Cyber Security master’s theses defense in TalTech (January 2023)

January 13 (online):

Time: 10:00
Student: Janika Pirel Jasmin Hirvi
Title: An Analysis of the Impact of Common Crime Scene Errors in Mobile Phone Evidence Handling
Supervisor: Matthew James Sorell
Reviewer: Hayretdin Bahsi

Time: 11:00
Student: Siim-Alexander Kütt
Title: Stride-Based Black Box Penetration Testing Methodology for Micro-Mobility Services
Supervisor: Shaymaa Khalil
Reviewer: Hayretdin Bahsi

Time: 12:00
Student: Pavel Kargin
Title: Development of a Third Party Applet for the Estonian National ID
Supervisor: Juhan-Peep Ernits
Reviewer: Arnis Paršovs

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2022 (June)

Leave a reply

The defences are taking place on the first and second week of June.

May 31 (online):

Time: 09:15
Student: Xuejun Wu (Computer Science MSc)
Title: Security in Remote Update of Medical Devices
Supervisor: Tuomas Aura, Arnis Paršovs
Reviewer: Denizalp Kapisiz

May 31 (online):

Time: 13:00
Student: Kert Tali (Computer Science BSc)
Title: Parallel and Cloud-Native Secure MultiParty Computation
Supervisor: Riivo Talviste, Pelle Jakovits
Reviewer: Eero Vainikko

Time: 13:45
Student: Karl Hannes Veskus (Computer Science MSc)
Title: Privacy-preserving data synthesis using trusted execution environments
Supervisor: Liina Kamm, Sven Laur
Reviewer: Arnis Parsovs

June 3 (online):

Time: 11:45
Student: Geitrud Pank (Computer Science BSc)
Title: Lab Package: Mobile application security testing
Supervisor: Dietmar Pfahl, Hina Anwar
Reviewer: Alejandra Duque-Torres

June 3 (online):

Time: 10:30
Student: Olivier Levasseur (Cyber Security MSc)
Title: Model-Driven Engineering of Blockchain Oracles
Supervisor: Mubashar Iqbal, Raimundas Matulevičius
Reviewer: Vimal Kumar Dwivedi

Time: 11:15
Student: Ekaterina Zhuchko (Cyber Security MSc)
Title: Formal Analysis of Non-Malleability for Commitment Schemes in EasyCrypt
Supervisor: Denis Firsov, Sven Laur
Reviewer: Peeter Laud

Time: 12:00
Student: Sanam Nisar (Cyber Security MSc)
Title: Defining Blockchain-Based Techniques for Privacy Conflict-Resolution in CrossOrganizational Processes for E-Health Systems
Supervisor: Aleksandr Kormiltsyn, Alex Norta, Vimal Dwivedi
Reviewer:

Time: 12:45
Student: Anel Abylkassymova (Cyber Security MSc)
Title: Machine Learning Method For Detecting Botnet Attacks Originated From The Iot Networks
Supervisor: Hayretdin Bahsi, Sven Nõmm, Raimundas Matulevicius
Reviewer: Risto Vaarandi

Time: 13:30
Student: Gediminas Milašius (Cyber Security MSc)
Title: Integration Analysis of Various eID Authentication Solutions Used in the Private Sector of Estonia
Supervisor: Arnis Paršovs
Reviewer: Kristjan Krips

Time: 14:15
Student: Elizabete Liene Šterna (Cyber Security MSc)
Title: Security Architecture of the Latvian eParaksts mobile
Supervisor: Arnis Paršovs
Reviewer: Inguss Treiguts

June 7:

Time: 12:15
Student: Anna Shamritskaya (Innovation and Technology Management MSc)
Title: Information security assessment in a startup
Supervisor: Mari Seeba, Raimundas Matulevičius
Reviewer: Juliia Trabskaja

Time: 9:15
Student: Anita Sarv (Computer Science BSc)
Title: Implementation of multifactor authentication in Bank of Estonia
Supervisor: Toomas Krips
Reviewer: Jürmo Mehine

Time: 10:45
Student: Mark Robin Kalder (Computer Science BSc)
Title: Bug bounty programs and ethical hacking
Supervisor: Alo Peets, Margus Niitsoo
Reviewer: Anne Villems

Time: 12:00
Student: Allan Alikas (Computer Science BSc)
Title: Privacy preserving anonymization software
Supervisor: Sulev Reisberg
Reviewer: Liina Kamm

June 8:

Time: 10:00
Student: Semjon Kravtšenko (Computer Science BSc)
Title: The Estonian Mobile-ID implementation on the SIM card
Supervisor: Arnis Paršovs
Reviewer: Jürgen Niinre

June 9:

Time: 13:00
Student: Kristjan Pühvel (Computer Science BSc)
Title: Password cracking and hashing functions on the example of UT accounts
Supervisor: Alo Peets
Reviewer: Kristjan Krips

June 10:

Time: 14:30
Student: Kalmer Keerup (Computer Science BSc)
Title: Implementation of an user access control respecting file server
Supervisor: Tarmo Oja, Heili Orav
Reviewer: Mart Oruaas

Links:
https://cs.ut.ee/sites/default/files/2022-06/Defence7.6.22.pdf
https://cs.ut.ee/sites/default/files/2022-06/Kaitsmine%2008.06.2022_0.pdf
https://cs.ut.ee/sites/default/files/2022-06/Kaitsmine%2010.06.2022_0.pdf

Cyber Security master’s theses defense in TalTech (May 2022)

Leave a reply

Cyber Security curriculum MSc theses defences on May 30th 2022 (online):

Time: 10:00
Student: Marek Koppelmann
Title: Estonian Defence League’s Cyber Defence Unit Enhancing Vital Service Providers’ Cyber Security (closed)
Supervisor: Rain Ottis
Reviewer: Andrew J. Roberts

Time: 11:00
Student: Frank Korving
Title: DACA:Automated Attack Scenarios and Dataset Generation
Supervisor: Risto Vaarandi
Reviewer: Andrew J. Roberts

Time: 11:40
Student: Jürgen Erm
Title: Hybrid Analysis of Vulnerability Management Practices in Organizations to Outline Success Factors
Supervisor: Hayretdin Bahsi
Reviewer: Adrian Venables

Time: 13:00
Student: Kristjan Kaunis
Title: Hypervisoor Agnostic Scenario Definition Language for Cyber Ranges
Supervisor: Dr Bernhards Blumbergs
Reviewer: Olaf Maennel

Time: 13:40
Student: Rait Leinus
Title: Cryptocurrency as a Replacement for Traditional Online Payment Methods
Supervisor: Dr Alexander Norta
Reviewer: Raimundas Matulevicius

Time: 14:20
Student: Tomoya Tanaka
Title: Development of IDS/IPS Specifically Designed for ETSI ITS-G5-Based V2X Communication
Supervisor: Olaf Maennel
Reviewer: Hayretdin Bahsi

Time: 15:00
Student: Michailas Ornovskis
Title: Secure Software Development Lifecycle Reference Meta-Architecture
Supervisor: Hayretdin Bahsi
Reviewer: Tiia Sõmer

Cyber Security curriculum MSc theses defences on May 31th 2022 (online):

Time: 10:00
Student: Mario Širic
Title: Feasible Route Mapping
Supervisor: Matthew Sorell
Reviewer: Hayretdin Bahsi

Time: 10:40
Student: Marje Salumets
Title: Threat Modeling of the Supplain.io Blockchain Protocol: Preserving Data Trust, Privacy and Security in Physical Supply Chains
Supervisor: Dr Kaido Kikkas
Reviewer: Hayretdin Bahsi

Time: 11:20
Student: Holger Rünkaru
Title: Method for Defending Against Living Off the Land Attacks with Built-In Features of Windows
Supervisor: Pavel Tšikul
Reviewer: Alejandro G. Manzanares

Time: 12:40
Student: Dominika Helena Jantas
Title: Strategic Considerations to Counter the Cyber Threat of Malicious Deepfakes in Greek Society
Supervisor: Adrian Venables
Reviewer: Rain Ottis

Time: 13:20
Student: Triin Viitmaa
Title: Forensic Analysis for Windows Subsystem for Linux on Windows 11
Supervisor: Shaymaa Khalil
Reviewer: Matthew Sorell

Time: 14:00
Student: Orkhan Gasimov
Title: Compare and Contrast Analysis of Log Parsin Algorythms: Perspective of Efficiency and Pattern Detection Rate
Supervisor: Risto Vaarandi
Reviewer: Toomas Lepik

Time: 14:40
Student: Pasquale Polverino
Title: NetFlow Anomalies Detector Using Prophet Forecasting Model
Supervisor: Kieren Nicolas Lovell
Reviewer: Risto Vaarandi

Cyber Security curriculum MSc theses defences on June 2nd 2022 (online):

Time: 10:00
Student: Marieke Jahn
Title: Forensic data Acquisition Software Development Framework for Integrated Smart Home Ecosystems
Supervisor: Pavel Tšikul
Reviewer: Matthew Sorell

Time: 10:40
Student: Fahad Alamgir
Title: A Risk Based Decision Approach for Handling Digital Device at a Crime Scene
Supervisor: Matthew Sorell
Reviewer: Pavel Tšikul

Time: 11:20
Student: Roman Šumaylov
Title: Evaluation of Resource-Constrained Transfer Learning Approaches for IoT BotNet Detection
Supervisor: Hayretdin Bahsi
Reviewer: Sven Nõmm

Time: 12:40
Student: Georgios Kontis
Title: Technical and Organizational Challenges on Enhancing Cybersecurity with Artificial Intelligence
Supervisor: Hayretdin Bahsi
Reviewer: Kave Salamantian

Time: 13:20
Student: Seyed Mohammad Hadi Mirsadeghi
Title: Deep Learning-Based Detection of DDoS Attacks in Software-Defined Networks
Supervisor: Hayretdin Bahsi
Reviewer: Sadok Ben Yahia

Time: 14:00
Student: Roberta Murniece
Title: Can We Trust the Google Maps Timeline?
Supervisor: Matthew Sorell
Reviewer: Shaymaa Khalil

Time: 14:40
Student: Olga Šenberg
Title: The Role of Individual and Organizational Factors on the Employees’ Information Security Awareness and Vulnerability Management Efficiency
Supervisor: Kaie Maennel
Reviewer: Stefan Sütterlin

Cyber Security master’s theses defense in TalTech (January 2022)

Leave a reply

Defence of master theses of Cyber Security curriculum on January 10th 2022 online:

Time: 09:00
Student: Anupam Rakshit
Title: PRAGMATIC COMPARISON OF MACHINE LEARNING MODELS TO DETECT THE TYPE OF ATTACKS IN AN IOT NETWORK TRAFFIC
Supervisor: Pelle Jakovits
Reviewer: Hayretdin Bahsi

Time: 09:40
Student: Diana Carolina Burbano Valencia
Title: EU Cybersecurity Certification: Case Study Analysis For Implementation in the transportation sector in the EU
Supervisor: Andrew Roberts
Reviewer: Kave Salamatian

Time: 10:20
Student: Kingshuk Chowdhury
Title: Cloud Incident Handling: Challenges and Best Practices
Supervisor: Kieren Nicolas Lovell
Reviewer: Adrian Venables

Time: 11:40
Student: Sanjina Ershad
Title: CASE PROBLEMS FOR TEACHING NEW SOC MEMBERS
Supervisor: Sten Mäses
Reviewer: Toomas Lepik

Cyber Security Newsletter 2021-12-10 (i-voting / KOV2021)

Leave a reply

[2021-10-16] The i-voting in the 2021 local municipality elections took place from October 11th to 16th. A new i-voting record was set with 273,620 votes (46%) being i-votes. Around 24,000 i-votes were revotes. The biggest share of i-votes went to the Reform Party. I-votes cast for the Center Party tripled in Tallinn. Several voting related incidents were observed and are covered below.
https://news.err.ee/1608372258/new-e-voting-record-set-at-2021-local-elections
https://news.err.ee/1608376163/reform-wins-local-elections-e-vote-again
https://www.ohtuleht.ee/1046409/keskerakonna-e-haaled-tallinnas-kolmekordistusid
https://forte.delfi.ee/artikkel/94877729/varske-raport-e-haaletamise-perioodil-motlesid-valijad-oma-otsuse-umber-ligi-24-000-korral
[2021-11-11] The State Electoral Committee (VVK) received an appeal from candidate Andrea Eiche demanding the i-voting results in Lüganuse municipality be annulled due to alleged vote buying activities. The complainant claimed that voters had been “persuaded” to cast an i-vote for a Center Party candidate, both at the Kiviõli Russian School and at a nearby store, with the latter providing gifts in return for doing so. The applicant requested VVK to ascertain how many i-votes had been cast from the store and also from the school’s IP address to specific candidates. The Supreme Court found that processing such data would breach the ballot secrecy. The court found that the allegations lacked sufficient proof, although the court ordered the police to investigate a potential criminal offense.
https://news.err.ee/1608398816/supreme-court-orders-ppa-investigation-into-alleged-luganuse-vote-buying
[2021-11-03] Police detained a politician (Sergei Gorlatš) who is suspected of vote buying. According to preliminary data, almost 40 Narva residents were offered a trip, which included a guided walk in the park, a visit to a SPA, a picnic and transport. The trip took place during the election week and people were instructed to bring their ID card to i-vote. The i-voting took place on the bus. People who could not vote due to the lack of an ID card or PIN codes were asked to do so later at the polling station. Almost half of the people were able to vote on that trip.
https://news.err.ee/1608390995/narva-councilor-suspected-of-vote-buying-suspended-for-at-least-3-months
https://news.err.ee/1608389642/ppa-investigating-narva-e-vote-buying-case
https://news.err.ee/1608390413/eesti-200-calls-for-narva-councilor-resignation-after-police-investigation
https://news.postimees.ee/7376895/member-of-katri-raik-election-coalition-caught-buying-votes
https://www.err.ee/1608389594/keskkriminaalpolitsei-kahtlustab-narva-poliitikut-haalte-ostmises
[2021-10-28] The international i-voting security audit procurement failed five times in a row as the companies that applied did not meet the conditions of the procurement. However, the state signed a contract for a total of 200,000 euro with KPMG Baltics OÜ to conduct a narrower scope procedural audit. The audit is supposed to assess all election-related information systems and has to be completed by April 2022. The audit is supposed to assess at minimum: (1) compliance to the OSCE/ODIHR report; (2) the implementation of the proposals made by the i-voting security working group in 2019; (3) compliance of the Council of Europe e-voting standard; and (4) current legislation and processes related to election information systems.
https://digi.geenius.ee/rubriik/uudis/riik-tellis-auditi-mis-selgitab-valja-kuidas-on-kert-kingo-e-valimiste-tooruhma-ettepanekuid-rakendatud/
https://digi.geenius.ee/rubriik/uudis/suurejooneline-e-valimiste-rahvusvaheline-audit-ebaonnestus-viis-korda-jarjest/
https://digi.geenius.ee/rubriik/uudis/riigihangete-vaidlustuskomisjon-ebaonnestunud-e-valimiste-hankest-ei-saa-valistada-vaidlustuse-esitamist/
https://digi.geenius.ee/rubriik/uudis/riigi-tugiteenuste-keskus-lukkab-umber-vaite-et-riik-oli-valmis-seadusevastaselt-e-valimiste-hanke-tahtaega-pikendama/
https://www.postimees.ee/7349546/e-valimiste-auditit-plaanitud-kujul-ja-ajal-ei-tule-too-tegijaid-lihtsalt-ei-ole
https://forte.delfi.ee/artikkel/95066489/ekre-kunagine-eesmark-saab-siiski-teoks-mkm-alustab-e-valimiste-auditeerimist-tegija-valiti-ilma-hanketa
https://forte.delfi.ee/artikkel/94752045/kas-raul-siemil-on-oigus-eesti-e-valimiste-susteemi-ei-suudagi-keegi-revideerida-ja-see-on-oht-eesti-julgeolekule
[2021-10-28] EKRE submitted a complaint asking for i-voting in the ongoing elections to be declared illegal, as the translation feature of the Google Chrome browser distorted (translated) candidate names listed in the election website kov2021.valimised.ee. On the night of October 13th, the developers of the website added the translate=”no” flag to the candidate list, instructing browsers to not apply translation on that part of the page. National Electoral Committee (NEC) rejected the complaint as the names of the candidates were displayed correctly in the i-voting application. The Supreme Court rejected the appeal assessing the impact of the translation problem as unlikely.
https://www.ohtuleht.ee/1047049/riigikohus-e-haaletamine-oli-seaduslik
https://news.err.ee/1608379718/ekre-goes-to-court-over-e-voting-translation-issue
https://news.err.ee/1608370794/ekre-seeks-annulment-of-e-voting-result
[2021-10-28] Virgo Kruve submitted a complaint asking for i-voting to be canceled for the local elections due to several issues: (1) the source code of the i-voting application was not publicly available; (2) the software was not audited and the i-voting server was not under the supervision of auditors; (3) paper voters and i-voters were not treated equally as i-voting was not possible on election day; (4) the i-voting application was signed after the i-voting trail; (5) VVK confirmed the results of the i-voting trail after the start of the i-voting period. NEC and the Supreme Court dismissed the complaint: (1) legislation does not require publication of the i-voting application source code or audit of the application; (2) the law does not impose an obligation to use the i-voting application provided by VVK; (3) the vote verification application can be used to check if the correct vote has been cast; (4) there are measures to verify the authenticity of the state-provided i-voting application.
https://www.ohtuleht.ee/1047049/riigikohus-e-haaletamine-oli-seaduslik
https://news.err.ee/1608364593/electoral-committee-dismisses-e-voting-organization-complaint
[2021-10-26] Jan Willemson (Cybernetica) used the unofficial proof-of-concept i-voting application to cast an i-vote in the local elections. The vote was accepted by the vote collector server and passed the mobile vote verification successfully. However, in the ballot box processing phase the vote was discarded as invalid. The cause of the bug is being investigated.
https://digi.geenius.ee/eksklusiiv/arvutiteadlane-tegi-kattesaadavaks-e-valimiste-koodi-mida-valimisteenistus-on-seni-kiivalt-varjanud/
https://digi.geenius.ee/rubriik/uudis/uks-valija-loi-endale-isikliku-e-haaletamise-tarkvara/
https://forte.delfi.ee/artikkel/94882233/kahtlus-uks-e-haaletaja-oli-loonud-oma-valimisrakenduse-tema-antud-haal-tunnistati-kehtetuks
https://forte.delfi.ee/artikkel/94898679/valimisteenistus-uksikuritajal-ei-onnestunud-e-valimiste-susteemi-ara-petta
[2021-10-23] Postimees wrote about indications that ID cards of nursing home customers are abused to cast i-votes. As an example, it was mentioned that a relatively unknown candidate, a close relative of the head of a nursing home, received as many votes as a well-known Estonian politician (nearly a hundred votes) and had an unnaturally high proportion of i-votes – four times as many as paper votes. However, so far none of the allegations that ID cards are being misused in nursing homes have been substantiated.
https://leht.postimees.ee/7368389/e-valimispettusi-avastada-aitav-info-havitatakse-enne-haaltelugemist
https://www.postimees.ee/7368573/riigi-valimisteenistus-koik-e-haaletamise-logid-ja-e-haaled-on-alles-ja-turvaliselt-hoiustatud
https://arvamus.postimees.ee/7370931/erkki-koort-e-haaled-ja-logid-on-alles-aga-pettusi-avastada-ei-aita
[2021-10-21] A hacker (Artur Boiko) was able to capture a signed i-vote produced by the voting application. The hacker informed the Estonian media that the i-votes cast in the elections are not valid as the DigiDoc4 client showed that the digital signature attached to his i-vote was not valid. RIA explained that the formed signed BDOC container is not a fully completed digital signature, as the OCSP response and timestamp are added on the server side.
https://ekspress.delfi.ee/artikkel/94929547/kurikuulus-hakker-artur-boiko-pakkus-lahkelt-abi-ka-e-haalte-analuusimisel
https://blog.ria.ee/kuidas-allkirjastatakse-e-haali/
[2021-10-19] Starting with the local elections this year, it is possible to cancel an i-vote in a polling station also on election day. Before 2021 this was not possible, because the voter lists were on paper. Electronic voter lists were used for the first time and it also enabled voters to vote in any polling station in their district as this information is now maintained in a central database. A total of 1,375 computers and 400 printers were used in polling stations all over Estonia. Most of the equipment was leased from Telia. Almost 2,000 people canceled their i-vote with a paper ballot.
https://news.err.ee/1608359610/e-votes-can-be-canceled-by-voting-at-polling-stations-on-election-day
https://news.err.ee/1608374297/almost-2-000-people-canceled-e-vote-with-paper-ballot
https://forte.delfi.ee/artikkel/94901777/1775-kasutatud-arvutit-ja-printerit-mis-saab-edasi-valimistel-kasutusel-olnud-tehnikast
[2021-10-16] On the sixth day of advance voting, voting in polling stations experienced issues from 12:00 to 12:45. The cause was in RIA’s authentication service TARA that is used by the Election Information System VIS3. For security reasons, the number of queries processed from a single IP address was restricted to prevent DoS attacks. During the inaccessibility of VIS3, voters were able to cast paper votes using double envelopes. The electronic list of voters was updated as soon as VIS3 became available again.
https://digi.geenius.ee/rubriik/uudis/ria-loodud-valimiste-infosusteem-tokestas-valimistel-fuusiliselt-haaletamist/
[2021-10-13] A designer (Stefan Hiienurm) criticized the design of the i-voting application as the application looks like “old-school pirated software” (has been largely the same for about ten years) and there is no indication that this is a service created by the Estonian state. The designer took 30 minutes and sketched how the i-voting application could look.
https://digi.geenius.ee/rubriik/uudis/disainer-stefan-hiienurm-e-haaletuse-tarkvara-naeb-valja-nagu-vanakooli-piraattarkvara/
https://epl.delfi.ee/artikkel/94879211/riigi-valimisteenistuse-juht-arne-koitmae-valijarakenduse-iganenud-kujundusest-sellel-on-teatud-positiivne-efekt
[2021-10-12] I-voters who had their computer time more than 5 seconds off got an error, although their vote was cast successfully.
https://www.facebook.com/eestivalimised/photos/a.158329754211315/4745406862170225/?type=3
[2021-10-11] During the first 11 minutes after i-voting started, a false message was shown to voters by the voting application, stating that it was a test vote that would not be counted. Around 900 of the first i-voters received such a message. The votes were actually counted, as this was a configuration error having effect only on the text displayed. The end time of the test vote was wrongly configured to be an hour later.
https://twitter.com/valimisedeestis/status/1447445220271009794
https://news.err.ee/1608366156/e-voting-glitch-which-gave-first-900-voters-inaccurate-information-fixed
https://digi.geenius.ee/rubriik/uudis/e-haaletamine-algas-suure-viperusega-inimesed-ei-tea-kas-nende-haal-laks-arvesse-voi-mitte/
https://blog.ria.ee/ria-analuutikud-e-haaletamise-torked-ei-avalda-kriitilist-moju-valimiste-labiviimisse/
https://digi.geenius.ee/rubriik/uudis/kaimar-karu-tanane-e-valimiste-prohmakas-oli-lubamatu-alusetud-spekulatsioonid-said-kutet-juurde/
https://digi.geenius.ee/rubriik/uudis/miks-oli-e-haaletamisega-sel-korral-nii-palju-probleeme/
[2021-10-11] Users of the latest version of MacOS were unable to i-vote with an ID card until a new voting application was released in the afternoon of the first day of i-voting. More than 30 complaints were registered by technical support service, but hundreds or more users could have been affected. The error was due to the fact that the application was not tested accordingly. I.e., before initially signing the application, the application was not given the right to communicate with the ID card software. The fault was discovered only after i-voting started as the combination of MacOS and ID card was not tested in the i-voting trial.
https://blog.ria.ee/ria-analuutikud-e-haaletamise-torked-ei-avalda-kriitilist-moju-valimiste-labiviimisse/
https://digi.geenius.ee/rubriik/uudis/e-haaletamist-vaevavad-prohmakad-valijad-ei-saanud-rakenduse-oiguses-veenduda-applei-arvutiga-ei-saanud-e-haalt-anda/
https://digi.geenius.ee/rubriik/uudis/riigi-valimisteenuste-juht-tanased-e-haaletuse-prohmakad-ei-ole-aktsepteeritavad/
https://digi.geenius.ee/rubriik/uudis/ronald-liive-kov-valimiste-e-haaletus-on-kobarkakk-mis-enam-kunagi-korduda-ei-tohi/
[2021-10-11] The documentation for the MacOS voting application on valimised.ee was inaccurate. The file name of the voting application was different (in the documentation “selection.dmg”, actually “KOV_2021_mac.dmg”), and the cryptographic checksum of the voting application file did not match the checksum in the documentation. The differences arose because the MacOS voting application was updated without it being timely reflected in the documentation.
https://twitter.com/silverk_/status/1447466479918665728
https://blog.ria.ee/ria-analuutikud-e-haaletamise-torked-ei-avalda-kriitilist-moju-valimiste-labiviimisse/
https://digi.geenius.ee/rubriik/uudis/e-haaletamist-vaevavad-prohmakad-valijad-ei-saanud-rakenduse-oiguses-veenduda-applei-arvutiga-ei-saanud-e-haalt-anda/
https://digi.geenius.ee/rubriik/uudis/tanel-tammet-e-haaletuse-eilsed-prohmakad-on-naeruvaarsed/
https://digi.geenius.ee/rubriik/uudis/ronald-liive-kov-valimiste-e-haaletus-on-kobarkakk-mis-enam-kunagi-korduda-ei-tohi/
[2021-10-10] The source code of the i-voting system was made public in GitHub only 10 hours before i-voting began.
https://twitter.com/silverk_/status/1447119983356567552
https://github.com/vvk-ehk/ivxv/commit/49160800174473502e0bee4c8fa87b7ec75bd6f6
https://blog.ria.ee/ria-analuutikud-e-haaletamise-torked-ei-avalda-kriitilist-moju-valimiste-labiviimisse/
[2021-10-04] Arne Koitmäe, the head of the State Electoral Service (VVK), discusses the possibility to i-vote using smart devices.
https://news.err.ee/1608358833/arne-koitmae-is-estonia-ready-for-m-voting
[2021-09-21] Postimees received sharp criticism for publishing a cartoon, which puts the Estonian i-voting system and the Russian i-voting system on the same stick. Postimees reacted by taking down the cartoon.
https://arvamus.postimees.ee/7342676/varastatud-valimised
https://arvamus.postimees.ee/7343276/margit-sutrop-eetiku-pilgu-labi-mis-on-postimehe-pilapildil-valesti
https://arvamus.postimees.ee/7342960/peatoimetaja-marti-aavik-postimees-ei-kahtle-e-valimiste-usaldusvaarsuses
https://objektiiv.ee/karikatuur-oravast-ja-karikatuurist/
[2021-09-09] A research article by Sven Heiberg (SCCEIV), Kristjan Krips (Cybernetica/UT), Jan Willemson (Cybernetica/STACC) and Priit Vinkel (Cybernetica/VVK): “Facial Recognition for Remote Electronic Voting – Missing Piece of the Puzzle or Yet Another Liability?”. The authors studied the applicability of facial recognition for verifying voter identities (not specifically for the Estonian i-voting context). The architectural aspects and the main technical and ethical issues were discussed.
https://eprint.iacr.org/2021/1143
https://twitter.com/krips_k/status/1437413997393874950
https://cyber.ee/resources/stories/facial-recognition-elections-biometrics/
[2021-09-05] A research article by Bingsheng Zhang (Zhejiang University), Zengpeng Li (Shandong University) and Jan Willemson (Cybernetica): “UC Modelling and Security Analysis of the Estonian IVXV Internet Voting System”. The authors claim that the Estonian i-voting system achieves end-to-end verifiability in practice despite the fact that only 4% (on average) of the i-voters verify their votes.
https://arxiv.org/pdf/2109.01994.pdf
[2021-08-28] A research article by Arne Koitmäe (VVK), Jan Willemson (Cybernetica) and Priit Vinkel (Cybernetica): “Vote Secrecy and Voter Feedback in Remote Voting – Can We Have Both?”. The authors discuss the possibility for introducing a feedback channel that would inform a person if someone (or the person themselves) has cast an i-vote in their name. The Estonian i-voting system is used as an example for discussing the possible feedback channel.
https://research.cyber.ee/~janwil/publ/Vote-Secrecy.pdf
https://link.springer.com/chapter/10.1007/978-3-030-86942-7_10
[2021-08-25] A Belgian cryptographer (Olivier Pereira) described a variant of the revoting attack for the vote verification feature of the Estonian i-voting. By forcing a voter to revote (e.g., by simulating a voting application crash before the verification QR code is shown), on revote a malicious voting application can display the verification QR code from the previous (non-modified) vote cast by the voter, while the revote is substituted with the attacker’s candidate. The benefit compared to the silent revoting is that malware does not have to interact with the ID card (or compromise the voter’s phone in the case of Mobile-ID). An obvious fix is for the i-voting system to allow the verification of the last vote only. The developers of the i-voting system have implemented such a feature, but this feature was not enabled by VVK for the local elections.
https://nitter.eu/ikubjas/status/1430875590677123072#m
https://eprint.iacr.org/2021/1098

Cyber Security Newsletter 2021-08-24

Leave a reply

[2021-08-13] Starting August 23, the Estonian identity cards will be issued containing the ePassport applet that will contain the cardholder’s photo and fingerprints. The residence permit cards have been issued with the ePassport applet already since 2011. The ePassport applet will not be installed on the digital identity cards, the e-resident’s digital identity cards and the diplomatic identity cards. The introduction of the ePassport applet on identity cards is required by an EU regulation.
https://news.err.ee/1608306396/fingerprint-recognition-to-be-added-to-new-id-cards
https://www.riigiteataja.ee/akt/114082021001
[2021-08-11] Mauno Pihelgas (TalTech) defended his PhD thesis “Automating Defences against Cyber Operations in Computer Networks”.
https://digikogu.taltech.ee/en/Item/beb3e841-9c6e-4496-a73a-17148bc941ef
[2021-08-09] The procurement for the next-generation SIM-less Mobile-ID solution has taken longer than originally planned. The winner should be announced in September and the new solution should be operational from July 1, 2022. The current Mobile-ID contract with SK has been extended by half a year.
https://news.err.ee/1608301968/state-hoping-to-introduce-new-solution-to-replace-mobile-id
https://digi.geenius.ee/rubriik/uudis/uudse-mobiil-id-riigihange-on-veninud-voitja-peab-lahenduse-saama-valmis-vaid-loetud-kuudega/
https://digi.geenius.ee/rubriik/uudis/uudse-mobiil-id-riigihange-on-veninud-voitja-peab-lahenduse-saama-valmis-vaid-loetud-kuudega/
[2021-08-08] A group of local cyber security enthusiasts are organizing the BSides Tallinn conference with a program committee consisting of well know Estonian cyber security experts. The conference is planned to take place on October 7 in Tallinn.
https://digi.geenius.ee/eksklusiiv/infoturbe-eksperdid-korraldavad-tallinnas-uritust-kuhu-oodatakse-valdkonna-esindajaid-sudant-puistama/
https://tallinn.bsides.ee/
[2021-08-07] The Data Protection Inspectorate (AKI) has stated that identification check of a person showing a vaccination certificate is allowed only if there is reasonable doubt. For example, if there are obvious discrepancies – the name of the certificate is of the opposite sex, the person’s appearance does not match the date of birth, and so on. Also, the applications used to verify vaccination certificates should not store or forward the data to third-parties. The Minister of Health and Labor suggested the inspection of vaccination certificate only “visually” as it is assumed that most people who live in Estonia are honest.
https://news.err.ee/1608300642/aki-personal-data-must-be-protected-when-checking-covid-19-certificates
https://news.err.ee/1608293448/kiik-vaccination-certificates-will-usually-not-be-scanned
[2021-08-05] RIA has proposed an idea to enable a vaccination status lookup using the document number of the cardholder’s ID card. This would effectively make a person’s vaccination status public, as the document number of a cardholder’s ID card cannot be considered secret. The Health and Welfare Information System (TEHIK) is looking into the legal side of this solution.
https://news.err.ee/1608298248/id-cards-could-be-used-as-vaccination-certificates
[2021-07-29] The web app kontroll.digilugu.ee created to check COVID certificates provides a misleading status response, as it verifies only the authenticity of the certificate and not whether the COVID certificate satisfies legal requirements (e.g., whether test results are not outdated). Currently, the certificate’s compliance to legal requirements have to be inspected manually.
https://digi.geenius.ee/rubriik/uudis/koroonapassi-apis-on-suur-puudus-riik-ei-tea-millal-see-ara-parandatakse/
[2021-07-28] Geenius journalist Ronald Liive proposes the introduction of a state-level bug bounty program to motive white hat hackers to report vulnerabilities.
https://digi.geenius.ee/rubriik/uudis/ronald-liive-kui-eesti-tahab-tugeva-e-riigi-mainet-hoida-siis-leitakse-otsejoones-raha-heade-hakkerite-premeerimiseks/
[2021-07-28] A hacker exploited a vulnerability in RIA’s service that allows people to download their document photos using the DigiDoc client. As a result, facial photos of 286,438 persons have been downloaded. The flaw allowed unauthorized retrieval of document photos by sending queries using a fake ID card certificate containing the document holder’s personal identification code. The queries were made from 9,000 different domestic and foreign IP addresses routed through a malware network. The flawed solution was created several years ago. The police has temporarily detained an Estonian citizen, a resident of Tallinn, whose computer was used to download the photos. The downloaded data has been confiscated and the police believes that the data was not transmitted further. The mass download of photos was detected after SK ID Solutions notified RIA of an abnormal number of (OCSP?) queries. The persons whose document photo was downloaded received a notification to their @eesti.ee email addresses. If the leak caused damage, the person can ask RIA for compensation. In RIA’s opinion no damage could have been caused. The government gave RIA 500,000 euros to improve the security of their legacy services.
https://news.err.ee/1608291072/hacker-downloads-close-to-300-000-personal-id-photos
https://www.ria.ee/en/news/police-and-border-guard-board-and-information-system-authority-stopped-illegal-downloading-data.html
https://www.ria.ee/en/news/further-explanation-information-system-authority-ria-data-theft.html
https://news.err.ee/1608294000/ak-ria-unlikely-to-be-fined-over-mass-photo-hack-victims-not-compensated
https://news.err.ee/1608306519/government-sets-aside-500-000-to-update-state-portal-following-july-hack
https://www.err.ee/1608290994/kuberrundaja-laadis-alla-ligi-300-000-dokumendifotot
http://cybersec.ee/storage/20210729_PPA_dokumendifoto_ebaseadusliku_allalaadimise_kohta.eml
https://digi.geenius.ee/eksklusiiv/e-valimiste-ja-lekkinud-dokumendifotode-infosusteemid-vastavad-samale-turvastandardile/
https://digi.geenius.ee/eksklusiiv/ria-juht-dokumendifotosid-varastanud-isik-uritas-radari-alt-labi-libiseda-see-onnestus-tal-suhteliselt-hasti/
https://digi.geenius.ee/rubriik/uudis/riigiportaalis-on-sadakond-komponenti-mille-turvalisuse-kohta-on-riigil-kusimusi/
[2021-07-24] The number of banking scams is growing. This year already more than 800,000 euros have been lost. If last summer there were 25-30 such cases in one month, then this year there are already more than 50 in one month.
https://www.err.ee/1608287943/telefonipetturite-ohvrite-arv-on-kasvuteel
https://www.err.ee/1608258774/viie-kuuga-on-petukonedega-kaotatud-ule-kahe-miljoni-euro
https://raha.geenius.ee/rubriik/uudis/kelmuse-ohvrid-saavad-tagasi-ule-34-000-euro/
https://www.err.ee/1608188950/pangakelmid-on-inimestelt-valja-petnud-ule-miljoni-euro
https://news.err.ee/1608158017/people-taken-to-the-cleaners-over-the-phone-and-on-dating-websites
[2021-07-22] Gert Auväärt became RIA’s director of the Cyber Security Branch. Lauri Aasmann, the current director of the Cyber Security Branch, will continue as an advisor to the Director General.
https://www.ria.ee/en/news/july-gert-auvaart-will-become-director-cyber-security-branch-information-system-authority.html
[2021-07-21] AS Morrison Invest (morrison.ee) approached the Data Protection Inspectorate (AKI) questioning the legality of kv.ee showing the name of real estate agents for advertisements posted on behalf of legal entities. AKI found it to be in line with good practice, but in turn found that the website morrison.ee that collects personal data does not use an HTTPS connection, the visitor is not informed about the use of Google Analytics cookies, and thirdly, the site does not have the required data protection conditions. AKI issued a precept requesting that these deficiencies be eliminated.
https://digi.geenius.ee/rubriik/uudis/kurioosne-juhus-portaali-tegevuse-kohta-kusimusi-esitanud-kinnisvarafirmal-terendab-kuni-20-miljoni-euro-suurune-sunniraha/
https://aastaraamat.prokuratuur.ee/prokuratuuri-aastaraamat-2020/kuberkuritegevuse-okosusteem-muutunud-teenusepohiseks
[2021-07-21] Estonian citizen Pavel Tsurkan (33) was extradited to the US where he pled guilty for building a botnet of more than 1000 routers and allowing his criminal clients to use them as proxies routing their malicious internet traffic through the compromised routers. He also pled guilty in a second case for operating the Crypt4U service since 2013 that allowed criminals to obfuscate their malware. The Estonian national faces two 10-year prison sentences.
https://www.justice.gov/usao-ak/pr/estonian-citizen-pleads-guilty-computer-fraud-and-abuse
https://ekspress.delfi.ee/artikkel/92169861/koroonaviirus-ei-paasta-eesti-kodanikku-valjaandmisest-usa-le
[2021-07-15] Cybernetica has completed the analysis of implementing facial recognition in the Estonian i-voting. The analysis points out problems with false negatives, the requirement for high quality video cameras, privacy issues related to the fact that the captured video may contain other persons and a voter’s home interior, and points out a list of legal challenges. The report concludes that facial recognition is still in its infancy and should be first piloted within other public services.
https://www.ria.ee/en/news/implementation-biometrics-e-voting-requires-prolonged-testing.html
https://www.ria.ee/sites/default/files/content-editors/publikatsioonid/biomeetria-aruanne.pdf
[2021-07-15] A Geenius journalist had a look at the mysterious information system SITIKAS created by the State Situation Center. The system is meant to help decision makers and almost 2.8 million euros have been spent on its development. The system uses mostly publicly available information, but the content of the system is classified. Allegedly, the system generates various reports and uses machine learning and neural networks.
https://digi.geenius.ee/eksklusiiv/esimest-korda-avalikkuse-ees-salaparane-infosusteem-sitikas-aitab-peaministril-paremaid-otsuseid-teha/
[2021-07-13] The Data Protection Inspectorate (AKI) has reprimanded the Health Board for its official contacting TalTech to ask whether one of the Health Board employees studies in TalTech. TalTech disclosed the information over phone without identifying the questioner and without the legal basis.
https://digi.geenius.ee/rubriik/uudis/uus-skandaal-terviseametis-osakonnajuhataja-nuhkis-tootaja-jarel-kes-hiljem-koondati/
https://digi.geenius.ee/rubriik/uudis/terviseametist-koondatud-ametnik-tegu-on-sustemaatilise-tookiusamisega/
[2021-07-13] For DDOC signatures that have been timestamped after 2018-07-01, the ID software will show a warning “The signature is valid (with a warning)”. Signatures in DDOC format use the outdated SHA-1 hash function whose collision resistance was practically broken in February 2017 and hence any DDOC signatures created since then could be challenged.
https://www.ria.ee/en/news/new-version-id-card-software-will-change-status-ddoc-signatures.html
https://www.ria.ee/et/uudised/id-kaardi-tarkvara-uus-versioon-muudab-ddoc-allkirjade-staatust.html
[2021-07-09] RIA has closed an information leak in the state portal eesti.ee, where personal data of 336,733 people could be accessed. The data contained the first and last names, personal identification codes, places of work and, in some cases, links to previous positions. The leak was in the self-service environment that gave representatives of companies the right to manage the access rights of their employees. The leak was part of the intended functionality that was introduced about ten years ago when the approach to data protection and privacy was different than today. The issue was reported by an attentive user. RIA has no information on whether anyone had saved the data.
https://www.ria.ee/en/news/data-more-300000-people-were-available-state-portal.html
https://digi.geenius.ee/rubriik/uudis/riigiportaalis-olid-kattesaadavad-ule-300-000-inimese-andmed/
[2021-07-01] Personal data of 96 drone pilots was visible in the website of the Transport Agency for two hours. The personal data contained the pilots’ home addresses, phone numbers, e-mail addresses and personal identification numbers. Due to the leak, the registration numbers issued to the pilots will be replaced. Piksel OÜ developed the flight safety monitoring information system (LOIS). The security of the system was tested, but the flaw was detected only after the information system went into production.
https://digi.geenius.ee/rubriik/uudis/ameti-vea-tottu-paases-iga-huviline-ligi-droonilennutajate-andmetele/
https://digi.geenius.ee/rubriik/uudis/transpordiameti-leke-puudutas-pea-sadat-droonilennutajat-juhtunust-informeeriti-andmekaitse-inspektsiooni/
[2021-06-29] MKM is using the EU structural funds to produce 60 thematic biographical video interviews to document the history of the Estonian digital state. The plan is to collect the memories and knowledge of the birth and formation of the digital state, including the development of eID, i-voting and cyber security. The work will be completed in the beginning of 2022.
https://mkm.ee/et/uudised/eesti-riik-hakkab-talletama-digiriigi-ajalugu
[2021-06-29] The UT computer science BSc student Peeter Vahe in his BSc research discovered a race condition flaw in the Tartu Smart Bike Share system, which allows a user to unlock 2 bikes at once using a single account.
https://www.youtube.com/watch?v=2tKBlegvGXY
https://comserv.cs.ut.ee/ati_thesis/datasheet.php?id=71618&year=2021&language=en
[2021-06-18] The Supreme Court decided that the procedure for storage and use of communications metadata is in conflict with the law of the EU and therefore the state cannot request this data for criminal investigations. The EU law forbids retaining the communication data of all users without distinction, regardless of whether they have any connection with serious crime (the current practice of the Electronic Communications Act). This decision will affect the proceedings where phone logs are the most substantial evidence. The Ministry of Justice is looking for a solution to agree on some kind of a new metadata keeping obligation.
https://www.isoc.ee/nuhkimishaav-sonavabaduse-sudames/
https://www.riigikohus.ee/et/uudiste-arhiiv/riigikohus-riik-ei-saa-sidefirmade-kogutud-andmeid-kuritegude-uurimiseks-valja-nouda
https://news.err.ee/1608251514/supreme-court-state-cannot-demand-telephone-communication-data
https://forte.delfi.ee/artikkel/93776527/riigikohus-keelas-riigil-sidefirmade-andmeid-kuritegude-uurimiseks-valja-nouda
https://news.err.ee/1608252387/prosecutor-supreme-court-phone-data-decision-may-stop-some-proceedings
https://news.err.ee/1608253017/samost-ja-sildam-supreme-court-communications-call-points-to-problems
https://www.err.ee/1608251964/vaher-sideandmeteta-laheb-kuritegude-uurimine-keerulisemaks
https://news.postimees.ee/7278096/interior-ministry-solving-some-crimes-will-become-impossible
https://news.err.ee/1608266760/justice-ministry-looking-for-ways-to-use-communications-data
[2021-06-16] Kaie Maennel (TalTech) defended her PhD thesis “Advancing Cybersecurity Education through Learning Analytics”.
https://digikogu.taltech.ee/en/Item/d01c0b17-3b4b-41c5-ae24-e75b6128a183
[2021-06-15] An MSc thesis defended at UT brought to light a security risk concerning signing documents with an ID card via a browser. More specifically, the fact that the signatories are not able to see what exactly the service provider is asking them to sign. The thesis provides the implementation of two solutions. RIA is looking to introduce a solution as well.
https://digi.geenius.ee/eksklusiiv/eesti-id-kaardil-on-kogu-aeg-olnud-allkirjastamisel-turvarisk-mida-selle-aastani-ei-peetud-oluliseks/
https://comserv.cs.ut.ee/ati_thesis/datasheet.php?id=72487&year=2021&language=en
[2021-06-15] A bill has been passed to create a central biometric database ABIS for storing facial images and fingerprints, as currently such data is scattered between several databases. No new data will be collected. The bill has raised concerns regarding cross use of biometric data, as it would allow fingerprints and facial images collected for identification purposes (when applying for an identity document) to be used in criminal proceedings. However, it turns out that since 2012 identity documents database has been used in criminal investigations. While it was possible to compare fingerprints against all fingerprints in the database, ABIS plans to provide the technological capability to match a person’s facial image against facial images stored in the database.
https://news.err.ee/1608162490/estonia-to-create-database-for-biometric-identification-system
https://news.postimees.ee/7272664/abis-holds-uncertainty-for-the-future
https://news.err.ee/1608241671/ekre-stalls-riigikogu-s-work-over-personal-identification-database-bill
https://news.err.ee/1608250773/interior-minister-right-to-decide-over-use-of-data-can-be-discussed
https://news.err.ee/1608260931/kaljulaid-promulgates-abis-cross-use-of-data-law
https://www.err.ee/1608247482/oiguseksperdid-naevad-probleemi-abis-e-info-ristkasutuses
https://www.err.ee/1608250389/uno-lohmus-abis-kui-pohiseaduslik-probleem
https://www.err.ee/1608262158/oiguskantsler-naeb-abis-es-mitut-tosist-probleemi
https://www.err.ee/1608261951/helme-inimesed-voiksid-kohtus-nouda-oma-andmete-kustutamist-abis-est
https://www.err.ee/1608240822/jaani-abis-e-eelnou-kooskolastas-siseminister-mart-helme
[2021-06-14] Cyber Security Summer School 2021 took place during June 14-16 in virtual format. The focus of this year’s summer school was on real-world internet voting systems.
https://www.cs.ut.ee/en/news/international-cyber-security-summer-school-focuses-online-voting-technologies-around-world
https://studyitin.ee/c3s2021
[2021-06-11] The Transport Administration is developing a database in which private parking lots from Helsinki and Riga can obtain personal data of car owners registered in Estonia. The Estonian vehicle owner database has now been opened to Estonia’s private parking lots for imposing fines.
https://news.err.ee/1608243435/parking-tickets-from-nearby-countries-will-soon-find-their-estonian-owners
[2021-06-04] The President of Estonia, Kersti Kaljulaid awarded ENISA’s Executive Director, Juhan Lepassaar, the Order of the White Star, 3rd Class state decoration for advancing EU cybersecurity.
https://news.err.ee/1608120073/president-awards-152-state-decorations
https://nitter.eu/enisa_eu/status/1400819371409297411
[2021-06-03] MSc thesis by Taavi Turu (TalTech): “The Role of Co-production in National Cyber Security and Cyber Resilience of Critical Infrastructures: the Case of Estonian Defence League’s Cyber Unit”
https://digikogu.taltech.ee/en/Item/b32ff254-b558-4571-8fc9-7127b1c5f408
[2021-06-02] A new Estonian information security standard (E-ITS) has been compiled to replace the voluminous information security standard ISKE. The standard contains data on security threats and provides measures for public sector authorities.
https://www.ria.ee/en/news/ria-has-compiled-information-security-guidebook-public-sector.html
https://eits.ria.ee/
[2021-06-02] RIA organized a seminar “Cyber Security in Estonia 2021” in English. Presentations by Gert Auväärt, Tõnu Tammer, Perit Kirkmann, Mark Erlich, Lauri Tankler and Märt Hiietamm are available in RIA’s youtube channel.
https://www.youtube.com/playlist?list=PLNPWRftK1TNr0A3WrxK05IOVCaDlsf6nh
[2021-05-31] Due to a database error, the health information system was not available for more than two and a half hours in the middle of the working day.
https://www.err.ee/1608230814/tervise-infosusteem-oli-esmaspaeval-tehnilise-vea-tottu-paar-tundi-maas
https://www.ria.ee/et/uudised/olukord-kuberruumis-mai-2021.html
[2021-05-28] Arnis Parsovs (UT) has published “Security Analysis of RIA’s Authentication Service TARA”. The analysis finds that the TARA protocol might be susceptible to man-in-the-middle and phishing attacks.
https://cybersec.ee/storage/20210528_tara_analysis.pdf
https://digi.geenius.ee/rubriik/uudis/loputoos-leiti-mitu-kohta-kuidas-riiklikku-autentimisteenust-veel-turvalisemaks-muuta/
[2021-05-26] The TV investigative program Pealtnägija has published materials and insights from the “passport mafia Marika” criminal case of running an illegal document business with insiders from PPA. A trap was set up with the help of a secret agent who was interested in a document. Video footage and other materials from covert police surveillance activities are demonstrated.
https://www.err.ee/1608225496/salajased-kaadrid-pealtnagijas-ulatuslik-passiari-toimis-kui-kellavark
[2021-05-21] Following a scheduled maintenance at SK ID Solutions, the issuance of Mobile-ID and Smart-ID certificates were disrupted.
https://news.err.ee/1608220819/issuing-of-digital-id-verification-services-encounters-glitches-friday
https://news.err.ee/1608221635/smart-id-and-mobile-id-new-registrations-back-online
https://digi.geenius.ee/rubriik/uudis/mobiil-idd-vaevavad-teist-paeva-jarjest-probleemid/
https://digi.geenius.ee/rubriik/uudis/ria-soovib-hiljutiste-mobiil-id-ja-id-kaardi-katkestuste-kohta-lisainfot/
https://www.skidsolutions.eu/en/News/mobile-id-and-smart-id-services-were-interrupted/
[2021-05-15] An Estonian accounting software company fell victim to a ransom attack and through it the attackers gained access to the systems of one of the Lääne County rural municipality governments. The attack was discovered by CERT-EE before the attackers were able to cause damage.
https://www.ria.ee/et/uudised/olukord-kuberruumis-mai-2021.html
https://www.ria.ee/et/uudised/mais-runnati-it-teenusepakkujat-ning-jouti-seelabi-tema-kliendini.html
https://forte.delfi.ee/artikkel/93831843/juhtub-ka-eestis-runnak-digiteenusepakkujale-joudis-selle-kliendini-valja
[2021-05-13] RIA refuses to disclose how many sessions at once the authentication service TARA can handle, as this would reveal too much of the e-Estonia capability to potential attackers. TARA has been used up to 150,000 times a day.
https://digi.geenius.ee/eksklusiiv/kui-palju-paaseb-korraga-e-valima-riigiportaali-voi-patsiendiportaali-amet-salatseb-ja-ei-tee-infot-avalikuks/
[2021-05-13] A court in the US convicted 3 IT specialists that were residing in Estonia for providing bulletproof hosting services to cyber criminals from 2009 to 2015.
https://news.postimees.ee/7247575/estonia-s-it-talents-sold-international-services-to-cybercriminals
https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals
https://therecord.media/botnet-operator-who-proxied-traffic-for-other-cybercrime-groups-pleads-guilty/
https://news.err.ee/1608213967/daily-estonia-based-cyber-criminals-active-for-years-to-face-us-trial
https://news.postimees.ee/7247575/estonia-s-it-talents-sold-international-services-to-cybercriminals
[2021-05-12] There is a plan to amend the Public Information Act that would allow for the classification of documents to last indefinitely. Currently, the access restriction limit for classified documents “information intended for internal use” (AK) is five years. This limit can be extended by another five years to a total maximum of 10 years.
https://news.err.ee/1608210079/defense-minister-documents-should-not-be-classified-for-over-10-years
[2021-05-11] The Data Protection Inspectorate (AKI) has released the 2020 yearbook.
https://aastaraamat.aki.ee/sites/default/files/aastaraamatud/aastaraamat_2020.pdf
[2021-05-05] The Estonian Digital Society Development Plan 2030 has been released. One of the areas is national cyber security. Among the plans is to: improve the personal data tracker service; develop the possibility to get all the data stored in the country from the state portal; create a national eID that is free of physical media; update the national cyber security governance model to clarify roles, responsibilities and tasks of organizations; increase the capacity of academic institutions and development centers to implement nationally important cyber security R&D projects.
https://news.err.ee/1608202027/it-minister-requesting-feedback-on-future-of-digital-society
https://mkm.ee/et/uudised/it-minister-saatis-konsultatsioonile-digiuhiskonna-tulevikuvisiooni-eesti-tais-digivage
[2021-05-03] Liisa Past (former employee of Cybernetica and RIA) has started working as an information security manager (CISO) at the Information Security Department of the Information Technology and Development Center (SMIT) of the Ministry of the Interior.
https://www.smit.ee/et/uudised/smiti-infoturbejuhina-alustas-toeoed-liisa-past-97
[2021-04-27] Over the last couple of years, most of the security testing procurements have been won by the company Clarified Security OÜ. Last year, procurements for up to 2 million and 3.5 million euros were won. Paevaleht looked at the similarities of the procurement specifications and discussed the need to introduce mandatory rotation of security testers.
https://epl.delfi.ee/artikkel/93253019/koik-munad-uhes-korvis-suure-osa-e-riigi-turvatestimise-hankeid-voidab-uksainus-ettevote
https://www.ria.ee/sites/default/files/content-editors/kuberturve/kuberturvalisuse_aastaraamat_2021_eng_final.pdf
[2021-04-22] Äripäev has published a special issue “Cyber security 2021” covering a variety of cyber security related topics: cyber hygiene, i-voting, cybercrime, training of cyber experts and other topics.
https://www.aripaev.ee/lisa/2021/04/22/kuberturvalisus-22042021
[2021-04-22] Due to a hardware failure, the state authentication service TARA was not available for 45 minutes, as a result of which it was not possible to log into any service that uses TARA.
https://www.ria.ee/et/uudised/olukord-kuberruumis-aprill-2021.html
[2021-04-15] The government introduced a draft legislation to strengthen rules for assessing eID system trustworthiness and delimiting institutional responsibilities. In addition, RIA will be able to check whether providers of public e-services fulfill the obligation of recognizing international eID solutions arising from the eIDAS regulation.
https://news.err.ee/1608178582/government-endorses-regulation-updates-to-e-identification
[2021-04-13] Due to a software error, the digital prescription service was not available for almost 7 hours.
https://www.ria.ee/et/uudised/olukord-kuberruumis-aprill-2021.html
[2021-04-09] Arnis Parsovs (UT) defended his PhD thesis “Estonian Electronic Identity Card and its Security Challenges”.
https://dspace.ut.ee/handle/10062/71481
https://www.uttv.ee/naita?id=31267
https://blog.cs.ut.ee/2021/04/07/phd-thesis-shows-that-id-card-issues-reoccur-because-they-are-not-learned-from/
https://digi.geenius.ee/rubriik/uudis/riik-valjastas-uheksa-aasta-jooksul-ule-miljoni-vigase-id-kaardi/
[2021-04-07] The Mobile-ID and Smart-ID phishing attackers who were detained in Romania last September, sent emails to 100,000 Estonians and managed to steal money from the accounts of nearly 40 people in the total amount to more than 100,000 euros.
https://digi.geenius.ee/rubriik/uudis/rumeenias-tabatud-kuberpattide-ohvriks-langes-ligi-40-eestlast-kahju-ule-100-000-euro/
https://www.ria.ee/sites/default/files/content-editors/kuberturve/kuberturvalisuse_aastaraamat_2021_eng_final.pdf
[2021-04-07] RIA released the yearbook “Cyber Security in Estonia 2021”. Some of the covered topics: DDoS ransom attacks, ransomware attacks, phishing attacks, E-ITS security standard, DigiTest cyber hygine training platform, cyber diplomacy, 5G security.
https://news.err.ee/1608168793/ria-yearbook-cyber-criminals-took-advantage-of-covid-19-fears
https://www.ria.ee/en/news/new-yearbook-information-system-authority-ria-cyber-security-summarises-most-influential.html
https://www.ria.ee/sites/default/files/content-editors/kuberturve/kuberturvalisuse_aastaraamat_2021_eng_final.pdf
[2021-04-05] Based on a precept issued by the Technical Supervision Authority (TTJA), Zone Media OÜ blocked access to the websites koroonavabaeesti.ee and kloordiioxidiinfokeskus.ee, which were used to spread misinformation about the anti-COVID drug. The websites were registered by a private person and used the web hosting service of Zone Media OÜ.
https://digi.geenius.ee/eksklusiiv/terviseamet-tahab-blokeerida-ligipaasu-eesti-veebilehtedele-mis-jagavad-koroonaviiruse-kohta-valeinfot/
https://digi.geenius.ee/rubriik/uudis/tarbijakaitseameti-mahitusel-peatati-ligipaas-lehele-mis-vaitis-et-koroonat-saab-ravida-mmsiga/
https://digi.geenius.ee/rubriik/uudis/veebimajutaja-zone-uurib-kuidas-piirata-ligipaasu-teiselegi-vaarinfot-levitavatele-veebilehele/
https://digi.geenius.ee/rubriik/uudis/zone-sulges-ttja-ettekirjutusel-mmsi-koroonaravimina-reklaaminud-veebilehe/
[2021-04-04] Personal data of 533 million Facebook users leaked online. The leak contains personal data of 87,533 users from Estonia. The data includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and (in some cases) email addresses. The dataset was collected by crawling the data made public by users themselves.
https://www.theverge.com/2021/4/4/22366822/facebook-personal-data-533-million-leaks-online-email-phone-numbers
https://tehnika.postimees.ee/7220357/facebook-suudistab-kasutajaid-selles-et-nende-andmed-hakkerite-katte-sattusid
https://www.ria.ee/et/uudised/olukord-kuberruumis-aprill-2021.html
[2021-03-31] The government approved an amendment enabling automatic forwarding of a person’s @eesti.ee mailbox to their contact information in the population register. The population register has almost every person’s contact information (email address and phone number) as it is collected, for instance, when applying for an identity document. Before this change, around 413,000 people of 1.3 million had manually enabled forwarding for their @eesti.ee address. The opt-out in @eesti.ee forwarding was introduced after many elderly people missed invitations to be vaccinated.
https://www.ria.ee/en/news/state-will-link-persons-eestiee-mailbox-their-contact-information-population-register.html
https://www.ria.ee/en/news/information-system-authority-forwarded-state-portal-mailboxes.html
https://news.err.ee/1608146752/people-s-contact-information-to-be-used-to-send-eesti-ee-notifications
https://digi.geenius.ee/rubriik/uudis/karm-kusimus-mis-on-eesti-ee-meiliaadressi-mote-ja-kas-seda-on-uldse-vaja/
https://digi.geenius.ee/rubriik/uudis/eesti-ee-meiliaadressi-on-sel-kuul-ara-suunanud-ligi-16-000-inimest/
[2021-03-31] E-residency background checks will become more thorough. New data sought from applicants includes information about misdemeanor proceedings initiated against the applicant, prohibition on business as well as bank accounts owned by the applicant or their businesses. To improve user friendliness, PPA has created a new self-service environment for e-residents at https://eresident.politsei.ee.
https://news.err.ee/1608161419/e-residency-background-checks-to-become-more-thorough
[2021-03-26] The Latvian Data Protection Inspectorate did not apply sanctions to the company responsible for the e-shop charlot.ee database leak in which personal data of 14,000 Estonians was made publicly available. According to the Latvian inspectorate, they learned about the personal data of only 168 Latvians being compromised. The Estonian Data Protection Inspectorate (AKI) now regrets not initiating proceedings, as Charlot OÜ had appointed Estonia as the data controller and hence the server’s location in Latvia should not have played a role.
https://digi.geenius.ee/rubriik/uudis/aki-todeb-et-nad-eksisid-eesti-uhe-suurima-andmelekke-menetlemisel/
https://digi.geenius.ee/rubriik/uudis/latlased-ei-algatanud-eesti-ajaloo-suurima-andmelekke-osas-jarelevalvemenetlust/
[2021-03-19] The attackers who downloaded 350GB of data from government servers last November used the security testing tool Acunetix to discover the .git catalogue which had remained public by accident. By using information in the .git catalogue, the attackers were able to upload malicious code and gain access to the servers. The same scanning pattern has been observed lately against companies in the private sector. RIA has purchased a license to the Acunetix tool and is offering it to the public sector.
https://digi.geenius.ee/rubriik/uudis/hakkerid-leidsid-uue-sihtmargi-eesti-ettevotted-mis-teevad-riigiga-koostood/
https://www.ria.ee/sites/default/files/content-editors/kuberturve/kuberturvalisuse_aastaraamat_2021_eng_final.pdf
[2021-03-17] A former employee of the newspaper Raplamaa Sõnumid was convicted in court of illegally disrupting the operation of the newspaper’s computer system. The employee left the newspaper in 2015 and committed the crime four years later by using Google’s Search Console tool to hide the website https://sõnumid.ee in the Google search engine. The conviction of the county court and the circuit court has been appealed to the Supreme Court.
https://digi.geenius.ee/rubriik/uudis/googlei-otsingus-endise-tooandja-veebilehe-varjamine-toi-kaasa-kriminaalasja/
[2021-03-17] The Prosecutor’s Office has released a yearbook about 2020. In 2020, various covert surveillance operations were carried out on 729 people. There have been cases where criminals have compromised state systems to mine cryptocurrencies. One of the biggest achievements last year was the detention of three Romanian cyber criminals last September, which was possible thanks to direct contacts with foreign partners. In one criminal case, it was possible to seize 1 million worth of cryptocurrency by transferring it to a wallet held by police. It is not uncommon to see criminal cases being closed without gathering additional evidence if the identified IP address is located abroad.
https://aastaraamat.prokuratuur.ee/prokuratuuri-aastaraamat-2020/jalituse-jarelevalvest
https://aastaraamat.prokuratuur.ee/prokuratuuri-aastaraamat-2020/kuberkuritegevuse-okosusteem-muutunud-teenusepohiseks
https://digi.geenius.ee/rubriik/uudis/prokuror-meil-on-viiteid-et-kurjategijad-kaevandasid-riigi-vahenditega-kruptoraha/
[2021-03-17] Due to an error on the SK ID Solutions side, 6000 Smart-ID users received a false SMS alert as if someone had just created a Smart-ID account on their behalf. Turns out the alert was not false, but was sent with a delay. Smart-ID users who created an account on 2021-02-27 or later received the alert on 2021-03-17.
https://forte.delfi.ee/artikkel/92868487/6000-inimest-said-tana-eksliku-hoiatusteate-smart-id-loomise-kohta
https://www.skidsolutions.eu/en/News/sms-notifications-for-smart-id-account-creation-were-sent-with-delay/
[2021-03-08] RIA has published a technical report produced by Cybernetica: “Cryptographic algorithms and their support in libraries and information systems”. The report looks at cryptographic primitives and protocols, federated authentication protocols (OAuth, OpenID), cryptographic libraries and crypto file containers. The use of PGP is not recommended anymore.
https://www.ria.ee/sites/default/files/content-editors/publikatsioonid/cryptoreport2021.pdf
https://www.ria.ee/et/kalender/kruptoalgoritmid-ning-nende-tugi-teekides-ja-infosusteemides.html
[2021-03-04] The birth registration service in the self-service portal of the population register (rahvastikuregister.ee) allows the lookup of a mother’s name and personal identification code by entering a newborn’s personal identification code. A Geenius journalist tried 50 random personal code combinations and in 9 cases was able to see the child’s mother’s name and personal identification code and was able to apply to be registered as the father of the child. A rate limit for number of queries is not present. The officials do not consider this a risk as it only reveals the fact that someone has given birth. The queries leave a trace that can be seen in the data tracker, but to see who exactly viewed the data the child’s mother must contact the Ministry of Interior. The Data Protection Inspectorate (AKI) sees no problem.
https://digi.geenius.ee/eksklusiiv/iga-huviline-saab-e-rahvastikuregistris-naha-vastsundinud-laste-emade-nimesid-ja-isikukoode/
[2021-03-02] The European Court of Justice ruled that the Prosecutor’s Office in Estonia should not grant access to communications metadata as it is not a fully independent party in the conduct of criminal investigations. A good deal of evidence in thousands of criminal cases may prove inadmissible.
https://curia.europa.eu/jcms/upload/docs/application/pdf/2021-03/cp210029en.pdf
https://news.err.ee/1608130099/thousands-of-pieces-of-evidence-could-disappear-from-criminal-cases
https://ekspress.delfi.ee/artikkel/92783317/advokaat-kas-moosivarguse-uurimine-oigustab-inimese-lausjalitamist
https://news.err.ee/1608191572/lawyers-prosecutor-s-office-riding-roughshod-over-ecj-data-stance
https://news.err.ee/1608209794/bill-initiated-to-use-communications-data-in-court-cases
https://www.err.ee/1608200386/ministeerium-ei-kavatse-piirata-mobiiliandmete-kasutamist
https://news.err.ee/1608231447/bill-aligning-prosecutor-data-collection-with-eu-law-passes-first-reading
[2021-03-02] MKM has submitted a draft regulation on the security of communications networks. The change mostly affects the radio equipment on the mobile operator masts. The transition away from Huawei equipment would cost Elisa up to 54 million euros over the next five years, for Telia up to 5 million euros, but for Tele2 there would be no additional costs. The government will vote on the draft bill in the autumn.
https://mkm.ee/et/uudised/minister-sutt-esitas-valitsusele-sidevorkude-turvalisuse-eelnou
https://www.err.ee/1608127927/huawei-seadmete-keelamine-voib-tuua-vorkudele-kumneid-miljoneid-kahju
https://www.err.ee/1608250608/huawei-seadus-lukkub-sugisesse-5g-sagedusalade-konkurssi-pole-seni-oodata
[2021-03-02] The National Audit Office (Riigikontroll) has raised several issues related to X-Road. The audit has found that in many cases X-Road data service providers did not enter into service agreements and the public authorities have not audited whether private operators were implementing adequate security risk mitigation measures. The regulation should clarify which security measures should be implemented at what level. The audit has found that there has been one significant disruption in X-Road services during the last three years due to the failure of key components.
https://news.err.ee/1608127567/audit-office-it-security-of-firms-using-x-road-not-sufficiently-checked
https://digi.geenius.ee/rubriik/uudis/riigikontroll-manitseb-keegi-ei-kontrolli-x-teed-kasutavate-eraettevotete-turvalisust/
https://www.ria.ee/et/uudised/riigikontroll-riigi-infosusteemi-amet-taganud-x-tee-tookindluse-kuid-x-teed-kasutavate.html
https://blog.ria.ee/x-tee-liikmete-ule-tuleb-tohustada-kontrolli/
[2021-03-01] A research article by Sven Heiberg, Kristjan Krips and Jan Willemson (Cybernetica): “Mobile Voting – Still Too Risky?”. The article is mainly based on the report “Mobile voting feasibility study and risk analysis” that was released by Cybernetica in April 2020.
https://research.cyber.ee/~janwil/publ/mvoting-design.pdf
[2021-02-01] Denial-of-service extortion attack took place against one of the banks in Estonia. As a result, online banking, card payments and internal bank services were disrupted.
https://www.ria.ee/et/uudised/olukord-kuberruumis-veebruar-2021.html
[2021-01-22] Thousands of .ee domains were unavailable for a few hours due to an administrative error made by the Zone Media in their name server solution.
https://www.ria.ee/et/uudised/olukord-kuberruumis-jaanuar-2021.html
[2021-01-18] For a few hours hundreds of websites hosted at Zone Media were not available due to a network switch failure.
https://www.ria.ee/et/uudised/olukord-kuberruumis-jaanuar-2021.html
https://blog.zone.ee/2021/01/20/katkestuse-post-mortem/
[2021-01-15] Denial-of-service attacks took place against Estonian financial institutions and technology companies, accompanied by blackmail letters. The ransom demands were between 0.5 to 10 bitcoins. The longest interruption lasted for about six hours. According to RIA, the attackers did not receive any ransom money from Estonia.
https://www.ria.ee/et/uudised/olukord-kuberruumis-jaanuar-2021.html
https://www.ria.ee/sites/default/files/content-editors/kuberturve/kuberturvalisuse_aastaraamat_2021_eng_final.pdf

Cyber Security master’s theses defense in TalTech/UT (August 2021)

Leave a reply

Defence of master theses of Cyber Security curriculum on August 10th 2021 online

Time: 09:00
Student: Ilker Furkan Kahyalar
Title: A Comparative Study of Virtualization Solutions for Cybersecurity Labs
Supervisor: Risto Vaarandi
Reviewer: Toomas Lepik

Time: 09:40
Student: Martin Välbe
Title: Benchmarking of Android Applications’ System Calls Behavior: Implications for Malware Detection
Supervisor: Alejandro Manzanares, Tarmo Oja
Reviewer: Risto Vaarandi

Time: 10:20
Student: Mohamed Nasef Ibrahim Mohamed
Title: Towards a new method for teaching malware analysis for Cyber Security students
Supervisor: Toomas Lepik
Reviewer: Pavel Tšikul

Time: 11:30
Student: Thilina Nenathunga
Title: Identity and Access Management, and Audit trails for Continuous Delivery infrastructure on Amazon Web Services platform
Supervisor: Toomas Lepik
Reviewer: Risto Vaarandi

Time: 12:10
Student: Bisrat Woldeyes Ambaye
Title: Adversarial Machine Learning Poisoning Attacks on Mobile Check Deposits
Supervisor: Alejandro Manzanares
Reviewer: Matthew Sorell

Time: 12:50
Student: Md Forhad Hossain
Title: Adapting Active Learning for Intrusion Detection Within Security Operation Center Context
Supervisor: Hayretdin Bahsi
Reviewer: Alejandro Manzanares

Time: 14:00
Student: Muhammad Junaid Farrukh
Title: Evaluation of Agile Threat Modeling Methods to Identify Threats to Privacy in Robotic Systems
Supervisor: Andrew Roberts
Reviewer: Shaymaa Khalil

Time: 14:40
Student: Raigo Vilur
Title: Evaluation of Secure Channel Communication for Cloud-Based Autonomous Vehicle Telematics
Supervisor: Andrew Roberts, Nikita Snetkov
Reviewer: Olaf Maennel

Defence of master theses of Cyber Security curriculum on August 11th 2021 online

Time: 12:00 (closed defence)
Student: Wellington Oscar Alves De Souza
Title: Cybercrime knowledge of identity theft investigators in Estonian FinTech
Supervisor: Maria Claudia Solarte Vasquez, Sten Mäses
Reviewer: Toomas Vaks

Time: 12:40
Student: Abhisek Ojha
Title: Cybersecurity Awareness among Engineering students of West Bengal , India
Supervisor: Sten Mäses
Reviewer: Kaido Kikkas

Time: 13:40
Student: Alex Bindevald
Title: Cyber Security at schools – challenges, opportunities and needs for CTF-solution
Supervisor: Birgy Lorenz
Reviewer: Sten Mäses

Time: 14:20
Student: Orkhan Rustamli
Title: Analysis of Cyber Security Awareness Level of Secondary High-school Students: The Case of Azerbaijan
Supervisor: Kaie Maennel
Reviewer: Sten Mäses

Defence of master theses of Cyber Security curriculum on August 12th 2021 online

Time: (withdrawn)
Student: Anupam Rakshit
Title: Pragmatic Comparison of Machine Learning Models to Detect The Type Of Attacks In An IoT Network Traffic
Supervisor: Pelle Jakovits
Reviewer: Alejandro Manzanares

Time: 10:00
Student: Vasile Tarlev
Title: Compatibility of the European Blockchain Service Infrastructure with the European Union General Data Protection Regulation
Supervisor: Anna-Maria Osula, Andres Ojamaa, Vladimir Rogojin
Reviewer: Eneken Tikk

Time: 10:40
Student: Henry Ochieng’ Dola
Title: Cyber Threat Modeling of A Water Quality Monitoring System
Supervisor: Hayretdin Bahsi, Jeffrey Andrew Tuhtan
Reviewer: Andrew Roberts

Time: 11:20
Student: Andris Männik
Title: Cyber Awareness Verification Using Phishing Assessments
Supervisor: Kaido Kikkas
Reviewer: Kaie Maennel

Time: 12:30
Student: Oluwatosin Soremekun
Title: Method for cyber threat modelling and validation of public transportation systems
Supervisor: Hayretdin Bahsi, Andrew Roberts
Reviewer: Liivar Luts

Time: 13:10
Student: Tino Apostolovski
Title: Design of a system for secure communication between ATC and Drone Pilot
Supervisor: Olaf Maennel, Dariana Khisteva
Reviewer: Andrew Roberts, Nikita Snetkov

Time: 13:50
Student: Gulkhara Babayeva
Title: Domain Ontology for Cyber Defense Exercises
Supervisor: Olaf Maennel, Kaie Maennel
Reviewer: Rain Ottis

August 12, 2021 online:

Time: 09:00
Student: Olorunshe Temilola Esther (Cyber Security MSc)
Title: Recognition of Phishing Attacks and its Impact: A Case Study
Supervisor: Raimundas Matulevicius
Reviewer: Abasi-Amefon Affia

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2021 (June)

Leave a reply

The defences are taking place on the first and second week of June.

June 2, 2021:

Time: 09:45
Student: Toomas Aleksander Veromann (Software Engineering MSc)
Title: WYSIWYS Extensions to the Estonian ID Card Browser Signing Architecture
Supervisor: Arnis Paršovs
Reviewer: Mart Sõmermaa

Time: 10:30
Student: Sébastien René Baptistin Boire (Computer Science MSc)
Title: Credential Provisioning and Peer Configuration with Extensible Authentication Protocol
Supervisor: Tuomas Aura, Dominique Unruh
Reviewer: Arnis Paršovs

Time: 10:30
Student: Mariia Bakhtina (Innovation & Technology Management MA)
Title: Securing Passenger’s Data in Autonomous Vehicles
Supervisor: Raimundas Matulevičius, Mari Seeba
Reviewer: Abasi-Amefon Obot Affia

Time: 11:30
Student: Burak Can Kus (Cyber Security MSc)
Title: Use of Electronic Identity Documents for MultiFactor Authentication
Supervisor: Arnis Paršovs
Reviewer: Inguss Treiguts

Time: 12:15
Student: Priit Põdra (Cyber Security MSc)
Title: Web tracking in the most popular Estonian websites
Supervisor: Arnis Paršovs
Reviewer: Raimundas Matulevičius

Time: 13:00
Student: Mikus Teivens (Cyber Security MSc)
Title: Analysis of Security and Privacy Issues in Common Smart Home Products
Supervisor: Arnis Paršovs
Reviewer: Alo Peets

June 4, 2021:

Time: 11:30
Student: Magnus Valgre (Computer Science BSc)
Title: Tracking And Privacy: The Case of News Site Delfi
Supervisor: Arnis Paršovs
Reviewer: Mari Seeba

June 7, 2021:

Time: 09:00
Student: Hain Luud (Computer Science BSc)
Title: An Analysis of the HID® Indala and Seos™ Protocols
Supervisor: Danielle Morgan
Reviewer: Kristjan Krips

Time: 09:30
Student: Geio Illus (Computer Science BSc)
Title: Wi-Fi Positioning System
Supervisor: Danielle Morgan
Reviewer: Jakob Mass

Time: 11:00
Student: Peeter Vahe (Computer Science BSc)
Title: Tartu Smart Bike Share Access Cards Authentication Analysis
Supervisor: Danielle Morgan
Reviewer: Alo Peets

June 11, 2021:

Time: 09:30
Student: Jan Erik Kriisk (Computer Science BSc)
Title: Security Analysis of RIA’s Authentication Service TARA
Supervisor: Arnis Paršovs
Reviewer: Kristjan Krips

Time: 11:00
Student: Siim Markus Marvet (Computer Science BSc)
Title: Collecting Statistics and Security Data on Estonian Domains
Supervisor: Alo Peets
Reviewer: Kristjan Krips

Links:
https://www.cs.ut.ee/sites/default/files/cs/defence_schedule_01-11.06.2021.pdf
https://comserv.cs.ut.ee/ati_thesis/index.php?year=2021&language=en

Cyber Security master’s theses defense in TalTech (May 2021)

Leave a reply

Cyber Security curriculum MSc theses defences on May 27th 2021 (online):

Time: 10:00
Student: Tarvo Arikas
Title: Streaming event correlation and complex event processing using open-source solutions
Supervisor: Risto Vaarandi
Reviewer: Mauno Pihelgas

Time: 10:40
Student: Janno Arnek
Title: Improving cybersecurity level of Estonian small and medium sized enterprises through coordination with national level
Supervisor: Sille Laks
Reviewer: Anna-Maria Osula

Time: 11:50
Student: Tedel Baca
Title: Critical infrastructure protection in the Republic of Kosovo: A policy-analysis on the protection of electric-energy and water-supply sectors
Supervisor: Mika Kerttunen, Kristine Hovhannisyan
Reviewer: Adrian Venables

Time: 12:30
Student: Risto Kasepuu
Title: Designing an artifact to support cybersecurity policy development in small and medium enterprises
Supervisor: Mika Kerttunen, Andro Kull
Reviewer: Adrian Venables

Time: 13:20
Student: Dariana Khisteva
Title: A proposal of integrating open-source IDS into vessel’s bridge network
Supervisor: Olaf Maennel, Gabor Visky
Reviewer: Risto Vaarandi

Time: 14:00
Student: Stanislav Mekinulashvili
Title: Sniffing encrypted BLE traffic after changing connection parameters, using low-cost hardware that captures only one channel at a time
Supervisor: Olaf Maennel
Reviewer: Toomas Lepik

Time: 14:40
Student: Yazeed Basim Aeadah Alhaddad
Title: Ghost Injection Attack on Automatic Dependent Surveillance-Broadcast Equipped Drones Impact on Human Behavior
Supervisor: Erwin Orye
Reviewer: Jaan Priisalu

Cyber Security curriculum MSc theses defences on May 28th 2021 (online):

Time: 10:00
Student: Juan Manuel Delgado Garcia
Title: Forensic Analysis of Privacy-Oriented Cryptocurrency Wallets
Supervisor: Hayretdin Bahsi
Reviewer: Pavel Tsikul

Time: 10:40
Student: Faisal Sumaila
Title: Extraction and Analysis of Forensic Artifacts from Automotive Maintenance Applications
Supervisor: Hayretdin Bahsi
Reviewer: Matthew Sorell

Time: 11:50
Student: Yoshihisa Furushita
Title: Sources of artifacts in video
Supervisor: Matthew Sorell, Pavel Tšikul
Reviewer: Richard Matthews

Time: 12:30
Student: Kärte Pärend
Title: Forensic Traces of Messaging Applications on Android and iOS Mobile Phones
Supervisor: Sten Mäses, Priit Lahesoo
Reviewer: Matthew Sorell

Time: 13:20
Student: Karoliina Koppel
Title: Securing Software Supply-Chain Using OWASP Application Security Verification Standard: A SimplBooks Case Study
Supervisor: Toomas Lepik
Reviewer: Andrew Roberts

Time: 14:00
Student: Rooya Karimnia
Title: Culturally-Sensitive Instructional Design Of A Cybersecurity Awareness Program For High School Students In Iran, Hormozgan
Supervisor: Kaie Maennel, Mahtab Shahin
Reviewer: Stefan Sütterlin

Cyber Security curriculum MSc theses defences on May 31th 2021 (online):

Time: 10:00
Student: Jelizaveta Vakarjuk
Title: Converting a post-quantum signature scheme to a two-party signature scheme
Supervisor: Ahto Buldas, Jan Willemson
Reviewer: Ahto Truu

Time: 10:40
Student: Esteban Josue Ramirez Rojas
Title: Preserving Information’s Integrity and Confidentiality with Blockchain in the Service Supply Chain
Supervisor: Jaan Priisalu, Alex Norta
Reviewer: Nikita Snetkov

Time: 11:50
Student: Ali Ghasempour
Title: HTTP based Network Intrusion Detection System by Using Machine Learning-Based Classifier
Supervisor: Risto Vaarandi, Alejandro Manzanares
Reviewer: Hayretdin Bahsi

Time: 12:30
Student: Mauricio Antonio Duarte Lara
Title: Prototyping A Serious Game On Information Manipulation
Supervisor: Maria Claudia Solarte Vasquez, Adrian Venables
Reviewer: Rain Ottis

Time: 13:20
Student: Madis Männik
Title: Smart meter threat detection based on log analysis
Supervisor: Gabor Visky
Reviewer: Risto Vaarandi

Time: 14:00
Student: Alex Bindevald
Title: Cyber security at schools – challenges, oppurtunities and needs for CTF-solution
Supervisor: Birgy Lorenz
Reviewer: Tiia Sõmer

Cyber Security Newsletter 2021-02-22

Leave a reply

[2021-02-18] The Ministry of Economic Affairs and Communications (MKM) will establish a new state cyber security department joining the current state information systems department (RISO) and the information society services development department.
https://digi.geenius.ee/rubriik/uudis/valitsus-korrastab-digiriiki-luuakse-uus-riiklik-kuberturvalisuse-osakond/
[2021-02-18] The LokiBot malware is being distributed using a spoofed e-mail address of the TalTech rector. The phishing email is written in good Estonian and as a pretext invites recipients to participate in a procurement. As a response, TalTech has enabled DMARC so that recipients could detect emails from spoofed @taltech.ee addresses.
https://www.taltech.ee/uudised/tahelepanu-tallinna-tehnikaulikooli-rektori-nime-alt-tulnud-hinnaparingud-petukirjad-ja
https://taltech.ee/en/news/attention-price-inquiries-sent-under-name-rector-taltech-are-e-mail-scam-and-university-asks
https://forte.delfi.ee/artikkel/92598139/kustuta-kohe-petukiri-korgel-tasemel-tehnikaulikooli-rektori-tiit-landi-nime-alt-laks-tana-teele-massiliselt-libaparinguid
[2021-02-17] An information security specialist of Viljandi Hospital raised a privacy issue of PDF and DDOC signature files being sent for validation to RIA validation service SiVa. According to RIA, data is not permanently stored on RIA servers and the DigiDoc4 client explicitly asks for permission before the file is sent to RIA. The DDOC file validation logic has been moved server side to simplify the DigiDoc4 client-side software. On a side note, people have forgotten that a few years ago, all documents signed using Mobile-ID were sent to the SK DigiDocService.
https://www.ohtuleht.ee/1026090/paranoia-voi-suure-venna-sund-digiallkirja-kehtivuse-kontrollimiseks-laheb-dokument-kogu-taiega-riigi-katte-miks
[2020-02-16] At the end of 2020, an ID card authentication bypass flaw was found in the Coop Pank’s internetbank environment. Since Coop Pank also provides a bank link authentication service, the eesti.ee e-service and other e-services supporting the bank link option were also affected. A similar flaw was also found in elisa.ee, printincity.ee and arved.ee.
https://www.youtube.com/watch?v=cObPmkK7zaY
https://www.youtube.com/watch?v=IQ5UK2VwN4w
https://digi.geenius.ee/rubriik/uudis/coopi-internetipangas-oli-turvaauk-mis-voimaldas-ligipaasu-voora-inimese-kontole/
https://digi.geenius.ee/rubriik/uudis/coop-pank-turvaviga-sai-operatiivselt-parandatud-interneti-ja-mobiilipanga-kasutamine-on-taiesti-turvaline/
https://digi.geenius.ee/rubriik/uudis/turvaauk-elisa-iseteeninduses-ning-arved-ee-keskkonnas-voimaldas-paaseda-voorale-kontole/
[2021-02-12] In January 2021, Estonian banks lost more than 200 thousand euros in Smart-ID and Mobile-ID phishing attacks.
https://majandus24.postimees.ee/7178741/pangakelmustega-peteti-eesti-inimestelt-jaanuaris-valja-ule-200-000-euro
[2021-02-10] The personal data of 5000 persons was leaked from the Mineral Garden (mineralgarden.org – Living Minerals OÜ) online store. The names, email addresses, phone numbers, home addresses, and shopping cart information of thousands of Mineral Garden customers were searchable on Google. The Data Protection Inspectorate initiated a supervisory procedure. The shop is controversial as it distributes a harmful substance advertised as a miracle cure. Postimees published the name of a parliament member, who was found in the leak to have purchased the substance.
https://digi.geenius.ee/rubriik/uudis/hiiglaslik-andmeleke-mmsi-tellinud-klientide-andmed-rippusid-avalikult-internetis/
https://leht.postimees.ee/7176185/nimed-telefoninumbrid-aadressid-tuhandete-eesti-veebipoe-klientide-andmed-rippusid-avalikult-internetis
[2021-02-10] From March 2021, RIA will stop supporting bank link in the state authentication service TARA, because the security of bank link authentication mechanisms has not been assessed according to eIDAS regulation. The change will affect approximately 7000 people, which accounts for about 1% of all authentications in TARA. This move has been long awaited as the use of banks as authentication providers has never had legal basis and security flaws in banking systems have put personal data, that is accessible through the bank link, at risk.
https://www.ria.ee/et/uudised/1-martsist-ei-saa-teatud-riiklikesse-e-teenustesse-pangalingi-kaudu-siseneda.html
https://www.ria.ee/en/news/1-march-it-will-no-longer-be-possible-access-certain-public-e-services-bank-link.html
https://www.ria.ee/et/uudised/osasse-riiklikesse-e-teenustesse-ei-saa-alates-martsist-pangalingi-kaudu-siseneda.html
https://forte.delfi.ee/artikkel/92520083/alates-1-martsist-ei-paase-pangalingiga-enam-38-e-teenusesse-sh-riigiportaali
https://digi.geenius.ee/rubriik/uudis/riigiteenustesse-ei-saa-pangalingiga-martsist-enam-siseneda-pohjuseks-euroopa-liidu-seadus/
https://news.err.ee/1608104449/some-public-e-services-cannot-be-accessed-via-a-bank-link-from-march
[2021-02-05] The litigation between PPA and the Estonia ID card manufacturer Gemalto has reached a compromise with Gemalto paying the state 2.2 million EUR in compensation. While the press release only mentions the ID card security incident in 2017, the compromise also covers the claim against Gemalto regarding private key generation outside the ID card.
https://www.politsei.ee/en/news/a-settlement-agreement-has-been-signed-between-the-police-and-border-guard-board-and-gemalto-ag-tallinn-2021
https://forte.delfi.ee/artikkel/92482559/politsei-loobus-hiigelhagist-gemalto-vastu
https://forte.delfi.ee/artikkel/92191151/see-pole-enam-isegi-naljakas-moodunud-on-kaks-aastat-ja-kohus-pole-joudnud-politsei-ja-gemalto-kohtuasjas-mitte-kuskile
https://digi.geenius.ee/rubriik/uudis/vigaste-id-kaartide-tootja-gemalto-maksab-eesti-riigile-22-miljonit-eurot-huvitist/
https://www.err.ee/1608099706/ppa-ja-gemalto-joudsid-kokkuleppele-ettevote-maksab-2-2-miljonit-eurot
https://news.err.ee/1608100102/gemalto-ppa-reach-compromise-over-id-card-security-weakness
[2021-02-03] RIA fixed an authentication man-in-the-middle flaw in the ID card browser signing extension. The flaw (a feature to sign raw values using the authentication key) was quietly introduced in 2017 without a proper security analysis. Swedbank began using the feature to authenticate their clients at the end of 2020, because it was considered to be more reliable than TLS client certificate authentication.
https://www.youtube.com/watch?v=Qr638sbaZ_M
https://www.ria.ee/en/news/information-system-authority-ria-and-its-partners-fixed-critical-bug-id-card-browser-extension.html
https://digi.geenius.ee/eksklusiiv/swedbank-kasutas-turvanorkusega-id-kaardi-laiendust-kaks-aastat-pank-pidas-seda-tookindlamaks/
[2021-02-03] Geenius wrote an article about the recent repeated failures of revoking ID cards of deceased persons. RIA in 2019 initiated a supervisory procedure which still has not been completed.
https://digi.geenius.ee/eksklusiiv/teist-korda-jaid-hulga-surnud-inimeste-id-kaartide-sertifikaadid-kehtetuks-tunnistamata/
[2021-01-25] CERT-EE reported that in December 2020, an ID card authentication bypass flaw was found in the website of quick loan provider (credit24.ee), which would have provided the opportunity to take a quick loan on behalf of a stranger.
https://www.ria.ee/et/uudised/detsembris-lahendati-oluline-turvanorkus-kiirlaenu-pakkuja-veebilehel.html
https://forte.delfi.ee/artikkel/92359667/kiirlaenu-pakkuja-veebilehel-avastati-ohtlik-turvanorkus
[2021-01-26] Liisa Past and Jan Willemson from Cybernetica, in the Digital Government podcast (30min), talk about the historical and cognitive aspects of i-voting and explain how technology and math ensure a secure and trustworthy solution.
https://www.buzzsprout.com/1191800/7491415-what-makes-online-voting-secure
[2021-01-25] Estonian server hosting company Zone.ee experienced a DDoS attack. The attack lasted a total of five hours and affected the company’s operations.
https://digi.geenius.ee/rubriik/uudis/eesti-serverimajutusettevote-on-aktiivse-ddos-runnaku-all/
[2021-01-25] The Ministry of Economic Affairs and Communications (MKM), the State Information System Authority (RIA) and the State Electoral Service (RVT) signed a cooperation agreement to define the division of tasks between the agencies for organizing i-voting security. MKM will organize a security audit. RVT undertakes the development of the i-voting system and organization of security testing and risk analysis. RIA will provide hosting services and perform security testing and logging. RVT and RIA will undertake the procurement of a technical and legal analysis of the possibility of voter identification by facial biometrics. The analysis should be conducted by 1 June 2021.
https://www.ria.ee/et/uudised/mkm-ria-ja-rvt-solmisid-koostoolepingu-e-valimiste-kuberturvalisuse-korraldamiseks.html
[2021-01-24] The Estonian government recently fell and a new one was formed with a new Minister of Foreign Trade and IT: Andres Sutt (Reform). The political position on i-voting has now significantly changed as the coalition agreement seeks to develop a mobile app for i-voting.
https://news.err.ee/1608084379/who-s-who-estonia-s-new-government
https://news.err.ee/1608086476/coalition-agreement-center-reform-government-2021-2023
https://twitter.com/ikubjas/status/1353315211571294213
[2021-01-14] The Ministry of Economic Affairs and Communications (MKM) announced a public procurement tender for the audit of the i-voting system. The purpose of the audit is to get a reasoned assessment of the security of the election information systems and proposals for improvements that can raise the level of security. The audit shall be performed by internationally renowned auditors and information security specialists. The deadline for presenting the project’s final report is October 1, 2021.
https://news.err.ee/1608073477/ministry-seeking-international-auditor-to-check-security-of-e-elections
[2021-01-05] On 2021-01-05, Smart-ID, Mobile-ID and ID-card authentication and signing services were disrupted for a few hours. The state does not know the reason behind the failures and did not answer whether the question of whether a supervisory procedure will be initiated against SK ID Solutions AS.
https://majandus24.postimees.ee/7147961/riiklikud-autentimisteenused-olid-hairitud
https://news.err.ee/1228642/disruptions-in-use-of-mobile-id-still-possible
https://digi.geenius.ee/rubriik/uudis/riik-ei-tea-pohjust-miks-oli-mobiil-id-ja-id-kaardi-too-korraga-hairitud/
[2021-01-04] On 2021-01-04, SK ID Solutions AS failed to rotate the OCSP signer’s certificate, as a result, for 10 hours OCSP responses were signed with an expired certificate.
https://www.skidsolutions.eu/en/News/certifier-esteid2018-validity-information-responses-were-signed-with-an-expired-certificate/
[2020-12-22] A research article by Valeh Farzaliyev, Kristjan Krips and Jan Willemson (Cybernetica): “Developing a Personal Voting Machine for the Estonian Internet Voting System”. The article describes a proof-of-concept i-voting client implemented on a microcontroller. The client only supports Mobile-ID for casting an i-vote. The source code of the client and build instructions have been published in GitHub.
https://research.cyber.ee/~janwil/publ/votingclient-final.pdf
https://github.com/Valeh2012/PersonalVotingMachine
[2020-12-18] RIA has published a technical report produced by Cybernetica: “Analysis of planned architectural changes in Open-eID”. The work analyzes the proposed alternative to TLS certificate authentication – authentication using a new web browser extension that RIA is currently developing.
https://web-eid.gitlab.io/analysis/webextensions-main.pdf
[2020-12-04] The Data Protection Inspectorate (AKI) initiated a supervisory procedure against the Health Board (TA) in connection with the COVID-19 data leak of 9158 persons. However, the Health Board will not be fined, because AKI does not have the power to fine another state agency.
https://digi.geenius.ee/rubriik/uudis/suur-isikuandmete-leke-ei-too-terviseametile-trahvi-kaela/