Workshop about smart card programming in Tartu hackerspace


On 20 January 2015 at 16:00 there will be a workshop (in Estonian) at Tartu Hackerspace on JavaCard development, with a focus on EstEID and the open eID software.

An introduction to smart card programming, with a practical example.

  • Programmable smart cards (JavaCard): what, why, how and where to get them
  • JavaCard development lifecycle overview
  • Related technologies and standards (from ISO 7816-3 to PKCS#11)
  • Open-source development tools in the development process: javacard.pro
  • Hands on! An Estonian ID-card “clone” on your computer!

EUR 30 participation fee (for the white plastic card). Required skills: the ability to find your way around the Linux command line, an average level of Java programming, and the ability to tell hashing from encryption.

Registration: martin@martinpaljak.net

Links:
http://javacard.pro/#news
https://hackest.org/syndmused:2015-01-20-platskaart-vol2

Jaan Priisalu, director general of EISA, resigns


Jaan Priisalu, director general of the Estonian Information System Authority (EISA), submitted his resignation from office for personal reasons on 19 January 2015.

“Jaan Priisalu is a reputable international cyber expert who has built up a cyber capacity to world level. I thank him for that,” said the Secretary General of the Ministry of Economic Affairs and Communications Merike Saks via a press release.

A competition will be announced to find a new head of EISA.

The Estonian Information System Authority (RIA in Estonian) organizes cyber-security related activities in Estonia.

Links:
http://majandus24.postimees.ee/3048297/ria-juht-lahkus-ametist
http://www.delfi.ee/news/paevauudised/eesti/riigi-infosusteemi-ameti-peadirektor-lahkub-ametist?id=70513357

The hacker who attacked the website of “Meie Maa” newspaper fined EUR 455


A 22-year-old hacker has been fined 455 euros for breaching the Meie Maa media website and disabling its comments section, which then diverted readers to a rival site. The attack took place in May and forced Meie Maa, a media outlet in Saare County, to temporarily shut down its comments section, Meie Maa reported. Readers entering the section were told that the site was unsafe and were directed to Saarte Hääl, a rival news site.

The Western District Prosecutor’s Office fined the man 455 euros, of which 100 euros, which has already been paid, will go to Meie Maa as compensation for damages and 355 euros will go to state coffers. Head of Meie Maa, Priit Rauniste, said they are yet to decide whether they will pursue civil action against the man.

He escaped criminal punishment: the Western District Prosecutor’s Office closed the criminal proceedings in this case.

Apparently, meiemaa.ee had an XSS vulnerability in the comments section, which was exploited by injecting HTML code that displayed the message and redirected the visitor’s browser to the other news site.

It is not clear how the fine was calculated or which section of the Estonian Penal Code was originally applied against the attacker.
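The incident above is a textbook stored XSS: user-supplied comment text was written into the page as markup instead of as text. The following added example (not code from the news item or from meiemaa.ee) shows the defect and the fix side by side in Python: a comment renderer that interpolates the raw string, and one that HTML-escapes every user-controlled value. The sample comment is constructed for this example and only mimics the shape of the attack described (a visible message plus a redirect); the site name in it is a placeholder.

```python
import html

# Constructed sample comment for this example (NOT the real payload from the
# case): markup that shows a warning text and would redirect the browser.
UNTRUSTED_COMMENT = (
    '<meta http-equiv="refresh" content="0;url=http://rival.example/">'
    "<b>This site is unsafe!</b>"
)


def render_comment_vulnerable(author: str, body: str) -> str:
    """Interpolates user text straight into the HTML document.

    Anything the commenter typed is parsed by the browser as markup,
    which is exactly the stored-XSS condition described above.
    """
    return f'<div class="comment"><span>{author}</span><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    """Escapes every user-controlled value before it enters the document.

    html.escape(..., quote=True) turns &, <, >, " and ' into entities, so the
    browser renders the comment as literal text and never as tags or attributes.
    """
    return (
        '<div class="comment">'
        f"<span>{html.escape(author, quote=True)}</span>"
        f"<p>{html.escape(body, quote=True)}</p>"
        "</div>"
    )


def user_markup_survives(rendered: str) -> bool:
    """Demo check: did a <meta ...> tag from the comment reach the output unescaped?

    The template itself only contains div/span/p, so any live <meta tag in the
    rendered string must have come from the untrusted comment body.
    """
    return "<meta" in rendered.lower()


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_comment_vulnerable),
                           ("safe", render_comment_safe)):
        out = renderer("anon", UNTRUSTED_COMMENT)
        print(f"{name:10s} live markup: {user_markup_survives(out)}")
        print("   ", out)
```

Escaping is context-specific: `html.escape` is right for text and quoted attribute values, but a value placed into a URL, a `<script>` block or inline CSS needs that context's encoding instead. A Content-Security-Policy that disallows inline scripts and restricts navigation targets is a useful second layer, but it does not replace output encoding.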

Links:
http://news.err.ee/v/society/e0f267a5-b8f5-45e0-baac-584a1fd61360
http://uudised.err.ee/v/eesti/cbe747dc-22e2-4b9b-ab05-a8d90a1a50b0

31C3 talk: Security Analysis of Estonia’s Internet Voting System


Estonia is the only country in the world that relies on Internet voting in a significant way for legally-binding national elections — up to 30% of all voters cast their ballots online. This makes the security of Estonia’s Internet voting system of interest to technologists and citizens the world over. Over the past year, I helped lead the first rigorous, independent security evaluation of the system, based on election observation, code review, and laboratory testing. The findings are alarming: there are staggering gaps in Estonia’s procedural and operational security, and the architecture of the system leaves it open to cyberattacks from foreign powers. Our investigation confirmed the viability of these attacks in the lab, but the Estonian government has chosen to downplay them. We urgently recommend that Estonia discontinue use of the system before the country suffers a major attack.

The presentation contains a good technical overview of Estonian i-voting. The presenter argues that Estonian i-voting has weak operational security. Some of the arguments used by the presenter are quite questionable, for example:

Harri Hursti, one member of our team who is a very large Finnish man and known as a prodigious drinker, went out for serious drinking with this very nice Russian fellow, who is the head of security for the election operations team. During this dinner, I am told, each man consumed two bottles of vodka, after which nothing can be hidden from the truth. So, Hursti reports that by the end of this evening he had drunk that root password out of the head of security.

Links:
https://events.ccc.de/congress/2014/Fahrplan/events/6344.html
https://www.youtube.com/watch?v=JY_pHvhE4os

Sniffing real world EMV payment card protocol transaction


Abstract
The objective of this report is to observe and describe a real-world online transaction made between a debit card issued by an Estonian bank and a payment terminal issued by an Estonian bank. In this process we can learn how the EMV protocol works and which protocol features are used in a Chip-and-PIN card issued by an Estonian bank.

The transaction analyzed in this report was captured using a terminal from a friendly merchant in Tartu and a Visa Electron debit card issued by SEB Estonia. The amount of the transaction was 0.99 EUR. The transaction was performed in September 2014. The full output (all requests and responses) with annotations can be found in the appendix.

The report has been published for UT course “Research Seminar in Cryptography (MTAT.07.022)”.

Links:
https://courses.cs.ut.ee/2014/cryptoseminar/fall/uploads/Main/mart-report-f14.pdf

Summary of master’s theses: Attack-tree based risk analysis of Estonian i-voting


This report analyzes two independent works published in 2014 that model security threats to the Estonian i-voting scheme using attack trees. The first, the master’s thesis of Tanel Torn [11], constructs several realistic attack trees for various types of attacks on the Estonian i-voting system and evaluates them using three different state-of-the-art methodologies proposed in the attack-tree literature. The second, the master’s thesis of Ruud Verbij [13], proposes a general framework for comparing different internet voting schemes. Verbij evaluates the proposed framework by applying it to the Estonian i-voting protocol.

Despite using different approaches, both Torn and Verbij agree on some of the results. First, they both consider attacks on the Central System to be much more expensive, involving more risk and thus less probable. Second, both authors’ analyses show that revocation attacks are more profitable than vote modification attacks. This is mainly due to the fact that in the former case the attack does not have to go undetected.

The report has been published for the UT course “Research Seminar in Cryptography (MTAT.07.022)”.

Links:
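To make the "revocation is more profitable than modification" conclusion concrete, here is an added example (my own code, not Torn's or Verbij's trees or their evaluation methods) of the simplest attack-tree propagation model: each leaf carries an attacker cost and a success probability, an AND node sums costs and multiplies probabilities, and an OR node lets the attacker pick the branch with the best expected outcome (gain × probability − cost). The tree and every number in it are constructed for illustration; the only thing taken from the page is the shape of the argument, namely that vote modification needs an extra "stay undetected" step that revocation does not.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union


@dataclass
class Leaf:
    name: str
    cost: float   # attacker's expense to attempt the step (constructed, EUR)
    p: float      # probability that the step succeeds (constructed)


@dataclass
class Node:
    name: str
    op: str       # "AND": all children needed; "OR": any one child suffices
    children: List[Union[Leaf, "Node"]] = field(default_factory=list)


Tree = Union[Leaf, Node]
Result = Tuple[float, float, float, str]   # (cost, p_success, expected outcome, path)


def evaluate(node: Tree, gain: float) -> Result:
    """Propagate cost and success probability bottom-up.

    AND: costs add up, probabilities multiply (every step must succeed).
    OR:  the attacker chooses the child with the highest expected outcome.
    The expected outcome of a (sub)attack is gain * p_success - cost.
    """
    if isinstance(node, Leaf):
        return node.cost, node.p, gain * node.p - node.cost, node.name
    if node.op == "AND":
        cost, p, paths = 0.0, 1.0, []
        for child in node.children:
            c, cp, _, path = evaluate(child, gain)
            cost += c
            p *= cp
            paths.append(path)
        return cost, p, gain * p - cost, f"{node.name}[{' & '.join(paths)}]"
    if node.op == "OR":
        best = max((evaluate(child, gain) for child in node.children), key=lambda r: r[2])
        cost, p, outcome, path = best
        return cost, p, outcome, f"{node.name} -> {path}"
    raise ValueError(f"unknown operator {node.op!r}")


def branch_outcomes(root: Node, gain: float) -> Dict[str, float]:
    """Expected outcome of each top-level alternative, for comparison."""
    return {child.name: evaluate(child, gain)[2] for child in root.children}


# Constructed illustrative tree. Both attacks need the same capability
# (here modelled as one leaf with identical cost and probability); only the
# modification attack additionally has to survive verification and audit
# undetected, which adds cost and cuts the success probability.
GAIN = 2_000_000.0   # constructed value an attacker would attach to swinging the result

IVOTING_TREE = Node("Influence i-voting result", "OR", [
    Node("Modify votes", "AND", [
        Leaf("Gain ability to alter stored votes", cost=300_000, p=0.2),
        Leaf("Modification stays undetected until results are final", cost=100_000, p=0.3),
    ]),
    Node("Revoke votes", "AND", [
        Leaf("Gain ability to invalidate stored votes", cost=300_000, p=0.2),
    ]),
])


if __name__ == "__main__":
    for name, outcome in branch_outcomes(IVOTING_TREE, GAIN).items():
        print(f"{name:14s} expected outcome: {outcome:>12,.0f} EUR")
    cost, p, outcome, path = evaluate(IVOTING_TREE, GAIN)
    print(f"attacker's choice: {path}  (cost {cost:,.0f}, p={p:.2f}, outcome {outcome:,.0f})")
```

With these constructed numbers the modification branch has a negative expected outcome and the revocation branch a positive one, so the OR root selects revocation. Real analyses such as Torn's use richer leaf parameters (for example detection probability and penalty as separate quantities) and the results depend entirely on the estimates fed in; the propagation rules, not the numbers, are what the example is meant to show.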
https://courses.cs.ut.ee/2014/cryptoseminar/fall/uploads/Main/riivo-report-f14.pdf

Two criminal investigations are underway related to Bitcoin


They warned the mediator that anyone operating in that area without a licence could be in violation of the Penal Code provision on operating without a licence. Following the correspondence, the Fiscal Intelligence Unit issued a precept demanding data to determine whether the person fell under the Money Laundering and Terrorist Financing Prevention Act.

«He contested the precept and meanwhile our goal was to get him to give the data and say whether he had deals exceeding €1,000. With this we are now in court and we won at first instance,» explained Mr Paul.

Priit Lätt, the mediator’s representative, said the Fiscal Intelligence Unit had no right to require the data.

Links:
http://news.postimees.ee/3028413/bitcoin-offers-options-to-launder-money

PhD thesis: “Deriving Security Requirements from Business Process Models”


Naved Ahmed PhD thesis: “Deriving Security Requirements from Business Process Models”
Defense date: 16.12.2014 – 16:15 to 17:45 (J. Liivi 2-404, Tartu, Estonia)

Thesis supervisors:
Assoc. Prof. PhD. Raimundas Matulevicius, University of Tartu
Prof. PhD. Marlon Dumas, University of Tartu

Opponents:
Prof. PhD. Andreas L. Opdahl, University of Bergen, Norway
Assoc. Prof. PhD. Rafael Accorsi, University of Freiburg, Germany

Summary:
To address this need, the approach taken in this thesis is to analyse business process models from a security perspective in order to derive security objectives and requirements. The thesis proposes three complementary contributions. Firstly, security risk-oriented patterns that integrate security risk analysis into business process models; these patterns support security risk concepts in business process models in a form that business analysts can understand easily. Secondly, a taxonomy for assessing security in business processes; this taxonomy is used to classify the security risk-oriented patterns and helps analysts apply them in business process models. Finally, these contributions form the foundation of a method, security requirements elicitation from business processes (SREBP), that performs a systematic elicitation of security requirements for business processes.

Links:
http://www.ut.ee/en/events/naved-ahmed-deriving-security-requirements-business-process-models
http://dspace.utlib.ee/dspace/bitstream/handle/10062/44267/ahmed_naved.pdf

Estonian journalists discover global leak of mobile telephone numbers

The site www.whocall.info makes it possible to search for unlisted mobile numbers from all over the world. One can search by phone number: entering a number with the international dialing code (such as 372 for Estonia) prompts the service to produce the name of the number’s owner. The article’s author, Piret Reiljan, said that she found the numbers of many high-ranking politicians, including Estonian prime minister Taavi Rõivas.

The site does not perform the reverse search: it does not provide numbers when one searches by name, so one has to know the number beforehand to get the owner’s name. Even so, it is worrying to imagine that the search could also be made to work the other way around. It is not known how all these personal numbers and names might be used. All we know is that the site provides numbers that have been unlisted by their owners and are not published anywhere.
The owner of the website is not known. The site itself does not provide any contact information besides the name Whocall Ltd.

“This domain name was registered on October 30 of this year, and its owners are not identifiable from public sources,” said RIA expert Veldre.

According to Veldre, it is quite possible that someone collected telephone numbers published on the Internet in various ways and put them into one large database. “The situation is complicated by the fact that under the law of another country it may be the case that such information gathering and serving is a legal activity. I believe that the Data Protection Inspectorate will have their say on this issue,” said the expert.

Veldre added, however, that if it is confirmed that the database contains numbers that should not be publicly available, and their owners confirm that they did not make their numbers public, then it may be possible to find out how these numbers were leaked.

Links:
http://www.balticbusinessnews.com/?PublicationId=ac63e73d-4922-4f28-9675-a2629bb087c7
http://www.aripaev.ee/uudised/2014/11/26/ekspert-ehk-isegionnestub-lekkimise-koht-tuvastada-
http://www.aripaev.ee/uudised/2014/11/26/uks-lekkekoht-facebook

Estonians arrested in cybercrime-related raids across Europe


Europol reports that at least one arrest has been made in Estonia as part of an international operation against computer hijacking by Remote Access Trojans (RATs), led by the French police and coordinated through Europol.

Apart from Estonia, people suspected of misusing remote access Trojans were also detained in the UK, France, Romania, Latvia, Italy and Norway.

The UK’s National Crime Agency (NCA) said that criminals who successfully deploy RATs can gain complete control over target computers. RATs are often used to spy on people via webcams, access banking or other personal information, download new and potentially illegal content, and use the victim’s computer to launch criminal Distributed Denial of Service (DDoS) attacks.

Links:
http://news.err.ee/v/scitech/992e2269-0d18-4742-9b2b-cc96b39cd90f