Women in Cybersecurity Conference

NB! Our event is directed towards both men and women, already in the world of IT and also outside of it.

Speakers :
– Karina Egipt — Identity Impact Manager at Nortal, Estonian Information Technology College
– Sille Laks — CERT Estonia
– Karen K. Burns — Director, Consulting – Cybersecurity, AS CGI Eesti
– Anna-Maria Osula — Legal researcher at the NATO Cooperative Cyber Defence Centre of Excellence
– Jaanika Merilo — Vice Mayor of Dnipro, Advisor to Minister of Infrastructure and Transportation and Mayor of Lviv
– Birgy Lorenz — TTÜ teacher, general promoter of IT in Estonia, CyberOlympics organiser
– Kaie Maennel — Cybersecurity PhD student at TUT, Cyber forensics graduate, Deloitte auditor
– Shaymaa Mamdouh —TUT Cyber Security student, mother

The conference entitled Women in Cybersecurity, which will take place at Tallinn University of Technology on 11th of November 2017, will aim to draw attention to the disproportionately smaller amount of women compared to men in the field.

We will discuss the potential of women taking a leading role in addressing the problem. Panelists are invited to speak about the importance of gender equality in this very field, tell about women leadership, career perspectives in Cyber Security and how the environment supports women. They are also invited to share their fields of interests and research as professionals.

Our team would like to introduce these three branches of cybersecurity:
• Governance and NGO’s;
• Business and Technology;
• Academia.

Women studying Cyber Security in Estonia will be invited also and will be able to present their stories the same way the keynotes will be at the Poster Session. The poster of each woman will tell their story of how they came to cybersecurity, what inspires them the most, the difficulties they’ve met and their field of interest. Women presenting their posters will be granted a certificate and are more than welcome to share theri experience in their CVs in future. Participants will be able to interact with the story-tellers during the time allocated.

We believe that the mission for women in IT and Cyber Security is to help illuminate the path for progress.

Links:
https://www.facebook.com/events/293943887776558/

Legislation of criminal jurisdiction over online texts should be changed

The acquittal of writer Kaur Kender, accused of producing child pornography, because he wrote his text abroad that is therefore not subject to Estonian legislation shows that laws need to be taken into conformity with the digital age,” finds Jaan Ginter, professor of criminology at the University of Tartu.

Tallinn Circuit Court acquitted Kender a week ago because he was in Michigan, USA when his infamous short story “UNTITLED 12” was published, while the server of publisher nihilist.fm is located in the United Kingdom. Kender was beyond the reach of Estonian laws.

When a digital-age person with no knowledge of the law reads the court’s decision, they will find it very surprising Kaur Kender’s case does not fall in the jurisdiction of Estonian courts at all. Kender’s text was aimed at the Estonian market. [..] The location of a digital services provider – the location of computers used to offer the service – should not matter these days. [..] No one, including myself, has given comprehensive thought to what the criminal jurisdiction of online texts could be; however, it is clear laws are evolving, and that the location of the server cannot be the decisive factor.

Links:
https://news.postimees.ee/4281829/kender-s-case-points-to-necessity-of-changes

Liisa Past, Kaur Virunurm: E-State and Proactive Risk Management

The presentation was given in cybersecurity conference “Cyberchess 2017” held on October 5, 2017 in Riga. The presentation touched upon the recent events such as i-voting and the flaw found in the ID card chip.

The last question from the audience was worth a dime:

Is PPA considering any legal action against the vendor, because, as I understand, you have been informed by the researchers, but the vendor has not informed you.
And the second one: in the new procurement, what are are the lessons learned? Are you planing to change or include some clauses on liability?

The question was not answered in full, but the answer would be interesting indeed.

Links:
https://www.youtube.com/watch?v=6N_ZeFDNzvg
https://cert.lv/uploads/pasakumi/liisapastkaurvirunurm.pdf

 

Cybernetica’s Information Security Institute is looking for a senior researcher

Cybernetica’s Information Security Institute has an open position for a SENIOR RESEARCHER

We are looking for applicants that complement our existing competencies and at the same time have necessary abilities to lead an independent industrial research group. The list of potential topics of interest includes but is not limited to

• new directions in cryptography (especially post-quantum cryptography),
• cryptanalysis,
• formal methods (sociotechnical risk models, protocol analysis),
• privacy-preserving computations,
• data mining and/or machine learning for security,
• secure software and systems development,
• hardware-level and embedded systems security (Internet-of-Things, smart cards, side channel attacks).

We stress once more that the previous list is not exhaustive. We a looking for a candidate who creates synergies with our existing senior researchers.

Successful applicant has a
• PhD degree in computer science, mathematics, software engineering or in a closely related field, together with a
• proven track record showing academic and/or industrial performance in the field of computer security or cryptography.

We offer
• opportunity to integrate new research activities into Cybernetica’s R&D portfolio, as well as to contribute to existing themes;
• to work with, learn from, and teach highly qualified professionals, both in research and development;
• to be part of, and improve the Estonian e-society;
• (reasonable) funds to set up your research environment, should your research topics require the purchase or rent of specialized hardware, high-performance computing resources, etc;
• funds to hire a junior researcher working on your research topics;
• being part of a growing team either in our Tallinn or Tartu office;
• flexible working hours.

Links:
http://www.cv.ee/job-ad/cybernetica-as/senior-researcher-d3437988.html

PIN2 code not needed to make payments in Danske Bank

Most internet bank users using ID-card or Mobile-ID are used to first enter PIN1 and then confirm by PIN2 again when making a payment. Danske Bank, however, has solved the matter differently, and will only ask for PIN1 for both login and for payment confirmation.

Annika Maiste, head of Danske Bank’s e-banking, told that indeed the same PIN code should be used for both login and payment confirmation, and according to the bank, this does not have any effect on security. “In our risk assessment, we have analyzed various attacks and concluded that the use of the digital signing function in Internet Banking may not provide significant additional protection to the user in the case of modern malware,” Maiste said.

She added that the above principle is used for both Mobile-ID and ID-card, and that the company can confirm that, although compared to other banks, Danske Internet Bank does not ask PIN2 from users, it is safe for the users.

Katrin Talihärm, Managing Director of the Banking Association, said that what kind of security code to ask is the responsibility of each service provider and they have not made recommendations to their members about it. She added that both ID-card and Mobile-ID are categorized by their definition as strong authentication tools, when used in an electronic environment in addition to PIN.

If only the modern malware is considered in the threat model than indeed PIN2 does not provide any additional protection. However, there are other attacks where, while the compromise of one key is feasible, the compromise of both keys is not.

Links:
https://geenius.ee/uudis/danske-bankis-pin2-koodi-vaja-ei-lahegi/

RSA 2048-bit keys in Estonian ID cards issued after October 2014 are factorizable

On September 5, 2017, Estonian Information System Authority (RIA) informed about a security risk in ID cards:

On 30 August, an international team of researchers informed the Information System Authority (RIA) of a security risk affecting ID-cards issued in Estonia since October 2014 (including cards issued to e-residents), i.e. about 750,000 cards altogether. ID-cards issued before 16 October 2014 have a different chip and are not affected by this risk.

Now we have more details:

The flaw resides in the Infineon-developed RSA Library version v1.02.013, specifically within an algorithm it implements for RSA primes generation. [..] To boost performance, the Infineon library constructs the keys’ underlying prime numbers in a way that makes the keys prone to a process known as factorization. When generated properly, an RSA key with 2048 bits should require several quadrillion years—or hundreds of thousands of times the age of the universe—to be factorized with a general-purpose computer. Factorizing a 2048-bit RSA key generated with the faulty Infineon library, by contrast, takes [..] no more than 17 days and $40,300 using a 1,000-instance machine on Amazon Web Service. On average, it would require half the cost and time to factorize the affected keys. All that’s required is passing the public key through an extension of what’s known as Coppersmith’s Attack.

The researchers examined keys used in electronic identity cards issued by four countries and quickly found two—Estonia and Slovakia—were issuing documents with fingerprinted keys, both of which were 2048 bits in length, making them practically factorizable.[..] While it has closed its public key database, Estonian government officials have also announced plans to rotate all keys to a format that’s not vulnerable, starting in November.

Details from Infineon:

Due to application-specific requirements, it is common practice to employ acceleration algorithms in order to generate key pairs, especially if time resources are sparse. Infineon also utilizes such an acceleration algorithm in time-restricted cases, called “Fast Prime”. [..] The foundations of “Fast Prime” date back to the year 2000. Its use started around ten years later after thorough reviews. [..] this software function was certified by the BSI (Federal Office for Information Security) in Germany. No mathematical weaknesses were known, nor have been discovered during the certification processes. Recently, a research team from the of the Masaryk University, Czech Republic, developed advanced mathematical methods to analyze and exploit weaknesses in acceleration algorithms for prime number selection.

In a way these findings are a blessing for the practical security of Estonian eID. Up to now, at least publicly the chip of Estonian ID card was presumed infallible, and if someone approached these issues in the risk analysis, it was considered a heresy.

There are several lessons to be learned on different levels of management. The current practice of the plain hope that the vendor of the unauditable chip will get it right, may not be a sustainable approach for the state which so heavily relies on the secrecy of the private keys held therein.

Links:
https://crocs.fi.muni.cz/public/papers/rsa_ccs17
https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
https://www.ria.ee/en/possible-security-vulnerability-detected-in-the-estonian-id-card-chip.html
https://www.ria.ee/en/id-cards-affected-by-the-security-risk-can-be-renewed-from-november.html
http://news.postimees.ee/4258645/e-scare-cure-found-in-weeks
http://news.err.ee/634222/cracking-of-one-id-card-would-require-estonia-to-deactivate-750-000-cards
http://news.err.ee/619703/ria-recommends-state-officials-use-mobile-id-to-minimize-security-risks
http://news.err.ee/616732/potential-security-risk-could-affect-750-000-estonian-id-cards
http://news.err.ee/634560/estonia-to-provide-670-000-in-support-for-mobile-id-access-development
http://tehnika.postimees.ee/4243153/id-kaardi-tootja-oleme-eesti-vastu-kohtus-aga-teeme-turvariski-parast-koostood
https://geenius.ee/uudis/id-kaardi-vea-avastanud-teadlane-geeniusele-meid-ullatas-kui-tosiselt-eestis-seda-voeti/
http://www.err.ee/631731/hanso-id-kaardi-turvaprobleemid-saavad-uueks-aastaks-lahendatud

MyFitness self-service portal accounts created with weak default passwords

The self-service portal of the biggest Estonian sports club MyFitness has a major flaw, which allows for strangers to easily log in to the accounts and see people personal information. The club already knows the mistake for a month, but it has not been fixed so far.

The test showed that knowing the MyFitness client’s completely public information is possible to sign in to his account if he has not manually changed his password. Namely, the client will be assigned a default password when opening a self-service account, which is very easy to guess even to completely strangers. Another problem is that the client is not forced to change this password after logging in, which means that people will continue to use the unsecure password. Thirdly, the person’s password is sent to them in plain via e-mail, making it easy for it to leak.

Signing in to a person’s account will at least allow to see his contact details, contracts with MyFitness, training preferences, history and schedule.

The username is incremental number and the password is the first name of the account holder. MyFitness was informed about the flaw through CERT-EE already year ago.
This is another example that some flaws get fixed only after they are published in media.

Links:
https://geenius.ee/uudis/myfitnessi-iseteeninduses-laiutab-isikuandmeid-paljastav-ulilihtne-turvaauk-ettevote-pole-kuu-ajaga-seda-parandanud/

Contactless card payment limit rises to 25 EUR

All banks, which issue contactless credit cards in Estonia, starting from October 16 will raise the payment limit from 10 to 25 EUR.

“The ten euro limit established in Estonia initially proved that both consumers and merchants are interested in the new payment method and it is also safe, because only the special equipment for which a contract with the bank is necessary is required to pay the payment,” said Meelis Nurk, chairman of the banking union card working group.

15% of the bank cards used in Estonia are contactless cards. By the end of the year, 80% of payment terminals should support contactless payments; by 2020, all terminals must be able to provide pay-as-you-go payments.

In Estonia the contactless payment cards are issued by Swedbank, SEB Pank, LHV Bank, Krediidipank and Nordea Bank.

Links:
http://kasulik.delfi.ee/news/uudised/viipemakse-limiit-touseb-kumnelt-eurolt-25-euroni?id=79535098

SK Annual Conference 2017

E-identity event SK Annual Conference 2017 will take place on November 2, 2017, Baltic Station old waiting area (Toompuiestee 37, Tallinn).

Agenda:
09:00-09:30 Registration and morning coffee
09:30-10:30 Overview of SK 2017, Kalev Pihl, SK
10:30-11:00 Smart-ID: fast start and future plans, Kaido Irval and Georg Nikolajevski, SK
11:00-11:15 Cofee Break
11:15-11:45 The future of authentication in SEB. When will the code cards disappear? Ragnar Toomla, SEB
11:45-12:15 DeepScan, Lauri Ilison, Nortal
12:15-13:00 Lunch
13:00-14:00 Keynote: The Future of Technology Through the Mind of a Hacker, Pablos Holman
14:00-14:45 Panel discussion, Pablos Holman and Taavi Kotka
14:45-15:00 Cofee Break
15:00-15:30 RSA (implementations) attack history and lessons, Arne Ansper, Cybernetica
15:30-16:00 eID year in retrospect, Anto Veldre, RIA
16:10-16:40 Round of question and answers
16:40-17:00 Summary of the day by digital world enthusiasts
17:00-18:00 Evening snack

Registration till October 20.

Links:
https://www.sk.ee/ettevottest/sk-aastakonverents/aastakonverents-2017