Cyber Security master’s theses defense in TalTech/UT (August 2021)

Defence of master theses of Cyber Security curriculum on August 10th 2021 online

Time: 09:00
Student: Ilker Furkan Kahyalar
Title: A Comparative Study of Virtualization Solutions for Cybersecurity Labs
Supervisor: Risto Vaarandi
Reviewer: Toomas Lepik

Time: 09:40
Student: Martin Välbe
Title: Benchmarking of Android Applications’ System Calls Behavior: Implications for Malware Detection
Supervisor: Alejandro Manzanares, Tarmo Oja
Reviewer: Risto Vaarandi

Time: 10:20
Student: Mohamed Nasef Ibrahim Mohamed
Title: Towards a new method for teaching malware analysis for Cyber Security students
Supervisor: Toomas Lepik
Reviewer: Pavel Tšikul

Time: 11:30
Student: Thilina Nenathunga
Title: Identity and Access Management, and Audit trails for Continuous Delivery infrastructure on Amazon Web Services platform
Supervisor: Toomas Lepik
Reviewer: Risto Vaarandi

Time: 12:10
Student: Bisrat Woldeyes Ambaye
Title: Adversarial Machine Learning Poisoning Attacks on Mobile Check Deposits
Supervisor: Alejandro Manzanares
Reviewer: Matthew Sorell

Time: 12:50
Student: Md Forhad Hossain
Title: Adapting Active Learning for Intrusion Detection Within Security Operation Center Context
Supervisor: Hayretdin Bahsi
Reviewer: Alejandro Manzanares

Time: 14:00
Student: Muhammad Junaid Farrukh
Title: Evaluation of Agile Threat Modeling Methods to Identify Threats to Privacy in Robotic Systems
Supervisor: Andrew Roberts
Reviewer: Shaymaa Khalil

Time: 14:40
Student: Raigo Vilur
Title: Evaluation of Secure Channel Communication for Cloud-Based Autonomous Vehicle Telematics
Supervisor: Andrew Roberts, Nikita Snetkov
Reviewer: Olaf Maennel

Defence of master theses of Cyber Security curriculum on August 11th 2021 online

Time: 12:00 (closed defence)
Student: Wellington Oscar Alves De Souza
Title: Cybercrime knowledge of identity theft investigators in Estonian FinTech
Supervisor: Maria Claudia Solarte Vasquez, Sten Mäses
Reviewer: Toomas Vaks

Time: 12:40
Student: Abhisek Ojha
Title: Cybersecurity Awareness among Engineering students of West Bengal , India
Supervisor: Sten Mäses
Reviewer: Kaido Kikkas

Time: 13:40
Student: Alex Bindevald
Title: Cyber Security at schools – challenges, opportunities and needs for CTF-solution
Supervisor: Birgy Lorenz
Reviewer: Sten Mäses

Time: 14:20
Student: Orkhan Rustamli
Title: Analysis of Cyber Security Awareness Level of Secondary High-school Students: The Case of Azerbaijan
Supervisor: Kaie Maennel
Reviewer: Sten Mäses

Defence of master theses of Cyber Security curriculum on August 12th 2021 online

Time: (withdrawn)
Student: Anupam Rakshit
Title: Pragmatic Comparison of Machine Learning Models to Detect The Type Of Attacks In An IoT Network Traffic
Supervisor: Pelle Jakovits
Reviewer: Alejandro Manzanares

Time: 10:00
Student: Vasile Tarlev
Title: Compatibility of the European Blockchain Service Infrastructure with the European Union General Data Protection Regulation
Supervisor: Anna-Maria Osula, Andres Ojamaa, Vladimir Rogojin
Reviewer: Eneken Tikk

Time: 10:40
Student: Henry Ochieng’ Dola
Title: Cyber Threat Modeling of A Water Quality Monitoring System
Supervisor: Hayretdin Bahsi, Jeffrey Andrew Tuhtan
Reviewer: Andrew Roberts

Time: 11:20
Student: Andris Männik
Title: Cyber Awareness Verification Using Phishing Assessments
Supervisor: Kaido Kikkas
Reviewer: Kaie Maennel

Time: 12:30
Student: Oluwatosin Soremekun
Title: Method for cyber threat modelling and validation of public transportation systems
Supervisor: Hayretdin Bahsi, Andrew Roberts
Reviewer: Liivar Luts

Time: 13:10
Student: Tino Apostolovski
Title: Design of a system for secure communication between ATC and Drone Pilot
Supervisor: Olaf Maennel, Dariana Khisteva
Reviewer: Andrew Roberts, Nikita Snetkov

Time: 13:50
Student: Gulkhara Babayeva
Title: Domain Ontology for Cyber Defense Exercises
Supervisor: Olaf Maennel, Kaie Maennel
Reviewer: Rain Ottis

August 12, 2021 online:

Time: 09:00
Student: Olorunshe Temilola Esther (Cyber Security MSc)
Title: Recognition of Phishing Attacks and its Impact: A Case Study
Supervisor: Raimundas Matulevicius
Reviewer: Abasi-Amefon Affia

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2021 (June)

Leave a reply

The defences are taking place on the first and second week of June.

June 2, 2021:

Time: 09:45
Student: Toomas Aleksander Veromann (Software Engineering MSc)
Title: WYSIWYS Extensions to the Estonian ID Card Browser Signing Architecture
Supervisor: Arnis Paršovs
Reviewer: Mart Sõmermaa

Time: 10:30
Student: Sébastien René Baptistin Boire (Computer Science MSc)
Title: Credential Provisioning and Peer Configuration with Extensible Authentication Protocol
Supervisor: Tuomas Aura, Dominique Unruh
Reviewer: Arnis Paršovs

Time: 10:30
Student: Mariia Bakhtina (Innovation & Technology Management MA)
Title: Securing Passenger’s Data in Autonomous Vehicles
Supervisor: Raimundas Matulevičius, Mari Seeba
Reviewer: Abasi-Amefon Obot Affia

Time: 11:30
Student: Burak Can Kus (Cyber Security MSc)
Title: Use of Electronic Identity Documents for MultiFactor Authentication
Supervisor: Arnis Paršovs
Reviewer: Inguss Treiguts

Time: 12:15
Student: Priit Põdra (Cyber Security MSc)
Title: Web tracking in the most popular Estonian websites
Supervisor: Arnis Paršovs
Reviewer: Raimundas Matulevičius

Time: 13:00
Student: Mikus Teivens (Cyber Security MSc)
Title: Analysis of Security and Privacy Issues in Common Smart Home Products
Supervisor: Arnis Paršovs
Reviewer: Alo Peets

June 4, 2021:

Time: 11:30
Student: Magnus Valgre (Computer Science BSc)
Title: Tracking And Privacy: The Case of News Site Delfi
Supervisor: Arnis Paršovs
Reviewer: Mari Seeba

June 7, 2021:

Time: 09:00
Student: Hain Luud (Computer Science BSc)
Title: An Analysis of the HID® Indala and Seos™ Protocols
Supervisor: Danielle Morgan
Reviewer: Kristjan Krips

Time: 09:30
Student: Geio Illus (Computer Science BSc)
Title: Wi-Fi Positioning System
Supervisor: Danielle Morgan
Reviewer: Jakob Mass

Time: 11:00
Student: Peeter Vahe (Computer Science BSc)
Title: Tartu Smart Bike Share Access Cards Authentication Analysis
Supervisor: Danielle Morgan
Reviewer: Alo Peets

June 11, 2021:

Time: 09:30
Student: Jan Erik Kriisk (Computer Science BSc)
Title: Security Analysis of RIA’s Authentication Service TARA
Supervisor: Arnis Paršovs
Reviewer: Kristjan Krips

Time: 11:00
Student: Siim Markus Marvet (Computer Science BSc)
Title: Collecting Statistics and Security Data on Estonian Domains
Supervisor: Alo Peets
Reviewer: Kristjan Krips

Links:
https://www.cs.ut.ee/sites/default/files/cs/defence_schedule_01-11.06.2021.pdf
https://comserv.cs.ut.ee/ati_thesis/index.php?year=2021&language=en

Cyber Security master’s theses defense in TalTech (May 2021)

Leave a reply

Cyber Security curriculum MSc theses defences on May 27th 2021 (online):

Time: 10:00
Student: Tarvo Arikas
Title: Streaming event correlation and complex event processing using open-source solutions
Supervisor: Risto Vaarandi
Reviewer: Mauno Pihelgas

Time: 10:40
Student: Janno Arnek
Title: Improving cybersecurity level of Estonian small and medium sized enterprises through coordination with national level
Supervisor: Sille Laks
Reviewer: Anna-Maria Osula

Time: 11:50
Student: Tedel Baca
Title: Critical infrastructure protection in the Republic of Kosovo: A policy-analysis on the protection of electric-energy and water-supply sectors
Supervisor: Mika Kerttunen, Kristine Hovhannisyan
Reviewer: Adrian Venables

Time: 12:30
Student: Risto Kasepuu
Title: Designing an artifact to support cybersecurity policy development in small and medium enterprises
Supervisor: Mika Kerttunen, Andro Kull
Reviewer: Adrian Venables

Time: 13:20
Student: Dariana Khisteva
Title: A proposal of integrating open-source IDS into vessel’s bridge network
Supervisor: Olaf Maennel, Gabor Visky
Reviewer: Risto Vaarandi

Time: 14:00
Student: Stanislav Mekinulashvili
Title: Sniffing encrypted BLE traffic after changing connection parameters, using low-cost hardware that captures only one channel at a time
Supervisor: Olaf Maennel
Reviewer: Toomas Lepik

Time: 14:40
Student: Yazeed Basim Aeadah Alhaddad
Title: Ghost Injection Attack on Automatic Dependent Surveillance-Broadcast Equipped Drones Impact on Human Behavior
Supervisor: Erwin Orye
Reviewer: Jaan Priisalu

Cyber Security curriculum MSc theses defences on May 28th 2021 (online):

Time: 10:00
Student: Juan Manuel Delgado Garcia
Title: Forensic Analysis of Privacy-Oriented Cryptocurrency Wallets
Supervisor: Hayretdin Bahsi
Reviewer: Pavel Tsikul

Time: 10:40
Student: Faisal Sumaila
Title: Extraction and Analysis of Forensic Artifacts from Automotive Maintenance Applications
Supervisor: Hayretdin Bahsi
Reviewer: Matthew Sorell

Time: 11:50
Student: Yoshihisa Furushita
Title: Sources of artifacts in video
Supervisor: Matthew Sorell, Pavel Tšikul
Reviewer: Richard Matthews

Time: 12:30
Student: Kärte Pärend
Title: Forensic Traces of Messaging Applications on Android and iOS Mobile Phones
Supervisor: Sten Mäses, Priit Lahesoo
Reviewer: Matthew Sorell

Time: 13:20
Student: Karoliina Koppel
Title: Securing Software Supply-Chain Using OWASP Application Security Verification Standard: A SimplBooks Case Study
Supervisor: Toomas Lepik
Reviewer: Andrew Roberts

Time: 14:00
Student: Rooya Karimnia
Title: Culturally-Sensitive Instructional Design Of A Cybersecurity Awareness Program For High School Students In Iran, Hormozgan
Supervisor: Kaie Maennel, Mahtab Shahin
Reviewer: Stefan Sütterlin

Cyber Security curriculum MSc theses defences on May 31th 2021 (online):

Time: 10:00
Student: Jelizaveta Vakarjuk
Title: Converting a post-quantum signature scheme to a two-party signature scheme
Supervisor: Ahto Buldas, Jan Willemson
Reviewer: Ahto Truu

Time: 10:40
Student: Esteban Josue Ramirez Rojas
Title: Preserving Information’s Integrity and Confidentiality with Blockchain in the Service Supply Chain
Supervisor: Jaan Priisalu, Alex Norta
Reviewer: Nikita Snetkov

Time: 11:50
Student: Ali Ghasempour
Title: HTTP based Network Intrusion Detection System by Using Machine Learning-Based Classifier
Supervisor: Risto Vaarandi, Alejandro Manzanares
Reviewer: Hayretdin Bahsi

Time: 12:30
Student: Mauricio Antonio Duarte Lara
Title: Prototyping A Serious Game On Information Manipulation
Supervisor: Maria Claudia Solarte Vasquez, Adrian Venables
Reviewer: Rain Ottis

Time: 13:20
Student: Madis Männik
Title: Smart meter threat detection based on log analysis
Supervisor: Gabor Visky
Reviewer: Risto Vaarandi

Time: 14:00
Student: Alex Bindevald
Title: Cyber security at schools – challenges, oppurtunities and needs for CTF-solution
Supervisor: Birgy Lorenz
Reviewer: Tiia Sõmer

Cyber Security Newsletter 2021-02-22

Leave a reply

[2021-02-18] The Ministry of Economic Affairs and Communications (MKM) will establish a new state cyber security department joining the current state information systems department (RISO) and the information society services development department.
https://digi.geenius.ee/rubriik/uudis/valitsus-korrastab-digiriiki-luuakse-uus-riiklik-kuberturvalisuse-osakond/
[2021-02-18] The LokiBot malware is being distributed using a spoofed e-mail address of the TalTech rector. The phishing email is written in good Estonian and as a pretext invites recipients to participate in a procurement. As a response, TalTech has enabled DMARC so that recipients could detect emails from spoofed @taltech.ee addresses.
https://www.taltech.ee/uudised/tahelepanu-tallinna-tehnikaulikooli-rektori-nime-alt-tulnud-hinnaparingud-petukirjad-ja
https://taltech.ee/en/news/attention-price-inquiries-sent-under-name-rector-taltech-are-e-mail-scam-and-university-asks
https://forte.delfi.ee/artikkel/92598139/kustuta-kohe-petukiri-korgel-tasemel-tehnikaulikooli-rektori-tiit-landi-nime-alt-laks-tana-teele-massiliselt-libaparinguid
[2021-02-17] An information security specialist of Viljandi Hospital raised a privacy issue of PDF and DDOC signature files being sent for validation to RIA validation service SiVa. According to RIA, data is not permanently stored on RIA servers and the DigiDoc4 client explicitly asks for permission before the file is sent to RIA. The DDOC file validation logic has been moved server side to simplify the DigiDoc4 client-side software. On a side note, people have forgotten that a few years ago, all documents signed using Mobile-ID were sent to the SK DigiDocService.
https://www.ohtuleht.ee/1026090/paranoia-voi-suure-venna-sund-digiallkirja-kehtivuse-kontrollimiseks-laheb-dokument-kogu-taiega-riigi-katte-miks
[2020-02-16] At the end of 2020, an ID card authentication bypass flaw was found in the Coop Pank’s internetbank environment. Since Coop Pank also provides a bank link authentication service, the eesti.ee e-service and other e-services supporting the bank link option were also affected. A similar flaw was also found in elisa.ee, printincity.ee and arved.ee.
https://www.youtube.com/watch?v=cObPmkK7zaY
https://www.youtube.com/watch?v=IQ5UK2VwN4w
https://digi.geenius.ee/rubriik/uudis/coopi-internetipangas-oli-turvaauk-mis-voimaldas-ligipaasu-voora-inimese-kontole/
https://digi.geenius.ee/rubriik/uudis/coop-pank-turvaviga-sai-operatiivselt-parandatud-interneti-ja-mobiilipanga-kasutamine-on-taiesti-turvaline/
https://digi.geenius.ee/rubriik/uudis/turvaauk-elisa-iseteeninduses-ning-arved-ee-keskkonnas-voimaldas-paaseda-voorale-kontole/
[2021-02-12] In January 2021, Estonian banks lost more than 200 thousand euros in Smart-ID and Mobile-ID phishing attacks.
https://majandus24.postimees.ee/7178741/pangakelmustega-peteti-eesti-inimestelt-jaanuaris-valja-ule-200-000-euro
[2021-02-10] The personal data of 5000 persons was leaked from the Mineral Garden (mineralgarden.org – Living Minerals OÜ) online store. The names, email addresses, phone numbers, home addresses, and shopping cart information of thousands of Mineral Garden customers were searchable on Google. The Data Protection Inspectorate initiated a supervisory procedure. The shop is controversial as it distributes a harmful substance advertised as a miracle cure. Postimees published the name of a parliament member, who was found in the leak to have purchased the substance.
https://digi.geenius.ee/rubriik/uudis/hiiglaslik-andmeleke-mmsi-tellinud-klientide-andmed-rippusid-avalikult-internetis/
https://leht.postimees.ee/7176185/nimed-telefoninumbrid-aadressid-tuhandete-eesti-veebipoe-klientide-andmed-rippusid-avalikult-internetis
[2021-02-10] From March 2021, RIA will stop supporting bank link in the state authentication service TARA, because the security of bank link authentication mechanisms has not been assessed according to eIDAS regulation. The change will affect approximately 7000 people, which accounts for about 1% of all authentications in TARA. This move has been long awaited as the use of banks as authentication providers has never had legal basis and security flaws in banking systems have put personal data, that is accessible through the bank link, at risk.
https://www.ria.ee/et/uudised/1-martsist-ei-saa-teatud-riiklikesse-e-teenustesse-pangalingi-kaudu-siseneda.html
https://www.ria.ee/en/news/1-march-it-will-no-longer-be-possible-access-certain-public-e-services-bank-link.html
https://www.ria.ee/et/uudised/osasse-riiklikesse-e-teenustesse-ei-saa-alates-martsist-pangalingi-kaudu-siseneda.html
https://forte.delfi.ee/artikkel/92520083/alates-1-martsist-ei-paase-pangalingiga-enam-38-e-teenusesse-sh-riigiportaali
https://digi.geenius.ee/rubriik/uudis/riigiteenustesse-ei-saa-pangalingiga-martsist-enam-siseneda-pohjuseks-euroopa-liidu-seadus/
https://news.err.ee/1608104449/some-public-e-services-cannot-be-accessed-via-a-bank-link-from-march
[2021-02-05] The litigation between PPA and the Estonia ID card manufacturer Gemalto has reached a compromise with Gemalto paying the state 2.2 million EUR in compensation. While the press release only mentions the ID card security incident in 2017, the compromise also covers the claim against Gemalto regarding private key generation outside the ID card.
https://www.politsei.ee/en/news/a-settlement-agreement-has-been-signed-between-the-police-and-border-guard-board-and-gemalto-ag-tallinn-2021
https://forte.delfi.ee/artikkel/92482559/politsei-loobus-hiigelhagist-gemalto-vastu
https://forte.delfi.ee/artikkel/92191151/see-pole-enam-isegi-naljakas-moodunud-on-kaks-aastat-ja-kohus-pole-joudnud-politsei-ja-gemalto-kohtuasjas-mitte-kuskile
https://digi.geenius.ee/rubriik/uudis/vigaste-id-kaartide-tootja-gemalto-maksab-eesti-riigile-22-miljonit-eurot-huvitist/
https://www.err.ee/1608099706/ppa-ja-gemalto-joudsid-kokkuleppele-ettevote-maksab-2-2-miljonit-eurot
https://news.err.ee/1608100102/gemalto-ppa-reach-compromise-over-id-card-security-weakness
[2021-02-03] RIA fixed an authentication man-in-the-middle flaw in the ID card browser signing extension. The flaw (a feature to sign raw values using the authentication key) was quietly introduced in 2017 without a proper security analysis. Swedbank began using the feature to authenticate their clients at the end of 2020, because it was considered to be more reliable than TLS client certificate authentication.
https://www.youtube.com/watch?v=Qr638sbaZ_M
https://www.ria.ee/en/news/information-system-authority-ria-and-its-partners-fixed-critical-bug-id-card-browser-extension.html
https://digi.geenius.ee/eksklusiiv/swedbank-kasutas-turvanorkusega-id-kaardi-laiendust-kaks-aastat-pank-pidas-seda-tookindlamaks/
[2021-02-03] Geenius wrote an article about the recent repeated failures of revoking ID cards of deceased persons. RIA in 2019 initiated a supervisory procedure which still has not been completed.
https://digi.geenius.ee/eksklusiiv/teist-korda-jaid-hulga-surnud-inimeste-id-kaartide-sertifikaadid-kehtetuks-tunnistamata/
[2021-01-25] CERT-EE reported that in December 2020, an ID card authentication bypass flaw was found in the website of quick loan provider (credit24.ee), which would have provided the opportunity to take a quick loan on behalf of a stranger.
https://www.ria.ee/et/uudised/detsembris-lahendati-oluline-turvanorkus-kiirlaenu-pakkuja-veebilehel.html
https://forte.delfi.ee/artikkel/92359667/kiirlaenu-pakkuja-veebilehel-avastati-ohtlik-turvanorkus
[2021-01-26] Liisa Past and Jan Willemson from Cybernetica, in the Digital Government podcast (30min), talk about the historical and cognitive aspects of i-voting and explain how technology and math ensure a secure and trustworthy solution.
https://www.buzzsprout.com/1191800/7491415-what-makes-online-voting-secure
[2021-01-25] Estonian server hosting company Zone.ee experienced a DDoS attack. The attack lasted a total of five hours and affected the company’s operations.
https://digi.geenius.ee/rubriik/uudis/eesti-serverimajutusettevote-on-aktiivse-ddos-runnaku-all/
[2021-01-25] The Ministry of Economic Affairs and Communications (MKM), the State Information System Authority (RIA) and the State Electoral Service (RVT) signed a cooperation agreement to define the division of tasks between the agencies for organizing i-voting security. MKM will organize a security audit. RVT undertakes the development of the i-voting system and organization of security testing and risk analysis. RIA will provide hosting services and perform security testing and logging. RVT and RIA will undertake the procurement of a technical and legal analysis of the possibility of voter identification by facial biometrics. The analysis should be conducted by 1 June 2021.
https://www.ria.ee/et/uudised/mkm-ria-ja-rvt-solmisid-koostoolepingu-e-valimiste-kuberturvalisuse-korraldamiseks.html
[2021-01-24] The Estonian government recently fell and a new one was formed with a new Minister of Foreign Trade and IT: Andres Sutt (Reform). The political position on i-voting has now significantly changed as the coalition agreement seeks to develop a mobile app for i-voting.
https://news.err.ee/1608084379/who-s-who-estonia-s-new-government
https://news.err.ee/1608086476/coalition-agreement-center-reform-government-2021-2023
https://twitter.com/ikubjas/status/1353315211571294213
[2021-01-14] The Ministry of Economic Affairs and Communications (MKM) announced a public procurement tender for the audit of the i-voting system. The purpose of the audit is to get a reasoned assessment of the security of the election information systems and proposals for improvements that can raise the level of security. The audit shall be performed by internationally renowned auditors and information security specialists. The deadline for presenting the project’s final report is October 1, 2021.
https://news.err.ee/1608073477/ministry-seeking-international-auditor-to-check-security-of-e-elections
[2021-01-05] On 2021-01-05, Smart-ID, Mobile-ID and ID-card authentication and signing services were disrupted for a few hours. The state does not know the reason behind the failures and did not answer whether the question of whether a supervisory procedure will be initiated against SK ID Solutions AS.
https://majandus24.postimees.ee/7147961/riiklikud-autentimisteenused-olid-hairitud
https://news.err.ee/1228642/disruptions-in-use-of-mobile-id-still-possible
https://digi.geenius.ee/rubriik/uudis/riik-ei-tea-pohjust-miks-oli-mobiil-id-ja-id-kaardi-too-korraga-hairitud/
[2021-01-04] On 2021-01-04, SK ID Solutions AS failed to rotate the OCSP signer’s certificate, as a result, for 10 hours OCSP responses were signed with an expired certificate.
https://www.skidsolutions.eu/en/News/certifier-esteid2018-validity-information-responses-were-signed-with-an-expired-certificate/
[2020-12-22] A research article by Valeh Farzaliyev, Kristjan Krips and Jan Willemson (Cybernetica): “Developing a Personal Voting Machine for the Estonian Internet Voting System”. The article describes a proof-of-concept i-voting client implemented on a microcontroller. The client only supports Mobile-ID for casting an i-vote. The source code of the client and build instructions have been published in GitHub.
https://research.cyber.ee/~janwil/publ/votingclient-final.pdf
https://github.com/Valeh2012/PersonalVotingMachine
[2020-12-18] RIA has published a technical report produced by Cybernetica: “Analysis of planned architectural changes in Open-eID”. The work analyzes the proposed alternative to TLS certificate authentication – authentication using a new web browser extension that RIA is currently developing.
https://web-eid.gitlab.io/analysis/webextensions-main.pdf
[2020-12-04] The Data Protection Inspectorate (AKI) initiated a supervisory procedure against the Health Board (TA) in connection with the COVID-19 data leak of 9158 persons. However, the Health Board will not be fined, because AKI does not have the power to fine another state agency.
https://digi.geenius.ee/rubriik/uudis/suur-isikuandmete-leke-ei-too-terviseametile-trahvi-kaela/

Cybersecurity related master’s theses in University of Tartu 2021 (January)

Leave a reply

Student: Jayavarshini Thirumalai (Cyber Security MSc)
Title: An integrated approach for certification and re-certificationbased on the case study
Supervisor: Liina Kamm, Mari Seeba
Reviewer: Raimundas Matulevičius

Student: Valeh Farzaliyev (Computer Science MSc)
Title: Towards Practical Post-Quantum Voting Protocol: Shorter Exact Lattice-Based Proof of a Shuffle
Supervisor: Dominique Unruh, Jan Villemson
Reviewer: Janno Siim

Student: Jamil Gurbanzade (Computer Science MSc)
Title: Malicious Android app for security testing
Supervisor: Alo Peets
Reviewer: Denizalp Kapisiz

Cyber Security master’s theses defense in TalTech (January 2021)

Leave a reply

Cybersecurity curriculum MSc theses defences on January 11th 2021 (online):

Time: 9:30
Student: Electra Zoe Karamargin
Title: Going dark: a Forensic Analysis of Biometric Asset Management within Smart Eyewear, toward the Rising Conflict Between Security Through Privacy by Design and Forensic Investigation
Supervisor: Hayretdin Bahsi
Reviewer: Matthew Sorell

Time: 10:10
Student: Siim Sarv
Title: Using Event Correlation to Detect Security Incidents from Windows Workstations
Supervisor: Risto Vaarandi
Reviewer: Toomas Lepik

Time: 10:50
Student: Alvaro-Wim Schuller Fernandez
Title: Developing a Scada Testbed from a Design Science Approach
Supervisor: Hayretdin Bahsi
Reviewer: Andrew Roberts

Time: 12:00
Student: Jaanus Kääp
Title: Hyper-V VMBus Based Traffic Interception and Fuzzing
Supervisor: Sille Laks
Reviewer: Bernhards Blumbergs

Time: 12:40
Student: Kapil Yadav
Title: Information Security Management for Teleworking in Small and Medium Enterprises during the COVID-19 Crisis
Supervisor: Kaie Maennel
Reviewer: Adrian Venables

Time: 13:20
Student: Ivo Malve
Title: Dark Triad in Central Route to Persuasion: a Personality-based Phishing Susceptibility Study
Supervisor: Kieren Lovell
Reviewer: Stefan Sütterlin

Time: 14:15
Student: Anastasiya Kornitska
Title: Exploring How to Establish Cross-functional Teams for Cybersecurity of Industrial Control Systems
Supervisor: Hayretdin Bahsi
Reviewer: Rain Ottis

Time: 14:55
Student: Arefeh Fathollahi Kalkhoran
Title: A Systematic Process to Improve Data Loss Prevention in a Large Organization
Supervisor: Hayretdin Bahsi
Reviewer: Tiia Sõmer

Time: 15:35 (withdrawn)
Student: Furkan Atlas
Title: A Comparative Study: Evaluating the Efficiency of Looking Glasses in Helping Monitor BGP Attacks
Supervisor: Olaf Maennel
Reviewer: Toomas Lepik

Cyber Security Newsletter 2021-01-04

Leave a reply

[2020-12-30] A new version of the Election Information System (VIS) is being developed which will introduce an electronic list of voters making it possible to cancel an already given i-vote on election day with a paper vote. News portal Geenius tried to establish whether the authorities are performing background checks on the employees of private companies, Nortal and Cybernetica, involved in the development of the information systems for elections. Not clear whether such checks are needed as the security of the elections should not depend on the integrity of the developers.
https://digi.geenius.ee/rubriik/uudis/kas-valimiste-infosusteemide-arendajate-taust-on-riigile-teada-riigiasutused-keerutavad/
[2020-12-29] Äripäev’s Russian-language website dv.ee experienced a large-scale DDoS attack. Äripäev’s editor-in-chief believes that the attacks are related to the published story about cryptocurrency millionares in Ida-Viru.
https://digi.geenius.ee/rubriik/uudis/aripaev-sattus-parast-ida-viru-kruptomiljonaride-uurimise-kajastamist-kuberrunnaku-ohvriks/
[2020-12-28] Arnis Parsovs (UT) has published the draft of his PhD dissertation “Estonian Electronic ID card and its Security Challenges”.
https://cybersec.ee/storage/phd_idcard.pdf
[2020-12-22] An anonymous interview was given for the Kanal 2 television channel where the coronavirus vaccine plan was criticized. The Health Board used a freeware program downloaded from the Internet to remove the voice distortion added to anonymize the source. As a result, the whistle blower was identified and asked to resign from the Health Board.
https://leht.postimees.ee/7139982/terviseametist-vallandatud-simmo-saar-naitab-napuga-sotsiaalministeeriumi-suunas
https://news.err.ee/1215910/health-board-comms-chief-asked-to-resign-after-criticizing-vaccine-plan
[2020-12-18] The Minister of Finance Martin Helme (EKRE) said that Estonian e-elections are not verifiable. The head of the state electoral service refuted the statements of the minister.
https://digi.geenius.ee/rubriik/uudis/martin-helme-eesti-e-valimised-ei-ole-kontrollitavad-ning-neil-puudub-vaatlemise-voimalus/
[2020-12-16] Sten Mäses (TalTech) defended his PhD thesis “Evaluating Cybersecurity-Related Competences through Simulation Exercises”.
https://digikogu.taltech.ee/et/Item/b4c33d3b-e7ce-48ad-98ad-a0add5e571a3
[2020-12-16] For years, an IT employee with a state secret permit mined cryptocurrency at the Ämari air base, bought expensive equipment with the Estonian defense budget and smuggled computer components out of the base to sell them in online forums. The purchased goods were not accounted for in the air monitoring division. From 2015 until his arrest in January 2019, the man illegally used devices belonging to the Defense Forces to extract cryptocurrencies worth 30,404 euros and misappropriated at least 190 devices with the total value of 48,935 euros.
https://ekspress.delfi.ee/artikkel/91976323/it-mees-armaani-tegi-eesti-kaitserahaga-osturallit-ja-avas-amaris-salajase-kruptorahakaevanduse
[2020-12-08] The Ministry of Interior sells the residence addresses entered in the population register to commercial enterprises for the purpose of sending advertisements or invitations to participate in surveys. Names, e-mail addresses, dates of birth and personal identification codes are not disclosed to the companies, but the addresses can be purchased by specifying the characteristics such as age, gender and mother tongue. People can opt-out by restricting access to their data in the e-service at rahvastikuregister.ee. In 2019, the data was sold to five customers and the state earned 8,205 EUR.
https://forte.delfi.ee/news/digi/riik-muutis-inimeste-aadressid-ariks-siseministeerium-muub-rahvastikuregistri-andmeid-otsepostitusfirmadele?id=91904305
[2020-12-07] The Estonian Foreign Intelligence Service (EFIS) allowed an active intelligence officer to give an interview to Postimees. The interview followed strict secrecy rules and Postimees did not learn the agent’s identity. This activity is likely related to the job ads recently put out by the Estonian Foreign Intelligence Service.
https://news.postimees.ee/7127281/estonian-intelligence-operative-our-special-tool-is-our-brain
[2020-12-07] The 6th Interdisciplinary Cyber Research conference took place in a semi-online format. The video recordings and proceedings are available.
https://www.taltech.ee/en/icr2020
[2020-12-02] By exploiting a flaw in the content management software Drupal, attackers compromised servers of the Ministry of Economic Affairs and Communications, the Ministry of Social Affairs and the Ministry of Foreign Affairs. The attackers downloaded 350GB of data from a total of 11 servers. The data mostly consisted of the data in the document management system. However, the attackers were also able to download a database containing data about 9158 corona-positive persons and their close contacts, that was stored as a LimeSurvey database in the Drupal instance of the Health and Welfare Information Systems Center (TEHIK). RIA initiated supervision proceedings, the Data Protection Inspectorate initiated its own proceedings and the Central Criminal Police initiated criminal proceedings of obtaining illegal access to the systems. Members of Parliament suspected that data from the national car registry had also been leaked, but this information was not confirmed.
https://news.err.ee/1192411/three-government-ministries-came-under-cyber-attack-in-november
https://news.postimees.ee/7123666/cybercriminals-attack-three-ministries
https://news.err.ee/1193476/november-s-cyber-attack-left-foreign-ministry-intranet-unmolested
https://www.err.ee/1192309/riigi-vastu-toimusid-kuberrunded-katte-saadi-9158-koroonapatsiendi-andmed
https://digi.geenius.ee/rubriik/uudis/ria-mkm-ei-kasutanud-infoturbe-osas-parimaid-praktikaid-algatasime-jarelevalvemenetluse/
https://digi.geenius.ee/eksklusiiv/koroonapositiivsete-andmed-lekkisid-limesurvey-teenusest-terviseamet-lopetas-selle-kasutamise/
https://digi.geenius.ee/rubriik/uudis/ministeerium-lukkab-riigikogulase-kahtlustuse-umber/
https://digi.geenius.ee/rubriik/uudis/riigikogulaseni-joudis-info-et-kuberrunnaku-kaigus-saadi-katte-rohkem-infot-kui-seni-on-oeldud/
[2020-12-01] RIA is developing an environment which will provide the possibility of installing additional smart card applications on the ID card. There are about four companies working on the creation of apps. The proof of concept will be completed by March 2021. RIA will not charge for apps, but it is possible that the use of the app will require a certain fee to be paid to the companies providing the apps.
https://digi.geenius.ee/rubriik/uudis/tulevast-aastast-saab-id-kaardile-appe-installida/
[2020-12-01] Internet shops of pharmacies Apotheka, Südameapteek and Azeta.ee allowed anyone to query another person’s prescriptions by entering their personal ID code. The Data Protection Inspectorate issued a precept-warning with a one-day compliance deadline and a penalty payment of 100,000 euros to these three pharmacy chains. The chains complied with the precept by the deadline and suspended the possibility for buying a prescription drug for another person from the e-pharmacy.
https://www.aki.ee/et/uudised/andmekaitse-inspektsioon-kohustas-e-apteeke-lopetama-koheselt-ligipaas-teise-inimese
https://www.err.ee/1196452/e-apteekidest-enam-teistele-inimestele-retseptiravimeid-osta-ei-saa
https://arileht.delfi.ee/news/uudised/vooraste-inimeste-retseptiinfot-avaldavad-apteegid-said-riigilt-hoiatuse?id=91845429
[2020-12-01] Citizen Lab reported that the Estonian Education and Research Network (EENet) hosts Circles surveillance technology that exploits weaknesses in the global mobile phone system SS7 to track people’s phone calls, text messages and location, from anywhere. The technology is sold only to governments, therefore the best guess is that it has been purchased by the Estonian Foreign Intelligence Service to spy on targets abroad. RIA, who are the end-users of the IP addresses, acknowledged that they were used by RIA’s “contract partners”, but refused to name them. Since RIA refused to clarify whether the use of these IPs complied with the EENet’s network policy, EENet blocked traffic to these IPs.
https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/
https://epl.delfi.ee/artikkel/91851591/suur-vend-jalgib-aga-keda-uurijad-paljastasid-hamarat-nuhkimissusteemi-kasutavad-valitsused-nimekirjas-on-ka-eesti
https://www.delfi.ee/news/paevauudised/eesti/voimalikule-eesti-nuhkimissusteemile-tombasid-kriipsu-peale-haridusametnikud?id=91877113
https://twitter.com/ikubjas/status/1333861285725921292
https://digi.geenius.ee/rubriik/uudis/ekspert-nuhkvarast-circles-riigil-on-tagauksed-niigi-olemas-tuvastamisel-piiraksid-telekomid-selle-kasutamist/
https://digi.geenius.ee/eksklusiiv/ria-keeldus-teisele-riigiametile-utlemast-miks-nad-jooksutavad-nende-susteemides-salajast-nuhkvara/
[2020-11-27] EveryPay AS, which offers payment solutions for Estonian e-shops (used by mTasku), made a mistake which resulted in the bank accounts for a few hundred people being emptied. According to the company, it was a human error in the development which the automatic tests did not catch. All affected customers have received a refund.
https://raha.geenius.ee/rubriik/uudis/eesti-maksevahendaja-eksitus-tuhjendas-monesaja-inimese-pangakonto/
[2020-11-21] Õhtuleht journalists tailed a ministerial car to reveal its misuse. The Minister of Justice asked the Prosecutor General to have the journalists’ activities investigated on the basis of section 137 of the Penal Code – the section on unauthorized surveillance. The Minister of Justice later claimed that this was a misunderstanding.
https://news.err.ee/1161772/journalists-association-justice-minister-reps-probe-a-press-freedom-threat
https://news.err.ee/1162648/prosecutor-s-office-will-not-open-proceedings-against-ohtuleht-journalists
[2020-11-21] A book chapter by Kärt Salumaa-Lepik (TalTech), Tanel Kerikmäe (TalTech) and Nele Nisu (Ministry of Social Affairs): “Data Protection in Estonia”.
https://link.springer.com/chapter/10.1007/978-94-6265-407-5_3
[2020-11-20] IT minister Raul Siem (EKRE) proposed using face recognition in i-voting to cut out voter fraud. The Electoral committee responded that the idea is not bad, but may be expensive. RIA supports the idea of using biometrics to identify a person, but acknowledged that this requires in-depth analysis.
https://www.err.ee/1161445/raul-siem-tahab-e-valimistel-hakata-inimesi-kaameraga-tuvastama
https://news.err.ee/1161488/it-minister-smartphone-camera-verification-would-cut-out-voter-fraud
https://news.err.ee/1162239/electoral-committee-face-verification-idea-not-bad-but-expensive
https://news.err.ee/1164544/kaimar-karu-face-recognition-could-be-added-to-e-voting-but-should-it
https://news.err.ee/1196515/it-entrepreneur-doubts-over-e-voting-reliability-is-political-issue
https://twitter.com/ikubjas/status/1329733968099299328
https://digi.geenius.ee/rubriik/uudis/ria-toetab-biomeetria-kasutamise-motet-isiku-tuvastamisel/
https://digi.geenius.ee/rubriik/uudis/itli-president-krull-naotuvastusega-e-valimised-ei-ole-rahvahaaletuse-ajaks-realistik-soov/
https://digi.geenius.ee/rubriik/uudis/it-minister-siem-e-haaletamine-peab-koigile-kattesaadav-olema/
https://digi.geenius.ee/rubriik/uudis/kaimar-karu-naotuvastusega-e-valimiste-teema-tostatus-juba-sel-ajal-kui-mina-olin-minister/
[2020-11-17] RIA held an online information day. Among the topics covered: new ID card browser extension; new CDOC 2.0 encryption format; new Mobile-ID solution; remote ID card certificate update and remote applet loading; the states authentication service TARA; the new information security standard. The video recordings and the transcribed Q&A are available.
https://blog.ria.ee/kusimused-ja-vastused-ria-infopaeva-esimene-paev-17-11-2020/
https://blog.ria.ee/kusimused-ja-vastused-ria-infopaeva-teine-paev-18-11-2020/
[2020-11-16] The Ministry of Economic Affairs and Communications (MKM) is planning an independent audit and security analysis on i-voting, however, the details of the audit are still unclear. The ministry plans to propose a model where the security management of i-voting will be two-stage – RIA organizes cyber security and MKM checks the whole process and gives the National Electoral Committee an opinion on whether cyber security is organized at a sufficient level to use electronic systems for conducting elections.
https://news.err.ee/1159591/economics-affairs-ministry-looking-to-tighten-up-e-voting-security
https://mkm.ee/et/uudised/siem-e-valimiste-turvalisus-riikliku-julgeoleku-kusimus
https://digi.geenius.ee/rubriik/uudis/e-valimistele-tehakse-it-ministri-juhtimisel-esimene-rahvusvaheline-audit/
https://digi.geenius.ee/rubriik/uudis/e-valimiste-auditi-osas-valitseb-veel-teadmatus/
[2020-11-12] SK ID Solutions AS annual conference was replaced with a video presentation. Among the topics covered: SK team has grown; Smart-ID solution is to be implemented in Iceland; SK has teamed up with TalTech to pre-emptively identify and counter phishing scams.
https://www.youtube.com/watch?v=2BBgScfRy0k
[2020-11-08] Minister of the Interior Mart Helme (EKRE) made a statement (without providing any evidence) that election results are falsified in favor of a particular political party by those with access to i-votes. The head of the state electoral service refuted all statements of the minister. The Minister of the Interior later resigned due to other unfounded claims in the context of the U.S. presidential elections.
https://digi.geenius.ee/rubriik/uudis/siseminister-mart-helme-seadis-eesti-e-valimiste-susteemi-ilma-toendeid-esitamata-kahtluse-alla/
https://news.err.ee/1157305/koppel-electoral-committee-does-not-falsify-election-results-in-estonia
https://forte.delfi.ee/news/varia/riigi-valimisteenistuse-juht-lukkab-umber-koik-mart-helme-vaited?id=91621201
https://digi.geenius.ee/rubriik/uudis/riigi-valimisteenistus-lukkab-kategooriliselt-umber-eksminister-helme-e-valimiste-teemalised-vaited/
[2020-11-01] A cyber defense exercise “Cyber Battle of Tartu” for pupils and students was held at the Delta Center in Tartu. The competition was organized by CybExer Technologies. The participants had to find vulnerabilities in the school’s information system, stop the attack on the hospital’s vital systems and prevent a cyber attack aimed at opening the museum’s treasury.
https://tartu.postimees.ee/7100809/kuberkaitsespetsialist-hans-lougas-internetis-peab-motlema-nagu-hakker
https://tartu.postimees.ee/7099309/tartu-ja-poltsamaa-gumnasistid-esindavad-eestit-rahvusvahelisel-kuberkaitsevoistlusel
[2020-10-29] In the second half of July this year, a new way of banking fraud began to spread – telephone phishing calls. As of the beginning of October, the police has reported 90 cases in which fraudsters have been able to cause damage totaling 200,000 euros. Criminals spoof a bank’s Caller ID, use waiting music, read out the customer’s personal identification code or other personal data, and use all means to create the illusion that the victim is indeed talking to a bank employee. The criminals create fear and state that an action is urgently needed. The victim’s phone receives Mobile-ID or Smart-ID authentication requests and the victim thinks that he is being identified by a bank employee. Scammers are speaking Russian and the victims are mainly the Russian-speaking customers. From the audio recording of the fraudulent call to Swedbank, it is possible to hear that the scammers operate a call center – in the background similar calls can be heard being made to other potential victims. Also the phishing e-mails sent on behalf of banks are once again spreading.
https://tarbija24.postimees.ee/7063755/pank-hoiatab-petukonede-ja-petusonumite-eest
https://www.ria.ee/et/uudised/sagenenud-venekeelsed-telefonikoned-raha-valja-petmiseks.html
https://www.err.ee/1153036/pangapettuste-ohvriks-langevad-enamasti-venekeelsed-kliendid
https://news.err.ee/1153654/ppa-ria-warn-against-phishing-letters-spread-on-behalf-of-banks
[2020-10-28] Draft regulation specifies requirements for handling interruptions in vital services. The telecommunications operator must ensure that the service is restored within 24 hours if 1000 to 30 000 end users are affected and within 8 hours if more than 200,000 users are affected by the failure.
https://digi.geenius.ee/rubriik/uudis/riik-paneb-paika-kui-pikad-voivad-olla-elutahtsate-teenuste-katkestused/
[2020-10-26] Cybercriminals stole patient data from a Finnish psychotherapy center. Worries are that the same could happen in Estonia.
https://www.err.ee/1151658/ria-hinnangul-kasutavad-turvalisi-kuberteenuseid-umbes-pooled-perearstid
[2020-10-25] The Ministry of Finance plans to register the loans of residents in a central database.
https://www.err.ee/1151293/riik-kogub-inimeste-kohta-aina-enam-infot
[2020-10-22] A 20-year old man in Tartu had repeatedly ridden a bicycle from the Tartu Bike Share System without authorization by using a friend of a friend’s password. It was only discovered after the bike was ridden for more than an hour in one session resulting in the 1 EUR fee being sent to the account holder. The man was identified using security camera footage. He pleaded guilty and promised to compensate for the damage caused. The police imposed a financial penalty on the man in misdemeanor proceedings.
https://tartu.postimees.ee/7076171/sartsuratas-tegi-supilinlase-nime-all-annelinnas-fantoomsoite
https://tartu.postimees.ee/7091433/politsei-tabas-voora-kontoga-sartsurattaid-laenanud-noormehe
[2020-10-21] The Ministry of Economic Affairs and Communications and the Ministry of Interior have made amendments to ban the use of anonymous SIM cards, requiring identification verification for using pre-paid SIM cards. The amendments are needed to help solve drug offenses as well as other organized crime, where anonymous calling cards are often used. The amendments would also affect messaging app services like Skype, WhatsApp and Viber, requiring them to register as communications service providers and require the same degree of ID verification for their users.
https://news.err.ee/1149511/ministry-wants-to-tighten-identification-regulations-on-pre-paid-sim-cards
https://www.err.ee/1149441/mkm-tahaks-turvakaalutlustel-keelata-isikustamata-konekaardid
https://news.err.ee/1149796/legal-expert-anonymous-pre-paid-sim-card-ban-could-violate-privacy-rights
https://news.postimees.ee/7100007/bill-to-obligate-data-collection-and-personalize-prepaid-sim-cards
https://forte.delfi.ee/news/digi/valitsus-toukab-eesti-mitme-pika-sammu-vorra-kontrollimisuhiskonna-poole-likvideeritakse-isikustamata-konekaardid-ja-suhtlusprogrammid-lahevad-voimu-k?id=91396045
https://forte.delfi.ee/news/varia/eksperdid-valitsus-plaanib-olulist-sekkumist-eestlaste-internetivabadusse?id=91408841
[2020-10-16] Estonia holds the second place in the world in terms of internet freedom after Iceland. Estonia did not receive all the points because, among other things, the Tax and Customs Board can oblige Estonian service providers to block illegal gambling sites.
https://novaator.err.ee/1147918/raport-koroonapandeemia-kiirendab-internetivabaduse-vahenemist
https://news.err.ee/1147145/estonia-ranks-second-in-global-internet-freedom-index
https://mkm.ee/et/uudised/eesti-internetivabaduse-poolest-maailmas-esirinnas
[2020-10-16] A recent audit conducted by the Data Protection Inspectorate (AKI) finds that local municipality governments often unjustifiably mark documents as “information intended for internal use”. Most commonly the wage of employees and their vacation information is hidden. There are rumors that when signing an agreement, some personal information is included on purpose so that access restrictions could be applied. At the same time, there are plenty documents available to the public, containing the full names and contacts of private persons. Sometimes personal data leaks by including personal data in the public title of a non-public document.
https://news.err.ee/1147941/data-protection-inspectorate-local-governments-cover-for-officials
[2020-10-09] The Mobile-ID service was disrupted from 11:20 to 14:30.
https://news.err.ee/1145136/mobile-id-experiencing-disruptions-friday
[2020-10-06] The Ministry of Justice has made amendments to prevent mass-download of personal data from the public databases of court decisions and court calendars. Already on 2020-05-08, before the amendments were passed, a robot trap unexpectedly appeared on the website of Rigi Teataja without a legal basis. Previously, journalists had mass-processed the data to inform the public about the candidates of Riigikogu and municipality elections that have been criminally sentenced.
https://news.err.ee/1143685/law-change-to-stop-personal-legal-information-remaining-open-data
https://news.err.ee/1116586/reduced-accessibility-of-open-data-would-complicate-courts-work
https://news.err.ee/1115164/ministry-of-justice-wants-to-reduce-accessibility-of-court-data
[2020-10-01] CERT.LV organized the online conference “Cybershock 2020”. Among the participants were Estonians Jaanus Kääp (Clarified Security) and Hans Lõugas (CybExer Technologies).
https://cert.lv/lv/2020/09/technical-online-conference-cybershock-2020
https://www.youtube.com/watch?v=JuzAsFakHec
[2020-09-30] The Ministry of Economic Affairs and Communications has finished a regulation bill which will restrict the use of non-EU telecoms tech in Estonia, including those from Huawei. Initially, these requirements will affect the providers of vital services such as the communication companies, which have at least 10,000 clients – Telia, Elisa, Tele2, Levikom and STV. Huawei says it will challenge the bill. Elisa CEO claims that there is no real risk from Chinese tech and that the ban on Huawei’s equipment will cost Elisa tens of millions of euros.
https://news.err.ee/1117620/elisa-ceo-hits-out-at-ministry-huawei-tech-ban-draft
https://www.mkm.ee/et/uudised/mkm-alustas-sidevorkude-turvalisuse-maaruse-eelnou-avalikku-konsultatsiooni
https://www.err.ee/1142482/uus-sidevorkude-turvakontroll-hakkab-hindama-tootjaid
https://news.err.ee/1143507/huawei-plans-to-challenge-estonia-5g-ban-in-court
https://news.err.ee/1147922/huawei-asks-government-to-review-communications-networks-regulation
https://news.err.ee/1146282/estonia-to-limit-officials-choice-of-network-devices-and-software
https://www.err.ee/1161191/elisa-juht-riigi-analuusi-jargi-maarab-vorguseadmete-valjavahetamise-kulud-kohus
[2020-09-29] Three Romanian nationals were arrested in Romania for being suspected of organizing the Mobile-ID and Smart-ID phishing attacks that started in 2019. The aggregate sum stolen from close to 40 victims totals over €100,000. Estonian police detectives took part in the operation that was carried out in Bucharest. The prosecutor’s office is applying for the suspects to be extradited to Estonia for court proceedings.
https://news.err.ee/1140977/police-apprehend-suspects-in-cyberattacks-against-estonia
https://tehnika.postimees.ee/7073958/rumeenias-peeti-kinni-eesti-vastastes-kuberrunnakutes-kahtlustatavad
[2020-09-29] The procurement of a new Mobile ID solution is in process. An offer was received from two companies: the first applicant is the current partner SK ID Solutions that wants to continue providing the service, but the second applicant is the Belgian company Belgian Mobile ID, which was set up in 2016 by seven mobile operators and banks. The procurement doesn’t constrain technology too much and assesses the proposals individually. The solution must allow the change of crypto algorithms without going to a service office (i.e., remotely). For the enrollment it can support face-to-face identification, digital identification and biometric identification. Suspension of the certificates must not be supported.
https://riigihanked.riik.ee/rhr-web/#/procurement/2063672/general-info
https://riigihanked.riik.ee/rhr-web/#/procurement/2063672/applications
https://twitter.com/ikubjas/status/1297196116358897665
https://forte.delfi.ee/news/digi/belgia-ettevote-tahab-eestile-pakkuda-uut-mobiil-idd?id=91411201
https://forte.delfi.ee/news/digi/id-kaart-ja-mobiil-id-vajavad-uuenduskuuri?id=89736991
[2020-09-25] A research article by Mihkel Solvak (UT): “Does vote verification work: usage and impact of confidence building technology in Internet voting”. The study finds that: i-vote verifiers are younger males and Linux users with the verification rate especially high in the 18 to 40 age group; voting from abroad clearly leads to more verification; the cast-as-intended verification leads to higher confidence that ones vote was taken into account.
https://link.springer.com/chapter/10.1007/978-3-030-60347-2_14
[2020-09-18] From August, RIA started monitoring procedures for the implementation of information security measures for all critical databases in Estonia. A total of ten critical databases have been defined: e-file (e-toimik), land register, commercial register, Riigi Teataja information system, land cadastre, state treasury information system, taxpayer register, population register, register of identity documents and state pension insurance register.
https://www.ria.ee/et/uudised/olukord-kuberruumis-august-2020.html
[2020-09-17] The investigative journalism show “Pealtnägija” investigated a scam of fictitious real estate ads targeted at foreign students. While the victims believed that they were transferring money as a deposit for an apartment, they effectively paid an Estonian Bitcoin trader for the scammer’s purchase of bitcoins.
https://news.err.ee/1136558/pealtnagija-foreign-students-falling-victim-to-fictitious-real-estate-ads
[2020-09-17] Government will revoke 10 citizenships acquired illegally as the result of a widespread fraud that was committed during the years of 2013-2015 by a criminal group involving PPA employees. Previously, Estonian citizenship has only been revoked once by a government decision in 2016.
https://news.err.ee/1136097/government-to-revoke-10-citizenships-acquired-illegally
[2020-09-16] A research article by Sven Heiberg (SCCEIV), Kristjan Krips (Cybernetica/UT) and Jan Willemson (Cybernetica/STACC): “Planning the next steps for Estonian Internet voting”. The authors mostly reiterate the discussion points in the report of feasibility of i-voting on smart devices.
https://research.cyber.ee/~janwil/publ/planning.pdf
https://digikogu.taltech.ee/en/Download/38e36fd7-1428-42a1-ac6b-30d561bf849c
https://twitter.com/ikubjas/status/1306178995747250179
[2020-09-06] A research article by Valentyna Tsap (TalTech), Silvia Lips (TalTech) and Dirk Draheim (TalTech): “Analyzing eID Public Acceptance and User Preferences for Current Authentication Options in Estonia”. The study finds that the ID card is used the most to access e-services; Smart ID holds the second position; username/password and Mobile-ID shares the third choice.
https://link.springer.com/chapter/10.1007/978-3-030-58957-8_12
[2020-09-01] Kaija Kirch, previously a document expert at the Estonian Police and Border Guard Board (PPA), now works for Cybernetica.
[2020-08-28] After two years, the court has not yet started to resolve the case of PPA vs Gemalto. In August 2019, a preliminary hearing was held where the possibility of finding a compromise was discussed. However, as of 2020-08-28 no compromise has been reached and both parties have submitted a number of different requests that the court has to resolve.
https://forte.delfi.ee/news/tehnika/politsei-vs-gemalto-kaks-aastat-kohtuveskeid-ja-ei-tuhjagi?id=90871257
[2020-08-25] CERT-EE identified almost twenty websites that did not check the certificate revocation information when authenticating users with an ID card. In two cases, there was also no check on whether the certificate was signed by SK ID Solutions. This effectively allowed ID card authentication bypass in these services.
https://www.ria.ee/et/uudised/olukord-kuberruumis-juuli-2020.html
https://jarvateataja.postimees.ee/7046443/mitmed-eesti-veebilehed-ei-kontrollinud-autentimisel-sertifikaatide-kehtivust
[2020-08-25] BSc thesis by Sander-Karl Kivivare (UT): “Secure Channel Establishment for the NFC Interface of the New Generation Estonian ID Cards”. The thesis describes the cryptographic protocol that is used to communicate with the Estonian ID card over the contactless interface and provides detailed instructions with code examples in Python, to help software developers create applications that can make use of the new NFC interface introduced in the ID cards issued since December 2018.
https://comserv.cs.ut.ee/ati_thesis/datasheet.php?id=70557&year=2020&language=en
https://github.com/Kivivares/estid-nfc
[2020-08-25] BSc thesis by Jekaterina Gorohhova (UT): “Malicious Android app for security testing”. In the context of this thesis, an Android app was developed to demonstrate how a malicious app with a given set of Android permissions can abuse them to collect personal data stored on a user’s device and then send it out.
https://comserv.cs.ut.ee/ati_thesis/datasheet.php?id=70525&year=2020&language=en
[2020-08-21] RIA has banned the social media app TikTok on all phones belonging to RIA employees and has also recommended the ban to other state institutions. The app is considered a security threat as it is collecting far more information about its users than necessary.
https://news.err.ee/1126180/information-system-authority-in-essence-tiktok-a-security-threat
[2020-08-20] July statistics from the state authentication service TARA show that Smart-ID became the most popular identification tool outperforming the ID card. The number of government agencies using TARA in their e-services is currently between 30-40, but RIA expects it to grow to over a hundred. RIA plans to remove the banklink authentication option from TARA at the end of 2020, as the banks are accessed by the same ID card, Mobile-ID and Smart-ID that are directly supported by TARA as well.
https://forte.delfi.ee/news/digi/smart-id-tousis-koige-populaarsemaks-tuvastusvahendiks-eesti-riigi-e-teenustes?id=90789775
[2020-08-20] Estonia launched the coronavirus exposure notification app “HOIA” (Keep). The app was created in cooperation with 12 Estonian companies – Cybernetica, Fujitsu Estonia, Guardtime, Icefire, Iglu, Mobi Lab, Mooncascade, Velvet, FOB Solutions, Heisi IT OÜ, Bytelogics and ASA Quality Services OÜ. The development was done at the companies’ own expense. The state only paid for an independent security audit that cost 30,000 EUR. The Data Protection Inspectorate and Chancellor of Justice deems the app suitable as the privacy of its users is protected. RIA also recommends using the app, but notes that the requirement for bluetooth to be constantly on creates additional risks.
https://digi.geenius.ee/rubriik/uudis/aki-peab-eestlaste-koroonaappi-sobilikuks-oiguskantsleri-buroo-jagab-tunnustust/
https://news.err.ee/1125119/feature-estonia-launches-coronavirus-exposure-notification-app-hoia
https://forte.delfi.ee/news/digi/eesti-koroonaapp-maksis-30-000-eurot?id=90849441
https://www.ria.ee/et/uudised/trendid-ja-tahelepanekud-kuberruumis-iii-kvartal-2020.html
[2020-08-14] Research article by Arnis Parsovs (UT): “Estonian Electronic Identity Card: Security Flaws in Key Management”. The article, among other things, provides details about the malpractice of the Estonian ID card manufacturer Gemalto in generating private keys outside the ID card.
https://www.usenix.org/conference/usenixsecurity20/presentation/parsovs
[2020-08-13] Tartu County Court convicted Dennis Einasto of computer fraud that caused nearly €28,500 in damages, of illegally obtaining access to computer systems and of large-scale money laundering. Overall, he was sentenced to 4.5 years in jail. Einasto’s computer contained cryptocurrency and web hosting databases hosting large numbers of usernames and passwords, but which did not belong to him. The cyber crimes were committed on an international scale.
https://news.err.ee/1123315/tartu-county-court-convicts-man-of-cyber-crime-money-laundering
[2020-08-05] The passwords and e-mail addresses of 27,000 users of an unnamed Estonian advertising portal was leaked. The data was accessible for almost a year without the portal being aware of it. The portal has informed users about the leak and the same account data can no longer be used to enter the environment. Although the portal did not inform the Personal Data Inspectorate (AKI) in time, AKI has not yet made a decision on whether supervision proceedings should be initiated.
https://digi.geenius.ee/rubriik/uudis/27-000-eestlase-paroolid-lekkisid-portaal-kuulis-lekkest-aasta-parast-selle-toimumist/
[2020-07-28] Due to a human error, the Ministry of Justice made a report in their document register public that contaied personal data of approximately 1000 people who sought legal advice. The information listed names and the reason the person had obtained legal aid. The Ministry of Justice has not informed the affected persons about the leak as this would have meant further processing of the data, which was intended to be avoided. According to the ministry, the article published by the media is enough.
https://www.err.ee/1117570/justiitsministeerium-jattis-avalikuks-oigusabi-saanud-inimeste-andmed
https://news.err.ee/1117589/justice-ministry-glitch-leaks-legal-aid-personal-data-online
https://news.err.ee/1129734/ministry-of-justice-has-not-informed-people-of-data-breach
[2020-07-27] BSc thesis by Silver Maala (UT): “A Proof of Concept Malware for Interacting with the Smart-ID Android Application”. The thesis presents a proof-of-concept Android malware that can take over the Smart-ID app running on a rooted Android device.
https://comserv.cs.ut.ee/ati_thesis/datasheet.php?id=69678&year=2020
https://digi.geenius.ee/rubriik/uudis/loputoo-pahavaraga-saab-varastada-smart-id-pin-koode-ja-neid-automaatselt-sisestada/
[2020-07-23] The National Audit Office has published the audit report “Effectiveness of the e-Residency programme”. The report finds that foreigners with a criminal background and/or business ban have become e-Residents, as PPA does not have the capability to perform sufficient background checking for foreigners. Another noteworthy finding is that only 10% of e-Residents have renewed their digital IDs after expiration.
https://news.err.ee/1117934/audit-criminals-have-become-e-residents-better-background-checks-needed
https://www.err.ee/1117824/riigikontroll-kriminaalid-saavad-liialt-lihtsalt-eesti-e-residendiks
https://www.err.ee/1118255/ott-vatter-kahtlase-paritoluga-e-residentide-suhtarv-on-vaga-vaike
https://mkm.ee/et/uudised/valiskaubandus-ja-it-minister-varske-audit-selge-kinnitus-e-residentsuse-programmi
https://www.err.ee/1118243/ministeerium-eesti-teeb-koik-et-e-residentsust-ei-saaks-ohtu-kujutavad-valismaalased
[2020-07-23] The Ministry of the Interior proposed a bill that would give law enforcement organizations backdoor access to encrypted messaging applications. The idea faced sharp criticism and later the Ministry of Justice rejected the proposal due to the lack of a thorough analysis of the consequences.
https://news.err.ee/1116325/interior-ministry-looking-for-backdoor-into-encrypted-messaging-apps
https://www.err.ee/1115645/siseministeerium-soovib-krupteeritud-sonumirakendustesse-tagaust
https://www.err.ee/1116295/kuberoiguse-ekspert-tagauste-lubamine-muudaks-eesti-digiriigi-aluseid
https://digi.geenius.ee/rubriik/uudis/vandeadvokaat-turk-tagaust-toetavad-inimesed-ei-saa-tegelikult-aru-mida-nad-soovivad/
https://digi.geenius.ee/rubriik/uudis/eesti-e-riigi-endine-peaarhitekt-tehniliselt-ei-ole-voimalik-tagada-et-tagauksest-tulevad-sisse-ainult-oilsad/
https://www.err.ee/1116665/peeter-p-motskula-tagauksega-kruptoside-rumal-ja-oigusvastane-idee
https://www.err.ee/1116669/rainer-ratnik-neli-pohjust-miks-tagaukse-lubamine-pole-moistlik
https://www.err.ee/1127157/kaimar-karu-kuberturbeteatri-kordusetendus
https://www.err.ee/1149441/mkm-tahaks-turvakaalutlustel-keelata-isikustamata-konekaardid
https://twitter.com/ikubjas/status/1295653952554438656
https://twitter.com/ikubjas/status/1329455387683250179
[2020-07-21] The government has made amendments to the “Statutes of the Health Information System” allowing the authentication of subjects using “ID card, Mobile-ID, Smart-ID or other equivalent device”. Historically, access to the Health Information System has only been granted based on authentication using the ID card. The security requirements have likely been relaxed due to the pressing coronavirus situation.
https://www.riigiteataja.ee/akt/118072020004
[2020-07-21] Kert Kingo (EKRE), a member of the Riigikogu’s Legal Affairs Committee, explained why EKRE is so worried about i-voting. According to her, the distrust is created by the fact that it is possible to give an i-vote using another person’s ID card and that i-voting data is destroyed immediately after the elections.
https://uueduudised.ee/uudis/eesti/miks-erke-e-valimiste-parast-nii-palju-muretseb-kert-kingo-sest-need-tekitavad-usaldamatust/
[2020-07-10] Research article by Kaido Kikkas (TalTech) and Birgy Lorenz (TalTech): “Training Young Cybersecurity Talents – The Case of Estonia”. The paper describes the Estonian experience with the CyberOlympics/CyberSpike program from 2017–2019 and reflects on the lessons learned about talent building in cybersecurity.
https://link.springer.com/chapter/10.1007/978-3-030-50729-9_36
[2020-07-07] Research article by Laura Kask (UT/Proud Engineers) and Kristiina Laanest (RIA): “Determining the Time of Electronic Signing: Legal Requirements and Technological Possibilities”. The authors suggest establishing the time from the timestamp as the time of signing, but fail to address the issues raised in the original article “Time of signing in the Estonian digital signature scheme” by T.Mets and A.Parsovs.
https://www.juridica.ee/article.php?uri=2020_4_elektroonilise_allkirjastamise_aja_tuvastamine_iguslikud_n_uded_ja_tehnilised_v_imalused
https://www.id.ee/wp-content/uploads/2020/10/j_20_4_294.pdf
https://cybersec.ee/timesign/
[2019-12-19] A research paper by Abasi-amefon Affia (UT): “Assessing the NFC Unlock Mechanism of the Tartu Smart Bike Share System”. The paper describes a flaw in the Tartu Smart Bike Share System that can be exploited to create a clone of a victim’s Tartu bus card, which can then be used to unlock the bikes. To create the clone, only the card number printed on the victim’s Tartu bus card is needed (valid numbers can be guessed). The flaw has now been partially mitigated as cloning is still possible, but the task is not that trivial.
https://kodu.ut.ee/~arnis/bikeshare_nfc.pdf

Cyber Security master’s theses defense in TalTech/UT (August 2020)

Leave a reply

Defences of master theses of Cyber Security curriculum on August 17th 2020. The defences will take place online.

Time: 9:30
Student: Tarmo Oja
Title: X-ROAD TRUST MODEL AND TECHNOLOGY THREAT ANALYSIS
Supervisor: Ahto Buldas, Mari Seeba
Reviewer: Aleksandr Lenin

Time: 10:10
Student: Nikita Snetkov
Title: PRACTICAL IMPLEMENTABILITY OF TWO-PARTY ECDSA SIGNATURE SCHEMES
Supervisor: Ahto Buldas
Reviewer: Aleksandr Lenin

Time: 10:50
Student: Liubomyr Kushnir
Title: BENCHMARKING OF POST-HOC LOCAL INTERPRETABILITY METHODS FOR CLASSIFYING MALICIOUS TRAFFIC
Supervisor: Hayretdin Bahsi, Sven Nõmm
Reviewer: Pavel Tšikul

Time: 12:00
Student: Timm Jeff E Luyten
Title: RAISING CYBER AWARENESS WITH NON-IT PROFESSIONALS WORKING IN A HOME OFFICE ENVIRONMENT USING A PILOT VIDEO GAME CONCEPT
Supervisor: Birgy Lorenz
Reviewer: Sten Mäses

Time: 12:40
Student: Andrew J Roberts
Title: Development of a cybersecurity evaluation test bed for autonomous self-driving vehicles
Supervisor: Olaf Maennel
Reviewer: Tobias Eggendorfer

Time: 13:20
Student: Ilkin Huseynov
Title: THE ANALYSIS OF THE CURRENT CYBER SECURITY ACTIONS TAKEN IN THE E-GOVERNMENT OF AZERBAIJAN AND PROPOSAL OF THE IMPROVEMENT PLAN
Supervisor: Mika Kerttunen
Reviewer: Adrian Venables

Time: 14:15
Student: Andres Pihlak
Title: CONTINUOUS DOCKER IMAGE ANALYSIS AND INTRUSION DETECTION BASED ON OPEN-SOURCE TOOLS
Supervisor: Mauno Pihelgas
Reviewer: Kristian Kivimägi

Time: 14:55
Student: Eduard Iltšuk
Title: Two-Party ECDSA Protocol for Smart-ID
Supervisor: Arnis Paršovs
Reviewer: Jan Villemson

Time: 15:35
Student: Aivo Toots
Title: Zero-Knowledge Proofs for Business Processes
Supervisor: Peeter Laud
Reviewer: Marlon Dumas, Janno Siim

Cyber Security Newsletter 2020-07-16

Leave a reply

[2020-07-15] MKM is studying the possibility to notify citizens via alternative channels such as WhatsApp and Facebook.
https://news.err.ee/1113020/government-seeking-to-create-communication-system-through-mobile-phone-apps
[2020-07-02] The Estonian Ministry of Foreign Affairs organized an open master class on cyber diplomacy with experts from around the world. Video recording is available on Youtube.
https://vm.ee/et/virtuaalne-kuberdiplomaatia-meistriklass-2020
[2020-07-01] SK intermediate CA certificates have been issued with the “OCSP sign” extension which means that revoking these intermediate CA certificates in the event the key gets compromised will be problematic. According to CA/B Baseline Requirements these certificates have been misissued and SK should revoke them. SK has responded that it does not plan to revoke the certificates and is ready to leave Mozilla CA program earlier than planned (the last 4 still valid TLS server certificates issued by SK will expire by September 29, 2020).
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13607.html
https://bugzilla.mozilla.org/show_bug.cgi?id=1649942
[2020-07-01] The work of Smart-ID and Mobile-ID was disrupted for about ten minutes.
https://digi.geenius.ee/rubriik/uudis/mobiil-id-ja-smart-id-kasutamine-on-hairitud/
[2020-06-30] The state has stalled plans to include information from all guests who stay in accommodation establishments in Estonia in a single police database.
https://news.err.ee/1107522/state-pauses-plans-for-hotel-guests-e-database
[2020-06-29] The Interdisciplinary Cyber Research (ICR) conference 2020 has been rescheduled to December. The Cyber Security Summer School has been renamed to Cyber Security Winter School and moved to December. The theme for the winter school will be “Transport as a Service”.
https://old.taltech.ee/institutes/centre-for-digital-forensics-cyber-security/events-19/interdisciplinary-cyber-research-icr-workshop/
http://www.studyitin.ee/c3s2020
[2020-06-29] In the period of COVID emergency, Elisa for more than 1,700 people provided a solution for automated Mobile-ID issuance using a self-service portal. The solution was accepted by SK and their auditors.
https://www.ria.ee/et/ris-infokiri-juuni-2020.html
https://forte.delfi.ee/news/digi/tehisintellekt-aitas-eriolukorra-ajal-vormistada-mobiil-id-rohkem-kui-1700-inimesele?id=90685697
[2020-06-27] The 50 EUR limit on contactless card payments put in place during the coronavirus emergency situation will remain in place.
https://news.err.ee/1106688/50-contactless-card-payment-limit-to-remain-in-place
https://news.err.ee/1068231/contactless-payment-limit-increased-to-50-to-limit-spread-of-coronavirus
https://raha.geenius.ee/rubriik/uudis/pangad-kahekordistavad-kriisi-ajaks-viipemakse-limiidi-et-inimesed-ei-peaks-pin-klaviatuuri-nappima/
[2020-06-22] In May fraudsters persuaded a victim to create a Smart-ID account over the phone. The created Smart-ID account was used by fraudsters to purchase services from several financial service providers.
https://www.ria.ee/et/uudised/eesti-arvutikasutajad-olid-ka-mais-ongitsuskampaaniate-hambus.html
https://www.ria.ee/et/uudised/olukord-kuberruumis-mai-2020.html
[2020-06-17] Research article by Valentyna Tsap (TalTech), Silvia Lips (TalTech) and Dirk Draheim (TalTech): “eID Public Acceptance in Estonia: towards Understanding the Citizen”. The researchers conducted a survey among Estonian eID users to find out which of the existing eID authentication options are preferred and why.
https://dl.acm.org/doi/pdf/10.1145/3396956.3397009
[2020-06-04] The use of eID increased in the period of COVID emergency. As of May, 35 institutions with as many as 114 different applications had joined the state authentication service.
https://blog.ria.ee/e-riik-eriolukorras/
[2020-06-09] Lithuanian Cyber Security Center found 61 vulnerabilities in Chinese security cameras Hikvision and Dahua used by PPA. According to PPA, the cameras are not available on the public network and PPA has verified that the cameras do not communicate with servers that are not located in NATO or EU member states.
https://digi.geenius.ee/eksklusiiv/leedu-kuberturvalisuse-keskus-leidis-hulgaliselt-turvanorkusi-kaameratest-mida-kasutab-laialdaselt-eesti-politsei/
https://www.nksc.lt/doc/biuleteniai/2020-05-27%20Hikvision%20ir%20Dahua%20kameru%20kibernetinio%20saugumo%20vertinimas.pdf
[2020-06-02] Thanks to IT Academy funding, TalTech has established the “Centre for Hardware Security” led by professor Samuel Pagliarini. The main research directions include the design of reliable microelectronics, measures to prevent reverse engineering, side-channel attacks, the deployment of cryptographic hardware, secure system design tools, and hardware Trojans and backdoors. The long term goal is to build all the right competences to put Estonia “on the map” of Hardware Security and IC design in general.
https://digi.geenius.ee/rubriik/teadus-ja-tulevik/taltechi-riistvara-turvalisusega-tegelev-uurimisgrupp-aitab-valtida-tuleviku-id-kaardi-kriise/
https://old.taltech.ee/ttu-uudised/uudised/mente-et-manu-5/varske-veri-samuel-nascimento-pagliarini/?id=196261&year=2019
[2020-06-01] Research article by Arnis Parsovs (UT): “Solving the Estonian ID Card Crisis: the Legal Issues”. The study analyzes to what extent, while solving the 2017 ID card crisis, the involved parties were able to precisely follow the applicable laws and regulations in the field.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3644664
[2020-05-28] Ahto Truu (TalTech) defended his PhD thesis “Hash-Based Server-Assisted Digital Signature Solutions” and gave an interview in Geenius about universal digital signing and its dangers.
https://digikogu.taltech.ee/en/Item/a972cc4b-53ec-4c82-8de0-b3e941cce345
https://digi.geenius.ee/rubriik/teadus-ja-tulevik/taltechi-doktor-millal-jouame-universaalse-digiallkirjastamiseni-ja-mis-ohud-seda-varitsevad/
[2020-05-28] RIA provided an explanation for why they recommended that the National Electoral Committee not enable Smart-ID for i-voting in the 2021 elections. To summarize: (1) Smart-ID has been used in successful attacks; (2) Smart-ID is not a state provided eID solution – if allowing i-voting with Smart-ID, there is no reason to not enable i-voting with other private eID solutions; (3) not enough experience to say if Smart-ID biometrical enrollment is secure enough; (4) the state does not have enough control over Smart-ID to intervene in case of emergency;
https://blog.ria.ee/smart-id-ja-valimised/
[2020-05-20] The Estonian National Electoral Committee has reviewed 25 suggestions from the i-voting working group and has provided their decision on each suggestion. The most important decisions included not enabling i-voting with Smart-ID and i-voting with a mobile app for the 2021 elections.
https://www.riigikogu.ee/download/8eb9f7ff-8838-4cc8-a52a-ee9f481dd89e
https://twitter.com/ikubjas/status/1266014478388396032
https://digi.geenius.ee/rubriik/uudis/mobiiliga-haaletamist-jargmistel-valimistel-ei-tule/
[2020-05-27] SK had a scheduled maintenance on May 28 and 29 due to which the use of ID card, Mobile-ID and Smart-ID was affected.
https://news.err.ee/1095129/id-cards-mobile-id-and-smart-id-to-be-interrupted-during-maintenance
[2020-05-27] The Estonian Students Society organized a public discussion about cyber security. Participants in the discussion: Siim Alatalu (Head of EU CyberNet), Märt Hiietamm (Head of RIA Analysis and Prevention Department), Uku Särekanno (European Union IT Agency), Ragnar Õun (Head of RIA Critical Information Infrastructure Protection Department) and Ilmar Üle (CERT-EU).
https://www.youtube.com/watch?v=qpr3IQCRSp8
[2020-05-26] Dan Bogdanov (Cybernetica) in an interview explains the privacy principles behind the Estonian coronavirus app.
https://news.postimees.ee/6981981/is-tech-giants-coronavirus-app-technology-safe
https://digi.geenius.ee/rubriik/uudis/aki-peadirektor-pille-lehis-mulle-teeb-muret-euroopa-trend-ja-soov-koroonaappe-arendada/
https://digi.geenius.ee/rubriik/uudis/eestis-on-nuud-esimene-koroona-kontaktijalgimise-app-aga-sa-ei-peaks-seda-kasutama/
[2020-05-26] Research article by Anne Veerpalu (UT), Liisi Jürgen (UT), Eduardo da Cruz Rodrigues e Silva (TalTech) and Alex Norta (TalTech): “The hybrid smart contract agreement challenge to European electronic signature regulation”, assesses whether the signature on a smart contract used in an ICO process is functionally equivalent to the qualified electronic signature under eIDAS.
https://academic.oup.com/ijlit/advance-article-abstract/doi/10.1093/ijlit/eaaa005/5846238
[2020-05-25] A research article by Mart Oruaas (Cybernetica) and Jan Willemson (Cybernetica/STACC): “Developing requirements for the new encryption mechanisms in the Estonian eID infrastructure”.
https://research.cyber.ee/~janwil/publ/NewEstCDOC.pdf
https://link.springer.com/chapter/10.1007/978-3-030-57672-1_2
[2020-05-21] Sorainen’s partner, lawyer Kaupo Lepasepp, writes that the digital signature is essentially unforgeable.
https://digi.geenius.ee/rubriik/uudis/advokaat-e-allkiri-on-sisuliselt-voltsimatu-aga-tahvelarvuti-ekraanile-tehtud-kritselduse-seostamiseks-kindla-isikuga-ei-ole-selget-viisi/
https://www.youtube.com/watch?v=bV-HwuhGKO8
[2020-05-20] RIA has compiled a comprehensive overview of cyber security in Estonia titled “Cyber Security in Estonia 2020”. The compilation mostly consists of excerpts from annual reports of different public sector organizations.
https://www.ria.ee/en/news/cyber-security-estonia-2020-comprehensive-look-estonian-cyber-landscape.html
https://www.ria.ee/sites/default/files/content-editors/RIA/cyber_security_in_estonia_2020_0.pdf
[2020-05-20] UT student Siim-Alexander Kütt in his BSc research found a flaw in the Tartu Bike Share system which allowed anyone to query the location of any bike and the user ID of the person riding the bike. Turns out that Tartu City previously paid 12 960 EUR to Estonian company SecTeam for a black-box security audit of the system.
https://ee.linkedin.com/in/arvo-saalits took a credit for discovring the previous leak in July 2019.
https://epl.delfi.ee/uudised/tudeng-leidis-tartu-rattaringluse-apist-jarjekordsed-turvavead?id=89909901
https://comserv.cs.ut.ee/ati_thesis/datasheet.php?id=69774&year=2020
[2020-05-18] The Data Protection Inspectorate released its yearbook describing in more detail the data leak in Tartu Bike Share system discovered in July 2019. Arvo Saalits in his Linkedin profile has taken the credit for the discovery of the flaw.
https://aastaraamat.aki.ee/sites/default/files/inline-files/AKI%20aastaraamat%202019.pdf
https://aastaraamat.aki.ee/aastaraamat-2019-aastast-peadirektori-pilgu-labi/rikkumine-ei-toonudki-suurt-trahvi
https://ee.linkedin.com/in/arvo-saalits
[2020-05-19] LHV bank accidentally leaked names of 200 LHV customers by sending a mass email with the recipients in the CC field. According to the Data Protection Inspectorate, the data controller must notify the Inspectorate of a personal data breach within 72 hours of the incident, but whether it is a breach or not, the bank must assess it itself.
https://forte.delfi.ee/news/varia/suur-eksitus-lhv-lekitas-kogemata-sadade-laenusaajate-nimed?id=89906591
[2020-05-14] From May 14 to 16 a Smart-ID phishing campaign was run imitating SEB bank page.
https://kasulik.delfi.ee/news/uudised/seb-panga-nimel-levib-taas-ohtlik-ongitsuskiri-mida-ei-tohiks-mingil-juhul-avada?id=89862581
https://www.ria.ee/et/uudised/olukord-kuberruumis-mai-2020.html
[2020-05-14] MKM plans to hire an official who will focus on the i-voting risks. In order to apply, the applicants had to write an essay on the topic “Problems of risk management related to e-elections”. Five people applied but the results are not yet known.
https://digi.geenius.ee/rubriik/uudis/endise-ministri-otsusel-palkab-riik-e-valimiste-riskidele-keskenduva-ametniku/
https://www.mkm.ee/sites/default/files/kuberriskide_nounik.pdf
[2020-05-12] KAPO released their annual review describing a flaw in the free email provider’s mail.ee website (opening an email triggers XSS). By opening a specially crafted email, mail.ee user account was automatically configured to enable an email redirect to the attacker’s email address. The flaw was exploited against a small number of mail.ee users who were of interest to a foreign country. Another attack described in the review is a phishing email used to try to gain access to some email accounts of the University of Tartu. According to KAPO, the attack was organized at the instructions of the government of Iran.
https://kapo.ee/sites/default/files/public/content_page/Annual%20Review%202019.pdf
https://news.err.ee/1076983/russian-youth-engagement-migration-china-flagged-in-kapo-s-2019-yearbook
https://news.postimees.ee/6950229/iss-iran-intelligence-attempted-to-access-university-of-tartu-e-mail-accounts
https://www.postimees.ee/6949265/iraani-luure-uritas-ligipaasu-tartu-ulikooli-e-posti-kontodele
https://twitter.com/SadEstonianIT/status/1256610514614050816
https://securityaffairs.co/wordpress/102471/hacking/estonian-provider-mail-ee-hacked.html
[2020-05-12] Riigikogu amended the Electronic Communications Act providing that in order to ensure national security, the government may, by a regulation, impose an obligation on a communications undertaking to notify the hardware and software used in the communications network and to apply for a permit to use the hardware and software of the communications network. These amendments are most likely targeted to exclude Huawei from 5G deployment.
https://www.riigikogu.ee/istungi-ulevaated/riigikogu-muutis-elektroonilise-side-seadust/
[2020-05-07] RIA’s new yearbook provides a good overview of the current and upcoming work of RIA – the state network, DigiDoc4 software, e-voting, critical information infrastructure protection and CERT-EE activities. Some highlights:
– Starting from July 2021, the ID card chip will contain the cardholder’s picture and fingerprints in addition to their personal data file.
– RIA is considering enabling a single sign-on service (SSO) to be used for the state authentication service.
– RIA is introducing a consent service to allow citizens to share their health and other data with service providers (e.g., health insurers).
https://www.ria.ee/et/uudised/varske-aastaraamat-tutvustab-ria-tood-ja-2019-aasta-sundmusi-eesti-kuberruumis.html
https://www.ria.ee/sites/default/files/content-editors/ria_aastaraamat_2020_48lk_eng.pdf
https://github.com/e-gov/NT/
[2020-05-06] TalTech and Estonian Maritime Academy received 2.5 million euro funding to establish a maritime cyber security center. The five-year project plans to supplement the existing master’s and doctoral study programs, organize trainings and conferences.
https://digi.geenius.ee/rubriik/teadus-ja-tulevik/taltech-eesti-mereakadeemia-ja-it-teaduskond-loovad-merenduse-kuberturbe-keskuse/
https://old.taltech.ee/institutes/centre-for-digital-forensics-cyber-security/&id=200834
https://vikerraadio.err.ee/1084657/uudis-lauri-varik/1049735
[2020-04-22] Cybernetica released the report “Mobile voting feasibility study and risk analysis”, which found that introducing a mobile i-voting application has its risks but is possible. The National Electoral Committee, however, in their 2020-05-20 meeting decided not to introduce it in the 2021 elections.
https://www.valimised.ee/sites/default/files/uploads/eng/2020_m-voting-report.pdf
https://www.ria.ee/et/uudised/analuus-nutiseadmega-e-haaletamine-teostatav.html
https://news.err.ee/1082021/ria-mobile-voting-could-be-launched-in-2021
https://digi.geenius.ee/rubriik/uudis/riigi-tellitud-analuus-leiab-et-telefoniga-e-haaletamine-on-voimalik/
https://digi.geenius.ee/rubriik/uudis/ria-loodetavasti-saab-mobiiliga-haaletada-juba-jargmistel-valimistel/
[2020-04-21] EKRE has formed a committee in riigikogu with the aim to make i-voting transparent. Former minister of IT and foreign trade Kert Kingo is chairman of the committee.
https://news.err.ee/1080422/ekre-forms-e-voting-transparency-committee-in-riigikogu
https://www.ituudised.ee/uudised/2020/04/21/ekre-loi-riigikogus-e-haaletamise-labipaistvaks-muutmise-toetusruhma-kuhu-kuulub-terve-fraktsioon
[2020-04-18] According to RIA, in April 18 denial-of-service attacks sharing a similar handwriting were executed against the e-services eesti.ee, id.ee, emta.ee, elron.ee and elisa.ee. RIA was also notified about DoS attacks against eKool.eu and SK ID Solutions. On April 22, the availability of Luminor’s bank website was disrupted as a result of a DDoS attack on a Lithuanian service provider.
https://www.ria.ee/et/uudised/olukord-kuberruumis-aprill-2020.html
[2020-04-17] RIA has made its internal chat and file sharing platform publicly available. The services were built using open source solutions Rocket.Chat and Nextcloud. The solutions have been pentested by the order of RIA. A Twitter user noticed that the chat service has a public list of its users with their last names, birth dates and personal ID codes.
https://digi.geenius.ee/rubriik/uudis/ria-annab-aru-kui-palju-laksid-riiklikud-suhtlus-ja-failivahetuskeskkonnad-maksumaksjale-maksma/
https://digi.geenius.ee/rubriik/uudis/tana-avati-riiklikud-veebisuhtluse-ja-failivahetuse-keskkonnad/
https://forte.delfi.ee/news/tarkvara/ria-avas-testiks-turvalised-veebisuhtluse-ja-failivahetuse-keskkonnad?id=89427961
https://twitter.com/SadEstonianIT/status/1246168005396115456
[2020-04-15] A UT professor obtained information from UT about the student who left negative feedback about the professor in the anonymous study information system (OIS) feedback form.
https://news.err.ee/1077745/university-of-tartu-professor-demanding-2-000-from-alum-over-word-usage
[2020-04-15] The pensioner who organized document forgery in PPA was sentenced to long-term imprisonment.
https://www.delfi.ee/news/paevauudised/eesti/dokumendivoltsijate-jouku-vedanud-pensionar-moisteti-aastateks-trellide-taha?id=89563595
https://www.err.ee/1077522/kohus-moistis-mahuka-passiari-korraldaja-pikaks-ajaks-vangi
https://cybersec.ee/2017/02/02/document-counterfeiting-case-maarika-comes-to-court/
[2020-04-15] The use of Smart-ID was disrupted between 11:18 and 23:00. The error was caused by a problem with the database.
https://www.postimees.ee/6950878/smart-id-too-oli-kolmapaeval-hairitud
[2020-04-13] The Cyber Defense Unit of the Defense League provided support for the Health Board by processing and visualizing COVID data using various data sources.
https://www.ituudised.ee/uudised/2020/04/13/kaitsevae-kubervaejuhatus-aitab-terviseametil-luua-uut-infosusteemi
https://forte.delfi.ee/news/tehnika/kubervagi-tegi-terviseametile-olulise-infosusteemi?id=89876695
[2020-04-06] According to RIA a fraud scheme is becoming popular, where criminals send a convincing e-mail to HR managers in the name of the employee requesting their salary to be transfered to a new bank account from the coming month.
https://www.ituudised.ee/uudised/2020/04/06/ria-hoiatus-levimas-on-palgakonto-pettused
[2020-03-26] Podcast with Marko Belzetski (Clarified Security) discussing Android and web application penetration testing.
https://testguild.com/podcast/security/s14-marko/
[2020-03-24] The state has analyzed the spread of the coronavirus by analyzing mobile phone location data. This raised privacy concerns and the Chanchellor of Justice examined the constitutionality of the use of data. Aggregate data was prepared by mobile operators and sent to Statistics Estonia. Google used its data to provide similar mobility analysis.
https://digi.geenius.ee/rubriik/uudis/mobiilidelt-kogutud-asukohaandmed-naitavad-et-eestlased-on-eriolukorra-ajal-jaanud-paiksemaks/
https://news.err.ee/1068209/statistics-estonia-to-study-people-s-movements-during-emergency-situation
https://news.err.ee/1069467/mobility-analysis-planned-by-statistics-estonia-not-to-use-real-time-data
https://news.err.ee/1069764/mobility-analysis-to-be-finalized-next-week
https://digi.geenius.ee/rubriik/uudis/oiguskantsler-uurib-mobiiltelefonidelt-kogutud-andmete-statistilise-kasutamise-kooskola-pohiseadusega/
https://www.err.ee/1071113/mobiilioperaator-liikumismustrite-jalgimine-ei-tugine-gps-i-andmetel
https://www.google.com/covid19/mobility/
https://news.err.ee/1073762/opinion-why-is-government-pursuing-extensive-surveillance-law-in-crisis
[2020-03-23] Research article by Luukas Ilves (Guardtime) and Anna-Maria Osula (Guardtime/TalTech), “The Technological Sovereignty Dilemma – and How New Technology Can Offer a Way Out”, discusses 5G and related topics.
https://cybersecforum.eu/media/ECJ_vol6_issue1.pdf
[2020-03-12] Statistics from the state authentication service shows the usage popularity of eID tools: ID cards are used 44% of the time, Smart-ID 30% and Mobile-ID 22%.
https://forte.delfi.ee/news/tarkvara/uus-seis-smartid-seljatas-mobiilid?id=89203485
[2020-02-04] MKM has published the report “Estonian Cybersecurity R&D Concept” prepared by TalTech. The report gives a good overview of the research institutions and people conducting cybersecurity related research in Estonia.
https://www.mkm.ee/sites/default/files/content-editors/failid/E_riik/estonian_cybersecurity_rd_concept.pdf
[2020-02-04] A US journalist wrote an article about Estonia and cybersecurity featuring Cyber Defense League and others.
https://www.csmonitor.com/World/Europe/2020/0204/Cybersecurity-2020-What-Estonia-knows-about-thwarting-Russians
[2019-12-18] A member of the i-voting working group, Heldur-Valdek Seeder, published video recordings of the working group’s meetings on a personal blog. Initially, the minister Kert Kingo wanted to classify the content of the working group, but the majority of members did not support this idea, hence there may be no basis to request removal of the published videos.
https://digi.geenius.ee/rubriik/uudis/e-valimiste-tooruhma-liige-avalikustas-omavoliliselt-koosolekute-videosalvestisi/
[2019-06-05] MSc thesis by Gregor Johannson (TalTech): “Technical Prerequisites for Enabling Third-Party Applications on the New Estonian ID-card”.
https://digikogu.taltech.ee/et/Item/64c83d8f-8f2d-4311-b548-b07c9b58a6cb
[2019-06-06] BSc thesis by Pavel Kargin (TalTech): “Testing the Compliance of the Estonian Electronic Document to the Technical Specification”.
https://digikogu.taltech.ee/et/Item/66881079-2923-42df-acfe-e5dacf3ccad7
[2018-05-31] BSc thesis by Kristel Merilain (TalTech): “Business and Risk Analysis of Electronic Identity Tools Used in Estonia”.
https://digikogu.taltech.ee/et/Item/73c5fa5a-8d43-4548-83f3-78d8dea388a0

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2020 (June)

Leave a reply

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2020 (June)

The defences are taking place on the first and second week of June.

Student: Eric Cornelissen (Computer Science MSc)
Title: Cryptographic Analysis of the Message Layer Security Protocol in the Static Corruption Model
Supervisor: Chris Brzuska, Dominique Unruh
Reviewer: Behzad Abdolmaleki

Student: Risto Pärnapuu (Computer Science MSc)
Title: Verifiable Photo Snapshots
Supervisor: Sven Laur, Ahto Truu
Reviewer: Arnis Paršovs

Student: Anita Onyinye Nwaokolo (Cyber Security MSc)
Title: A Comparison of Privacy Enhancing Technologies in Internet of Vehicle Systems
Supervisor: Raimundas Matulevicius, Abasi-amefon Obot Affia
Reviewer: Pille Pullonen

Student: Rando Tõnisson (Software Engineering MSc)
Title: Security Risk Management in Autonomous Driving Vehicles: Architecture Perspective
Supervisor: Raimundas Matulevičius, Abasi-Amefon O. Affia
Reviewer: Danielle Morgan

Student: Silver Maala (Computer Science BSc)
Title: A Proof of Concept Malware for Interacting with the Smart-ID Android Application
Supervisor: Arnis Paršovs
Reviewer: Mart Oruaas

Student: Kärt Ilja (Computer Science BSc)
Title: Intercepting Network Traffic of the Smart-ID Android Application
Supervisor: Arnis Paršovs
Reviewer: Mart Oruaas

Student: Siim-Alexander Kütt (Computer Science BSc)
Title: Security Analysis of Tartu Smart Bike Share Android Application
Supervisor: Arnis Paršovs
Reviewer: Kristjan Krips

Student: Gregor Eesmaa (Computer Science BSc)
Title: Authorization of Web Requests Based on Merkle Trees
Supervisor: Kristjan Krips
Reviewer: Arnis Paršovs

Student: Hendrik Eerikson (Computer Science BSc)
Title: Privacy Preserving Fingerprint Idenfication
Supervisor: Riivo Talviste, Kristjan Krips
Reviewer: Jan Villemson

Student: Sergei Kuštšenko (Computer Science BSc)
Title: Implementation of election bulletin board using HyperLedger Fabric
Supervisor: Ivo Kubjas
Reviewer: Jan Villemson

Student: Markus Punnar (Computer Science BSc)
Title: Cryptosystem for Post-Quantum Age Based on Moderate-Density Parity Check (MDPC) Codes
Supervisor: Vitaly Skachek, Irina Bocharova
Reviewer: Raul Martin Rebane

Links:
https://www.cs.ut.ee/sites/default/files/cs/kaitsmised_-_defences_ver04-06-20.pdf
https://comserv.cs.ut.ee/ati_thesis/index.php?year=2020