Cyber Security master’s theses defense in Tallinn University of Technology (January 2016)


Monday, 18 January 2016, Akadeemia Tee 15a, Room ICT-411:

Time: 10:15
Student: Ennio Calderoni
Title: DNS Security: Analysis of Alternatives and an Android DNSSEC-Aware Browser
Supervisor: Truls Tuxen Ringkjob
Reviewer: Toomas Lepik

Time: 10:55
Student: Kadri Tahsildoost
Title: Usable Security of Two Factor Authentication Methods
Supervisor: Jaan Priisalu
Reviewer: Maria Claudia Solarte-Vasquez

Break 11:35 – 11:45

Time: 11:45
Student: Nisham Kizhakkedathil
Title: An Empirical Analysis of Current Estonian i-voting Model: Challenges and Prospects
Supervisor: Tanel Tammet
Reviewer: Jaan Priisalu

Time: 12:25
Student: Panagiotis Marzelas
Title: A Social Media Honeypot Method to Detect Spear Phishing
Supervisor: Olaf Manuel Maennel
Reviewer: Sten Mäses

Time: 13:05
Student: Seyedmorteza Zeinali
Title: Analysis of Security Information and Event Management (SIEM) Evasion and Evasion Detection Methods
Supervisor: Bernhards Blumbergs
Reviewer: Hayretdin Bahsi

Break 13:45 – 14:00

Time: 14:05
Student: Jesse De Boise Wojtkowiak II
Title: Addressing Insider Threat Vectors in an Information Society
Supervisors: Alexander Horst Norta, Mauno Pihelgas
Reviewer: Hayretdin Bahsi

Time: 14:40
Student: Alvar Ristikivi
Title: Failover Test Measurements of Load Balanced Infrastructure
Supervisor: Olaf Manuel Maennel
Reviewer: Risto Vaarandi

Defense committee: Risto Vaarandi, Rain Ottis, Olaf Maennel, Raimundas Matulevicius, Hayretdin Bahsi.

The grades received (in random order): 4, 3, 3, 2, 1, 0, 0.

Poorly secured WiFi router abused to send SMS messages to paid numbers


Thanks to a poorly secured WiFi network, cyber-criminals were able in a few days to run up a bill of nearly EUR 1,000 for the dining place BURKS in Tallinn.

The admin account of an EMT WiFi router was accessed and SMS messages were sent out to paid numbers (some Latvian numbers and mobile parking). This appears to have been possible because the router used a mobile Internet connection and allowed SMS messages to be sent from it.

Links:
http://tarbija24.postimees.ee/3456355/reporter-ee-video-kehvasti-turvatud-wifi-vork-toi-soogikohale-kopsaka-arve

Log Analysis of Estonian Internet Voting 2013 – 2015

Log server

Conclusions
In this work we developed a systematic data analysis method that can be used to assess the state of an ongoing i-voting and to perform post-election analysis.
The log monitoring solution developed has been a useful tool for detecting software bugs and logging deficiencies, which might not have been otherwise detected.

Although the three elections analyzed in this study were different types of elections, we can see that most of the measured values are similar. Furthermore, taking into account all the observations, we can conclude that in KOV2013, EP2014 and RK2015, no large-scale attack against i-voters was carried out.

Links:
http://eprint.iacr.org/2015/1211.pdf
http://kodu.ut.ee/~arnis/slides_logmon.pdf

New cars stolen using smart key signal relay attack


This Tuesday night another BMW X5 was stolen from near a home in Laagri, Harju County. Over the past few weeks, three pricey cars with a total value exceeding €100,000 have been stolen in Southern Estonia. The police suspect an international organised group, probably auto thieves from Latvia or Lithuania.

At the end of October, car thieves from Lithuania were apprehended by the police. While investigating their tools, officers came across a gadget they nicknamed a «bowl». This is a device that amplifies the signal of an electronic car key, so that a vehicle hundreds of metres away in a parking lot opens its doors and starts its engine. As you read this story, a bowl like this is being studied by experts in Tartu, Estonia. The devices are obtained on the black market or over the web, where at one site more than €9,000 is asked for one.

Another example: an individual goes home and leaves the car keys close to the door, on a shelf or in a coat pocket. «This the crooks know very well. They place the «bowl», i.e. the device seeking the radio signals, behind the individual’s front door and the «bowl» finds the smartkey signal. The smartkey sends signals to about a metre and a half,» said Toomas Jervson of the Northern police prefecture.

Mr Jervson says the solution for owners of expensive cars is simple: if you have a smartkey, add an extra immobiliser. It may cost hundreds of euros, though.

What prevents thieves from also relaying the immobiliser’s signal? Some immobilisers regularly ping the token and cut the engine if the signal is lost. However, for driving safety reasons this feature is illegal under EU law.

Links:
http://news.postimees.ee/3432227/new-car-theft-now-historically-easy

Poltsamaa Gymnasium to offer cyber defence classes on its curriculum


At the Poltsamaa Gymnasium school in central Estonia, 17 boys and one girl signed up to study cyber defence and IT safety basics as well as cryptology, mechatronics and 3D modelling. One educator says the courses are an investment in the students’ futures.

Tiia Mikson, Deputy Headteacher of Poltsamaa Gymnasium: “It is known that Estonia is an ‘e-country’ and there are lots of electronic systems that are in everyday use, but also used by the government and in school. People who can manage, protect and deal with them are needed.”

Artam Kivisild, cyber defence class student: “It is very important right now and it will continue to grow more important. Because society is increasingly based on technology and the Internet.”

In class the students learn drone construction, how to use a 3D printer and internet security basics – all meant to educate a generation more aware of cyber risks in a world ever-more dependent on technology. The education programme was introduced in cooperation with NATO and the Estonian government. After graduating from the class, students receive a certificate from the country’s paramilitary organisation, Defence League. That document is meant to help them in applying for university studies in cyber defence.

Links:
http://uatoday.tv/politics/estonia-549267.html
http://opleht.ee/26512-poltsamaa-uhis%C2%ADgumnaasium-hakkab-kuberkaitset-opetama/

Amendments to allow invasion of privacy without judicial approval


The Ministry of the Interior is drawing up legislation to expand the rights of ISS, the Internal Security Service and the Information Board, the foreign intelligence agency. Current laws governing security agencies date back to 2001, when the security situation in Estonia and in the world was different, Eesti Päevaleht reported.

Another change would give ISS the right to breach the sanctity of home, family and private life without the approval of a judge, if officials are unable to reach a judge or the situation demands a quick response. The bill, if it enters into force, would compel ISS officials to ask a judge for permission at the earliest opportunity, and if permission is refused, the operation must be stopped immediately.

“The need for that has appeared in combating terrorism and in prevention of the movement of weapons, ammunition and explosives,” the motion reads.

Links:
http://news.err.ee/v/politics/9bd6fa2f-eff9-4122-bd12-fa4a513325ad/intelligence-agencies-to-get-more-powers
http://epl.delfi.ee/news/arvamus/juhtkiri-kapo-ei-vaja-voimu-juurde?id=73046971

Security system of president’s new residence publicly available on the Internet


Drawings of the security systems of Estonia’s new presidential residence in the Rocca al Mare district of Tallinn were publicly available on the internet for four days, the news service of the public broadcaster ERR reported.

The state real estate management company Riigi Kinnisvara AS (RKAS), which launched a tender for the renovation of the residence, uploaded the entire project documentation to the register of construction tenders. Among other things, the documentation revealed the positions of motion sensors and surveillance cameras, how many household members would be given panic buttons with a direct connection to the police, and where the cable runs whose cutting would cut off the electricity supply to the residence.

RKAS said in response to ERR news that surveillance cameras are only one part of the complex security system of the residence and that the project documentation did not include the part of the system classified as a state secret.

But Agnes Suurmets-Ots, spokeswoman for the Internal Security Service (ISS), said such information definitely ought not to be publicly available. “We have to admit that it poses a security threat once such information has become public in a very regrettable way,” she said. The spokeswoman said she cannot at this point comment on the measures that will be taken, but ISS certainly does not agree with the RKAS chief’s opinion that the leak does not represent a security threat.

Access to the documents concerning the security of the residence has been restricted by now.

Links:
http://www.baltic-course.com/eng/real_estate/?doc=113253
http://uudised.err.ee/v/eesti/1e5083f8-df04-4afd-bbcf-b06eb8625208/presidendi-uue-residentsi-turvasusteem-rippus-avalikult-internetis
http://uudised.err.ee/v/eesti/9ba7d639-6d9f-4929-bdaf-915bcd85fecb/aeg-presidendi-uue-residentsi-plaanid-tuleb-nuud-umber-vaadata

Tax refund scammers use the name of the Estonian Tax and Customs Board


“Today I received an email from deklaratsioon@emta.ee. Already at the beginning it seemed doubtful that such a letter would come in November. However, things became even more bizarre when I opened the link in this email. It is obvious that this email seeks to scam naive people out of their credit card details – card number, CVV2 code,” a person who received the letter writes in her Facebook post.

Links:
http://kasulik.delfi.ee/news/uudised/hoiatus-tulumaksu-tagastusest-teavitav-e-kiri-voib-lihtsameelse-rahast-lagedaks-teha?id=72992171

Banks twisting client arms to draw out personal data


Nordea and Danske clients complained to Postimees that the banks withheld services related to transfers and the purchase of shares because the individuals had failed to fill in a fresh personal data declaration.

The banks told Postimees that they are not collecting the detailed data on their own initiative but are under obligation to fulfil diligence measures arising from laws and other regulations.

Danske Bank explained that the information collected about customers has become very detailed. «In addition to an individual’s personal and document data, a bank must identify the customer’s activity profile, field of activity, volume of activity (bank account turnover), main partners,» explained the bank’s communication chief Tõnu Talinurm. «Pursuant to Tax Information Exchange Act, Danske Bank A/S Estonian branch needs to provide Tax and Customs Board information regarding US tax residents known to it or presumed by it. Because of that, we need to ask all clients whether they are US tax residents.»

The Data Protection Inspectorate’s main position is that the bank asking the questions must also ensure that the clients know why they need to declare the extra data.

The Financial Supervision Authority said the laws do impose on banks the obligation to know their customers, but do not prescribe specific questions.

Links:
http://news.postimees.ee/3396503/banks-twist-client-arms-to-draw-personal-data
http://news.postimees.ee/3396619/editorial-need-to-know-or-nice-to-know

Public lecture at Estonian IT College by CyberOlympics winner Jaanus Kääp


On Thursday, 19 November at 15.00, the winner of CyberOlympics, Jaanus Kääp, will give a free public lecture at the IT College. The Olympic champion will share what he learned at world-famous security conferences and talk about finding security errors and developing the necessary skills.

The first CyberOlympics were organised by the Information Technology Foundation for Education, the Ministry of Defence, the Estonian Information Technology College, and Vequrity Ltd, and were won by Jaanus Kääp, a second-year student of IT systems development at the Estonian Information Technology College and data security expert at Clarified Security. The grand prix was the opportunity to attend the prestigious “Black Hat Europe 2015” information security conference in Amsterdam. At the public lecture, the Olympic champion Jaanus will share the more interesting tips and tricks for finding security errors that were presented at the Black Hat Europe and Defcon security conferences, and talk about applying these skills to finding security errors during the CyberOlympics and elsewhere.

The public lecture will take place in the IT College building in Mustamäe (Raja 4C, Tallinn, lecture hall 316).

Cybersec.ee has already reported on the CyberOlympics 2015 hacking competition.

Links:
https://www.facebook.com/events/1645832179012356/
https://www.youtube.com/watch?v=3hitj0R1bHY