Security system of president’s new residence publicly available on the Internet


Drawings of the security systems of Estonia’s new presidential residence in the Rocca al Mare district of Tallinn were publicly available on the internet for four days, the public broadcaster ERR reported.

The state real estate management company Riigi Kinnisvara AS (RKAS), which launched a tender for the renovation of the residence, uploaded the entire project documentation to the register of construction tenders. Among other things, the documents revealed the positions of motion sensors and surveillance cameras, how many household members would be given panic buttons with a direct connection to the police, and where the cable runs whose cutting would disconnect the residence from the electricity supply.

RKAS said in response to ERR news that the surveillance cameras are only one part of the residence’s complex security system and that the project documentation did not include the part of the system that is classified as a state secret.

But Agnes Suurmets-Ots, spokeswoman for the Internal Security Service (ISS), said such information definitely ought not to be publicly available. “We have to admit that it poses a security threat once such information has become public in a very regrettable way,” she said. The spokeswoman said she could not at this point comment on the measures that will be taken, but the ISS certainly does not agree with the RKAS chief’s opinion that the leak does not represent a security threat.

Access to the documents concerning the security of the residence has since been restricted.

Links:
http://www.baltic-course.com/eng/real_estate/?doc=113253
http://uudised.err.ee/v/eesti/1e5083f8-df04-4afd-bbcf-b06eb8625208/presidendi-uue-residentsi-turvasusteem-rippus-avalikult-internetis
http://uudised.err.ee/v/eesti/9ba7d639-6d9f-4929-bdaf-915bcd85fecb/aeg-presidendi-uue-residentsi-plaanid-tuleb-nuud-umber-vaadata

Tax refund scammers use the name of the Estonian Tax and Customs Board


“Today I received an email from deklaratsioon@emta.ee. Already at the beginning it seemed doubtful that such a letter would come in November. However, the thing became even more bizarre when I opened the link in this email. It is obvious that this email seeks to scam naive people out of their credit card details – card number, CVV2 code,” a person who received the letter writes in her Facebook post.

Links:
http://kasulik.delfi.ee/news/uudised/hoiatus-tulumaksu-tagastusest-teavitav-e-kiri-voib-lihtsameelse-rahast-lagedaks-teha?id=72992171

Banks twisting client arms to draw out personal data


Nordea and Danske clients complained to Postimees that the banks withheld services related to transfers and the purchase of shares because the individuals had not filled in a new personal data declaration.

The banks told Postimees that they are not collecting the detailed data on their own initiative but are obliged to apply due diligence measures arising from laws and other regulations.

Danske Bank explained that the information collected about customers has become very detailed. «In addition to an individual’s personal and document data, a bank must identify the customer’s activity profile, field of activity, volume of activity (bank account turnover), main partners,» explained the bank’s communication chief Tõnu Talinurm. «Pursuant to Tax Information Exchange Act, Danske Bank A/S Estonian branch needs to provide Tax and Customs Board information regarding US tax residents known to it or presumed by it. Because of that, we need to ask all clients whether they are US tax residents.»

The Data Protection Inspectorate’s main position is that a bank asking such questions must also ensure that its clients know why they need to declare the extra data.

The Financial Supervision Authority said the laws do oblige banks to know their customers, but do not prescribe specific questions.

Links:
http://news.postimees.ee/3396503/banks-twist-client-arms-to-draw-personal-data
http://news.postimees.ee/3396619/editorial-need-to-know-or-nice-to-know

Public lecture at Estonian IT College by CyberOlympics winner Jaanus Kääp


On Thursday, 19 November at 15.00, the winner of the CyberOlympics, Jaanus Kääp, will give a free public lecture at the IT College. The Olympic champion will share what he learned at world-famous security conferences and talk about finding security errors and developing the necessary skills.

The first CyberOlympics were organised by the Information Technology Foundation for Education, the Ministry of Defence, the Estonian Information Technology College, and Vequrity Ltd. The competition was won by Jaanus Kääp, a second-year student of IT systems development at the Estonian Information Technology College and data security expert at Clarified Security. The grand prix was the opportunity to attend the prestigious “Black Hat Europe 2015” information security conference in Amsterdam. At the public lecture, Jaanus will share the more interesting tips and tricks for finding security errors that were presented at the Black Hat Europe and Defcon security conferences, and talk about applying those skills to finding security errors during the CyberOlympics and elsewhere.

The public lecture will take place in the IT College building in Mustamäe (Raja 4C, Tallinn, lecture hall 316).

Cybersec.ee has already reported on the CyberOlympics 2015 hacking competition.

Links:
https://www.facebook.com/events/1645832179012356/
https://www.youtube.com/watch?v=3hitj0R1bHY

E-enabled elections in Estonia: Forum on research and development in 2015


During the first half of the first day, Estonian researchers will present the results of a three-year scientific project that studied the Estonian flavour of verifiable Internet voting from both technical and social aspects. The second half of the first day will be devoted to presenting development ideas for the Estonian solution. The second day holds additional talks on the topic of remote online voting and offers a brainstorming activity in which feedback on the ideas of the first day will be gathered interactively.

Thursday (05.11.2015)
09:00 – 09:30 Registration
09:30 – 09:45 Opening keynote
09:45 – 10:30 Kristjan Vassil “Diffusion of Internet Voting in Estonia”
10:30 – 11:15 Mihkel Solvak “Impact of Verification on Trust toward Internet Voting”
11:15 – 11:45 Coffee break
11:45 – 12:15 Taavi Unt “Usage Patterns in Internet Voting Log Files”
12:15 – 13:45 Jan Willemson, Sven Heiberg and Arnis Paršovs “Log analysis of Estonian Internet voting 2013-2015”
14:00 – 15:00 Lunch
15:00 – 17:30 Tarvi Martens, Sven Heiberg and Jan Willemson “Estonian Internet voting 2017+”
16:00 – Coffee break

Friday (06.11.2015)
10:00 – 10:30 Bingsheng Zhang “How to Achieve Unconditional Integrity in an End-to-end Verifiable E-voting System”
10:30 – 11:00 Kristjan Gjøsteen “A security usability study on the Norwegian e-voting system”
11:00 – 11:30 Carsten Schürmann “Creating Credible Elections”
11:30 – 12:00 Coffee break
12:00 – 12:30 Jurlind Budurushi “An Investigation into the Usability of Electronic Voting Systems with Paper Audit Trails in the Context of Complex Elections”
12:30 – 13:00 Helger Lipmaa “Privacy and Accountability in Networks via Optimized Randomized Mixnets”
13:00 – 13:30 Filip Zagorski “Improving security of remote voting”
13:30 – 14:30 Lunch
14:30 – 17:00 Argument game
15:00 – Coffee break

Links:
http://cyber.ee/en/news/e-enabled-elections-in-estonia-forum-on-research-and-development-in-2015/

Data Protection Inspectorate allows personal data to be processed in a privacy-preserving manner


In Estonia, the Ministry of Education and Science keeps track of students and the Tax and Customs Board keeps track of employment (by tracking income tax payments). If data scientists could access both databases, they could look for a correlation between working during studies and not graduating on time. However, this data cannot be shared because of the Personal Data Protection Act and the Taxation Act (not to mention the relevant EU regulation), which prevents such studies from being performed.

The Personal Data Protection Act does permit the processing of personal data for research purposes (see § 16), but mining the data in a privacy-preserving manner still has advantages.

We used the Sharemind Application Server with its analytics package Rmind to perform the study in a privacy-preserving way. The privacy-preserving solution was checked by the Estonian Data Protection Inspectorate. Their response was that our solution does not process Personally Identifiable Information (PII) in the meaning of the law.

For the study to actually be private, the participating institutions must audit the code that is run on the Sharemind server. In this case the Tax and Customs Board had a person with both the skills and the willingness to audit the code:

Furthermore, the Tax and Customs Board reviewed Sharemind’s source code to ensure that everything is performed according to the study plan.

The findings of the study:

Our study showed relations between higher education and higher income, but we found no relation between working during studies and not graduating on time. Instead, it turned out that Estonian students of all fields work an equal amount. Also, our data showed clearly the reduction of employment during the financial crisis in 2008.
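The principle behind the deployment described above is that each data owner splits its column of records into random shares held by separate computing servers, so that no single server ever holds a record in the clear while aggregates can still be computed and reconstructed. The following is an added example illustrating that principle with additive secret sharing; it is not Sharemind’s code nor the study’s own analysis script, and it assumes the two institutions have already aligned their rows (a real deployment links records inside the secure computation) and uses a toy ring modulo 2^32 with constructed sample data.

```python
"""Toy additive secret sharing over three computing parties (added example, not Sharemind's code)."""
import secrets

MOD = 2 ** 32   # assumption: toy ring for share arithmetic, chosen to mirror 32-bit integer columns
PARTIES = 3     # three non-colluding computing servers hold one share each


def share(value: int) -> list[int]:
    """Split one integer into PARTIES additive shares.

    Any PARTIES-1 shares on their own are uniformly random, so a single
    server learns nothing about the underlying record.
    """
    shares = [secrets.randbelow(MOD) for _ in range(PARTIES - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Only when all parties contribute their share does the value reappear."""
    return sum(shares) % MOD


def share_column(values: list[int]) -> list[list[int]]:
    """A data owner shares a whole column; party i receives per_party[i]."""
    per_party = [[] for _ in range(PARTIES)]
    for v in values:
        for party, s in enumerate(share(v)):
            per_party[party].append(s)
    return per_party


def local_sum(my_shares: list[int]) -> int:
    """Run by one party alone: addition of shares needs no communication."""
    return sum(my_shares) % MOD


# Constructed sample data, aligned by row (assumption: record linkage already done).
# Column 1 would come from the Tax and Customs Board, column 2 from the Ministry.
STUDENTS = [  # (worked_during_studies, graduated_late)
    (1, 0), (1, 1), (0, 0), (1, 1),
    (0, 0), (1, 0), (1, 1), (0, 0),
]


def privacy_preserving_rates() -> tuple[float, float]:
    """Compute the share of students who worked and who graduated late.

    Each institution only ever hands out random shares; each server only
    ever sums its own shares; the three partial sums reveal the aggregate
    and nothing else. This aggregation is the 'code' an auditor would review.
    """
    worked_col = [w for w, _ in STUDENTS]   # held by the tax board
    late_col = [l for _, l in STUDENTS]     # held by the ministry

    worked_shares = share_column(worked_col)
    late_shares = share_column(late_col)

    worked_partials = [local_sum(p) for p in worked_shares]
    late_partials = [local_sum(p) for p in late_shares]

    n = len(STUDENTS)
    return reconstruct(worked_partials) / n, reconstruct(late_partials) / n


def single_party_view(party: int) -> list[int]:
    """What one server sees of the 'worked' column: a list of random ring elements."""
    worked_col = [w for w, _ in STUDENTS]
    return share_column(worked_col)[party]


if __name__ == "__main__":
    worked_rate, late_rate = privacy_preserving_rates()
    print(f"worked during studies: {worked_rate:.3f}, graduated late: {late_rate:.3f}")
    print("server 0 sees:", single_party_view(0))
```

Addition and scalar multiplication are the only operations this toy performs locally; products of shared values (needed for a proper correlation) require an interactive protocol, which is where a framework such as Sharemind adds its own machinery.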

Links:
https://www.youtube.com/watch?v=Age06E1TWaA
http://sharemind.cyber.ee/stories_privacy-preserving-policy-decisions.html
http://news.err.ee/v/politics/education/01447de3-b5ef-4863-a42b-8275eb823cab/studies-majority-of-it-students-drop-out-of-university
http://eprint.iacr.org/2015/1159

DDoS attack against Omniva’s partner disrupts the work of parcel machines


The DDoS (Distributed Denial of Service) attack, which started yesterday (22.10) at 2.30 p.m. and is still ongoing, was directed at the network of Integer, Omniva’s cooperation partner, and resulted in a global error in Integer’s systems. The attack was isolated and the main functions of the system were restored by 7 p.m. yesterday evening. The functionality check of the parcel machines was completed at 8 p.m. By now, the attack no longer jeopardizes Omniva’s systems. In addition, the databases and customer data stored at Integer are definitely protected and are not affected by the attack in any way.

In connection with the attack, sending parcels from parcel machines and receiving paid parcels from the parcel machines was disrupted from 2.30 p.m. to 7 p.m. Customers were able to use parcel machines for receiving packages that were free of charge.

From the description it seems that Omniva accessed Integer’s databases over the same public channel that was attacked, whereas Omniva now has non-public access to Integer’s databases, which the attackers cannot reach.

Links:
https://www.omniva.ee/about_us/news/all_news/parcel_machine_malfunctions_were_caused_by_a_cyber_attack
http://uudised.err.ee/v/eesti/9f133660-eb7d-4091-a199-9fa38942040b/omniva-pakiautomaadid-langesid-kuberrunnaku-ohvriks

SK Annual Conference 2015


The e-identity event SK Annual Conference 2015 will take place on November 5, 2015, at Vaba Lava in the Telliskivi Creative City (Telliskivi 60a, building C1).

09:00-09:30 Registration and morning coffee
09:30-09:45 Overview of SK 2015, Kalev Pihl, SK
09:45-10:45 Identification physically and digitally, Joseph Leibenguth, Gemalto
10:45-11:15 Coffee Break
11:15-11:55 eIDAS and international interoperability, Katrin Laas-Mikko, SK
11:55-12:25 New Mobile-ID and alternatives, Urmo Keskel, SK
12:25-12:45 NutiKaitse 2017: development of security, Andri Möll, Monday Calendar
12:45-13:30 Lunch
13:30-14:00 Life of cryptography, Anto Veldre, RIA
14:00-14:30 Underlying technologies of cryptocurrency, Asse Sauga, Eesti Krüptoraha Liit
14:30-15:40 Tech trends 2030 & company of the future, Richard van Hooijdonk
15:40-16:00 Coffee Break
16:00-16:35 Questions and answers
16:35-16:55 Summary of the day
16:55-17:30 Evening snack

Links:
https://www.sk.ee/ettevottest/aastakonverents-2015/

Webinar “Cybersecurity Risk Management: Estonia Experiences”


The Organization of American States (OAS) in partnership with the Estonian Information System Authority (RIA), would like to invite you to register for our next webinar on “Cybersecurity Risk Management: Estonia Experiences”.

Invited Expert: Sven Kivvistik, Head of Risk Control and Advisory Department, Estonian Information System Authority
Thu, Oct 8, 2015 17:00-18:00 EEST

Links:
https://www.sites.oas.org/cyber/EN/Pages/Events/eventsdet.aspx?docid=71
https://vimeo.com/141810655

Talk by IT law and data protection specialist professor Lee Bygrave


The IT law programme invites you to a discussion with the distinguished IT law and data protection specialist, professor Lee Bygrave of the University of Oslo. He will give his talk on Friday, October 9, 2015, from 14.15 to 17.30 at the University of Tartu, Faculty of Law, Näituse 20, room 103. The talk will cover the following topics:

  • the US-EU cleavage on data protection regulatory policy;
  • the extent to which data protection rules can and ought to apply to use of human biological material;
  • regulatory policy on privacy-enhancing technology and privacy/data protection by design.

Lee Bygrave’s visit to Estonia is organized by the IT Law Programme. Additional information: Helen Eenmaa-Dimitrieva, Director of the IT Law Programme.

Links:
http://www.ut.ee/itlaw
http://www.jus.uio.no/ifp/english/people/aca/lee/