EISA Cyber Security Report 2014


Interesting quotes from the report (RIA is the Estonian Information System Authority, EISA):

In 2014, RIA aggregated its functions related to guaranteeing cyber security in the cyber security branch. Incident response, risk control and regulation supervision, as well as research and development activities are now determined more clearly, which also allows for a more efficient use of resources.

Skilful phishing of cloud service accounts (e.g. Gmail, Hotmail) has continued at unprecedented levels at the beginning of 2015 as well. E-mails appear to come from a trustworthy source and have significantly improved in quality, both in content and in Estonian language use, which means that the recipient has to be even more attentive and critical in order to detect the fraud.

Intrusion into websites is becoming more difficult to identify. It is becoming more common that the infector uploads the malware for a very short time period only and takes into consideration which IP address is used to visit the site. For instance, users visiting the website from Estonia receive a different type of malware than users who access the website from the USA.

In 2014, there was a slight increase in the percentage of incidents that had actual consequences for institutions and users. For instance, the use of a document management system was disabled or, in more severe cases, the digital prescription or Schengen information systems were down.

The incidents at the end of the year were mainly virus outbreaks and well-aimed phishing letters, but also distributed denial-of-service attacks, many of which did not last very long but, according to RIA’s estimate, seemed to be mapping the resilience of systems.

As the life cycle of all algorithms is limited, the time to act in order to update all the cryptographic methods of services is even more limited. At some point, it might appear that the smooth transition period has not been sufficient; e.g. when powerful quantum computers are used to break the cryptography. We need to have an action plan for the scenario when any of the algorithms important for some Estonian e-service has been broken. RIA sees a clear need to have such plans and to rehearse them.

The results of the Eurobarometer 2014 survey showed that Estonians trust the state as the guardian of personal data more than Europeans do on average. Estonians are also less worried about the consequences of cyber-attacks and claim to be good at identifying fake e-mails.

On 1 July 2014, the Act for the Amendment and Application of the Law Enforcement Act entered into force. Pursuant to this act, starting from summer 2014, RIA is a law enforcement body. According to the changes, the Technical Regulatory Authority’s supervisory competency of guaranteeing the security and integrity of communication networks and services set in the Electronic Communications Act was transferred to RIA. The same draft also established RIA’s supervisory competency in the Emergency Act and the Public Information Act.

On 11 September, the government approved the “Cyber Security Strategy for 2014–2017” and its implementation plan. The strategy continues to target several goals set in the previous cyber security strategy, but new risks and requirements have also been added. The dependency of the functioning of the state on information technology has increased and cross-dependencies have also increased, meaning that the provision of several critical services is no longer dependent only on the functioning of Estonian IT systems but also on the infrastructure and e-services of other countries.

In 2014, RIA, in cooperation with its partner organisations, developed common principles of readiness for emergency and cooperation in case of large-scale cyber incidents. An interagency working group led by RIA prepared the draft for the Government of the Republic’s order “Plan for solving a large-scale cyber incident emergency”.

In addition to reacting to everyday vulnerabilities and risks, the key words for RIA in 2015 are improving the monitoring and resilience of the government network, cooperation with the field of medicine and solutions and risks related to the e-residents programme.

Links:
https://www.ria.ee/public/Kuberturvalisus/RIA-Kyberturbe-aruanne-2014_ENG.pdf
http://news.err.ee/v/scitech/1c0f2c7b-8f3d-49cf-9cf3-c04b4f0a4171

BSA Report: Estonia one of most cyber-secure countries in EU


According to the recently published Business Software Alliance (BSA) report, Estonia, Austria and the Netherlands are the most cyber-secure countries in Europe.

Although there are no overall rankings or scores in the study, Estonia comes out on top in terms of having in place the legal foundations and operational entities for tackling cyber-security issues. What it could do next is create sector-specific cyber-security plans.

The report also found that while no formalized public-private partnerships exist, public entities do work closely with relevant private sector organisations.

Links:
http://news.err.ee/v/scitech/eab19675-680b-48c3-ba0b-e9296c4ad5ce

Estonian IT College offers “Cyber Security Engineering” curriculum in English


Education: professional higher education
Language of instruction: English
Official length of programme: 3 years, 180 ECTS credits
Study form: daily study
Tuition fee: 2400 € per academic year
Start of studies: September 2015
Admission period: 11th of March – 7th of April 2015

Curriculum comprises the following modules:

  • Basic Skills and Competences (16 ECTS)
  • Basics of Information Technology (24 ECTS)
  • IT Systems Development (38 ECTS)
  • IT Systems Administration (22 ECTS)
  • Cyber Security (16 ECTS)
  • Elective subjects (32 ECTS)
  • Internship (27 ECTS)
  • Diploma Thesis (5 ECTS)

Links:
http://www.itcollege.ee/en/admission/

SignWise Chrome plugin leaks ID card certificate to arbitrary web sites


If you have installed the SignWise plugin (available for Windows and OS X, affected up to at least version 1.10) on your computer, beware of the privacy implications. The SignWise Chrome extension hands the end-user certificate of the inserted eID smart card to any website that asks, without any user interaction and in plain text! The certificate identifies the cardholder (an Estonian ID card certificate carries the holder’s name and personal identification code), so any site that embeds the call can learn exactly who is visiting.

A malicious web site has to embed only a few lines of JavaScript code to collect certificate information from its visitors:

var s = new SignWiseChromePlugin();
s.getAuthenticationCertificate(function(v, e) {
  // … rest of the callback elided in the original; v carries the certificate, e any error
});

A similar flaw was observed in 2010 in the official EstEID browser plugin. We will see how long it takes SignWise to fix this one.
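To make the flaw concrete, here is an added example (not SignWise’s code) that mocks the page-facing plugin API in the shape of the snippet above, callback(v, e), in two versions: the reported behaviour, which hands the certificate to any origin without asking, and a hardened variant gated on the page origin and an explicit user decision. The class names, the allowlist, the consent hook and the certificate text are assumptions constructed for the illustration; only the method name comes from the post.

```javascript
// Added example, not code from SignWise. Mocks the page-facing API described in
// the post (callback(v, e)) as reported, and beside it a hardened version.
// Everything except the method name getAuthenticationCertificate is an assumption.

const CONSTRUCTED_CERT =
  '-----BEGIN CERTIFICATE-----\n' +
  'constructed placeholder; a real ID card certificate here carries the\n' +
  'holder name and personal identification code in the subject field\n' +
  '-----END CERTIFICATE-----';

// Reported behaviour: the certificate is returned to whoever calls, unconditionally.
class LeakySignWisePlugin {
  getAuthenticationCertificate(callback) {
    callback(CONSTRUCTED_CERT, null);
  }
}

// Hardened variant. `origin` must be what the extension's own content script
// observed (location.origin), never a value supplied by page script.
class HardenedSignWisePlugin {
  constructor(origin, allowedOrigins, askUser) {
    this.origin = origin;
    this.allowed = new Set(allowedOrigins);
    this.askUser = askUser;       // (origin) => boolean; a real extension shows a prompt here
    this.decisions = new Map();   // per-origin answers remembered for this session
  }

  getAuthenticationCertificate(callback) {
    // 1. Only TLS origins: a plaintext page would expose the certificate on the wire.
    if (new URL(this.origin).protocol !== 'https:') {
      return callback(null, new Error('certificate is only released to https origins'));
    }
    // 2. Only origins the operator explicitly allows (signing portals, not any site).
    if (!this.allowed.has(this.origin)) {
      return callback(null, new Error('origin is not on the allowlist'));
    }
    // 3. Explicit user consent, asked once per origin and remembered.
    if (!this.decisions.has(this.origin)) {
      this.decisions.set(this.origin, Boolean(this.askUser(this.origin)));
    }
    if (!this.decisions.get(this.origin)) {
      return callback(null, new Error('user declined to share the certificate'));
    }
    callback(CONSTRUCTED_CERT, null);
  }
}

// Plays the role of the page script from the post: collects whatever the plugin hands over.
function collectCertificate(plugin) {
  let result = null;
  plugin.getAuthenticationCertificate((v, e) => {
    result = { cert: v, error: e ? e.message : null };
  });
  return result;
}

// Assumed allowlist: the vendor's own portal (named in the post), nothing else.
const ALLOWED_ORIGINS = ['https://portal.signwise.org'];

console.log('leaky, any site:', collectCertificate(new LeakySignWisePlugin()));
console.log('hardened, unknown site:',
  collectCertificate(new HardenedSignWisePlugin('https://evil.example', ALLOWED_ORIGINS, () => true)));
console.log('hardened, allowed site, user accepts:',
  collectCertificate(new HardenedSignWisePlugin('https://portal.signwise.org', ALLOWED_ORIGINS, () => true)));
```

The important design point is that the gate runs inside the extension, on an origin the extension observed itself; a check that trusts an origin string passed in by the calling page would be no check at all.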

Update from the SignWise Team:

SignWise is happy that our software and services are used by experts who value high-level security. We are sorry that our provided software had such a problem as described in your post. As of today (12.03.2015) we are happy to inform you that the problem you described is solved and user information is no longer shared as described in your post. Our products, SignWise Services (https://www.signwise.org) and SignWise Portal (https://portal.signwise.org), have been built following the highest standards of security with strict confidentiality in mind, and following the business and security requirements and demands for e-signing high-value electronic documents both in-country and across borders.

Links:
http://martinpaljak.net/sign/swhack.html
http://id.anttix.org/leak/leak.html

Attacks against Gemalto do not endanger the security of Mobile-ID


Gemalto, which is the largest manufacturer of SIM cards in the world, launched an internal investigation after The Intercept six days ago revealed that the NSA and its British counterpart GCHQ hacked the company and cyberstalked its employees. In the secret documents, provided by NSA whistleblower Edward Snowden, the intelligence agencies described a successful effort to obtain secret encryption keys used to protect hundreds of millions of mobile devices across the globe.

Some mobile operators in Estonia use Mobile-ID SIM cards supplied by Gemalto. Here is the response of the Estonian Certification Centre (AS SK):

The attacks against the Dutch SIM card manufacturer Gemalto, which became public yesterday, do not endanger Mobile-ID. AS SK (Certification Centre) confirmed that the attacks against the world’s largest SIM card manufacturer Gemalto do not threaten the security of Estonian Mobile-ID.

“We analyzed the information available to us about the attack and verified that the Mobile-ID security is not affected, Mobile-ID is still secure, and users do not need to make adjustments to their normal behavior in any way,” said the head of the Certification Center Kalev Pihl.

Gemalto has released a public report where the company tries to downplay the significance of NSA and GCHQ hack. But that is understandable:

The company was eager to address the claims that its systems and encryption keys had been massively compromised. At one point in stock trading after publication of the report, Gemalto suffered a half billion dollar hit to its market capitalization. The stock only partially recovered in the following days.

Fortunately, exploiting the stolen keys (the SIM authentication keys, Ki) requires the attacker to be within radio range of the victim’s mobile phone and to mount an active man-in-the-middle attack at the very moment the victim performs a Mobile-ID transaction. The Mobile-ID signing keys themselves are separate from the Ki: they are generated on the SIM and never leave it.

Update about Estonian mobile network operators’ use of Gemalto SIM cards:

Estonian National Electoral Commission’s e-voting committee deputy chairwoman Epp Maaten said that among Estonian mobile operators only EMT uses SIM cards issued by Gemalto, and only as pre-paid call cards; Gemalto is not the only vendor of those cards either.

Links:
https://theintercept.com/2015/02/25/gemalto-doesnt-know-doesnt-know/
https://sk.ee/uudised/runnakud-gemalto-vastu-ei-ohusta-mobiil-id-turvalisust/
http://democracychronicles.com/estonian-internet-voting-safety/

New director general of EISA Taimar Peterkop


Minister of Economic Affairs and Infrastructure Urve Palo signed a decree appointing Taimar Peterkop director general of the Estonian Information System Authority (EISA). Taimar Peterkop is currently working in the Ministry of Defence as Undersecretary for Legal and Administrative Affairs. He begins his work at EISA this May.

From the CV:

Taimar Peterkop was born on 20 January 1977 in Tallinn. He graduated from the University of Tartu Faculty of Law and has completed many in-service trainings, including the Higher Command Studies Course at the Baltic Defence College. Mr Peterkop holds a Master’s degree in Strategic Studies from the United States Army War College. He is also a reserve officer.

During 2000–2001 Taimar Peterkop worked as a lawyer in the Government Office. During 2001–2005 Mr Peterkop worked in the Ministry of Defence as the Director of International Law Office and during 2005–2008 as the Director of Operations and Crisis Management Department. From 2008 until July 2010 he worked as a Defence Counsellor in the Estonian Embassy in Washington.

Taimar Peterkop has also worked as a national defence teacher in several high schools and as an international law lecturer at Estonian Business School.

Links:
http://uudised.err.ee/v/eesti/c9740dca-b127-49e1-923b-71be3b8bbf3f
https://www.ria.ee/ria-peadirektoriks-saab-taimar-peterkop/

Estonian ID card users detected Lenovo’s malware months ago


Lenovo’s been caught going a bit too far in its quest for bloatware money, and the results have put its users at risk. The company has been preloading Superfish, a “visual search” tool that includes adware that fakes the encryption certificates for every HTTPS-protected site you visit, on its PCs since at least the middle of 2014. Essentially, the software conducts a man-in-the-middle attack to fill the websites you visit with ads, and leaves you vulnerable to hackers in its wake.

While the rest of the world is just starting to talk about Lenovo’s malware, it turns out that Estonians detected it already at the beginning of 2015. The reason is the TLS client-certificate authentication used by the Estonian ID card: the card signs the handshake of the TLS connection it is actually on, including the server certificate the browser saw, so an interposed proxy like Superfish, which presents its own certificate to the browser, cannot complete ID card authentication to the real service. ID card logins simply stop working behind such a proxy, which is what made the interception visible.

Congratulations to Estonian ID card!
Unfortunately, Mobile-ID users are not protected against this kind of MITM attack: Mobile-ID authentication signs a challenge delivered out of band to the phone, and that signature is not bound to the TLS connection the browser is using, so an interposed proxy can relay it unchanged.

Links:
http://id.ee/index.php?id=37045
http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html

PhD thesis: “Privacy-preserving statistical analysis using secure multi-party computation”


Liina Kamm’s PhD thesis: “Privacy-preserving statistical analysis using secure multi-party computation”
Defense date: 09.03.2015 – 16:15 to 17:45 (J. Liivi 2-404, Tartu, Estonia)

Thesis supervisor: Senior Research Fellow Sven Laur

Opponents:
Rebecca N. Wright, PhD (Rutgers University, USA)
George Danezis, PhD (University College London, UK)

Summary:
This work focuses on how to perform statistical analyses in a way that preserves the privacy of the individual. To achieve this goal, we use secure multi-party computation. This cryptographic technique allows data to be analysed without seeing the individual values. Even though using secure multi-party computation is a time-consuming process, we show that it is feasible even for large-scale databases.

Links:
http://www.ut.ee/en/events/liina-kamm-privacy-preserving-statistical-analysis-using-secure-multi-party-computation

CyCon 2015 Call for Student Papers


We are seeking novel and previously unpublished short papers that provide an overview of a recent Master’s thesis in the field of cyber security. Students from various disciplines such as computer science, law and political science are invited to participate. Submissions will be evaluated based on their originality and significance to the conference’s theme “Architectures in Cyberspace”.

The best submissions will be presented and prizes awarded at CyCon 2015. The awards comprise a free conference pass for all invited candidates and the following cash prizes for the top three student papers:
1st place: 1000 Euro
2nd place: 600 Euro
3rd place: 400 Euro

And as it turns out – under the meaningless “Architectures in Cyberspace” title falls pretty much anything.

Links:
https://ccdcoe.org/cycon/student-awards-0.html
https://ccdcoe.org/cycon-2015.html

President of Estonia gives state awards to cyber security people


President Toomas Hendrik Ilves will hand out 99 state decorations, same number as last year, with Siim Kallas, Andrus Ansip and Timothy John Berners-Lee receiving high honors.

In the field of IT, decorations are awarded to the internationally renowned computer scientist Timothy John Berners-Lee, who invented the technologies underlying the World Wide Web, such as HTTP and the first browser; to Dan Bogdanov, PhD in computer science and Cybernetica researcher, who led the development of the privacy-preserving Sharemind system and its applications; to Ahto Buldas, Cybernetica researcher, founder of Guardtime and professor at Tallinn University of Technology; and to Veljo Haamer, leader of the free WiFi movement.

Dan Bogdanov is known for his work on secure multi-party computation, Ahto Buldas for his work on digital time-stamping, among other topics.

Congratulations!

Links:
http://www.president.ee/et/meediakajastus/pressiteated/11027-2015-02-04-08-51-57/
http://www.president.ee/et/ametitegevus/otsused/11028-576-riiklike-autasude-andmine/index.html
http://news.err.ee/v/society/6665f69e-592c-45e3-94eb-a773e38ae433