SEB Estonia Internet bank ID card authentication bypass

The flaw in the SEB Estonia Internet bank allows logging in just by knowing the victim’s username. The consequences go well beyond read-only access to the victim’s transaction history: the victim can be impersonated on any website that supports authentication through SEB (eesti.ee, mnt.ee, tele2.ee, etc.), and the flaw can be abused to buy goods from online merchants (as shown in the video), since SEB does not require signature authorization for “banklink” transactions.

Timeline:
2015.05.11. 13:00 – reported to CERT-EE
2015.05.14. 12:00 – fixed by SEB Estonia

The three days SEB needed to fix such a critical flaw is somewhat surprising.

SEB’s response:

SEB’s spokesman commented that “the referred security issue existed in so-called laboratory conditions, meaning that it needed several conditions to coincide and specific knowledge”.

“The security issue got fixed and we also checked that the flaw was not maliciously exploited,” said SEB’s spokesman, adding that the problem got fixed in less than an hour after all the needed information was received.

Anto Veldre (RIA): It is better that ethical people with academic degrees are looking for security holes than cyber criminals doing it. People should understand that new technology is complicated; systems at home and servers need to have updates every day. There is no such thing as a secure system (security), but there are people and control methods: if there is a problem it will be handled, and afterwards the logs are checked to see if something really happened.

Silver Vohu (SEB): It took less than an hour to make a fix. But reproducing the situation took most of those days, and asking additional questions of CERT-EE was needed. In a normal situation it was impossible to reproduce the problem.

Links:
https://www.youtube.com/watch?v=rRB8jZnS5nY
http://forte.delfi.ee/news/tarkvara/tosine-turvaauk-seb-internetipanka-sai-sisse-ainuuksi-kasutajanimega?id=72291205
http://tehnika.postimees.ee/3306453/seb-internetipangas-oli-tosine-turvaauk-sisenemiseks-piisas-vaid-kasutajanimest
http://seitsmesed.ee/eesti/uudis/2015/08/26/tosine-turvaauk-seb-internetipanka-sai-sisse-vaid-kasutajanimega/
http://www.tv3play.ee/sisu/seitsmesed-uudised-2015/648229

Health data forwarded to cancer screening register despite user’s will

In the second half of June, she had discovered in the digilugu.ee health portal that the National Institute for Health Development (TAI) had made 16 inquiries regarding her during this year. Looking into it, it turned out the queries came from the cancer screening register launched at the beginning of the year.

«I do not agree with the cancer screening register at TAI, or any other register, systematically collecting my health data. Health data are delicate and cannot be collected without permission by the individual. I request that my health data be immediately closed for TAI,» said Mr Sassian’s application to the social ministry. However, pursuant to the Public Health Act, data is forwarded to the cancer screening register even when an individual has closed her data in the system.

Maarja Kirss, adviser, Data Protection Inspectorate:

Meanwhile, the Public Health Act lays down the right of TAI to obtain data from the health information system to perform tasks prescribed by law. Thus, an individual can only restrict access to health data where a health service provider is concerned, but not from other data processors whom the law obligates to process certain data.

Katrin Merike Nyman-Metcalf, technological law professor at Tallinn University of Technology:

There is no basis to think that the ministry is misinterpreting the law; rather, this is a much broader issue: what’s the worth of an option to lock data if these can still be used? Isn’t the option then just an illusion? Simply put: they do provide the option of privacy of data but in reality they use them anyway.

Links:
http://news.postimees.ee/3296605/register-grabs-health-data-against-will-of-people

Estonian police to set up cyber crime unit

The Estonian Police and Border Guard Board is in the process of forming a dedicated cyber crime unit to deal with crimes that target information technology. The unit will start in 2016 and will employ 8 experts, working under the Central Criminal Police department. It will be put in charge of cases where the criminal motive has been to harm computers or IT systems. The unit will also support other police departments with know-how and skills.

Links:
http://news.err.ee/v/scitech/911d2814-b121-4c59-9d39-2c7b5d8668a6

Estonian blocked as UN’s first digital privacy investigator

The Estonian picked as the United Nations’ first digital privacy investigator was blocked on Friday by the German president of the UN Human Rights Council, after activist groups said she would not be a strong enough critic of US surveillance.

Nyman-Metcalf said she also found it bizarre that she had been criticised for saying there was no such thing as total privacy. “We all see these surveillance scandals and of course that’s upsetting, but at the same time there’s more and more pressure to do something against terrorism. There are lots of things that are pushing in different directions.”

Estonian ambassador Juri Seilenthal told Reuters that there needed to be privacy guarantees but “terrorists and child pornographers” must not be able to benefit from a right to privacy.

It would be more prudent for Estonian policy-makers to adopt the position laid down in the Keys Under Doormats report:

Lawmakers should not risk the real economic, geopolitical, and strategic benefits of an open and secure Internet for law enforcement gains that are at best minor and tactical.

Links:
http://www.theguardian.com/world/2015/jul/04/estonian-blocked-as-uns-first-digital-privacy-investigator

Interdisciplinary Cyber Research workshop 2015

18th of July, 2015 — Tallinn, Estonia

The aim of the workshop is to bring together young as well as established scholars undertaking research in various disciplines related to information and communication technologies, such as computer science, political and social sciences, and law. Attending the ICR workshop is free of charge and also open to participants who have not submitted an abstract (non-authors can register on the workshop site linked below). Travel to/from Tallinn and accommodation are to be covered by the participants.

Agenda:
9:30 – Opening words, Tallinn University of Technology
9:35 – Keynote presentation, “Data Sovereignty, Data Flow, and International Jurisdiction in Cloud Computing”, Prof Christopher Millard, Queen Mary University of London
10:05 – Keynote presentation, “Gnawing Away at Internet of Things Silos”, Prof Jon Crowcroft, University of Cambridge
Session 1: State and Cyber (Room 1)
“Governance of Cyber-Security in Elections”, Prof Robert Krimmer, Tallinn University of Technology
“E-Estonia under an Actor Network Theory Perspective”, Carlos Vargas Alvarez Del Castillo, Tallinn University
Session 2: Education and Digital Safety (Room 2)
“Representation of Snowden’s Scandal in Estonian Media: Semiotic Logic of Fear”, Mari-Liis Madisson, University of Tartu
Session 3: Privacy (Room 1)
“Tor Does Not Stink: Use and Abuse of the Tor Anonymity Network from the Perspective of Law”, Tomas Minarik, NATO CCD COE
Session 4: Tech I (Room 2)
Session 5: Law (Room 1)
“ISP Liability & the Delfi case”, Karmen Turk, University of Tartu
Session 6: Tech II (Room 2)

Registration deadline for non-authors: 10th of July 2015

Links:
http://cybercentre.cs.ttu.ee/en/icr2015/

National Cyber Security Organisation: Estonia

The study outlines the division of cyber security tasks and responsibilities between different agencies, describes their mandate, tasks and competences, and the coordination among them. In particular, it describes the mandates of political and strategic management; operational cyber security capabilities and cyber incident management; military cyber defence; and cyber aspects of crisis prevention and crisis management. It also offers a summary of the national information society setting and e-government initiatives as well as the national cyber security strategy objectives in order to clarify the context for the organisational approach in a particular nation.

Agencies mentioned: Ministry of Economic Affairs and Communications, Ministry of Defence, Cyber Security Council of the Security Committee of the Government, Estonian Information System Authority (EISA (RIA)), Estonian Computer Emergency Response Team (CERT-EE), Estonian Defence Forces, Strategic Communication Centre, NATO CCD COE, Estonian Defence League, National Crisis Management Committee, Ministry of the Interior, Estonian Internal Security Service (ISS (KAPO)).

Links:
https://ccdcoe.org/sites/default/files/multimedia/pdf/CS_organisation_ESTONIA_032015_1.pdf

Open Vacancy: Security Engineer in Guardtime R&D division

About The Role
The security engineer is part of a team of highly skilled, dedicated individuals who support research and software/security architecture for new product developments. The role is based in Estonia (Tallinn/Tartu) within an international organization whose clients and market growth are mostly overseas.
Responsibilities:
* Research/develop new technologies applicable to our products/services
* Software/security architecture for prototypes, new product developments
* Integration of KSI with various technologies like virtualization platforms, Internet of Things, PKI-based systems, code repositories, networking platforms, big data and others.
* Document and present research results
* Participate/present in security conferences, publish research papers, follow current trends in the information security world

Profile:
* Strong background in cryptography engineering and information security
* Fluent in formal methods, mathematics and statistics
* Familiarity with security infrastructure and protocols
* Experience with distributed systems, networking, cloud deployment and virtualization
* Strong background in programming – C/C++/Java/JS
* Strong experience with Unix Scripting: shell, perl, python or equivalent
* Result oriented and eager to learn

Links:
https://guardtime.com/about/jobs/security-engineer

Open Vacancy: Officer in Swedbank Security Incident Response (SIRT) Team

Your tasks will consist of:
* Gathering and analyzing of information about potential threats to Swedbank,
* Discovery and management of security incidents, including computer fraud and post-incident investigation,
* Proactive work to prevent security incidents.

Skills and qualities important to possess as a SIRT Officer in order to be successful in the role:
* University degree or practical IT working experience of at least 4 years,
* Ability to gather and analyse information,
* Knowledge of and experience with at least one of the following: Windows, Unix, or databases,
* Fundamentals of computer networks, network protocols, and applications,
* Knowledge of basic information security principles, including risks and threats to computers and networks, security vulnerabilities and attacks,
* Knowledge and experience of Java and Python programming languages would be seen as an advantage
* Software reverse engineering, or cryptography knowledge, or penetration testing (OWASP), and demonstrated computer forensics skills would be seen as an advantage,
* Knowledge of basic digital electronics would be seen as an advantage, and
* Good verbal and written communication skills in Estonian and English are a necessity; knowledge of Russian would be seen as an advantage

Links:
http://swedbank.easycruit.com/intranet/ee_homepage/vacancy/1411080/70633?iso=ee

Estonian Police to start collecting personal data of air passengers

On January 1, 2016, Estonian Police and Border Guard Board (PPA) will start collecting booking information for all flights to and from Estonia.

“The main reason for collecting PNR data is to fight cross-border crime, because drug and human traffickers, smugglers and the rest all make use of the broadened opportunities for free movement,” PNR project leader Kristi Laul said. “The PNR system will have a direct effect on public safety and have a positive effect on state’s internal security and its ability to counter serious crimes.” The data will only be used to investigate terror threats and other serious crime. The database serves as a tool to find people who could pose a risk to public safety.

PNR, or Passenger Name Records, are, in essence, data about your flight details. Every time we travel by plane, either the airline or the travel agent needs a series of data to proceed with our reservation, including itinerary, contact details, forms of payment, accompanying guests, and sometimes food preferences.

Meanwhile, civil society groups, the European Parliament and the EU data protection watchdog, the European Data Protection Supervisor, have repeatedly highlighted the lack of evidence regarding the necessity and proportionality of this “massive and routine processing of data of non-suspicious passengers for law enforcement purposes.”

Links:
http://news.err.ee/v/politics/72da111e-be78-4c6f-9cb3-196a18b4ff24
https://www.accessnow.org/blog/2014/11/26/wishing-bon-voyage-to-pnr-agreements-in-europe

Study on the lifecycle of cryptographic algorithms 2015

Commissioned by the Estonian Information System Authority (RIA), a new study on the lifecycle of cryptographic algorithms has been completed. According to Toomas Vaks, Deputy Director-General of RIA, 1024-bit keys should be retired everywhere as soon as possible; 2048-bit keys should be used for the next five years and, in the long term, keys of at least 3072 bits. (These sizes refer to RSA-type moduli; elliptic-curve keys are far shorter for comparable strength, so the same numbers must not be applied to them.)
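A practical first step towards the recommendation above is an inventory of the key sizes actually deployed. The following is an added example, not code from the RIA study or from this page: a standard-library-only Python scanner that reads RSA public keys in PEM form (both the SubjectPublicKeyInfo “PUBLIC KEY” and PKCS#1 “RSA PUBLIC KEY” wrappers), walks the DER structure to the modulus, and grades its bit length against the 2048-bit floor and 3072-bit long-term target quoted above. The thresholds are the study’s; the key names are hypothetical and the sample moduli are constructed numbers of the right size, not real keys, produced by a small fixture encoder so that the example runs offline.

```python
"""Inventory RSA public keys and flag moduli below the recommended minimum."""
import base64
import re

# Thresholds quoted from the RIA study summary: 2048 bits is the floor for
# the next five years, 3072 bits the long-term minimum. (Assumed policy labels.)
MIN_BITS_NOW = 2048
MIN_BITS_LONG_TERM = 3072

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(pem):
    """Return the modulus bit length of a PEM-encoded RSA public key."""
    pkcs1 = "BEGIN RSA PUBLIC KEY" in pem
    body = re.sub(r"-----[^-]+-----|\s", "", pem)  # strip armour and whitespace
    der = base64.b64decode(body)
    if pkcs1:
        _, rsa_pub, _ = _read_tlv(der, 0)  # RSAPublicKey ::= SEQUENCE { n, e }
    else:
        tag, spki, _ = _read_tlv(der, 0)  # SubjectPublicKeyInfo SEQUENCE
        if tag != 0x30:
            raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
        _, alg, pos = _read_tlv(spki, 0)  # AlgorithmIdentifier
        tag, oid, _ = _read_tlv(alg, 0)
        if tag != 0x06 or oid != OID_RSA_ENCRYPTION:
            raise ValueError("not an rsaEncryption key")
        tag, bitstr, _ = _read_tlv(spki, pos)  # BIT STRING wrapping RSAPublicKey
        if tag != 0x03:
            raise ValueError("expected BIT STRING subjectPublicKey")
        _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    tag, modulus, _ = _read_tlv(rsa_pub, 0)  # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def classify(bits):
    """Grade a modulus length against the thresholds above."""
    if bits < MIN_BITS_NOW:
        return "replace now"
    if bits < MIN_BITS_LONG_TERM:
        return "acceptable for now, plan for 3072"
    return "ok"


def scan(pems):
    """Return [(name, bits, verdict)] for a mapping of key name -> PEM text."""
    report = []
    for name, pem in pems.items():
        bits = rsa_modulus_bits(pem)
        report.append((name, bits, classify(bits)))
    return report


# --- fixture encoder: builds syntactically valid keys from made-up moduli ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # leading zero keeps the INTEGER positive
    return _tlv(0x02, b)


def make_rsa_pem(n, e=65537, pkcs1=False):
    """Constructed test fixture: wrap (n, e) as PEM. n need not be a real RSA modulus."""
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(e))
    if pkcs1:
        der, label = rsa_pub, "RSA PUBLIC KEY"
    else:
        alg = _tlv(0x30, _tlv(0x06, OID_RSA_ENCRYPTION) + b"\x05\x00")
        der, label = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub)), "PUBLIC KEY"
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample inventory (hypothetical names, placeholder moduli).
SAMPLE_KEYS = {
    "legacy-banklink-1024": make_rsa_pem((1 << 1023) | 1),
    "web-tls-2048": make_rsa_pem((1 << 2047) | 1),
    "ca-root-3072-pkcs1": make_rsa_pem((1 << 3071) | 1, pkcs1=True),
}

if __name__ == "__main__":
    for name, bits, verdict in scan(SAMPLE_KEYS):
        print(f"{name:24s} {bits:5d} bits  {verdict}")
```

Pointed at real material, feed `scan()` the PEM text of each certificate’s public key (for example the output of `openssl x509 -pubkey -noout`); the parser deliberately rejects non-RSA keys rather than grading an EC key against RSA thresholds.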

Links:
https://www.ria.ee/ee/it-lahendustesse-ehitada-voimalus-asendada-kruptoalgoritmid.html