8th of July, 2017 — Tallinn, Estonia
The aim of the workshop is to bring together young as well as established scholars undertaking research in various disciplines related to information and communication technologies such as computer sciences, political and social sciences, and law.
You can participate as a speaker (submitting an abstract+delivering a presentation) or simply join our wonderful audience. Speakers are requested to submit a 1000-word abstract.
Agenda:
08:30 – Registration
09:00 – Opening words, Dr Anna-Maria Osula & Prof Olaf Maennel
09:10 – Keynote, “The Triangle of Impossibility: Strategic Decision-Making and Cyber Security”, Mr Lauri Almann
10:05 – Keynote, “The Truth about Hacking. From Russia to Hollywood.”, Mr Ralph Echemendia
11:00 – Coffee break
11:30 – 13:00 SESSION 1: Big Data & Privacy
Ms Kärt Pormeister, “The GDPR as an Enabler for Big Data: What Does it Mean for the Data Subject?”
Ms Maris Männiste, “Social Media and Big Data”
Ms Julija Terjuhana, “Right to Data Portability”
Mr Alexander Mois Aroyo, “Bringing Human Robot Interaction towards Trust and Social Engineering – Slowly & Secretly Invading People’s Privacy Settings”
11:30 – 13:00 SESSION 2: Security
Mr Alessandro Borrello, Mr Sioli O’Connell & Mr Yuval Yarom, “Is Dynamic Analysis of Android Applications More Effective Than Mass Static Analysis at Detecting Vulnerabilities?”
Mr Ben Agnew, “Security Applications of Additive Analogue Memory”
Mr Richard Matthews, “Isolating Lens Aberrations within Fixed Pattern Noise”
Mr Muhammad Imran Khan, “On Detection of Anomalous Query Sequences”
13:00 – Lunch
14:00 – 15:30 SESSION 3: Privacy (cont) & Cyber Crime
Dr Xingan Li, “Social Networking Services and Privacy: An Evolutionary Notion”
Mr Sten Mäses, “Gone Phishin’ (But Not to Jail)”
Mr Kristjan Kikerpill, “Cybercrime Against Business: Who Draws the Short Straw?”
Ms Anne Veerpalu, “Blockchain Technologies”
14:00 – 15:30 SESSION 4: Applied IT-Security
Prof Tobias Eggendorfer, “Using Process Mining to Identify Attacks”
Ms Belgin Tastan, “Electronic Identification System – How to Adopt, Expanding and Provide One Card for All”
Mr Aykan Inan, “Project IVA”
Mr Ayden Aba & Mr Jackson Virgo, “Equity Crowdfunding with Blockchain”
15:30 – Coffee break
15:50 – 17:00 SESSION 5: State and Cyber
Ms Maarja Toots, “Why Do e-Participation Projects Fail? The Case of Estonia’s Osale.ee”
Mr Georgios Pilichos, “Securitization of Cyberspace”
Mr Madis Metelitsa, “Addressing the Security Dilemma in Cyberspace”
Ms Somaly Nguon, “Cambodia’s Effort on Cybersecurity Regulation: Policy and Human Rights’ Implications”
15:50 – 17:00 SESSION 6: eGovernment & Security
Mr Harish Gowda & Mr Matt Reynolds, “Real-Time Video Stream Substitution”
Mr Nicolas Mayer, “The ENTRI Framework: Security Risk Management Enhanced by the Use of Enterprise Architectures”
Mr David Hubczenko, “Investigation into Twitterbot Identification Techniques”
Mr Lachlan Gunn, “Geolocation of Tor Hidden Services: Initial Results”
18:00 – Social snacks at “August”, Väike-Karja 5
SK ID Solutions declared provider of vital services
The Identity Documents Act was amended declaring the provider of certification services a vital service provider:
(31) The provider of certification service that enables digital identification and digital signing with the certificate which is entered in the documents issued on the basis of this Act is the provider of vital service specified in clause 36 (1) 8) of the Emergency Act.
[RT I, 03.03.2017, 1 – entry into force 01.07.2017]
In practice, at least currently the new status does not introduce significant new requirements, since for SK as a qualified trust service provider the operational requirements set by law were quite high anyway.
Links:
https://www.riigiteataja.ee/en/eli/521062017003/consolide
Personal data tracker service allows inferring the activities of other persons
Since March of this year, everyone has been able to check on the eesti.ee portal which state agencies have reviewed their data from the population register. The new service is a matter of grave concern to notaries, who are required to make inquiries into the population register, for example, if it is necessary to find out whether real estate may be the joint property of spouses or former spouses, or if it is necessary to organize succession proceedings based on data, including identifying potential heirs. According to Eve Strangi, Chief Executive Officer of the Chamber of Notaries, after the Data Tracker service came into being, people who did not use the notarial service themselves, but whose parents, children or spouse had done so, also noticed that their personal data had been viewed.
In most cases, people can get information that their data has been viewed, but not always. “An exception, for example, is the situation where heir data is required to make a will. However, the will until the death of the maker is secret, and the existence and content of the act cannot be disclosed to the heir earlier than specified by the law.”
Heiko Vainsalu, Head of the State Information System Agency X-Road, said that the Data Tracker highlighted weaknesses in information systems, which should now be addressed by the authorities themselves. “It is now up to the authorities to eliminate them – to improve the logic of data services and to find data services better suited to specific needs. Besides the ability to track the use and processing of the data in the state information system, the Data Tracker helps to highlight and correct the design mistakes of information systems.”
Some filters are needed. For example, the queries made by law enforcement institutions in investigating the crimes must not show up to the subjects in the Data Tracker service.
Links:
http://arileht.delfi.ee/news/uudised/andmejalgija-paljastas-notarite-salajased-toimingud?id=78131976
Possible to apply for new ID card online using bank authentication
The Police and Border Guard (PPA) have a new online portal where citizens can apply for ID cards based on previously issued identification. Beyond their existing ID cards, people could also log in using their Mobile ID or Internet bank, which is good news for Apple users, as the state’s systems typically don’t work to the full extent for anyone coming in using Apple devices. That people could use their bank to log in meant that those whose existing ID had already lost its validity could also apply for a new one, Abram added.
The solution is likely to be very welcome, as PPA has limited the number of offices where people can apply for documents to just a handful of service centers, and queues have been a constant problem. There are plans to extend the portal’s services to include passport applications as well as other processes that are currently limited to PPA’s service centers, and to include all residents of Estonia that have a personal identification code (isikukood).
The law was changed to remove the requirement for the application to be digitally signed:
§ 5. Electronic filing of application
(1) Upon submission of an application electronically, the documents specified in the Regulation shall be attached to the application electronically.
(2) An electronically filed application shall be signed digitally or submitted uniquely via an electronic channel that allows verification of identity.
(3) If an application is submitted via an electronic channel specified in paragraph 2, the applicant shall, upon issuing his identity document, confirm with the signature that the data and documents submitted by him in the application are correct.
Links:
http://news.err.ee/602902/police-opens-new-internet-environment-for-simplified-id-application
https://www.riigiteataja.ee/akt/114012017014
http://forte.delfi.ee/news/tarkvara/veebi-teel-id-kaardi-taotlemine-on-populaarne?id=79758000
Sensitive personal data published in document registers of state agencies
During a Garage48 hackathon held in Tallinn over the weekend, one participating team announced that they could not publish the results of their work as it contained too much personal data they had accidentally come across in state document registers. There are hundreds of such registers across Estonia, as each ministry, agency, local government and school has its own digital document register.
The paper noted that while the Estonian Data Protection Inspectorate does check the security of document registers, it does so by hand, and checks are often followed by monitoring procedures and, less frequently, even fines for register administrators.
A similar problem was discovered back in April by Estonian startup Texta that created its own document registers analysis tool. Co-founder of Texta Silver Traat said they discovered a lot of highly detailed personal information in the documents register of the education ministry.
“We held a workshop as part of a language technology conference where we did what the state lacks the capacity to do itself. We downloaded 150,000 documents from the ministry’s document register and discovered that they held, among other things, people’s personal identification numbers, bank account numbers, addresses. We even came across some passport numbers,” Traat described. He added that most of the information was from employment contracts.
This is the unfortunate side-effect of open data. For that data to be useful it actually has to contain at least some bits of personal data.
Links:
http://news.postimees.ee/4123431/stacks-of-sensitive-data-lying-unprotected
http://news.err.ee/597791/sensitive-personal-data-exposed-in-state-registers
Estonian “data embassy” to open in Luxembourg
Data of the Estonian administration may be stored on servers in Luxembourg as well as in Estonia already towards the end of this year. The “data embassy” created this way will contain information vital to the functioning of the state, and make an attack on the country’s systems more difficult.
As cyber security expert of Tallinn’s NATO Cyber Defence Centre of Excellence, Jaan Priisalu, says, “If an operator is planning to occupy another country, one of their objectives is going to be to take over the existing institutions, or to suppress them, and if you can make these institutions ex-territorial, take them out of reach of the potential attacker, you increase the political price of the attack.”
According to advisor to the ministry’s state information systems department, Laura Kask, negotiations were held with other countries as well, but the ones with Luxembourg had developed the furthest. “For one thing, they offer data centers with a very high level of security, and for another they are quite similar to us in terms of their IT development and their way of thinking,” Kask said. In terms of money, there are no exact figures available, but the data center in Luxembourg will be markedly more expensive than running a similar infrastructure in Estonia. There is one entry in the government’s schedule concerning the data embassies, showing an allocation of €240,000.
The physical location of the servers will remain secret, and only people cleared by the Estonian state will have access to them.
The data to be backed up in Luxembourg so far covers ten priority databases, including the information system of the Governmental Payments Office (the Estonian treasury), the pensions insurance register, the business register, the population register, the cadaster, and the identity documents database.
Even now, nothing forbids the Estonian state from storing data backups in Estonian embassies located in foreign states. Most likely the plan is to build a failover system that is kept in sync in real time.
Links:
http://news.err.ee/592384/first-data-embassy-to-open-in-luxembourg
http://www.opengovasia.com/articles/7597-exclusive%E2%80%94whats-next-for-data-management-in-estonian-government%E2%80%93data-embassies-expanding-e-residency
http://news.err.ee/602273/estonian-government-approves-setting-up-data-embassy-in-luxembourg
University of Tartu is looking for professor of cryptography
Vacancy: UT, Institute of Computer Science, Professor of Cryptography
Duties and responsibilities: Development of curricula and courses in Cryptography. Teaching subjects related to Cryptography. Supervision of PhD and Master students. Successful application for research grants, administration of them and performing the research required under the grants. See also job description.
Required qualifications: PhD or an equivalent qualification in the relevant field. See also requirements for teaching and research staff.
Required experience: Teaching experience at the university level, experience in supervising Master and PhD students. Administrative and research competence needed to provide the leadership in organising research.
Required language skills: Excellent command of English. Knowledge of Estonian is desirable but not essential.
Workload: 1,00; classroom teaching load at least 128 academic hours per calendar year
Salary: According to UT salary rules, depending on the candidate’s qualification and the level of experience. See also UT salary rules.
Starting at: 01.01.2018
Deadline: 03.08.2017
Position fields can be interpreted rather broadly: cryptography (classic, quantum and post-quantum); privacy-preserving data mining; privacy and security; new technologies like blockchain; from theoretical to more applied backgrounds. It is important to have a broad view of the field in order to be able to help our curriculum development goals as well as lead research across a broad spectrum with many smaller, more independent groups. Cryptography has been one of the strongholds of the University of Tartu and the Estonian ICT sector; many opportunities for local collaborations exist and could be developed.
Appointments will be for indefinite contracts, i.e. at immediately “tenured” level, with standard performance reviews every 5 years. Since university rules are flexible, internationally competitive levels can be negotiated dependent on ability to attract funding, international collaborations, visibility, etc.
Links:
http://www.ut.ee/en/welcome/job-offer/professor-cryptography
Cybersecurity related bachelor’s and master’s theses in University of Tartu 2016/2017
Managing Security Risks Using Attack-Defense Trees
Abstract: In this thesis, we have addressed risk management using Attack Tree. The contribution to resolve the problem in this thesis includes three steps. Obtaining an alignment from Attack-Defense trees to ISSRM. Measurement of the metrics of the nodes of tree using historical data.
Student: Salman Lashkarara
Curriculum: Software Engineering (MSc)
Supervisor: Raimundas Matulevicius
Reviewer: Meelis Roos
Defense: 01.06.2017, Tartu, J.Liivi 2-404
On Secure Bulletin Boards for E-Voting
Abstract: In this thesis, we propose a formal model for analysis of security and functionality of a bulletin board system motivated by the security requirements Culnane and Schneider introduced in Computer Security Foundations Symposium 2014.
Student: Annabell Kuldmaa
Curriculum: Computer Science (MSc)
Supervisor: Helger Lipmaa
Reviewer: Ahto Buldas
Defense: 01.06.2017, Tartu, J.Liivi 2-404
Research and Proof of Concept of Selected ISKE Highest Level Integrity Requirements
Abstract: This work takes integrity domain under detail research to meet ISKE requirements and security objectives demanded for data with highest integrity needs.
Student: Deivis Treier
Curriculum: Cyber Security (MSc)
Supervisor: Raimundas Matulevičius
Reviewer: Andrey Sergeev
Defense: 02.06.2017, Tartu, J.Liivi 2-404
Method for Effective PDF Files Manipulation Detection
Abstract: The aim of this thesis is to ease the process of detecting manipulations in PDF files by addressing its source code, before having to use other methods such as image processing or text-line examination. The result is the construction of a solid and effective method for PDF file investigation and analysis to determine its integrity.
Student: Gema Fernández Bascuñana
Curriculum: Cyber Security (MSc)
Supervisor: Pavel Laptev, Inna Ivask, Raimundas Matulevičius
Reviewer: Hayretdin Bahsi
Defense: 02.06.2017, Tartu, J.Liivi 2-404
Establishing, Implementing and Auditing Linux Operating System Hardening Standard for Security Compliance
Abstract: This paper provides a proof-of-concept solution for being compliant with operating system hardening requirements of the company by establishing, implementing and auditing Linux (Debian) operating system hardening standard.
Student: Martin Jõgi
Curriculum: Cyber Security (MSc)
Supervisor: Truls Tuxen Ringkjob, Raimundas Matulevičius
Reviewer: Marko Kääramees
Defense: 02.06.2017, Tartu, J.Liivi 2-404
A Prototype For Learning Privacy-Preserving Data Publishing
Abstract: This master thesis will discuss different threats to privacy, discuss and compare different privacy-preserving methods to mitigate these threats. The thesis will give an overview of different possible implementations for these privacy-preserving methods. The other output of this thesis is educational purpose software that allows students to learn and practice privacy-preserving methods.
Student: Rain Oksvort
Curriculum: Software Engineering (MSc)
Supervisor: Raimundas Matulevičius
Reviewer: Benson Muite
Defense: 05.06.2017, Tartu, J.Liivi 2-404
Filesystem Fuzz Testing Framework
Abstract: In the present thesis a fuzz testing framework was built, which can be used for finding time-of-check-to-time-of-use type bugs in Linux filesystems.
Student: Vladislav Alenitsev
Curriculum: Computer Science (BSc)
Supervisor: Meelis Roos, Kristjan Krips
Reviewer: Karl Tarbe
Defense: 07.06.2017, Tartu, J.Liivi 2-404
Performance Testing Bulletin Board Implementations for Online Voting
Abstract: This work takes a look at two software solutions that can be used for such purpose and analyses their performance in testing environment imitating real election workload.
Student: Marek Pagel
Curriculum: Computer Science (BSc)
Supervisor: Sven Heiberg, Janno Siim
Reviewer: Ivo Kubjas
Defense: 07.06.2017, Tartu, J.Liivi 2-404
Cybersecurity theses defence on June 9, 2017 in Tartu J. Liivi 2-403 at 10.00 AM.
Defence Committee: Raimundas Matulevičius (chairman), Olaf Manuel Maennel, Vitaly Skachek, Meelis Roos, Hayretdin Bahsi.
Grades received (random order): A, B, C, C, D.
Improving and Measuring Learning at Cyber Defence Exercises
Abstract: This thesis takes a fresh look at learning in Cyber Defence Exercises (CDXs) and focuses on measuring learning outcomes. As such exercises come in a variety of formats, this thesis focuses on technical CDXs with Red and Blue teaming elements.
Student: Kaie Maennel
Curriculum: Cyber Security (MSc)
Supervisor: Rain Ottis, Liina Randmann, Raimundas Matulevičius
Reviewer: Sten Mäses
Defense: 09.06.2017, Tartu, J.Liivi 2-403
Federation of Cyber Ranges
Abstract: This study compares two cyber ranges and looks into possibilities of pooling and sharing of national facilities and to the establishment of a logical federation of interconnected cyber ranges. The thesis gives recommendations on information flow, proof of concept, guide-lines and prerequisites to achieve an initial interconnection with pooling and sharing capabilities.
Student: Allar Vallaots
Curriculum: Cyber Security (MSc)
Supervisor: Jaan Priisalu, Uko Valtenberg, Raimundas Matulevičius
Reviewer: Rain Ottis
Defense: 09.06.2017, Tartu, J.Liivi 2-403
A New Heuristic Based Phishing Detection Approach Utilizing Selenium Webdriver
Abstract: In this paper, we focus on detecting login phishing pages, pages that contain forms with email and password fields to allow for authorization to personal/restricted content. We present the design, implementation, and evaluation of our phishing detection tool “SeleniumPhishGuard”, a novel heuristic-based approach to detect phishing login pages.
Student: Ahmed Nafies Okasha Mohamed
Curriculum: Cyber Security (MSc)
Supervisor: Olaf Manuel Maennel, Raimundas Matulevicius
Reviewer: Hayretdin Bahsi
Defense: 09.06.2017, Tartu, J.Liivi 2-403
Analysis of Exploit-kit Incidents and Campaigns Through a Graph Database Framework
Abstract: A great deal of automation can be achieved here by using public APIs such as VirusTotal, whois databases, IP blacklists, etc during the analysis and a first part of our work is dedicated to that. We will then show that this approach reveals patterns and clusters from which decisions can be made from a defensive perspective.
Student: Guillaume Brodar
Curriculum: Cyber Security (MSc)
Supervisor: Toomas Lepik, Raimundas Matulevicius
Reviewer: Arnis Paršovs
Defense: 09.06.2017, Tartu, J.Liivi 2-403
Investigation of JTAG and ISP Techniques for Forensic Procedures
Abstract: This thesis is focusing on JTAG and ISP physical acquisitions techniques. The aim is to give an overview of these techniques from a forensic point of view and in addition to some other tests will try to prove that are forensically equivalent to any other method.
Student: Stefanos Pappas
Curriculum: Cyber Security (MSc)
Supervisor: Pavel Laptev, Raimundas Matulevičius
Reviewer: Emin Caliskan
Defense: 09.06.2017, Tartu, J.Liivi 2-403
Links:
https://www.cs.ut.ee/sites/default/files/cs/kaitsmiste_ajakava_1_2_5_06.pdf
https://www.cs.ut.ee/sites/default/files/cs/kaitsmiste_ajakava_6_7_8_9_06_.pdf
Cyber Security master’s theses defense in Tallinn University of Technology (May 2017)
Monday, May 29, 2017, Akadeemia Tee 15a, Room ICT-315.
Grades received (random order): 5, 4, 4, 3, 3, 3, 2, 2.
Time: 10:00
Student: Kristjan Oja
Title: Cyber Security Awareness For IT Students Through Practical Assignments
Supervisor: Sten Mäses
Reviewer: Tiia Sõmer
Time: 10:40
Student: Sander Arnus
Title: Providing guaranteed log delivery and proof value of logs
Supervisor: Risto Vaarandi
Reviewer: Tiit Hallas
Time: 11:20
Student: Bolaji Ayoola Ladokun
Title: An Analytical Approach to Characterization of Targeted and Untargeted Attack in Critical Infrastructure Honeypot
Supervisor: Hayretdin Bahsi
Reviewer: Risto Vaarandi
Time: 12:00-13:00 – Lunch
Time: 13:00
Student: Iryna Bondar
Title: LUDROID: Evaluation of Android Malware Detection Tools and Techniques and Development of a First Line of Defense For the User
Supervisor: Emin Caliskan
Reviewer: Toomas Lepik
Time: 13:40
Student: Seifollah Akbari
Title: A New Method for the SYNful Knock Attack Implementation
Supervisor: Truls Ringkjob
Reviewer: Bernhards Blumbergs
Time: 14:20
Student: Safak Tarazan
Title: GPS Spoofing/Jamming Resilient Mini UAV Implementation Strategy
Supervisor: Truls Ringkjob
Reviewer: Juhan Ernits
Time: 15:20
Student: Danielle Morgan
Title: Security of Loyalty Cards Used in Estonia
Supervisor: Rain Ottis, Arnis Paršovs
Reviewer: Aleksandr Lenin
Time: 16:00
Student: Katrin Kukk
Title: Ensuring the digital continuity of e-Estonia in different crisis scenarios
Supervisor: Rain Ottis
Reviewer: Jaan Priisalu
Tuesday, May 30, 2017, Akadeemia Tee 15a, Room ICT-315.
Grades received (random order): 4, 4, 3, 3, 2, 1.
Time: 10:00
Student: Christopher David Raastad
Title: Euro 2.0 – Securing an Ethereum Crypto Fiat Currency System
Supervisor: Alex Norta
Reviewer: Raimundas Matulevicius
Time: 10:40
Student: Mobolarinwa Taofeek Balogun
Title: Comparative Analysis of Industrial IoT and HealthCare System IoT for Cyberterrorism
Supervisor: Hayretdin Bahsi
Reviewer: Ahto Buldas
Time: 11:20
Student: Chengxiang Wang
Title: Classification of Black-Box Security Reductions and Oracle Separation Techniques
Supervisor: Ahto Buldas
Reviewer: Peeter Laud
Time: 12:00-13:00 – Lunch
Time: 13:00
Student: Celik Neslisah
Title: Anomaly Detection Using Locked Shields Logs
Supervisor: Olaf Maennel
Reviewer: Mauno Pihelgas
Time: 13:30
Student: Sophio Sakhokia
Title: Developing a Cyber Security Master Programme for Georgia
Supervisor: Tiia Sõmer
Reviewer: Olaf Maennel
Time: 14:20
Student: Zaghum Awan
Title: Analytical Comprehensive Approach to Cyber Laundering and its Solutions
Supervisor: Tiia Sõmer
Reviewer: Andro Kull
Oberthur will produce Estonian ID cards from 2019
The Police and Border Guard Board (PPA) and French company Oberthur Technologies signed an agreement on Thursday for the production of Estonia’s ID cards, permanent resident cards, digital IDs and diplomatic IDs after the current manufacturer agreement expires at the end of 2018.
Oberthur Technologies will be responsible for the manufacture of the card and chip as well as linking the document to personal data. It will also be responsible for the functioning of the card. The French company will manufacture and personalize the cards in Estonia.
The value of the five-year contract is approximately €40 million. Under the new agreement, the expenses of the PPA for the manufacture of the ID card will remain at the present level.
A tender committee, which in addition to PPA experts included experts from the Estonian Information System Authority, the Ministry of the Interior and the ministry’s IT and Development Centre, chose the offer by Oberthur from among three different offers.
This was already the second tender. In the first tender Safran Morpho was chosen as the winner. The results of the first tender were appealed by two other participants – Oberthur Technologies and Gemalto/Trüb AG. The result of the appeal was that the current contract with Trüb AG was prolonged for one more year.
In a public procurement tender of the Estonian Police and Border Guard Board three renowned European ID producers submitted their offers. The tender committee chose the offer of Safran Morpho as the winner, the Police and Border Guard Board said.
The German company Trüb AG, which last year was acquired by Gemalto, has been manufacturing ID cards for Estonia since 2001.
It is notable that this is the first tender in the last 15 years where PPA decided to make participation in the tender available to a wider range of companies. Previous contract extensions with Trüb AG were justified by “potential security risk avoidance reasons”.
Update: Gemalto and Safran Morpho appealed the results of the tender in court.
Links:
http://news.err.ee/592722/ppa-signs-deal-with-france-s-oberthur-to-produce-ids-beginning-2019
http://www.baltic-course.com/eng/good_for_business/?doc=119884
http://uudised.err.ee/v/eesti/d5436b80-2965-4a27-9e3d-92953dc4fd4f/id-kaardi-kujundus-vahetub-hiljemalt-2018-aastast
http://arileht.delfi.ee/news/uudised/konkurendid-kahtlustavad-40-miljoni-eurose-ppa-hanke-juures-valemangu?id=74676029
http://tehnika.postimees.ee/3577961/kas-sel-korral-laheb-teisiti-riik-on-seni-tellinud-id-kaarte-vaid-uhelt-ettevottelt
http://tehnika.postimees.ee/4140063/laane-suurettevotted-kaebasid-eesti-politsei-kohtusse