Reproducing Android Vote Verification Application Builds for Estonian I-Voting System

The main objective of this work is to check whether the vote verification applications distributed in the app stores can be compiled from the source code that has been made publicly available by Estonian National Electoral Committee. The experiments were performed using the Vote Verification application versions that were distributed in the I-voting period of the Estonian municipal council election held in October 2017.
The report will go through the different steps that were done during this experiment – monitoring the binaries, building the app from the source code, comparing build result with the distributed version and trying to reproduce it based on the differences found.

This is the report for UT course “Research Seminar in Cryptography (MTAT.07.022)”. The work deals with reproducible build problem of vote verification software used in Estonian i-voting held in October 2017.

The TL;DR; is that the source code available in GitHub is outdated and apparently was not the source code which was used to build the applications that were distributed to Android devices in Google Play Store.

Links:
https://courses.cs.ut.ee/MTAT.07.022/2017_fall/uploads/Main/annika-report-f17.pdf

Estonian cryptographer rejects claims of being Bitcoin’s creator

Los Angeles lawyer Justin Sobaje is convinced that Helger Lipmaa, senior researcher of the University of Tartu’s computer science institute, is Satoshi Nakamoto – the creator of bitcoin, and says he has analyses and studies that prove it.

Sobaje writes that he is convinced – based on an article in which Nakamoto first describes the nature of bitcoin – that the author or authors of the piece had to have been experts of timestamping technology and hash trees. That is the focus of Helger Lipmaa’s doctoral thesis and scientific papers published in the late 1990s. Lipmaa has cited another two articles the original creator of the bitcoin also cites on his homepage. Conclusion: Lipmaa knows five out of eight articles.

Sobaje continues: “Satoshi was an experienced C++ programmer. Lipmaa created timestamping software while working at Cybernetica.” He lists the years Lipmaa spent working for the company until two years before the birth of bitcoin. How was the name Satoshi Nakamoto created? Sobaje has found three Japanese cryptographers mentioned on Lipmaa’s website – Satoshi Obana, Junko Nakajima, Takeshi Okamoto – and concludes that the name of the world’s most wanted man is a combination of the three.

Helger Lipmaa, commenting on the matter to Postimees, rejects the idea. “I’m certainly not Satoshi and I don’t understand how he got to my name of all things,” he said, adding that bitcoin’s original creator wasn’t a cryptographer.

Professor of software science at the Tallinn University of Technology Ahto Buldas, who worked with Lipmaa on timestamping technology in the late 1990s, laughs out loud when told an American lawyer believes Lipmaa to be Nakamoto. “The number of scientists that worked on it at the time was not great, while there are other candidates for Nakamoto. I don’t want to say that Lipmaa is not Satoshi Nakamoto; even though I don’t really believe it, it cannot be ruled out either,” he says. “We could all have been Nakamotos.

This could be a potential topic for BSc/MSc thesis, to use open source intelligence to verify if there is some correlation between public activities of Satoshi and Helger/Ahto.

Links:
https://news.err.ee/652328/estonian-cryptographer-rejects-claims-alleging-he-created-bitcoin
https://news.postimees.ee/4365547/hunt-for-the-world-s-most-wanted-man-reaches-estonia
http://novaator.err.ee/648962/tartu-ulikooli-vorguteenused-sattusid-pahatahtliku-runnaku-alla

 

TallinnSec meetup: HW Crypto, RCE and Bug Bounty programs

Tuesday, February 20, 2019, 17:00 to 20:00 at k-space.ee.

Agenda:
17:15 – Stefano Alberico (Crip.to): Communication solution based on end-to-end hardware encryption
18:00 – Silvia Väli (Clarified Security): Only an Electron away from code execution
18:45 – Joakim Tauren (Visma): Stories from a bugbounty program

Links:
https://www.meetup.com/TallinnSec/events/245824754/

Personnel changes in RIA cyber security division


Anto Veldre, a legendary Estonian security specialist leaves RIA:

From the beginning of the year, the State Information System Authority (RIA) discharged an experienced IT security expert and promoter Anto Veldre. Veldre has worked as an analyst at the incident handling department at CERT-EE and in the Communications Department.

Helen Uldrich, head of RIA Communications Department, explained the discharge of Anto Veldre by the change in the structure of their unit from 2018. The analyst’s place where Veldre previously worked was changed into a spokesperson’s position and, as a result, his duties changed.

“Unfortunately, RIA did not have another position to offer Anto that would correspond to his professional profile. The whole staff of the State Information System Agency highly appreciates Anto and his contribution, for example, to explaining the functioning of the e-state,” added Uldrich.


Klaid Mägi, the head of CERT-EE leaves RIA:

Klaid Mägi, head of CERT-EE will leave the state office and continue to work at CybExer Technologies, a private Estonian company promoting cyber hygiene. Mägi has led the unit since autumn 2014. Previously, he has worked at the Ministry of Finance, Elisa and Elion.

Uku Särekanno, the new Deputy Director General of RIA Cyber Security Branch:

The authority organised a public competition last October to find a director for the Cyber Security Branch. About ten people applied for the position. The Director General of the Information System Authority chose the suitable candidate in early December.

Previously, Uku Särekanno has worked at different positions in the European Commission, the Government Office, and the Ministry of Foreign Affairs, led the Public Order and Criminal Policy Department of the Ministry of the Interior, and represented Estonia in Brussels regarding issues of migration and police cooperation.

Before, since September 2011, this responsibility has been borne by Toomas Vaks, who previously worked as a risk manager for bank cards in Swedbank, before he was employed at Hansapank.

Links:
https://tehnika.postimees.ee/4367831/ria-koondas-legendaarse-eesti-turvaspetsialisti-anto-veldre
https://geenius.ee/uudis/ria-koondas-eesti-turvaspetsialisti-anto-veldre/
https://www.err.ee/654409/ria-uks-juhivtootaja-klaid-magi-lahkub-toole-erasektorisse
https://geenius.ee/uudis/riast-lahkus-toolt-jargmine-tippekspert-certi-juht-klaid-magi/
https://geenius.ee/uudis/peterkop-me-ei-suuda-erasektoriga-voistelda-aga-pakume-erilist-tood/
https://www.ria.ee/en/uku-sarekanno-is-the-deputy-director-general-of-the-information-system-authority.html
https://geenius.ee/uudis/uus-eesti-kuberkaitse-juht-meie-maine-hoidmiseks-ei-piisa-enam-ainult-raakimisest-ja-konverentsidel-kaimisest/
http://arileht.delfi.ee/news/uudised/ria-endine-kuberturbejuht-macgyveri-teibiga-e-riiki-ei-ehitata?id=79908056

President to decorate persons who helped to solve ID card crisis

The President decided to recognize with decorations three people who helped to solve the crisis of the ID-card that struck Estonia last year. The Order of the White Star, 5th Class will be handed to Margus Arm, the head of the State Information System Agency eID field, Kaija Kirch, who led the crisis management team at the Police and Border Guard Board, and Kaarel Raspel, a Nortal employee, who helped RIA to develop a solution to solve the ID-card crisis:

Margus Arm, promoter of information society. Margus Arm, as head of the eID field of the State Information System Authority, played a key role in removing the security risk of ID-card. He worked out key proposals for resolving the crisis and led the work of the team who developed the technical solutions.

Kaija Kirch, promoter of internal security. Kaija Kirch was in charge of a crisis team formed to eliminate the security card ID card at the Police and Border Guard Board. Under her leadership, both the completion of the new ID-card production line and PPA’s customer service, as well as cooperation with other public authorities, the private sector and citizens took place.

Kaarel Raspel, promoter of field of e-services. Kaarel Raspen, as a staff member of AS Nortal, made a great personal contribution preventing the security risk of the ID-card from realizing. He had a leading role in developing a fundamental solution that allowed the ID-card ecosystem to be replaced with elliptical curve encryption algorithms, which prevented the ID-card chip from encountering security risk.

The Order of the White Star, 4th Class will be also handled to:

Raimo Peterson, promoter of cybersecurity cooperation. Raimo Peterson has helped the NATO Cyber ​​Defense Center to become an internationally recognized center of expertise. Under his leadership, the Locked Shields cyber defense exercise has become one of the world’s largest among its kind. He has also developed a critical information infrastructure capability in the form of a laboratory that is used by both Estonian state authorities and large private companies.

Congratulations!

Links:
https://news.err.ee/679885/president-of-estonia-to-bestow-state-decorations-on-166-individuals
https://tehnika.postimees.ee/4398027/id-kaardi-kriisi-lahendaja-eesti-e-riiki-ei-saa-kinni-panna
https://president.ee/et/eesti-tanab/teenetemarkide-kavalerid-2018/14008-margus-arm/layout-decoration.html
https://president.ee/et/eesti-tanab/teenetemarkide-kavalerid-2018/14039-kaarel-raspel/layout-decoration.html
https://president.ee/et/eesti-tanab/teenetemarkide-kavalerid-2018/14015-kaija-kirch/layout-decoration.html
https://president.ee/et/eesti-tanab/teenetemarkide-kavalerid-2018/13972-raimo-peterson/layout-decoration.html

Let’s speak about cyber security @Elektrilevi

The first meetup will be brought to you in cooperation with Elektrilevi and will focus on cyber security issues in energetics sector. The goal of the first seminar is to map out the interest in cybersecurity topics in the field of energy and finding opportunities for collaborative projects in SmartGrid area. Elektrilevi supplies electricity to almost all households and companies in Estonia. Their role as the largest network operator is to ensure the constant supply of electricity to our customers. Elektrilevi manages a unique SmartGrid network that covers almost the whole country. The technology has brought many new solutions but also some new issues to be resolved in cyber security domain. In the meetup, we will discuss the different cyber security questions and challenges in energetics sector.

SCHEDULE
15:00 – 15:05 Moderator’s welcome to the Let’s speak about cyber security @ meetup series – Marily Hendrikson, Cyber Security project manager at Startup Estonia team
15:05 – 15:15 Introduction to Elektrilevi – Taavi Liivandi, Head of Smart Grid Development Center @Elektrilevi
15:15 – 16:15 Cyber security @Elektrilevi – Indrek Künnapuu, Information security manager @Elektrilevi
PAUSE
16:20 – 17:05 Klaid Mägi, Head of CERT EE @Information System Authority.
Networking until 17.30

Links:
https://www.meetup.com/Lets-speak-about-cyber-security/events/246449690/

MSc thesis: Security of Loyalty Cards Used in Estonia

Abstract
This thesis identifies the card technologies used in loyalty programs across Estonia. These technologies include magnetic-stripe cards, contactless cards (in the form of MIFARE Classic, MIFARE Ultralight, MIFARE DESFire EV1 and low frequency RFID cards) and a smart card known as the Estonian electronic identification card (ID card). Each card type implements its own security features to prevent cloning and/or unauthorized access to the content stored on the card. The contents of each card was read and the method in which it was used in the system analysed. In the cases where possible a clone of the card was created and tested against the real system to verify that it passed the authentication procedures.

This is MSc thesis from TUT Cyber Security curriculum. The thesis was defended in June 2017.

The thesis analyzed cloneability aspects of the loyalty cards used in Estonia. While the magnetic-stripe cards are known to be trivially cloneable, the study also analyzed bunch of contact-less cards: MyFitness, Elron, Tallinn Bus Card, ISIC, SEB ISIC, Tartu Bus Card, Rimi Card. Only the Rimi and Elron card was found to withstand known cloning attacks.

Links:
http://kodu.ut.ee/~arnis/loyalty_thesis.pdf
http://kodu.ut.ee/~arnis/loyalty_slides.pdf

Estonian Defence Forces to set up Cyber Command of 300 hackers

The Estonian Defence Forces next year will create Cyber Command, which, if necessary, will also take cyber attacks against both virtual and physical targets.

“It will begin to carry out cyber-attacks in the entire spectrum, which means both defense and, if necessary, attack,” explained the undersecretary of the Ministry of Defense Erki Kodar meeting today in Tallinn with the international press. Kodar pointed out that Estonia does not plan to use the cybersecurity’s capability to act only in cyberspace, but also, if necessary, in other areas of warfare, in other words to attack physical targets.

“All of this activity must, of course, be based on Estonian law and in accordance with international law,” Kodar confirmed.

The unit should begin work on August 1, 2018 and achieve full capacity for work by 2020. By that time, 300 people should serve the cyber command. The cyber command is not very common in the world or in NATO allied countries. A similar entity already works in the United States, the United Kingdom, Germany, France and the Netherlands. Next year Estonia will be added to the list.

The number 300 is a big number for the small Estonia. This will be very expensive for the Defence Forces, because these specialists are paid a lot in the private sector.

Links:
https://geenius.ee/uudis/eesti-kaitsevagi-loob-300-pealise-hakkerite-uksuse-mis-hakkab-vajadusel-ka-fuusilisi-sihtmarke-rundama/
https://www.youtube.com/watch?v=PKC-nWRfez4

Smart-ID paper: Server-Supported RSA Signatures for Mobile Devices

Abstract
We propose a new method for shared RSA signing between the user and the server so that: (a) the server alone is unable to create valid signatures; (b) having the client’s share, it is not possible to create a signature without the server; (c) the server detects cloned client’s shares and blocks the service; (d) having the password-encrypted client’s share, the dictionary attacks cannot be performed without alerting the server; (e) the composite RSA signature “looks like” an ordinary RSA signature and verifies with standard crypto-libraries. We use a modification of the four-prime RSA scheme of Damgård, Mikkelsen and Skeltved from 2015, where the client and the server have independent RSA private keys. As their scheme is vulnerable to dictionary attacks, in our scheme, the client’s RSA private exponent is additively shared between server and client. Our scheme has been deployed and has over 200,000 users.

The paper was published in proceedings of the conference ESORICS 2017, Oslo, Norway, September 11-15, 2017.

The paper contains several pages of cryptographic proofs. The RSA key generation involves “l-safe” primes, which is not a standard practice in generating RSA primes. This is worrisome, especially after it became known that the flaw in ID card was caused by other instance of nonstandard RSA prime generation.

Links:
https://link.springer.com/chapter/10.1007/978-3-319-66402-6_19

TallinnSec meetup: DevSec, 4G broadband modem pwning, Database Hoarding and Certbot

Tuesday, December 12, 2017, 17:00 to 20:00.
Technopolis Ülemiste, Lõõtsa 6, 2nd floor
Room name: Helsinki

Agenda:
17:10 – Sponsor greetings from Märt Ridala (Solita OÜ)
17:20 – Antti Virtanen: DevSec
17:50 – Iiro Uusitalo: WAN-to-LAN exploitation of 4G broadband modem
18:10 – Shamil Alifov: Database Hoarding. For fun and profit.
18:40 – Joona Hoikkala: Road ahead for encrypted web with Certbot and Let’s Encrypt
19:10 – Stefano Alberico: Communication solution based on end-to-end hardware encryption

Links:
https://www.meetup.com/TallinnSec/events/244711668/