, who had retired five years ago, was detained on Jan. 6 and taken into custody two days later. He admitted his guilt during the pre-trial investigation.

The first-tier Harju County Court found him guilty of enabling illegal access to state secrets and sentenced him to two years and four months, six months of which were to be served immediately and the rest not required if he did not commit a new offense within a probation period of two years and six months. Gontšarov didn’t appeal.

Gontšarov had worked in different positions in the security police between 1994 and 2011. In September 2011 he took home various documents and data storage media that were in his hands in connection with his job. He kept them in the apartments he owned in Tallinn, thereby allowing the materials to be unlawfully accessed by persons not cleared for access to state secrets.

From the wording it reads that Gontšarov did not deliberately leak state secrets to third persons. Then the question is who were the persons that got the access. Random relatives of Gontšarov or Russian intelligence officers?

KAPO annual review 2016 mentions the case:

According to the court judgement, before leaving employment in September 2011, he took documents and data media containing state secrets, which he had in his possession for work-related purposes, out of the Internal Security Service’s secure area. He kept them outside of the secure area, in the apartments he owns in Tallinn, thus enabling unauthorised people without a need to know to have illegal access to state secrets.

And provides picture of boxes full of Estonian state secrets lying about the household of Alexander Goncharov:

Links:
http://news.err.ee/v/news/0df30636-2772-459e-9f1f-2d7147d5efe2/ex-iss-member-convicted-for-allowing-access-to-state-secrets
https://kapo.ee/sites/default/files/public/content_page/Annual%20Review%202016.pdf

Interdisciplinary Cyber Research (ICR) workshop 2016

TTU_centre_for_digital_forensics_and_cyber_security

2nd of July, 2016 — Tallinn, Estonia

The aim of the workshop is to bring together young as well as established scholars undertaking research in various disciplines related to information and communication technologies such as computer sciences, political and social sciences, and law.

Agenda:
09:00 – Opening words, Ms Anna-Maria Osula & Prof Olaf Maennel
09:10 – Keynote, “On Artificial Intelligence and Steering the Future”, Mr Jaan Tallinn
10:05 – Keynote, “Artificial Intelligence: Will Judges and Lawyers Ever Enter the 20th Century (Never Mind the 21st Century)?”, Mr Stephen Mason
11:00 – Coffee Break

11:30 – 13:00 SESSION 1: Use and Abuse of the Internet
Maarja Pild, “Liability for Posting, Liking, Tagging, Sharing or Doing Nothing at All on Facebook”
Lolita Berzina, “Application of the Right to Be Forgotten and the Jurisdiction in Internet”
Eva Vīksna, “Taming the Online Environment – Protection of Copyright on the Internet”
Mari Kert-Saint Aubyn, “Case Study: Ukrainian Electrical Grid Hack”

11:30 – 13:00 SESSION 2: Technology and Emerging Threats
Hayretdin Bahsi, “Mission Impact Assessment of Cyber Threats”
Ismail Melih Tas, Basak Gencer Unsalver, “Our Proposed SIP – Based Distributed Reflection Denial of Service (DRDoS) Attacks & Effective Defense Mechanism”
Johann David Krister Andersson, “Using Internet Protocol Packet Visualization to Support Defence Exercise Debriefing”
Huishi Yin, “Implementation and Evaluation of Kano-like Models Using Data from Online Sources”

13:00 – Lunch
14:00 – 15:30 SESSION 3: Crime and Digital Technologies
Andra Siibak, “”People Who Defend Their Homeland”: Reasons and Motivations for Joining an Anti-Immigration Group on Facebook”
Tõnu Mets, “Admissibility of Digital Evidence”
Tiia Sõmer, “Visualising Cyber Crime based on the E-Crime Project: Mapping the Journeys of Cyber Criminals”
Margus Ernits, “How to Educate the Defenders of Cyberspace”

14:00 – 15:30 SESSION 4: Internet of Things
Michael Hua, “Security Analysis: NFC Tags and Signature RTD”
Petko Stefanov, “An Analysis of Security Flaws in the NFC Communication Protocol of Modern Mobile Devices”
Prescient Kannampuzha, “Security Investigation of a CAN Bus IoT Network Implementation and its Interface to the Internet”
Michael Bassi, “Engineering Change Management for Industrial Control System Security”

15:30 – Coffee break
15:50 – 17:00 SESSION 5: E-Governance
Gerli Aavik, “The Electronic Identification and Trust Service Regulation (EIDAS): An Analysis of its Compatibility with the Estonian E-Government System (EES)”
Sandra Särav, “E-Residency as the Estonian E-Government Éclat: How More Security Can Result in Less Privacy”
Nenin Hadzic, “Determining Specifications of Secure Database Architecture for Use within Australian Online Government”
Osura Jayasundara, “Recommendation of a Unified ID System for E-Government of Australia”

15:50 – 17:00 SESSION 6: Identity Theft and Verification
Torsten Schmickler, “Biometrics: the Future of Identity Verification”
Adrian Daniele, “Ethernet Device Anomaly Detection Using a Digital Fingerprint”
Olga Rodionova, “Medical Data Security of Wearable Fitness Devices”
Arnis Paršovs, “Security Analysis of Instant Messenger TorChat”

Registration deadline for non-authors is 27th of June 2016.

Links:
http://cybercentre.cs.ttu.ee/en/icr2016/