Cyber Security Newsletter 2020-07-16

[2020-07-15] MKM is studying the possibility to notify citizens via alternative channels such as WhatsApp and Facebook.
https://news.err.ee/1113020/government-seeking-to-create-communication-system-through-mobile-phone-apps
[2020-07-02] The Estonian Ministry of Foreign Affairs organized an open master class on cyber diplomacy with experts from around the world. Video recording is available on Youtube.
https://vm.ee/et/virtuaalne-kuberdiplomaatia-meistriklass-2020
[2020-07-01] SK intermediate CA certificates have been issued with the “OCSP sign” extension which means that revoking these intermediate CA certificates in the event the key gets compromised will be problematic. According to CA/B Baseline Requirements these certificates have been misissued and SK should revoke them. SK has responded that it does not plan to revoke the certificates and is ready to leave Mozilla CA program earlier than planned (the last 4 still valid TLS server certificates issued by SK will expire by September 29, 2020).
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13607.html
https://bugzilla.mozilla.org/show_bug.cgi?id=1649942
[2020-07-01] The work of Smart-ID and Mobile-ID was disrupted for about ten minutes.
https://digi.geenius.ee/rubriik/uudis/mobiil-id-ja-smart-id-kasutamine-on-hairitud/
[2020-06-30] The state has stalled plans to include information from all guests who stay in accommodation establishments in Estonia in a single police database.
https://news.err.ee/1107522/state-pauses-plans-for-hotel-guests-e-database
[2020-06-29] The Interdisciplinary Cyber Research (ICR) conference 2020 has been rescheduled to December. The Cyber Security Summer School has been renamed to Cyber Security Winter School and moved to December. The theme for the winter school will be “Transport as a Service”.
https://old.taltech.ee/institutes/centre-for-digital-forensics-cyber-security/events-19/interdisciplinary-cyber-research-icr-workshop/
http://www.studyitin.ee/c3s2020
[2020-06-29] In the period of COVID emergency, Elisa for more than 1,700 people provided a solution for automated Mobile-ID issuance using a self-service portal. The solution was accepted by SK and their auditors.
https://www.ria.ee/et/ris-infokiri-juuni-2020.html
https://forte.delfi.ee/news/digi/tehisintellekt-aitas-eriolukorra-ajal-vormistada-mobiil-id-rohkem-kui-1700-inimesele?id=90685697
[2020-06-27] The 50 EUR limit on contactless card payments put in place during the coronavirus emergency situation will remain in place.
https://news.err.ee/1106688/50-contactless-card-payment-limit-to-remain-in-place
https://news.err.ee/1068231/contactless-payment-limit-increased-to-50-to-limit-spread-of-coronavirus
https://raha.geenius.ee/rubriik/uudis/pangad-kahekordistavad-kriisi-ajaks-viipemakse-limiidi-et-inimesed-ei-peaks-pin-klaviatuuri-nappima/
[2020-06-22] In May fraudsters persuaded a victim to create a Smart-ID account over the phone. The created Smart-ID account was used by fraudsters to purchase services from several financial service providers.
https://www.ria.ee/et/uudised/eesti-arvutikasutajad-olid-ka-mais-ongitsuskampaaniate-hambus.html
https://www.ria.ee/et/uudised/olukord-kuberruumis-mai-2020.html
[2020-06-17] Research article by Valentyna Tsap (TalTech), Silvia Lips (TalTech) and Dirk Draheim (TalTech): “eID Public Acceptance in Estonia: towards Understanding the Citizen”. The researchers conducted a survey among Estonian eID users to find out which of the existing eID authentication options are preferred and why.
https://dl.acm.org/doi/pdf/10.1145/3396956.3397009
[2020-06-04] The use of eID increased in the period of COVID emergency. As of May, 35 institutions with as many as 114 different applications had joined the state authentication service.
https://blog.ria.ee/e-riik-eriolukorras/
[2020-06-09] Lithuanian Cyber Security Center found 61 vulnerabilities in Chinese security cameras Hikvision and Dahua used by PPA. According to PPA, the cameras are not available on the public network and PPA has verified that the cameras do not communicate with servers that are not located in NATO or EU member states.
https://digi.geenius.ee/eksklusiiv/leedu-kuberturvalisuse-keskus-leidis-hulgaliselt-turvanorkusi-kaameratest-mida-kasutab-laialdaselt-eesti-politsei/
https://www.nksc.lt/doc/biuleteniai/2020-05-27%20Hikvision%20ir%20Dahua%20kameru%20kibernetinio%20saugumo%20vertinimas.pdf
[2020-06-02] Thanks to IT Academy funding, TalTech has established the “Centre for Hardware Security” led by professor Samuel Pagliarini. The main research directions include the design of reliable microelectronics, measures to prevent reverse engineering, side-channel attacks, the deployment of cryptographic hardware, secure system design tools, and hardware Trojans and backdoors. The long term goal is to build all the right competences to put Estonia “on the map” of Hardware Security and IC design in general.
https://digi.geenius.ee/rubriik/teadus-ja-tulevik/taltechi-riistvara-turvalisusega-tegelev-uurimisgrupp-aitab-valtida-tuleviku-id-kaardi-kriise/
https://old.taltech.ee/ttu-uudised/uudised/mente-et-manu-5/varske-veri-samuel-nascimento-pagliarini/?id=196261&year=2019
[2020-06-01] Research article by Arnis Parsovs (UT): “Solving the Estonian ID Card Crisis: the Legal Issues”. The study analyzes to what extent, while solving the 2017 ID card crisis, the involved parties were able to precisely follow the applicable laws and regulations in the field.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3644664
[2020-05-28] Ahto Truu (TalTech) defended his PhD thesis “Hash-Based Server-Assisted Digital Signature Solutions” and gave an interview in Geenius about universal digital signing and its dangers.
https://digikogu.taltech.ee/en/Item/a972cc4b-53ec-4c82-8de0-b3e941cce345
https://digi.geenius.ee/rubriik/teadus-ja-tulevik/taltechi-doktor-millal-jouame-universaalse-digiallkirjastamiseni-ja-mis-ohud-seda-varitsevad/
[2020-05-28] RIA provided an explanation for why they recommended that the National Electoral Committee not enable Smart-ID for i-voting in the 2021 elections. To summarize: (1) Smart-ID has been used in successful attacks; (2) Smart-ID is not a state provided eID solution – if allowing i-voting with Smart-ID, there is no reason to not enable i-voting with other private eID solutions; (3) not enough experience to say if Smart-ID biometrical enrollment is secure enough; (4) the state does not have enough control over Smart-ID to intervene in case of emergency;
https://blog.ria.ee/smart-id-ja-valimised/
[2020-05-20] The Estonian National Electoral Committee has reviewed 25 suggestions from the i-voting working group and has provided their decision on each suggestion. The most important decisions included not enabling i-voting with Smart-ID and i-voting with a mobile app for the 2021 elections.
https://www.riigikogu.ee/download/8eb9f7ff-8838-4cc8-a52a-ee9f481dd89e
https://twitter.com/ikubjas/status/1266014478388396032
https://digi.geenius.ee/rubriik/uudis/mobiiliga-haaletamist-jargmistel-valimistel-ei-tule/
[2020-05-27] SK had a scheduled maintenance on May 28 and 29 due to which the use of ID card, Mobile-ID and Smart-ID was affected.
https://news.err.ee/1095129/id-cards-mobile-id-and-smart-id-to-be-interrupted-during-maintenance
[2020-05-27] The Estonian Students Society organized a public discussion about cyber security. Participants in the discussion: Siim Alatalu (Head of EU CyberNet), Märt Hiietamm (Head of RIA Analysis and Prevention Department), Uku Särekanno (European Union IT Agency), Ragnar Õun (Head of RIA Critical Information Infrastructure Protection Department) and Ilmar Üle (CERT-EU).
https://www.youtube.com/watch?v=qpr3IQCRSp8
[2020-05-26] Dan Bogdanov (Cybernetica) in an interview explains the privacy principles behind the Estonian coronavirus app.
https://news.postimees.ee/6981981/is-tech-giants-coronavirus-app-technology-safe
https://digi.geenius.ee/rubriik/uudis/aki-peadirektor-pille-lehis-mulle-teeb-muret-euroopa-trend-ja-soov-koroonaappe-arendada/
https://digi.geenius.ee/rubriik/uudis/eestis-on-nuud-esimene-koroona-kontaktijalgimise-app-aga-sa-ei-peaks-seda-kasutama/
[2020-05-26] Research article by Anne Veerpalu (UT), Liisi Jürgen (UT), Eduardo da Cruz Rodrigues e Silva (TalTech) and Alex Norta (TalTech): “The hybrid smart contract agreement challenge to European electronic signature regulation”, assesses whether the signature on a smart contract used in an ICO process is functionally equivalent to the qualified electronic signature under eIDAS.
https://academic.oup.com/ijlit/advance-article-abstract/doi/10.1093/ijlit/eaaa005/5846238
[2020-05-25] A research article by Mart Oruaas (Cybernetica) and Jan Willemson (Cybernetica/STACC): “Developing requirements for the new encryption mechanisms in the Estonian eID infrastructure”.
https://research.cyber.ee/~janwil/publ/NewEstCDOC.pdf
https://link.springer.com/chapter/10.1007/978-3-030-57672-1_2
[2020-05-21] Sorainen’s partner, lawyer Kaupo Lepasepp, writes that the digital signature is essentially unforgeable.
https://digi.geenius.ee/rubriik/uudis/advokaat-e-allkiri-on-sisuliselt-voltsimatu-aga-tahvelarvuti-ekraanile-tehtud-kritselduse-seostamiseks-kindla-isikuga-ei-ole-selget-viisi/
https://www.youtube.com/watch?v=bV-HwuhGKO8
[2020-05-20] RIA has compiled a comprehensive overview of cyber security in Estonia titled “Cyber Security in Estonia 2020”. The compilation mostly consists of excerpts from annual reports of different public sector organizations.
https://www.ria.ee/en/news/cyber-security-estonia-2020-comprehensive-look-estonian-cyber-landscape.html
https://www.ria.ee/sites/default/files/content-editors/RIA/cyber_security_in_estonia_2020_0.pdf
[2020-05-20] UT student Siim-Alexander Kütt in his BSc research found a flaw in the Tartu Bike Share system which allowed anyone to query the location of any bike and the user ID of the person riding the bike. Turns out that Tartu City previously paid 12 960 EUR to Estonian company SecTeam for a black-box security audit of the system.
https://ee.linkedin.com/in/arvo-saalits took a credit for discovring the previous leak in July 2019.
https://epl.delfi.ee/uudised/tudeng-leidis-tartu-rattaringluse-apist-jarjekordsed-turvavead?id=89909901
https://comserv.cs.ut.ee/ati_thesis/datasheet.php?id=69774&year=2020
[2020-05-18] The Data Protection Inspectorate released its yearbook describing in more detail the data leak in Tartu Bike Share system discovered in July 2019. Arvo Saalits in his Linkedin profile has taken the credit for the discovery of the flaw.
https://aastaraamat.aki.ee/sites/default/files/inline-files/AKI%20aastaraamat%202019.pdf
https://aastaraamat.aki.ee/aastaraamat-2019-aastast-peadirektori-pilgu-labi/rikkumine-ei-toonudki-suurt-trahvi
https://ee.linkedin.com/in/arvo-saalits
[2020-05-19] LHV bank accidentally leaked names of 200 LHV customers by sending a mass email with the recipients in the CC field. According to the Data Protection Inspectorate, the data controller must notify the Inspectorate of a personal data breach within 72 hours of the incident, but whether it is a breach or not, the bank must assess it itself.
https://forte.delfi.ee/news/varia/suur-eksitus-lhv-lekitas-kogemata-sadade-laenusaajate-nimed?id=89906591
[2020-05-14] From May 14 to 16 a Smart-ID phishing campaign was run imitating SEB bank page.
https://kasulik.delfi.ee/news/uudised/seb-panga-nimel-levib-taas-ohtlik-ongitsuskiri-mida-ei-tohiks-mingil-juhul-avada?id=89862581
https://www.ria.ee/et/uudised/olukord-kuberruumis-mai-2020.html
[2020-05-14] MKM plans to hire an official who will focus on the i-voting risks. In order to apply, the applicants had to write an essay on the topic “Problems of risk management related to e-elections”. Five people applied but the results are not yet known.
https://digi.geenius.ee/rubriik/uudis/endise-ministri-otsusel-palkab-riik-e-valimiste-riskidele-keskenduva-ametniku/
https://www.mkm.ee/sites/default/files/kuberriskide_nounik.pdf
[2020-05-12] KAPO released their annual review describing a flaw in the free email provider’s mail.ee website (opening an email triggers XSS). By opening a specially crafted email, mail.ee user account was automatically configured to enable an email redirect to the attacker’s email address. The flaw was exploited against a small number of mail.ee users who were of interest to a foreign country. Another attack described in the review is a phishing email used to try to gain access to some email accounts of the University of Tartu. According to KAPO, the attack was organized at the instructions of the government of Iran.
https://kapo.ee/sites/default/files/public/content_page/Annual%20Review%202019.pdf
https://news.err.ee/1076983/russian-youth-engagement-migration-china-flagged-in-kapo-s-2019-yearbook
https://news.postimees.ee/6950229/iss-iran-intelligence-attempted-to-access-university-of-tartu-e-mail-accounts
https://www.postimees.ee/6949265/iraani-luure-uritas-ligipaasu-tartu-ulikooli-e-posti-kontodele
https://twitter.com/SadEstonianIT/status/1256610514614050816
https://securityaffairs.co/wordpress/102471/hacking/estonian-provider-mail-ee-hacked.html
[2020-05-12] Riigikogu amended the Electronic Communications Act providing that in order to ensure national security, the government may, by a regulation, impose an obligation on a communications undertaking to notify the hardware and software used in the communications network and to apply for a permit to use the hardware and software of the communications network. These amendments are most likely targeted to exclude Huawei from 5G deployment.
https://www.riigikogu.ee/istungi-ulevaated/riigikogu-muutis-elektroonilise-side-seadust/
[2020-05-07] RIA’s new yearbook provides a good overview of the current and upcoming work of RIA – the state network, DigiDoc4 software, e-voting, critical information infrastructure protection and CERT-EE activities. Some highlights:
– Starting from July 2021, the ID card chip will contain the cardholder’s picture and fingerprints in addition to their personal data file.
– RIA is considering enabling a single sign-on service (SSO) to be used for the state authentication service.
– RIA is introducing a consent service to allow citizens to share their health and other data with service providers (e.g., health insurers).
https://www.ria.ee/et/uudised/varske-aastaraamat-tutvustab-ria-tood-ja-2019-aasta-sundmusi-eesti-kuberruumis.html
https://www.ria.ee/sites/default/files/content-editors/ria_aastaraamat_2020_48lk_eng.pdf
https://github.com/e-gov/NT/
[2020-05-06] TalTech and Estonian Maritime Academy received 2.5 million euro funding to establish a maritime cyber security center. The five-year project plans to supplement the existing master’s and doctoral study programs, organize trainings and conferences.
https://digi.geenius.ee/rubriik/teadus-ja-tulevik/taltech-eesti-mereakadeemia-ja-it-teaduskond-loovad-merenduse-kuberturbe-keskuse/
https://old.taltech.ee/institutes/centre-for-digital-forensics-cyber-security/&id=200834
https://vikerraadio.err.ee/1084657/uudis-lauri-varik/1049735
[2020-04-22] Cybernetica released the report “Mobile voting feasibility study and risk analysis”, which found that introducing a mobile i-voting application has its risks but is possible. The National Electoral Committee, however, in their 2020-05-20 meeting decided not to introduce it in the 2021 elections.
https://www.valimised.ee/sites/default/files/uploads/eng/2020_m-voting-report.pdf
https://www.ria.ee/et/uudised/analuus-nutiseadmega-e-haaletamine-teostatav.html
https://news.err.ee/1082021/ria-mobile-voting-could-be-launched-in-2021
https://digi.geenius.ee/rubriik/uudis/riigi-tellitud-analuus-leiab-et-telefoniga-e-haaletamine-on-voimalik/
https://digi.geenius.ee/rubriik/uudis/ria-loodetavasti-saab-mobiiliga-haaletada-juba-jargmistel-valimistel/
[2020-04-21] EKRE has formed a committee in riigikogu with the aim to make i-voting transparent. Former minister of IT and foreign trade Kert Kingo is chairman of the committee.
https://news.err.ee/1080422/ekre-forms-e-voting-transparency-committee-in-riigikogu
https://www.ituudised.ee/uudised/2020/04/21/ekre-loi-riigikogus-e-haaletamise-labipaistvaks-muutmise-toetusruhma-kuhu-kuulub-terve-fraktsioon
[2020-04-18] According to RIA, in April 18 denial-of-service attacks sharing a similar handwriting were executed against the e-services eesti.ee, id.ee, emta.ee, elron.ee and elisa.ee. RIA was also notified about DoS attacks against eKool.eu and SK ID Solutions. On April 22, the availability of Luminor’s bank website was disrupted as a result of a DDoS attack on a Lithuanian service provider.
https://www.ria.ee/et/uudised/olukord-kuberruumis-aprill-2020.html
[2020-04-17] RIA has made its internal chat and file sharing platform publicly available. The services were built using open source solutions Rocket.Chat and Nextcloud. The solutions have been pentested by the order of RIA. A Twitter user noticed that the chat service has a public list of its users with their last names, birth dates and personal ID codes.
https://digi.geenius.ee/rubriik/uudis/ria-annab-aru-kui-palju-laksid-riiklikud-suhtlus-ja-failivahetuskeskkonnad-maksumaksjale-maksma/
https://digi.geenius.ee/rubriik/uudis/tana-avati-riiklikud-veebisuhtluse-ja-failivahetuse-keskkonnad/
https://forte.delfi.ee/news/tarkvara/ria-avas-testiks-turvalised-veebisuhtluse-ja-failivahetuse-keskkonnad?id=89427961
https://twitter.com/SadEstonianIT/status/1246168005396115456
[2020-04-15] A UT professor obtained information from UT about the student who left negative feedback about the professor in the anonymous study information system (OIS) feedback form.
https://news.err.ee/1077745/university-of-tartu-professor-demanding-2-000-from-alum-over-word-usage
[2020-04-15] The pensioner who organized document forgery in PPA was sentenced to long-term imprisonment.
https://www.delfi.ee/news/paevauudised/eesti/dokumendivoltsijate-jouku-vedanud-pensionar-moisteti-aastateks-trellide-taha?id=89563595
https://www.err.ee/1077522/kohus-moistis-mahuka-passiari-korraldaja-pikaks-ajaks-vangi
https://cybersec.ee/2017/02/02/document-counterfeiting-case-maarika-comes-to-court/
[2020-04-15] The use of Smart-ID was disrupted between 11:18 and 23:00. The error was caused by a problem with the database.
https://www.postimees.ee/6950878/smart-id-too-oli-kolmapaeval-hairitud
[2020-04-13] The Cyber Defense Unit of the Defense League provided support for the Health Board by processing and visualizing COVID data using various data sources.
https://www.ituudised.ee/uudised/2020/04/13/kaitsevae-kubervaejuhatus-aitab-terviseametil-luua-uut-infosusteemi
https://forte.delfi.ee/news/tehnika/kubervagi-tegi-terviseametile-olulise-infosusteemi?id=89876695
[2020-04-06] According to RIA a fraud scheme is becoming popular, where criminals send a convincing e-mail to HR managers in the name of the employee requesting their salary to be transfered to a new bank account from the coming month.
https://www.ituudised.ee/uudised/2020/04/06/ria-hoiatus-levimas-on-palgakonto-pettused
[2020-03-26] Podcast with Marko Belzetski (Clarified Security) discussing Android and web application penetration testing.
https://testguild.com/podcast/security/s14-marko/
[2020-03-24] The state has analyzed the spread of the coronavirus by analyzing mobile phone location data. This raised privacy concerns and the Chanchellor of Justice examined the constitutionality of the use of data. Aggregate data was prepared by mobile operators and sent to Statistics Estonia. Google used its data to provide similar mobility analysis.
https://digi.geenius.ee/rubriik/uudis/mobiilidelt-kogutud-asukohaandmed-naitavad-et-eestlased-on-eriolukorra-ajal-jaanud-paiksemaks/
https://news.err.ee/1068209/statistics-estonia-to-study-people-s-movements-during-emergency-situation
https://news.err.ee/1069467/mobility-analysis-planned-by-statistics-estonia-not-to-use-real-time-data
https://news.err.ee/1069764/mobility-analysis-to-be-finalized-next-week
https://digi.geenius.ee/rubriik/uudis/oiguskantsler-uurib-mobiiltelefonidelt-kogutud-andmete-statistilise-kasutamise-kooskola-pohiseadusega/
https://www.err.ee/1071113/mobiilioperaator-liikumismustrite-jalgimine-ei-tugine-gps-i-andmetel
https://www.google.com/covid19/mobility/
https://news.err.ee/1073762/opinion-why-is-government-pursuing-extensive-surveillance-law-in-crisis
[2020-03-23] Research article by Luukas Ilves (Guardtime) and Anna-Maria Osula (Guardtime/TalTech), “The Technological Sovereignty Dilemma – and How New Technology Can Offer a Way Out”, discusses 5G and related topics.
https://cybersecforum.eu/media/ECJ_vol6_issue1.pdf
[2020-03-12] Statistics from the state authentication service shows the usage popularity of eID tools: ID cards are used 44% of the time, Smart-ID 30% and Mobile-ID 22%.
https://forte.delfi.ee/news/tarkvara/uus-seis-smartid-seljatas-mobiilid?id=89203485
[2020-02-04] MKM has published the report “Estonian Cybersecurity R&D Concept” prepared by TalTech. The report gives a good overview of the research institutions and people conducting cybersecurity related research in Estonia.
https://www.mkm.ee/sites/default/files/content-editors/failid/E_riik/estonian_cybersecurity_rd_concept.pdf
[2020-02-04] A US journalist wrote an article about Estonia and cybersecurity featuring Cyber Defense League and others.
https://www.csmonitor.com/World/Europe/2020/0204/Cybersecurity-2020-What-Estonia-knows-about-thwarting-Russians
[2019-12-18] A member of the i-voting working group, Heldur-Valdek Seeder, published video recordings of the working group’s meetings on a personal blog. Initially, the minister Kert Kingo wanted to classify the content of the working group, but the majority of members did not support this idea, hence there may be no basis to request removal of the published videos.
https://digi.geenius.ee/rubriik/uudis/e-valimiste-tooruhma-liige-avalikustas-omavoliliselt-koosolekute-videosalvestisi/
[2019-06-05] MSc thesis by Gregor Johannson (TalTech): “Technical Prerequisites for Enabling Third-Party Applications on the New Estonian ID-card”.
https://digikogu.taltech.ee/et/Item/64c83d8f-8f2d-4311-b548-b07c9b58a6cb
[2019-06-06] BSc thesis by Pavel Kargin (TalTech): “Testing the Compliance of the Estonian Electronic Document to the Technical Specification”.
https://digikogu.taltech.ee/et/Item/66881079-2923-42df-acfe-e5dacf3ccad7
[2018-05-31] BSc thesis by Kristel Merilain (TalTech): “Business and Risk Analysis of Electronic Identity Tools Used in Estonia”.
https://digikogu.taltech.ee/et/Item/73c5fa5a-8d43-4548-83f3-78d8dea388a0

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2020 (June)

The defences are taking place on the first and second week of June.

Student: Eric Cornelissen (Computer Science MSc)
Title: Cryptographic Analysis of the Message Layer Security Protocol in the Static Corruption Model
Supervisor: Chris Brzuska, Dominique Unruh
Reviewer: Behzad Abdolmaleki

Student: Risto Pärnapuu (Computer Science MSc)
Title: Verifiable Photo Snapshots
Supervisor: Sven Laur, Ahto Truu
Reviewer: Arnis Paršovs

Student: Anita Onyinye Nwaokolo (Cyber Security MSc)
Title: A Comparison of Privacy Enhancing Technologies in Internet of Vehicle Systems
Supervisor: Raimundas Matulevicius, Abasi-amefon Obot Affia
Reviewer: Pille Pullonen

Student: Rando Tõnisson (Software Engineering MSc)
Title: Security Risk Management in Autonomous Driving Vehicles: Architecture Perspective
Supervisor: Raimundas Matulevičius, Abasi-Amefon O. Affia
Reviewer: Danielle Morgan

Student: Silver Maala (Computer Science BSc)
Title: A Proof of Concept Malware for Interacting with the Smart-ID Android Application
Supervisor: Arnis Paršovs
Reviewer: Mart Oruaas

Student: Kärt Ilja (Computer Science BSc)
Title: Intercepting Network Traffic of the Smart-ID Android Application
Supervisor: Arnis Paršovs
Reviewer: Mart Oruaas

Student: Siim-Alexander Kütt (Computer Science BSc)
Title: Security Analysis of Tartu Smart Bike Share Android Application
Supervisor: Arnis Paršovs
Reviewer: Kristjan Krips

Student: Gregor Eesmaa (Computer Science BSc)
Title: Authorization of Web Requests Based on Merkle Trees
Supervisor: Kristjan Krips
Reviewer: Arnis Paršovs

Student: Hendrik Eerikson (Computer Science BSc)
Title: Privacy Preserving Fingerprint Idenfication
Supervisor: Riivo Talviste, Kristjan Krips
Reviewer: Jan Villemson

Student: Sergei Kuštšenko (Computer Science BSc)
Title: Implementation of election bulletin board using HyperLedger Fabric
Supervisor: Ivo Kubjas
Reviewer: Jan Villemson

Student: Markus Punnar (Computer Science BSc)
Title: Cryptosystem for Post-Quantum Age Based on Moderate-Density Parity Check (MDPC) Codes
Supervisor: Vitaly Skachek, Irina Bocharova
Reviewer: Raul Martin Rebane

Links:
https://www.cs.ut.ee/sites/default/files/cs/kaitsmised_-_defences_ver04-06-20.pdf
https://comserv.cs.ut.ee/ati_thesis/index.php?year=2020

Cyber Security master’s theses defense in TalTech (May/June 2020)

Leave a reply

Defence of master theses of Cyber Security curriculum on May 28th 2020 online

Time: 10:00
Student: Cheng-Yu Lu
Title: Analyse Journal of XFS Filesystem for Assisting in Event Reconstruction
Supervisor: Pavel Laptev
Reviewer: Hayretdin Bahsi

Time: 10:40
Student: Simon Victor Jean Laurent Brun
Title: Comprehensive Digital Forensics Analysis of Smart Home Environment
Supervisor: Hayretdin Bahsi, Pavel Tšikul
Reviewer: Matthew Sorell

Time: 11:20
Student: Shaymaa Mamdouh Mohammed Radwan Khalil
Title: Analysis of Windows 10 Hibernation File
Supervisor: Hayretdin Bahsi, Pavel Tšikul
Reviewer: Matthew Sorell

Time: 12:40
Student: Kevin Patric Schmidt
Title: EXTRACTION OF FORENSIC ARTIFACTS FROM HOME ROUTERS
Supervisor: Hayretdin Bahsi
Reviewer: Matthew Sorell

Time: 13:20
Student: Weerarathna Patabendige Samoda Abeydeera
Title: Fileless Malware Detection in Cloud Environment Using Machine Learning Techniques
Supervisor: Alejandro Guerra Manzanares
Reviewer: Sven Nõmm

Defence of master theses of Cyber Security curriculum on May 29th 2020 online

Time: 10:00
Student: Andreas Jürimäe
Title: The Effectiveness of DMARC and Usage of DMARC in Estonian Government Institutions
Supervisor: Kieren Lovell
Reviewer: Dan Heering

Time: 10:40
Student: Liubomyr Kushnir
Title: Benchmarking of Post-hoc Local Interpretability Methods for Classifying Malicious Traffic
Supervisor: Hayretdin Bahsi, Sven Nõmm
Reviewer: Alejandro Manzanares

Time: 11:20
Student: Huu Phuc Nguyen
Title: Research Method in Detecting Swapped Face Image and Video Forgery
Supervisor: Matthew Sorell
Reviewer: Pavel Tšikul

Time: 12:40
Student: Rohin Sambath Kumar
Title: Analyzing the Face Value of Fake Accounts in Online Social Networks
Supervisor: Birgy Lorenz
Reviewer: Adrian Venables

Time: 13:20
Student: Mykyta Zaitsev
Title: Developing learning pathways for massive open online courses by the example of the rangeforce cyberskills training platform
Supervisor: Olaf Maennel, Margus Ernits
Reviewer: Birgy Lorenz

Time: 14:00
Student: Martin Chmelař
Title: Utilizing Mitre att&ck to Create Adversary Reports of Live-fire Cybersecurity Exercises for Feedback Purposes
Supervisor: Olaf Maennel
Reviewer: Rain Ottis

Time: 14:40
Student: Ilkin Huseynov
Title: The Analysis of the Current Cyber Security Actions Taken in the e-Government of Azerbaijan and Proposal of the Improvement Plan
Supervisor: Mika Juha Kerttunen
Reviewer: Adrian Venables

Time: 15:20
Student: Belgin Tastan
Title: Comparing the Security Assessment Models on the Detection of Critical Vulnerabilities in Web Services
Supervisor: Mika Kerttunen, Andro Kull
Reviewer: Pavel Tšikul

Defence of master theses of Cyber Security curriculum on June 1st 2020 in ICT-315 (closed defences) & online

Time: 10:00
Student: Juri Kononov
Title: Network Policy Management is Service Rich Environment
Supervisor: Olaf Maennel, Jaan Priisalu
Reviewer: Mart Järvi, Uko Valtenberg

Time: 10:40
Student: Maria Toomsalu
Title: Vulnerability Analysis of an Organisation on the basis of a Semi-Formal Model
Supervisor: Peeter Laud, Jaan Priisalu
Reviewer: Aleksandr Lenin

Time: 11:20
Student: Kaarel Allemann
Title: Effects of the New Integration Design on the KOLT Security
Supervisor: Ahto Buldas
Reviewer: Aleksandr Lenin

Time: 14:00
Student: Fernando Gonzalo Bauzá Sáinz De Baranda
Title: How to Mess with Log Collectors and Analyze their Response in Microsoft Networks with an Example of the Elk Stack
Supervisor: Toomas Lepik
Reviewer: Risto Vaarandi

Time: 14:40
Student: Andres Pihlak
Title: Continuous Docker Image Analysis and Intrusion Detection Based on Open-source Tools
Supervisor: Mauno Pihelgas
Reviewer: Kristian Kivimägi

Time: 15:20
Student: Maarja-Liisa Tammepõld
Title: Securing the centralized logging system by the example of Elasticsearch
Supervisor: Toomas Lepik
Reviewer: Risto Vaarandi

Defence of master theses of Cyber Security curriculum on June 2nd 2020 online

Time: 10:00
Student: Kadri Cahani
Title: Aligning Information Security Risks with Strategic Goals
Supervisor: Hayretdin Bahsi
Reviewer: Kaie Maennel

Time: 10:40
Student: Martin Leppik
Title: Improving AWS S3 Security at a Medium-sized Company: Challenges and Solutions
Supervisor: Hayretdin Bahsi
Reviewer: Tiia Sõmer

Time: 11:20
Student: Karl Lubja
Title: Systematic Generation of Cyber Attack Scenarios Against A Ship
Supervisor: Hayretdin Bahsi
Reviewer: Olaf Maennel

Time: 12:40
Student: Illia Petrash
Title: User Behaviour During Covid-19 from the Perspective of a Telco Server
Supervisor: Olaf Maennel
Reviewer: Toomas Lepik

Time: 13:20
Student: Rishikesh Ram Shankaran
Title: Comparative Study on Perception and Preparedness of a User Towards Cybersecurity Threats in IoT and Mobile Devices
Supervisor: Stefan Sütterlin
Reviewer: Eneken Tikk

Time: 14:00
Student: Ilja Šmarjov
Title: OWASP secure coding practices checklist and training: assessment of effectiveness in a technology company
Supervisor: Olaf Maennel
Reviewer: Margus Ernits

Time: 14:40
Student: Marvin Uku
Title: Evaluation method for smart home and smart grid authentication protocols
Supervisor: Olaf Maennel
Reviewer: Hayretdin Bahsi

Time: 15:20
Student: Sania Akif Malik
Title: The Effect of Interindividual Differences in Metacognitive Accuracy on Cybersecurity Decisions
Supervisor: Stefan Sütterlin
Reviewer: Mika Juha Kerttunen

Cyber Security Newsletter 2020-03-19

Leave a reply

[2020-03-10] The company Unicount has developed an e-service which allows companies to be registered in Estonia using Smart-ID. Companies in the Estonian Business Register can only be directly registered using an ID card or Mobile-ID. The Smart-ID company registration service provided by Unicount is using the company registration API that has been offered since 2017 by the Estonian Business Register.
https://www.ituudised.ee/uudised/2020/03/10/tanasest-saab-ettevotteid-asutada-smart-idga
https://news.err.ee/1061645/estonian-companies-can-now-be-established-using-only-smart-id
https://www.baltictimes.com/estonia__1st_company_founded_with_use_of_smart-id_registered_on_tuesday/
[2020-03-06] A large-scale cyber attack simulation exercise developed by CybExer Technologies was conducted bringing together 12 Estonian companies and institutions.
https://news.err.ee/1060615/cyber-exercise-brings-together-defense-league-public-and-private-sector
[2020-03-03] Yet another cybersecurity index has placed Estonia in the 58th position. According to the study, 1.59% of mobiles and 13.2% of computers in Estonia are infected with malware.
https://www.comparitech.com/blog/vpn-privacy/cybersecurity-by-country/
[2020-02-26] For several years, the Estonian ID card software recognized digital signatures created with revoked certificates as valid signatures. Software libraries used by Estonian e-service providers are likely still affected. The EU-developed eSignature DSS library and libraries used in other EU countries are also affected.
https://www.delfi.ee/news/paevauudised/eesti/tartu-ulikooli-turvaspetsi-jarjekordne-avastus-id-kaardi-tarkvaras-oli-aastaid-kriitiline-auk?id=89080065
https://www.youtube.com/watch?v=eYG17IGOCi0
[2020-02-26] A Smart-ID account can now be created using biometrics. In the enrollment process the Smart-ID app over NFC retrieves person’s photo from their biometrical passport and uses phone’s camera to perform face recognition. For biometrical passport reading Smart-ID uses Dutch company’s InnoValor NFC-based ReadID software, but for face recognision a cloud service provided by UK company iProov. Contrary to the claims, the security guarantees provided by this technology are quite weak, since the facial verification technology at best can verify only the presence of the person and not their intent to create a Smart-ID account. Fortunately, the person is required to confirm their intent either using previous Smart-ID account (including non-qualified) or a security code sent over email or SMS.
https://digi.geenius.ee/rubriik/uudis/riik-vottis-biomeetriliste-passide-toega-smart-id-labivaatamiseks-ajapikendust/
https://tehnika.postimees.ee/6884293/smart-id-kasutajad-peavad-olema-valmis-uuenduseks
https://digi.geenius.ee/rubriik/uudis/smart-id-kasutajaks-saab-nuud-biomeetriaga-kuidas-see-kaib/
https://news.err.ee/1056955/biometric-registration-made-available-to-users-of-smart-id
https://www.iproov.com/newsroom/blog/estonian-digital-identity-with-iproov
[2020-02-26] Self-censorship at UT. The university decided not to publish an article in the University of Tartu magazine, Universitas Tartuensis, about a cooperation agreement between the university and Huawei. Since the Chinese company Huawei is perceived as a potential threat to national security, the Huawei topic has become sensitive.
https://ekspress.delfi.ee/kuum/tartu-ulikool-keelas-ajakirjanikul-huawei-teemalise-artikli-avaldamise?id=89042773
https://www.err.ee/1058339/tartu-ulikool-lubab-huaweiga-koostood-tehes-jargida-eesti-julgeolekuhuve
https://news.err.ee/1056839/paper-university-of-tartu-refused-to-publish-article-on-huawei
[2020-02-25] Teachers and system owners of e-school environments are discussing the acceptable duration of an authenticated session after which the user is automatically logged out. According to RIA, session length is not specified in the ISKE implementation guide and it is up to the system owner.
https://digi.geenius.ee/rubriik/uudis/opetajate-protest-e-opilaspaevikiku-kasutusmugavuse-osas-toi-kaasa-turvariski/
[2020-02-20] The e-shop reset.ee closed its doors leaving at least 275 customers without money. The police do not consider it a scam but a a civil offense, inviting victims to file a claim in the bankruptcy proceedings.
https://digi.geenius.ee/rubriik/uudis/tarbijakaitse-saatis-politseisse-reseti-asjus-kuriteoteate-aga-politsei-ei-alusta-uurimist/
[2020-02-12] The state pays for Smart-ID on a per use basis – the more users use Smart-ID, the more the state will have to pay (SK offers volume discounts). Smart-ID users outnumber Mobile-ID users two-to-one today. At the end of 2019, there were 230,000 Mobile-ID users and 430,000 Smart-ID users.
https://news.postimees.ee/6898254/estonia-to-create-new-digital-identification-tool
[2020-02-12] The state’s Mobile-ID contract will expire in 2022. RIA and PPA will announce the procurement for a new eID solution this year. The state does not want to copy Smart-ID, but instead use something else possibly based on biometrics.
https://news.postimees.ee/6898254/estonia-to-create-new-digital-identification-tool
https://tehnika.postimees.ee/6897706/eesti-asub-looma-uut-inimeste-tuvastamise-vahendit
[2020-02-12] The Estonian Foreign Intelligence Service has published their 2020 report. It contains a section on Russian cyber operations in 2019 and mentions potential Chinese threats including Huawei.
https://www.valisluureamet.ee/pdf/raport-2020-en.pdf
[2020-02-12] A ridiculous incident was reported which highlighted the core weakness in Mobile-ID (and Smart-ID). A customer of Luminor Bank unexpectedly logged into a stranger’s bank account. The customer accidentally entered the wrong username and the correct owner of the username confirmed the login with his Mobile-ID. The bank acknowledged that similar incidents have happened before. SEB bank also confirmed similar incidents.
https://epl.delfi.ee/uudised/kogemata-voorale-kontole-turvarisk-toob-netipanka-uue-lahtri?id=88906895
[2020-02-12] RIA is analyzing the risks of enabling i-voting on iOS and Android mobile devices. It will also have to be decided whether to allow voting using Smart-ID in the next elections. The final decision will rest with the National Electoral Committee.
https://news.postimees.ee/6898254/estonia-to-create-new-digital-identification-tool
https://digi.geenius.ee/rubriik/uudis/riik-otsustab-juba-jargmisel-kuul-kas-valimistel-saab-e-haalt-anda-smart-id-ga/
[2020-02-11] RIA and PPA launched a cybercrime information website (cyber.politsei.ee) where people are asked to report suspicious emails, account hijacking, money stolen from accounts, etc. The data will be used to inform the public about new crime schemes and to help investigate cases.
https://news.err.ee/1033928/police-launch-cybercrime-information-website
[2020-02-10] After the Tartu Smart Bike Share website had a security flaw which gave access to personal data of registered users, the Data Protection Inspectorate conducted a proceeding on the activities of the Tartu City Government over a longer period of time and concluded that the data leak did not pose a risk to users.
https://digi.geenius.ee/rubriik/uudis/tartu-rattaringluse-andmeleke-ei-kujutanud-kasutajatele-ohtu/
[2020-02-05] The Estonian ID software introduced an option to sign documents with Smart-ID. Smart-ID signing in DigiDoc4 client uses the additional security measure of the Smart-ID app – the users have to choose the right verification code out of three (similar to LHV bank). Smart-ID support is also planned for Android and iOS DigiDoc apps.
https://digi.geenius.ee/rubriik/uudis/riik-lisab-digiallkirjastamise-tarkvarale-smart-id-toe-soov-on-see-lisada-ka-mobiiliappidele/
https://www.id.ee/index.php?id=39777
https://www.ria.ee/et/uudised/ria-id-tarkvara-voimaldab-nuudsest-smart-idga-digiallkirjastada.html
[2020-02-04] Remote verification will be launched in the e-Notary self-service portal enabling notarial acts to be carried out at Estonia’s foreign representations without physically visiting a notary’s office. In order to perform remote verification, the customer will need an Estonian ID-card, digital ID, Mobile-ID or an e-resident’s digital ID. The personal identification system of the participants will use Veriff’s biometric face recognition technology.
https://news.err.ee/1031373/notary-acts-can-be-carried-out-in-foreign-embassies-from-february
https://www.err.ee/1034421/eesti-notarite-koda-loi-voimaluse-sooritada-toiminguid-interneti-kaudu
https://news.err.ee/1063131/estonian-embassies-join-e-notar-distant-authentication-pilot-project
[2020-01-30] RIA introduced a state signing service (SiGa) to replace DigiDocService. The service allows the creation of documents digitally signed with ID card and Mobile-ID and the validation of signatures. The service is provided to all persons performing public tasks. The software used by the service is public and allows anyone to run a similar service themselves.
https://www.ria.ee/et/uudised/ria-vastvalminud-riigi-allkirjastamisteenus-hoiab-asutuse-kulusid-kokku.html
[2020-01-17] UT, CybExer Technologies, NATO CCDCOE, Thinnect and Elisa Eesti will create a cyber defense environment in the simulation of critical information infrastructure protection on a cyber training ground (whatever it is).
https://news.err.ee/1025354/project-started-to-make-cyberdefense-for-public-and-private-infrastructure
[2020-01-16] A draft bill initiated by MKM would require telecoms to seek state permission when introducing new hardware and software. The security of any new tech will additionally be monitored by RIA, the Internal Security Service (ISS) and the state’s foreign intelligence agency. The restrictions are likely motivated to keep 5G networks away from the Chinese company Huawei, which is suspected of being controlled by the communist Chinese government.
https://tehnika.postimees.ee/6826879/eesti-sidetehnika-hakkab-labima-julgeolekukontrolli
https://tehnika.postimees.ee/6859100/it-minister-karu-esimene-tagasilook-oluline-eelnou-tunnistati-pohiseaduse-vastaseks
https://www.ituudised.ee/uudised/2020/01/28/valitsus-tahab-oigust-lubada-ning-keelata-eesti-sidevorkudes-kasutatavat-tehnoloogiat
https://tehnika.postimees.ee/6873351/minister-karu-noudis-huaweilt-aru
https://tehnika.postimees.ee/6871738/eesti-hakkab-tehnikat-politiseerima
https://www.ituudised.ee/uudised/2020/03/16/sidevorkude-turvalisust-puudutav-eelnou-sai-taiendust-ja-saadeti-teisele-lugemisele
https://news.err.ee/1020859/telecoms-security-bill-may-exclude-huawei-from-estonian-market-firm-says
[2020-01-15] Estonian-based web security company WebARX found a critical vulnerability in the popular WordPress plugin InfiniteWP Client and WP Time Capsule.
https://digi.geenius.ee/rubriik/uudis/eesti-veebiturbe-ettevote-leidis-kriitilise-haavatavuse-mis-mojutab-poolt-miljonit-veebilehte/
[2020-01-14] Cybernetica will create an automated threat information system between the US Air Force and the Estonian Defense Forces. The US-Estonian cyber-security alert information exchange system will cost €3.54 million. The contract was granted to Cybernetica without competition.
https://tehnika.postimees.ee/6873957/cybernetica-sai-riigilt-magusa-miljonilepingu-ilma-konkurentsita
https://www.err.ee/1023814/eesti-ja-usa-alustasid-kuberkaitsealast-koostood-ohuteabe-vahetamiseks
https://news.err.ee/1023833/estonia-and-the-us-to-build-joint-cyber-threat-intelligence-platform
[2020-01-14] In 2019, PPA instituted 12 disciplinary proceedings due to police officers making non-work related inquiries to the police information system. The police officer who made 35 queries was fired.
https://digi.geenius.ee/rubriik/uudis/politsei-karistas-uheksat-ametnikku-andmebaaside-vaarkasutamise-eest-uks-kaotas-too/
[2020-01-10] Due to technical issues at RIA, the notification service using @eesti.ee email address was disrupted between December 19 and January 7. In total 85,000 emails were not delivered in this period.
https://tehnika.postimees.ee/6869462/rikke-tottu-ei-joudnud-85-000-riigi-ametlikku-teadet-inimesteni
[2020-01-10] Geenius has contacted the biggest banks in Estonia, asking whether they have enabled security features to prevent criminals using their domain names in e-mail spoofing attacks. Danske Bank, Svenska Handelsbanken, Citadele, SEB and Bigbank has introduced DMARC to prevent e-mail spoofing attacks. Swedbank is still (already for a half a year) considering implementing DMARC. In LHV’s opinion, DMARC implementation is too complicated.
https://digi.geenius.ee/rubriik/uudis/eesti-pangad-on-hakanud-agaramalt-kasutama-tehnoloogiat-millega-e-kirja-pettuseid-valtida/
[2020-01-08] A family doctor helpline service has been opened offering personalized advice. The hotline staff will have access to a patient’s medical records if the caller grants consent authenticating with Mobile-ID or Smart-ID.
https://news.err.ee/1021433/family-doctors-advice-helpline-cannot-issue-repeat-prescriptions
[2020-01-07] The court denied the early release of Aleksei Vasilev, a 20-year-old student from Kingisepp convicted for finding flaws in the computer networks of Estonian state agencies on the orders of FSB. His 4-year sentence will end on November 4, 2021.
https://news.err.ee/1021428/court-denies-early-release-to-russian-man-convicted-of-working-for-fsb
https://news.err.ee/1010629/court-to-discuss-releasing-juvenile-convicted-of-spying-for-fsb-early
[2020-01-04] The Minister of the Interior was asked how many cases of illegal surveillance have been investigated by authorities. According to the response, 17 cases of private surveillance were registered in 2016, 71 cases in 2017, 22 cases in 2018 and 24 cases in 2019. There was one confirmed case of illegal surveillance and covert listening in 2017.
https://news.err.ee/1020497/authorities-not-interested-in-former-minister-s-bugged-office-claims
[2020-01-03] The database leakage of e-shop charlot.ee will be investigated by Latvian Data Protection Inspectorate, as the leaked database contained more data about clients in Latvia.
https://digi.geenius.ee/rubriik/uudis/eesti-ajaloo-suurimat-e-poe-andmeleket-uurivad-edasi-latlased/
[2020-01-03] SK ID Solutions has paid a contractual penalty to AS LHV Pank for disruptions in the functioning of the Mobile-ID service, as the maximum permitted downtime of 45 minutes was exceeded in 2019. SEB, Swedbank and Luminor refused to disclose whether they have sought contractual penalties from SK ID Solutions.
https://news.err.ee/1020240/sk-id-solutions-pays-penalty-to-lhv-for-disruptions-in-mobile-id-service
[2020-01-01] Personnel rotation in RIA. In December, Andrus Kaarelson, Deputy Director General of the State Information System Branch at the RIA has left RIA returning to work in the private sector. Margus Arm, previously the head of the Electronic Identity Department has been appointed Deputy Director General of the State Information System Branch. The new head of RIA’s Electronic Identification Department is now Mark Erlich. In December, Lauri Aasmann took over as the new RIA Deputy Director General for Cybersecurity. Aasmann came to RIA from the NATO CCD COE, where he led a team of lawyers. Previously, he worked as a lawyer at Swedbank AS and as a prosecutor at the Northern District Prosecutor’s Office and Tallinn Prosecutor’s Office, where he dealt with white-collar crime and cybercrime.
https://www.err.ee/1010537/ria-kuberturvalisuse-teenistuse-juhiks-sai-lauri-aasmann
https://news.err.ee/1020294/margus-arm-appointed-state-information-system-chief-at-ria
https://www.ria.ee/et/uudised/ria-peadirektori-asetaitjaks-sai-margus-arm.html
https://digi.geenius.ee/rubriik/uudis/riigi-infosusteemi-ameti-uks-tippjuhte-suundub-toole-erasektorisse/
https://www.ria.ee/et/uudised/olukord-kuberruumis-detsember-2019.html
[2019-12-31] A software engineer found a flaw in the Elisa home router which gives access to the management password and access to the router over SSH. Elisa claims that this flaw can only be used by clients themselves, but cannot be used to access other client’s devices.
https://digi.geenius.ee/rubriik/uudis/elisa-koduinterneti-ruuterist-avastati-turvaauk-mis-voimaldab-saada-ligipaasu-tehnilise-kasutaja-paroolile/
[2019-12-28] Märt Põder gave the presentation “DEBRIEF ON E-VOTING IN ESTONIA” at the 36th Chaos Communication Congress (36C3), explaining his view on the i-voting in Estonia.
https://events.ccc.de/congress/2019/wiki/index.php/Projects:Netizen_index_of_e-voting_requirements
https://docs.google.com/presentation/d/1ON01Fej5w7cnBmTsTIxnaoWFIh_LhuuaoAGkKFAZ0EE/edit?folder=0AKv1cHIDbJwmUk9PVA
https://twitter.com/trtram/status/1211007098194219009
[2019-12-23] A fraud case involving fake tara deposit checks caused €12,925 in damages. The fake checks were printed with a cashier printer on the same paper as the real checks. The criminals understood the composition of the bar code and configured the printer so that the printout would deceive the Maxima checkout system that prevents the use of a copy of a check receipt. It turned out that the checks were printed by IT specialist from the company that serviced tara vending machines at Maxima stores. The criminals were tracked down using CCTV footage that is stored by the store for 30 days.
https://ekspress.delfi.ee/kuum/aasta-krimiullatus-voltsitud-taaratsekkidega-raha-kokku-ajanud-kelmid-tootasid-nagu-mafioosod?id=88435809
[2019-12-23] The Supreme Court expressed its position in the case where a woman gave her ID card and PIN codes voluntarily to a man who ordered some merchandise in her name from Telia e-shop using ID card authentication. The case has been sent back to district court. According to the Supreme Court, in case the owner voluntarily gives his ID card with PIN codes to another person who uses the ID card to enter into a transaction, the transaction (or digital signature) may be valid based on the provisions of “entry into transaction through representative” (General Part of the Civil Code Act – GPoCCA – Chapter 8). As the court referenced GPoCCA § 131, this construction can still be attacked and the signed contract later annulled.
https://ekspress.delfi.ee/sisuturundus/e-identimise-vahendite-turvalisest-hoidmisest-ja-tehingutest?id=88465617
https://www.riigikohus.ee/et/lahendid?asjaNr=2-16-124450/77
[2019-12-21] MyHits radio uploaded, on Google Docs, a publicly available document containing names, phone numbers and email addresses of all participants in their prize game. The link was embedded in the source code of the prize game website. The subjects and Data Protection Inspectorate have been informed.
https://digi.geenius.ee/rubriik/uudis/myhitsi-auhinnamangu-osalejate-andmed-olid-koigile-huvilistele-kattesaadavad/
[2019-12-20] A group of Estonians used blank chip and PIN cards containing stolen credit card data to empty bank accounts of Indian, Bangladeshi and Pakistani victims. The criminals also attempted to order 17 phones in total from Klick using a Japanese credit card, but were reported to the police.
https://news.postimees.ee/6855114/estonian-gang-emptied-indian-bank-accounts
[2019-12-19] The Supreme Court of Estonia ruled that the bill expanding EDF surveillance rights is unconstitutional. The court said that the covert collection and processing of personal data may be necessary for the effective defense of domestic and external peace, however, legislation should establish efficient procedural guarantees similar to those set out in the Code of Criminal Procedure, in order to eliminate the possibility of the person against whom surveillance is conducted not being informed of the EDF having processed their data.
https://news.err.ee/1015626/top-court-bill-seeking-to-expand-edf-surveillance-rights-unconstitutional
[2019-12-18] A secret camera was found at a metal company AKG Loots. The high-tech camera was installed under the ceiling of the production workshop and was in constant communication. Industrial espionage is suspected, as the company has several international clients with classified contracts.
https://ekspress.delfi.ee/teateid-elust/metallifirmas-leiti-salajane-jalgimisseade?id=88407489
[2019-12-17] From 2020 PPA will introduce a 5 EUR fee for obtaining a new ID card PIN envelope.
https://raha.geenius.ee/rubriik/uudis/uuest-aastast-saab-id-kaardi-ja-passi-soodsamalt-tellida/
[2019-12-16] Mobile-ID was down for two hours.
https://digi.geenius.ee/rubriik/uudis/selgus-eilse-mobiil-id-kahetunnise-katkestuse-pohjus/
https://news.err.ee/1014529/mobile-id-service-in-estonia-disrupted-now-back-online
[2019-12-14] A Viljandi hospital patient learned that a hospital nurse had viewed her health information and shared it in Facebook messages with her friend. The nurse has been fined for data breach.
https://leht.postimees.ee/6849818/medode-nuhkis-sobranna-mahitusel-voora-inimese-terviseinfo-jarele
[2019-12-12] The i-voting workgroup published the full report with 25 proposals to improve the i-voting system enhancing credibility and managing risks. In the IT Minister’s opinion, several important directions have been outlined and following working groups should be set up to go deeper into the more specific topics. In Märt Põder’s opinion, the report is a failure as the verifiability(?) issue has not been addressed.
https://www.mkm.ee/sites/default/files/content-editors/e-valimiste_tooruhma_koondaruanne_12.12.2019_0.pdf
https://digi.geenius.ee/rubriik/uudis/e-valimiste-tooruhma-liige-loppraport-on-minu-jaoks-labikukkumine/
https://digi.geenius.ee/rubriik/uudis/it-minister-karu-moodustab-e-valimiste-tooruhma-osas-uued-toogrupid/
https://digi.geenius.ee/rubriik/uudis/e-valimiste-tooruhm-ei-soovi-e-valimisi-ara-lopetada-hoopis-voimalusi-juurde-lisada/
https://tehnika.postimees.ee/6844891/kingo-tooruhm-annab-aru-kas-e-valimised-on-eesti-habiplekk
https://news.postimees.ee/6849632/e-voting-task-force-finishes-report-including-25-proposals-for-improving-system
https://news.err.ee/1013585/e-election-taskforce-report-complete-includes-25-improvement-proposals
https://www.err.ee/1013627/tooruhm-tegi-25-ettepanekut-e-valimiste-parendamiseks
https://news.err.ee/1015470/ria-does-not-have-funds-to-implement-e-election-workgroup-s-proposal
[2019-12-12] Florian Hartleb wrote an article “e-Estonia. Europe´s Silicon Valley or a new 1984?”. The article mentions X-Road, personal ID code, DDoS attacks in 2007, Infineon ID card crisis in 2017 and data embassy project. Contrary to the title, the privacy aspects are not discussed in depth.
https://link.springer.com/chapter/10.1007/978-3-030-27957-8_16
[2019-12-06] Former Minister of Rural Affairs Mart Järvik claimed that he had detected “bugs” in his office in one section of the ceiling. He tried two eavesdropping detection devices borrowed from his friends. Later, according to an unnamed source, the detected device turned out to be a device for amplifying Wi-Fi signals.
https://news.err.ee/1010579/prosecution-we-do-not-know-what-jarvik-is-talking-about
https://news.err.ee/1011075/mart-jarvik-s-letter-to-helme-about-alleged-eavesdropping
https://news.err.ee/1010506/former-minister-says-he-found-listening-device-in-ministry-of-rural-affairs
https://news.err.ee/1011048/rural-affairs-ministry-no-bugging-device-found-in-former-minister-s-office
https://news.err.ee/1012483/reform-mp-asks-mart-helme-about-alleged-illegal-surveillance-of-jarvik
https://news.err.ee/1011441/jarvik-i-haven-t-seen-a-bug-but-the-equipment-detected-it
https://news.err.ee/1011608/paper-jarvik-bugging-device-a-simple-wifi-signal-amplifier
[2019-12-05] A cryptographer from the Republic of Senegal published a subtle attack against the Smart-ID clone detection mechanism described in the original Smart-ID paper. The flaw allows an attacker who has cloned a victim’s Smart-ID app instance to forge signatures before the victim has used his instance, such that when the victim uses his Smart-ID instance, the attacker’s clone which was used to forge signatures is not detected by the server. The flaw lies in the fact that according to the protocol description, the next expected request ID is set by the client and not the server, which means that after the attack the attacker can reset the next request ID to match the request ID stored in the victims Smart-ID instance, thereby leading to the victim’s next request to be accepted by the Smart-ID server. SK has responded that the actual Smart-ID implementation uses an updated clone detection mechanism which is not affected by this flaw.
https://eprint.iacr.org/2019/1412
https://twitter.com/doomsdaysoup/status/1204399972231331846
https://www.skidsolutions.eu/en/News/iacr-published-smart-ids-cryptanalysis/
[2019-12-03] Toomas Vaks, former RIA Deputy Director General for Cybersecurity, wrote an opinion piece about cyber risks.
https://leht.postimees.ee/6840530/toomas-vaks-kas-ja-kes-peaks-kartma-kuberohtu
[2019-12-02] Agu Kivimägi wrote his thoughts about the recently highlighted issue that the time of signing of a digitally signed file can be changed.
https://digi.geenius.ee/rubriik/uudis/agu-kivimagi-kas-digiallkirja-aega-saab-usaldada/
[2019-12-02] SEB has made an update to its Android mobile app, which now allows SEB customers to make payments by touching a payment terminal with their mobile phone. The app can be used to pay for mobile purchases up to €150 if NFC has been enabled on the phone.
https://tehnika.postimees.ee/6839851/seb-apiga-saab-ka-nuud-poes-maksta
[2019-11-29] Phishing attacks against Smart-ID users have advanced. Now attackers are performing active attacks and displaying to victims the correct Smart-ID verification code. The usual defense of comparing verification codes does not work anymore. Now the only defense is to verify that the authentication is performed in the expected web site.
https://www.ria.ee/et/uudised/petturite-ongitsuslehed-muutumas-inimeste-jaoks-usutavamaks.html
[2019-11-29] CERT-EE warned about scam emails sent in the name of SEB bank. A victim from Tartu lost €4,777 in the scam. Security specialists have pointed out that SEB is endangering their clients by not configuring SPF+DMARC to prevent email spoofing using seb.ee domain.
https://kasulik.delfi.ee/news/uudised/hoiatus-tartlane-langes-ohtliku-seb-nimel-leviva-kelmuse-ohvriks-ja-kaotas-pangakontolt-ligi-5000-eurot?id=88072693
https://twitter.com/SadEstonianIT/status/1200422642639130625
https://twitter.com/SadEstonianIT/status/1195009181826404358
[2019-11-27] Registration of marriage is one of the few things that cannot be concluded digitally. The state is now analyzing the possibility of making marriage registration easier and partly accessible through the state portal eesti.ee.
https://news.err.ee/1007521/state-analyzing-online-marriage-registration
[2019-11-26] People sent letters to the Ministry of Justice and the Chancellor of Justice expressing their dissatisfaction with the fact that the real estate owned by them can be searched in the electronic land register by anyone. The land register has now been modified such that only an authenticated user would be able to search for real estate by name or personal identification code leaving an audit trail.
https://tehnika.postimees.ee/6835333/riik-asus-piirama-kinnistusraamatus-tuhnimist
[2019-11-20] A communication channel has been set up between the police and Facebook, allowing police officers to access Facebook account holders’ information in minutes if police the estimates that there is a real risk to human life. If there is no immediate threat, the request will take longer, sometimes a couple of days. In 2019, PPA asked Facebook about 88 accounts, requiring quick response nine times. Account freezes have been requested for 14 accounts.
https://digi.geenius.ee/rubriik/uudis/kuidas-ja-kui-kiiresti-saab-politsei-facebookist-katte-kaja-kallase-ahvardajate-ja-teiste-kahtlusaluste-andmed/
[2019-11-20] Using a fake Facebook account, death threats were made towards Reform Party leader Kaja Kallas. According to PPA, the perpetrators are based in Sweden and therefore Kallas’ life was in no immediate danger.
https://news.err.ee/1006702/paper-estonian-and-swedish-police-to-cooperate-over-kaja-kallas-threat
https://news.err.ee/1005823/police-not-opening-criminal-proceedings-into-kaja-kallas-online-threats
https://news.err.ee/1004931/paper-death-threats-against-reform-party-leader-made-in-sweden
[2019-11-20] Rats seriously damaged RIA’s underground optical cable affecting the operation of eesti.ee and the services of the Health Insurance Fund. Although physical network connections are duplicated, these e-services failed to automatically move to another channel.
https://www.ria.ee/et/uudised/olukord-kuberruumis-november-2019.html
https://www.ria.ee/et/uudised/rotid-pohjustasid-riigivorgu-osalise-katkestuse.html
https://www.ria.ee/et/uudised/riigivorgu-oine-kaablivahetus-sujus-torgeteta.html
https://m.arileht.delfi.ee/article.php?id=88126529
https://news.err.ee/1005397/ria-hopes-to-remedy-cable-disruptions-with-automatic-devices-in-future
https://news.err.ee/1005241/e-services-inaccessible-after-rats-chew-through-wires
[2019-10-30] The Estonian Research Council has financed the creation of a programmable USB device with a RGB LED and button, which can be programmed, for example, to emulate a keyboard and send key strokes after it is plugged into the computer. The device was given out to high school students in the Robotex event.
https://hackest.org/usb/
[2019-09-25] The requirement for an age check when ordering alcohol online is not enforced by all e-shops. Some parcel terminals require the ID card of an adult to be inserted, but the terminal does not ask for a PIN code (which means that the process does not involve any cryptography).
https://epl.delfi.ee/uudised/e-poest-alkoholi-tellides-piisab-taisealise-id-kaardist?id=87524573
[2019-04-26] TalTech in cooperation with others have created a High School Cyber Security Selection Course Digital Textbook. The textbook contains material on various topics and includes a lot of unseen video materials.
https://web.htk.tlu.ee/digitaru/kyberkaitse/
[2017-01-27] In Tallinn Circuit Court, defendants contested the integrity of an electronic evidence (a virtual machine image containing Skype logs), based on the fact that the integrity of the disk image was provided by calculating the hash using the outdated MD5 hash function. The defendants demonstrated a practical MD5 collision attack by showing that when opening two visually different image files the calculated MD5 hash value of the files was the same. The court correctly noted that while the MD5 function is not collision resistant, it is still second pre-image resistant guaranteeing the integrity of the collected evidence.
https://journals.sas.ac.uk/deeslr/article/view/5081

Defence of Cyber Security Engineering Diploma Theses at TalTech IT College (January 2020)

Leave a reply

January 22nd at 15-17, TalTech IT College, Raja 4C, Tallinn at room 217:

Chairman of the Defence Committee: Priidu Paomets
The Defence Committee: Mohammad Tariq Meeran, Kaido Kikkas, Aleksei Talisainen, Toomas Lepikult

Title: Countermeasures to Deepfakes
Student: Gabriel Apeh Adoyi

Title: Implementing Authentication and Authorization in Dynamic Web Applications
Student: Christian Cataldo

Title: Windows User Simulation for Scalable Cybersecurity Training Platform
Student: Kustas Kurval

Grades (in random order): 5, 2, 1

Links:

Cyber Security master’s theses defense in TalTech (January 2020)

Leave a reply

January 9th, 2020, Akadeemia Tee 15a, room ICT-411.

Time: 10:00
Student: Deniz Basar
Title: Uniqueness Criteria for Blockchain Type Distributed Ledgers
Supervisor: Ahto Buldas
Reviewer: Aleksandr Lenin

Time: 10:40
Student: Kristian Kivimägi
Title: Predicting students’ success using technical labs as part of university admission to a cyber security program
Supervisor: Kaie Maennel, Olaf Maennel
Reviewer: Stefan Sütterlin

Time: 11:20
Student: Alessandro Mirani
Title: User Behavior Analysis for Predictive Virtual Reality Applications: An Ethical and Data Security Perspective
Supervisor: Aleksei Tepljakov, Hayretdin Bahsi
Reviewer: Eduard Petlenkov

Cyber Security Newsletter 2019-11-14

Leave a reply

[2019-11-12] RIA organized information day. The topics covered: new Mobile-ID procurement, closure of DigiDocService, authentication gateway, developments in eID field, signature service, X-Road and others. Full video recording available online (in Estonian).
https://www.ria.ee/et/uudised/tana-toimub-ria-koostoopartnerite-infopaev.html
https://riainfopaev2019.publicon.ee/paevakava/
[2019-11-11] RIA decided to support with EUR 5,550 grant the association for the visually impaired as a compromise for RIA’s failure to support screen readers in DigiDoc4 client.
https://www.ria.ee/et/uudised/ria-solmis-nagemispuudega-inimestega-hea-tahte-margiks-kompromissi.html
https://digi.geenius.ee/rubriik/uudis/kohus-hakkab-vaagima-kas-riik-peab-nagemispuudega-inimestele-vigase-tarkvara-parast-maksma-10-000-eurot/
[2019-11-11] Supreme Court is discussing EDF law expanding surveillance rights. Chancellor of Justice Ülle Madise has found that the amendments are constitutional, because they do not allow for the restriction of individuals’ fundamental rights any more than the legislation currently in force.
https://news.err.ee/1001642/supreme-court-discussing-edf-law-expanding-surveillance-rights
https://news.err.ee/982963/justice-chancellor-law-expanding-edf-surveillance-rights-constitutional
[2019-11-11] Telia offers NFC-enabled SIM card that can be used in the phone to validate ride on public transport in Tallinn.
https://digi.geenius.ee/rubriik/uudis/tallinna-bussis-saad-nuud-oma-soidu-valideerida-ka-nutitelefoniga-viibates/
https://digi.geenius.ee/rubriik/uudis/juhend-kuidas-kaib-labi-nutitelefoni-uhiskaardiga-valideerimine-ja-palju-see-teenus-maksab/
https://news.err.ee/1001643/what-the-papers-say-accessible-tartu-baby-boom-in-paide
[2019-11-07] SK ID Solutions annual conference was held second time in English. Presentation slides available.
https://www.skidsolutions.eu/en/about/sk-annual-conference/sk-annual-conference-2019
[2019-11-04] Estonia is planning a system that would collect data from hotels to alert the authorities when somebody on a watchlist checks in. Dan Bogdanov discussed how to build a totally anonymous electronic accommodation card.
https://twitter.com/danbogdanov/status/1189805333146935296
https://digi.geenius.ee/rubriik/uudis/andmeteadlane-kuidas-ehitada-taiesti-anonuumset-elektroonset-majutuskaarti/
https://digi.geenius.ee/rubriik/uudis/testimisse-jouab-riiklik-e-majutuskaart-mis-informeerib-politseid-tagaotsitavatest/
[2019-11-04] UT researchers performed interdisciplinary research studying Estonian digital signature compliance to national and EU legal requirements. The finding is that the “Signed on” time displayed by DigiDoc software cannot be trusted to establish the actual time of signing. Other finding is that due to the certificate validity suspension option, vast majority of digital signatures created as of now cannot be verified according to legal requirements.
https://cybersec.ee/timesign/
[2019-10-31] From next year, the Consumer Protection and Technical Surveillance Authority (TTJA) will have the rights to restrict access to e-shops and mobile apps, and will have the right to find out who are the customers of the telecom operators.
https://digi.geenius.ee/rubriik/uudis/ttja-hakkab-e-poodide-ja-appide-kasutust-piirama-kui-muud-meetmed-ei-aita/
https://digi.geenius.ee/rubriik/uudis/riik-saab-hakata-piirama-ligipaasu-e-poodidele-ja-appidele-ning-naeb-operaatorite-klientide-andmeid/
[2019-10-28] Storm caused extensive power outage that disrupted internet connection in south of the country. Border crossing was disrupted for several hours. Better preparation for next storm needed.
https://news.err.ee/996771/storm-disrupts-agencies-internet-connection-in-south-of-country
[2019-10-25] Justice ministry conducted an audit into whether judges had accessed documents in the court information system regarding cases in which they do not take part. Judges warned that such audits would undermine judges’ confidence in and willingness to use the information systems.
https://news.err.ee/995904/judges-protest-justice-ministry-court-information-inspection
[2019-10-25] Märt Põder shared a photo from IT minister’s i-voting work group and discussed the risk of i-vote selling.
https://gafgaf.infoaed.ee/posts/myya-v3hekasutatud-kryptogramm/
[2019-10-23] Tele2 blocked foreign phone numbers associated with massive fraudulent call wave. By contrast, Telia and Elisa are not yet blocking the numbers, claiming that intervention of a regulatory body is required.
https://digi.geenius.ee/rubriik/uudis/ootamatu-kaik-tele2-blokeerib-massilise-petukonede-lainega-seotud-valismaised-telefoninumbrid/
[2019-10-23] IT and foreign trade minister Kert Kingo submited resignation. MKM workgroups will keep working. The new IT minister is Kaimar Karu. In his view the transparency of i-voting should be improved.
https://news.err.ee/995118/it-and-foreign-trade-minister-kert-kingo-submits-resignation
https://digi.geenius.ee/rubriik/uudis/endise-it-ministri-kert-kingo-algatatud-tooruhmad-jatkavad-tood/
https://news.err.ee/1002119/new-ekre-minister-kaimar-karu-in-first-interview-the-weak-need-protection
[2019-10-21] Full list of all concerns raised by the IT Minister Kingo’s i-voting working group has been published.
https://digi.geenius.ee/rubriik/uudis/taispikk-nimekiri-it-minister-kingo-e-valimiste-tooruhma-koik-valja-toodud-murekohed/
[2019-10-18] The Estonian state will form a large cyber security policy council. MKM wishes to involve 32 different parties. The tasks of the council will include sharing information on sectoral developments and challenges, building situational awareness on cyber security, and addressing cyber security policies.
https://digi.geenius.ee/rubriik/uudis/eesti-riik-moodustab-suure-kuberturvalisuse-poliitika-noukogu/
[2019-10-09] Data Protection Inspectorate issued memorandom inviting public authorities to not store data on public cloud services, because the confidentiality of the data may not be guaranteed and also the access to data in case of emergency may not be provided.
https://digi.geenius.ee/rubriik/uudis/ameti-margukiri-eesti-riigiasutused-ei-tohi-andmeid-hoiustada-avalikes-pilveteenustes/
https://www.aki.ee/et/uudised/it-kulutohususest-olulisem-turvalisus
[2019-10-05] Research article by TalTech researchers: On Positive Feedback Loops in Digital Government Architecture. The case of Estonia is presented.
https://www.researchgate.net/publication/336362287_On_Positive_Feedback_Loops_in_Digital_Government_Architecture
[2019-10-03] The state wants to reduce the dependency on a single trust service provider and considers running their own trust service provider. Currently ID card and Mobile-ID both depend on SK ID Solutions. SK is ready for competition – Smart-ID provides them with alternative markets.
https://digi.geenius.ee/rubriik/uudis/riik-soovib-vabaneda-riskist-et-id-kaart-mobiil-id-ja-smart-id-on-soltuvad-uhest-firmast/
https://digi.geenius.ee/rubriik/uudis/sk-tahame-enda-valdkonnas-rohkem-konkurentsi-naha/
[2019-09-30] In September, Smart-ID downtime exceeded the allowed limits due to the problems with failing hardware. This year, three Mobile ID interruptions have exceeded allowed limits.
https://digi.geenius.ee/rubriik/uudis/sel-aastal-on-kolm-mobiil-id-katkestust-uletanud-lubatu-piire/
https://forte.delfi.ee/news/digi/mobiil-id-torkus-jalle-kas-ppa-kehtestab-lopuks-sanktsioonid?id=87888275
https://forte.delfi.ee/news/digi/smart-id-teenusega-esines-torkeid?id=87389433
https://forte.delfi.ee/news/tarkvara/mobiil-id-teenus-hetkel-ei-toota?id=87357159
[2019-09-30] DigiDocService will be shut down in October 2020. Mobile-ID service will be provided over REST API similar to Smart-ID. Other services (signature and certificate validation) will not be supported.
https://www.skidsolutions.eu/en/News/the-digidocservice-service-will-be-shut-down-in-2020/
https://digi.geenius.ee/rubriik/uudis/mobiil-id-on-vaikselt-saanud-selle-kasutust-mojutavaid-uuendusi-ja-neid-tuleb-veel-juurde/
[2019-09-26] LHV bank decided to enable Smart-ID API call that requires their clients to choose in mobile app the correct Smart-ID verification code from the three suggested ones. The change is aimed to force their clients to compare the verification codes shown by the Smart-ID application. Unfortunately, such measure helps only against phishing attacks using static phishing pages.
https://www.lhv.ee/et/uudised/2019/29
https://tehnika.postimees.ee/6787356/enneolematu-lhv-pani-smart-id-kasutamisele-lisakontrolli-peale
https://raha.geenius.ee/blogi/lhv-blogi/lhv-muutis-smart-id-kasutamise-veelgi-turvalisemaks/
[2019-09-25] The state is looking for next generation Mobile-ID. This is partly motivated by the eIDAS requirement for expensive security certification of currently non-certified SIM card platforms.
https://digi.geenius.ee/rubriik/uudis/riik-tahab-mobiil-id-paremaks-muuta-laual-on-mitu-varianti/
[2019-09-24] Software error disrupted emergency calls for 20-minute period. In total, 26 people called emergency services during the affected period but were called back later.
https://news.err.ee/993893/ria-number-of-cyber-incidents-in-september-slightly-above-annual-average
https://www.ria.ee/et/uudised/olukord-kuberruumis-september-2019.html
[2019-09-19] Researchers discovered “Simjacker” vulnerability that exploits technology embededed on SIM cards used over the world. According to representatives of Tele2, Elisa and Telia, the SIM cards issued in Estonia do not use technology that would enable the attack.
https://www.adaptivemobile.com/newsroom/press-release/adaptivemobile-security-uncovers-sophisticated-hacking-attacks-on-mobile-phones-exposing-massive-network-vulnerability
https://digi.geenius.ee/rubriik/uudis/mobiilioperaatorid-kinnitavad-sim-kaartide-pohine-haavatavus-ei-mojuta-eestlasi/
[2019-09-13] RIA plans to eventually remove the bank link as an authentication option in government e-services.
https://digi.geenius.ee/rubriik/uudis/ria-plaanib-riigiteenustes-autentimisvoimalusena-pangalingi-ara-kaotada/
[2019-09-13] RIA finished price negotiations with SK ID Solutions and have introduced Smart-ID for authentication to government e-services. RIA has assessed that Smart-ID authentication solution provides eIDAS security level “high”. Support for signing using DigiDoc client will come in the future.
https://www.ria.ee/et/uudised/ria-votab-riiklikes-teenuses-kasutusele-smart-id.html
https://news.err.ee/980219/public-services-can-soon-be-accessed-using-smart-id
https://leht.postimees.ee/6776871/eesti-vottis-ametlikult-kasutusele-smart-id
[2019-09-12] Ministry of Foreign Affairs will launch a cyber diplomacy department headed by Heli Tiirmaa-Klaar, a diplomatic representative with special powers in the field of cybersecurity.
https://news.err.ee/979941/department-of-cyber-diplomacy-to-launch-later-this-year
[2019-09-10] EuroPark has obtained the details of 6000 vehicle owners who have not paid the parking fee. Previously the court ordered Estonian Road Administration to share car owner personal data with EuroPark.
https://kasulik.delfi.ee/news/uudised/europark-on-katte-saanud-6000-soidukiomaniku-andmed-kellel-on-parkimistrahv-tasumata?id=87391211
[2019-07-09] Research article by Emin Caliskan, Risto Vaarandi, Birgy Lorenz (TalTech): Improving Learning Efficiency and Evaluation Fairness for Cyber Security Courses: A Case Study. They present a case study on the Cyber Defense Monitoring Solutions course from TalTech Cyber Security MSc program.
https://link.springer.com/chapter/10.1007/978-3-030-22868-2_45

Cyber Security Newsletter 2019-09-05

Leave a reply

[2019-09-03] OSCE assessed Estonian 2019 parliamentary elections and have produced report containing recommendations for i-voting. According to OSCE, the Election Service should develop a strategy to reduce the risk of internal attack before the next election, and should also publish third-party risk assessments, audits and other reports before the next election.
https://digi.geenius.ee/rubriik/uudis/rahvusvahelise-ekspertruhma-raport-leidis-eesti-e-valimiste-osas-mitu-kriitilist-kohta/
https://www.osce.org/odihr/elections/estonia/424229
[2019-09-03] Uku Särekanno, head of cyber security at RIA, starting October will take up duty at the European Union’s IT agency eu-LISA, where he will coordinate the deployment of new large-scale databases in the Schengen area. RIA will be looking for new Deputy Director General.
https://www.err.ee/976328/ria-tippametnik-liigub-el-i-it-agentuuri-juhtima-andmebaaside-rakendamist
https://www.ria.ee/et/uudised/uku-sarekanno-asub-toole-euroopa-liidu-it-agentuuri-eu-lisa.html
[2019-09-03] Estonian passports will be manufactured by ID Global Solutions Limited. They will provide all the templates and equipment but PPA will print them. Currently Gemalto OY provides the service (until 2021). To mitigate the risks the state prefers to purchase ID-1 format documents and travel documents from different companies (source: Lips et al.).
https://news.err.ee/976363/id-global-solutions-awarded-estonian-passport-contract-from-2021
https://www.err.ee/976324/eesti-passe-asub-tootma-id-global-solutions-limited
[2019-08-29] I-voting workgroup members have submitted 30 suggestions for improvements. Among them is the proposal that the number of people involved in conducting and supervising elections should increase and to raise the number of independent observers at election counts.
https://news.err.ee/974715/e-voting-workgroup-recommends-more-audits-and-observers
[2019-08-23] MoD announced MSc thesis scholarship competition in categories: cryptography; situational awareness; accounting of defense material; planning and management of defense infrastructure; drones. The Master’s thesis scholarship competition is aimed primarily at students entering the Master’s program, but applications may also be submitted by second-year students who have not yet chosen a Master’s Thesis.
http://www.kaitseministeerium.ee/et/eesmargid-tegevused/teadus-ja-arendustegevus/kaitsealaste-magistritoode-stipendiumikonkurss
[2019-08-15] Minister of Finance showed Director General of PPA printout with the line that the document has been digitally signed. It turned out that the document was only a draft which has not been signed. This created a discussion on whether the printout was a forgery.
https://www.postimees.ee/6754513/lauri-lugna-mina-ei-ole-allkirjastanud-elmar-vaheri-toolepingu-peatamist
https://digi.geenius.ee/rubriik/teadus-ja-tulevik/taltechi-professor-selgitab-mis-on-digiallkiri-ja-ajatempel-ja-kas-neid-saab-voltsida/
https://digi.geenius.ee/rubriik/uudis/advokaat-pelgalt-allkirjastatud-digitaalselt-kirjutamine-dokumendile-pole-allkirja-voltsimine/
[2019-08-06] The Estonian government approved objectives to simplify processing of identity documents at foreign representations by introducing online applications and streamlining of passport deliveries by mail. Contrary to government proposal, PPA thinks that mailing documents has security risks and is currently not working on such plan.
https://news.err.ee/968060/police-think-delivering-passports-id-documents-via-courier-not-safe
https://news.err.ee/966949/applying-for-receiving-estonian-passports-ids-abroad-to-be-simplified
[2019-08-07] Microsoft Security Response Center published the list of 75 most valuable security researchers who have contributed to securing the Microsoft’s customers and the broader ecosystem this year. Estonian Jaanus Kääp is among them. He was there also last year.
https://msrc-blog.microsoft.com/2019/08/07/announcing-2019-msrc-most-valuable-security-researchers
[2019-08-07] Gemalto left Estonia without paying to PPA legal expenses of litigation process.
https://tehnika.postimees.ee/6747591/gemalto-lasi-eestist-jalga-aga-suur-volg-jai-maha
[2019-07-31] Visually impaired people claimed 10 000 EUR from RIA due to faulty DigiDoc4 software that did not support screen readers for nearly a year. RIA refused to pay.
https://digi.geenius.ee/rubriik/uudis/nagemispuudega-inimesed-esitasid-vigase-id-kaardi-tarkavara-tottu-riigile-10-000-eurose-noude/
https://digi.geenius.ee/rubriik/uudis/ria-jatab-puuetega-inimestele-10-000-eurot-maksmata/
[2019-07-28] Silvia Lips, Krista Aas, Ingrid Pappel and Dirk Draheim wrote an article “Designing an Effective Long-Term Identity Management Strategy for a Mature e-State” where they analyze the process of developing identity management strategy white paper.
https://link.springer.com/chapter/10.1007/978-3-030-27523-5_16
https://www.ria.ee/sites/default/files/content-editors/EID/valge-raamat-2018.pdf
[2019-07-26] Head of SK ID Solutions reported about a scam where criminals promise several thousands of euros in earnings. During a Skype call people are asked to share access to their computer. After making the connection, people are prompted to insert ID card into the computer and criminals use it to create a Smart-ID account on behalf of the person. This is quite extreme scam which is hard to prevent with technological means. Nevertheless, these scams should not be used as an excuse for the scams that rely on the poor security design choices of Mobile-ID/Smart-ID.
https://digi.geenius.ee/rubriik/uudis/levib-veel-uks-uus-pettus-nuud-luuakse-inimestele-arvutist-ule-kauguhenduse-smart-id-kontosid/
https://news.err.ee/971425/ria-more-cyber-incidents-than-average-registered-in-july
[2019-07-23] IT minister to establish cybersecurity working group whose task will be to coordinate the implementation of the 2019-2022 cybersecurity strategy. This is the third strategy document for the cybersecurity and safety field that defines a longer-term vision for the sector, the objectives to be achieved, and priority courses of action, roles and responsibilities for achieving it.
https://news.err.ee/964005/it-minister-to-establish-cybersecurity-working-group
[2019-07-22] The first-ever Tallinn Summer School of Cyber Diplomacy was held in Estonia, bringing to Estonia approximately 80 diplomats, researchers and experts engaged in cyber issues.
https://vm.ee/en/news/diplomats-eu-and-nato-countries-will-discuss-essential-cyberspace-issues-tallinn-week
[2019-07-22] Cyber Security Summer School 2019 took place. This time it was organized by UT on the bockchain topic.
https://blog.cs.ut.ee/2019/07/22/summary-of-the-cyber-security-summer-school-2019/
[2019-07-17] Estonian Juhan Lepassaar was elected from among 80 candidates to become the next executive director of the European Union Agency for Cybersecurity (ENISA).
https://blog.ria.ee/juhan-lepassaar-kuberpotis-oleme-koik-koos/
https://news.err.ee/962076/juhan-lepassaar-elected-director-of-eu-agency-for-cybersecurity
[2019-07-12] Olerex had it’s customer transaction database stolen. The leak affects about 100 000 transactions concluded in the previous month and a half. It consisted mostly of business client’s names, personal identification numbers, fueling limits and other undisclosed pieces of data. The database was freely available online for a month and a half. Olerex claims that the data was downloaded only by an IT security expert who has confirmed to Olerex that the data has been deleted.
https://news.postimees.ee/6730265/client-information-leaked-from-olerex
https://news.err.ee/961211/information-authority-urges-attention-to-cybersecurity-following-breaches
https://digi.geenius.ee/rubriik/uudis/ria-tunnistab-et-olerexi-andmelekke-avalikustamisel-tehti-viga/
https://majandus24.postimees.ee/6727953/hiigelleke-olerexis-patid-said-katte-kuni-100-000-kliendi-andmed
https://digi.geenius.ee/rubriik/uudis/olerexi-it-juht-hoiatas-eile-it-spetsialiste-veebiserveritest-norkusi-otsivate-bottide-eest/
https://digi.geenius.ee/rubriik/uudis/uus-suur-andmeleke-olerexi-andmebaasi-turvaaugu-tottu-lekkis-kuni-100-000-tehingu-info/
[2019-07-10] Tartu Smart Bike Share website maintained by Bewegen Technologies had a security flaw which allowed to access personal data of registered users (contact details and usage history). Bewegen fixed the flaw in few hours and claimed that nobody except the person who reported the flaw had accessed the data.
https://digi.geenius.ee/rubriik/uudis/tartu-rattaringluse-infosusteemist-leiti-turvaviga-mis-lubas-ligi-paaseda-laenutajate-andmetele/
https://www.tartu.ee/en/node/10640
[2019-07-10] Smart-ID account creation using Mobile-ID has been augumented with SMS notification containing security code that has to be entered when creating Smart-ID instance. This should prevent Mobile-ID phishing attacks towards Smart-ID account creation. To date, there are 42 cases in Estonia where Smart-ID counterfeit accounts were created, in 10 cases it was actually used. Unfortunately, this does not address Mobile-ID/Smart-ID phishing attacks against other services.
https://www.id.ee/index.php?id=39509
https://digi.geenius.ee/rubriik/uudis/smart-id-tegemisel-on-nuud-suur-muudatus-mis-peaks-valistama-voltskontode-loomise/
https://digi.geenius.ee/rubriik/uudis/kalev-pihl-meie-meede-maandab-smart-id-riske-paremini-kui-ria-pakutud-lahendus/
https://digi.geenius.ee/rubriik/uudis/smart-id-petuskeemi-ohvriks-langes-tervelt-28-inimest/
https://digi.geenius.ee/rubriik/uudis/kurjategijad-proovisid-smart-id-kontosid-luua-ka-juunis-kummekond-korda-jouti-kontosid-ara-kasutada/
https://digi.geenius.ee/rubriik/uudis/uus-statistika-kurjategijad-jatkasid-smart-id-kontode-valja-petmist-ka-maikuus/
[2019-07-03] Web shop charlot.ee leaked usernames, home addresses and plaintext passwords of 14 000 users. The personal details were published as plain text documents and were easily found by googling. The manager of the company initially denied the leak, but later admitted it. So far, there have been no cases in Estonia where the Data Protection Inspectorate has fined some companies for data leakage.
https://digi.geenius.ee/rubriik/uudis/toimus-eesti-ajaloo-suurim-e-poe-andmeleke-ripakil-olid-14-000-eestlase-isikuandmed/
https://digi.geenius.ee/rubriik/uudis/andmekaitseinspektsioon-alustab-andmeid-lekitanud-e-poe-osas-menetlust/
https://news.err.ee/961211/information-authority-urges-attention-to-cybersecurity-following-breaches
[2019-07-02] At the National Defense Council meeting it was agreed that MKM would come out by the end of the year with proposals to strengthen the country’s cryptographic and information security areas. It also gave an overview of the current status of the agreed activities following the ID-card crisis of 2017.
https://www.ituudised.ee/uudised/2019/07/02/kaljulaid-peame-kuberturbe-alast-voimekust-suurendama
[2019-06-28] Email notices sent by the state to personal_ID_code@eesti.ee (but not name@eesti.ee) address will be stored on a virtual “mailbox” on eesti.ee, regardless of whether e-mail forwarding has been configured.
https://blog.ria.ee/eesti-ee-meiliaadressidest-ja-postkastist/
[2019-06-28] ICR2019 workshop took place. Video recordings of the presentations are online.
https://www.ttu.ee/institutes/centre-for-digital-forensics-cyber-security/events-19/interdisciplinary-cyber-research-icr-workshop/icr2019-3/agenda-6/
[2019-06-26] PPA found that due to a technical failure, for more than 15 000 automatically revoked ID cards the certificates were not revoked, which in 285 cases resulted in the ID card of the deceased person being electronically abused by other persons. The bug was discovered already in 2015, but investigated only in the begginning of 2019. Praise to the authorities for not sweeping the incident under the carpet!
https://news.err.ee/956106/thousands-of-id-cards-not-properly-deactivated-due-to-software-glitch
[2019-06-26] Father of i-voting Tarvi Martens made quite a strong statement saying that the i-voting system has no weaknesses and nothing depends on people or computers.
https://news.postimees.ee/6715816/e-voting-creator-the-system-is-bulletproof
[2019-06-22] Märt Põder wrote in his blog why he accepted invitation to take part in i-voting workgroup.
https://gafgaf.infoaed.ee/posts/linnamyyr/
[2019-06-21] The i-voting workgroup has been established and members have been listed. The working group is headed by MKM and includes RIA, the election service, research institutions and other experts. The task of this working group will be to analyze the security and transparency of electoral system processes and, if necessary, make suggestions for improvement. The workgroup will present its report by 12 December 2019 at the latest, which will include an assessment and proposals for system security and public awareness.
https://news.err.ee/958188/it-minister-convenes-inaugural-e-voting-working-group
https://digi.geenius.ee/rubriik/uudis/it-minister-kingo-kutsus-kokku-tooruhma-ja-votab-e-valimised-luubi-alla/
https://www.ituudised.ee/uudised/2019/06/07/it-minister-kingo-kutsub-kokku-e-valimiste-tooruhma
https://mkm.ee/et/uudised/kinnitati-e-valimiste-tooruhma-koosseis
https://www.mkm.ee/et/uudised/valiskaubandus-ja-it-minister-kutsub-kokku-elektroonilise-valimissusteemi-ja-elektroonilise
[2019-06-19] President has rejected the amended Defence Forces Organisation Act for the second time, the Supreme Court will look into the constitutionality of the act this fall. The bill of amendments would grant the Estonian Defence Forces (EDF) the right to secretly gain access to data of the state, municipalities, and legal as well as private persons. EDF argues that this is needed to improve background checks.
https://news.err.ee/953694/supreme-court-to-decide-on-military-surveillance-expansion-this-fall
[2019-06-17] RIA is preparing to implement a new national information security standard, which will replace the ISKE reference security system, which is currently mandatory for public authorities in Estonia. In May, the public procurement process was completed and KPMG Baltics, Cybernetica and TalTech will start assembling a new information security standard. The new standard and accompanying materials should be ready by the end of next year.
https://www.ria.ee/et/uudised/olukord-kuberruumis-mai-2019.html
[2019-06-06] RIA had annual conference. The slides are available.
https://www.ria.ee/et/uudised/ria-juht-peame-pingutama-et-digiriigi-sisu-ei-jaaks-mainest-maha.html
https://www.ria.ee/et/kalender/ria-aastapaeva-konverents-06-06-2019.html
[2019-06-04] PPA will not apply contractual sanctions against SK for Mobile-ID downtime in May.
https://digi.geenius.ee/rubriik/uudis/mobiil-id-teenusepakkuja-paases-politsei-sanktsioonidest/
[2019-05-14] The report “Development and application of cryptography in the Estonian public and private sectors” commissioned by the Ministry of Defence has been released. The report prepared by Cybernetica gives an overview of the state of art in development of cryptography in Estonia, and analyzes the technological and economic potential of the field. Among recommendations is establishment of a national cryptographic competence centre and improving math and science education in Estonia.
https://www.etag.ee/wp-content/uploads/2019/05/Krypto_KAM.pdf

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2018/2019 (August)

Leave a reply

The defences took place on the last week of August.

Student: Aleksandr Tsõganov (Software Engineering MSc)
Title: Integrating User Identity with Ethereum Smart Contract Wallet
Supervisor: Orlenys López Pintado, Aivo Kalu, Kristjan Kuhi
Reviewer: Fredrik Payman Milani

Student: Rahul Puniani (Innovation and Technology Management MSc)
Title: Conceptualization of a Blockchain Based Voting Ecosystem in Estonia
Supervisor: Fredrik Payman Milani, Mihkel Solvak
Reviewer: Orlenys López Pintado

Student: Indrek Purga (Conversion Master in IT)
Title: Detection of forged PDF documents
Supervisor: Kristjan Krips
Reviewer: Alo Peets

Student: Shahla Atapoor (Computer Science MSc)
Title: On Privacy Preserving Blockchains and zk-SNARKs
Supervisor: Helger Lipmaa, Janno Siim, Karim Baghery
Reviewer: Ivo Kubjas

Student: Mart Simisker (Computer Science MSc)
Title: Security of Health Information Databases
Supervisor: Jan Willemson, Dominique Unruh
Reviewer: Meelis Roos

Links:
https://comserv.cs.ut.ee/ati_thesis/index.php?year=2019
https://www.cs.ut.ee/sites/default/files/www_ut/augusti_kaitsmiste_ajakava_28-08-2019.pdf

Cyber Security Engineering bachelor’s theses defense in TalTech (June 2019)

Leave a reply

Monday, June 3 at 9.00-15.00, room 217, curriculum Cyber Security Engineering
Chairman of the Defence Committee: Valdo Praust
The Defence Committee: Kaido Kikkas, Toomas Lepikult

• Steven Rugam, “Cyber Security Assessment for Panbaltic Information System”
• Mikus Teivens, “Detection of Web-based Malware in Linux Environment Using YARA”
• Farhan Nayeem Islam, “Testing and Comparing Android Based Penetration Testing Tools”
• Mark Parfeniuk, “Designing Effective Measures to Promote Secure Video Conferencing”
• Frank Korving, “Choosing and Implementing Continuous Integration: the Case of Certidude”
• Kirill Trunov, “Distributed Payment Automated Systems Risk Assessment and Management”
• Nika Ptskialadze, “Comparative Analysis of Open-source and Proprietary Security Information and Event Management (SIEM) Tools”
• Peep Kuulme, “Cybersecurity Awareness Training Program at Hansab Group OÜ”
• Christopher James Vallintine Carr, “Analysing the Security of Internet Facing Industrial Control Systems – Estonian Refrigeration Companies”
• Andris Männik, “Functionality and Efficiency of Modern Protection Software”

Links:
https://www.taltech.ee/itcollege/teated-8/diplomi-ja-magistritoode-kaitsmised-taltech-it-kolledzis-3-7-juuni-2019/