- [2019-05-30] In the EP elections the long-time i-voting observer was asked to stop filming the vote counting on the grounds that his camera is a communication device which could leak the results of i-voting before the allowed deadline. The observer filed a formal complaint; the response remains to be seen. It is quite naive to believe that organizational measures could prevent the results from leaking if one of the observers really wanted to do so.
  https://digi.geenius.ee/rubriik/uudis/segadus-e-haalte-vaatleja-osas-valimisteenistuse-juhi-ja-kaebaja-utlused-on-vastuolus/
- [2019-05-27] Bernhards Blumbergs (TalTech) defended his PhD thesis on “Specialized Cyber Red Team Responsive Computer Network Operations”.
  https://digi.lib.ttu.ee/i/?12015&
- [2019-05-26] In the EP elections 2019, 25.4% of voters cast their vote using the i-voting method. There was a technical glitch concerning candidate data on the electoral website, which lasted for about 12 hours and meant that candidate searches did not yield results for names that included diacritical marks.
  https://news.err.ee/946026/grazin-e-vote-cancellation-bid-rebuffed-by-electoral-committee
- [2019-05-17] Mobile-ID users have experienced phishing attacks in which the victim is tricked into authorizing the creation of Smart-ID instances, which can then be used by the attacker without the victim’s consent. Some victims lost money; the police investigation is ongoing. At the beginning of the year, users of SEB, Swedbank and LHV experienced similar phishing attacks, where the victims were asked to authorize Smart-ID transactions made by the attacker. According to the authorities, Mobile-ID and Smart-ID are secure and the negligent users are to blame.
  https://digi.geenius.ee/rubriik/uudis/ettevaatust-kurjategijad-petavad-tana-eestlastelt-smart-id-paroole-valja/
- [2019-05-17] SK’s Mobile-ID service again experienced unexpected downtime, this time for more than 24 hours. Due to the downtime EMTA decided to extend the deadline for submitting declarations. PPA is considering imposing contractual fines on SK. The contract is confidential, so it is not known how much the state pays SK or what benefit the state gets from being formally involved in the “issuance” of Mobile-IDs.
  https://digi.geenius.ee/rubriik/uudis/mis-juhtus-mobiil-id-ga-ja-miks-see-veel-ikka-osaliselt-maas-on/
- [2019-05-13] The new IT minister announced plans to conduct an analysis of the i-voting system and an independent international audit to make sure that the i-voting process is transparent and ultimately verifiable. The previous IT minister, who resigned shortly after being appointed, stated that the coalition would consider ending i-voting if it does not withstand “the toughest tests”.
  https://digi.geenius.ee/rubriik/uudis/uus-it-minister-kaalume-e-valimiste-lopetamist-kui-see-ei-pea-vastu-koige-kovematele-testidele/
- [2019-05-09] RIA and MoD are offering 1.1 million for the study “Simulation of Critical Information Infrastructure Protection in the Cyberspace”. The purpose is to develop a virtual environment in which to simulate situations in the area of vital critical information infrastructure.
  https://www.ituudised.ee/uudised/2019/05/09/riik-otsib-kuberkaitse-uuringu-labiviijat
- [2019-04-23] The Estonian Foreign Intelligence Service has published a job ad looking for a Microsoft administrator and IT support personnel. It is not common for intelligence agencies to publish job advertisements.
  https://digi.geenius.ee/rubriik/uudis/eesti-koige-salajasem-luureamet-otsib-enda-ridadesse-avalikult-kahte-it-tootajat/
- [2019-04-03] Baltic Security and Security Summit took place. Among the Estonian speakers were Liisa Past and Uko Valtenberg.
  https://tehnika.postimees.ee/6560059/otseulekanne-infoturbekonverentsilt-security-summit
- [2019-04-01] RIA released the “Annual Cyber Security Assessment 2019”. Among other things it includes an interview with Dominique Unruh (UT) about post-quantum cryptography.
  https://www.ria.ee/sites/default/files/content-editors/kuberturve/kuberturvalisus-2019.pdf
- [2019-04-01] In the “Annual Cyber Security Assessment 2019” RIA disclosed details about the vulnerability in the eesti.ee authentication system discovered on June 29, 2018. It turns out that the bank link implementation on the eesti.ee side did not verify the signature, which allowed an attacker to bypass authentication. According to RIA, they checked the logs and found no evidence of the flaw being exploited. It is not said whether the logs actually contained the full parameters needed to retrospectively verify the signatures.
  https://digi.geenius.ee/rubriik/uudis/eesti-ee-keskkonnas-oli-ohtlik-turvaviga-mis-lubas-sinna-siseneda-teise-inimesena/
- [2019-04-01] RIA plans to expand the i-voting system to referendums and other types of elections.
  https://news.err.ee/925891/information-system-authority-looks-to-expand-e-voting-as-continuous-service
- [2019-03-22] The Ministry of the Interior published a code of conduct for crisis situations, among other things recommending being prepared for disruptions in e-services, including the ID card, Mobile-ID, and other means of authentication.
  https://kriis.ee/en/preparing-for-crisis-situations/cyberattack-or-cyber-incident/
- [2019-03-22] Margus Noormaa was appointed the new Director General of RIA by the Minister of Economic Affairs and Communications (MKM).
  https://www.err.ee/922725/ria-peadirektoriks-saab-margus-noormaa
- [2019-03-22] From the leaked password dumps journalists found at least 356 passwords belonging to people working in the public sector. The head of CERT-EE claims that the cyber hygiene of state officials has improved in recent years.
  https://digi.geenius.ee/rubriik/uudis/ria-lekkinud-paroolid-naitavad-kuberhugieeni-taset-viis-aastat-tagasi/
- [2019-03-20] Mihkel Solvak (UT) gave the presentation “Anonymized i-voting log data: how can it be used or abused to understand voter behavior?” (time: 1:15:07).
  https://www.uttv.ee/naita?id=28355
- [2019-03-14] Authorities plan to perform a security analysis to decide whether to implement i-voting with mobile phones starting in 2021.
  https://digi.geenius.ee/rubriik/uudis/riigi-plaan-mobiiliga-saab-haaletada-juba-jargmistel-valimistel/
- [2019-03-13] Aivo Kalu (Cybernetica AS) gave a presentation on the SplitKey technology used by the Smart-ID solution.
  https://csrc.nist.gov/CSRC/media/Presentations/SplitKey-Case-Study/images-media/Kalu%20and%20van-de-Poll-threshold-crypto-March-2019.pdf
- [2019-03-13] Cybernetica released a new cryptography study commissioned by RIA. This time the focus is on post-quantum cryptography.
  https://www.ria.ee/et/uudised/kruptograafia-uuring-aitab-kaasa-turvalisemate-lahenduste-leidmisele.html
- [2019-03-07] The Estonian pet register used a 15-digit chip identifier which was not random. This allowed downloading data about thousands of dogs and cats and their owners.
  https://epl.delfi.ee/news/eesti/ule-eestiline-register-voimaldas-alla-laadida-tuhandete-lemmikloomaomanike-andmeid?id=85544497
- [2019-03-07] The President refused to promulgate the new law that would grant the Estonian Defence Forces (EDF) the right to secretly gain access to data of the state, legal persons as well as private persons, clandestinely follow individuals, and carry out other surveillance activities against persons.
  https://news.err.ee/946931/riigikogu-backs-extension-of-military-surveillance-capabilities
- [2019-03-05] CERT-EE warned about malware emails originating from the @swedbank.ee domain. Part of the blame, however, must be taken by Swedbank, because it has not enabled DKIM email authentication for the swedbank.ee domain.
  https://twitter.com/SadEstonianIT/status/1110220361575120896
- [2019-03-02] In the Riigikogu elections 2019, 43.8% of voters cast their vote using the i-voting method. One antivirus product considered the i-voting application a virus. There were many appeals. Two appeals related to the i-voting procedure reached the Supreme Court, but were rejected. However, the Supreme Court found that the rules in place for identifying, counting and mixing the votes, as well as signing the results, should be clarified in regulatory acts.
  https://news.err.ee/924034/supreme-court-e-voting-regulations-need-legal-act-clarification
- [2019-03-01] RIA is planning a public procurement for developing an Estonian information security standard.
  https://www.ria.ee/et/uudised/kolmapaeval-toimub-riigihanke-eesti-infoturbestandardi-valjatootamine-teabepaev.html
- [2019-02-28] Starting from March, SEB and Swedbank will stop providing ID card support services. PIN code replacement will be possible only at PPA customer service points.
  https://digi.geenius.ee/rubriik/uudis/homsest-saab-id-kaardi-pin-koode-asendada-ainult-politseis/
- [2019-02-28] The Data Protection Inspectorate ordered the shutdown of a website of math exercises for minors, because no data protection terms were published and personal data of persons under the age of 13 was processed without the consent of the parents.
  https://digi.geenius.ee/rubriik/uudis/matemaatikaulesannete-veebileht-edastab-avalikult-paroole-ja-naitab-opilaste-isikuandmeid/
- [2019-02-25] The Estonian social network rate.ee stores plaintext passwords, and recently a critical flaw was found which allowed reading private messages.
  https://tehnika.postimees.ee/6531236/korobeiniku-flirdiportaali-rate-ee-kasutajate-eravestlused-voisid-lekkida
- [2019-02-09] The Tallinn public transport ticket system, which allows passengers to pay with contactless payment cards, has no real-time communication with banking systems and debits the amount when it gets online. As a result, it is also possible to pay with bank cards on which contactless payments have been disabled. The good news (for passengers) is that debiting payments from these cards will fail. To fight free-riders, such payment cards will be blacklisted by the ticketing system terminals after their use.
  https://raha.geenius.ee/eksklusiiv/auk-piletisusteemis-validaator-vottis-pangakaardilt-raha-ehkki-viipemaksed-olid-keelatud/
- [2019-02-07] Apparently, in Estonia the information about what property a person owns is public information.
  https://digi.geenius.ee/rubriik/uudis/kas-teadsid-sellest-portaalist-saab-igauks-tasuta-vaadata-millist-kinnisvara-sa-omad/
- [2019-02-07] The Estonian Foreign Intelligence Service released its annual report, describing cyber threats on page 52. No crypto puzzle this year.
  https://www.välisluureamet.ee/pdf/raport-2018-ENG-web.pdf
- [2019-02-04] Former State Prosecutor Steven-Hristo Evestus will continue his career at the cybersecurity company CybExer Technologies. CybExer has already hired top personnel from NATO CCDCOE, CERT-EE, SK, and others.
  https://digi.geenius.ee/rubriik/uudis/steven-hristo-evestus-liitub-cybexeriga/
- [2019-01-31] All three major Estonian banks, SEB, Swedbank and LHV, joined the flash payment system today, which means that up to 95% of payments within Estonia will reach the recipient in just a few moments.
  https://tehnika.postimees.ee/6512535/eesti-pankade-vahel-liiguvad-tanasest-maksed-valgukiirusel
- [2019-01-31] The court has ordered PPA to take down a video showing the detention of a crime suspect. The court found that even though the important details that would allow the person to be identified were blurred, the person had become identifiable by means of additional available information.
  http://www.delfi.ee/news/paevauudised/eesti/politsei-peab-eemaldama-sotsiaalmeediast-video-hubert-hirve-kinnipidamisest?id=85191065
- [2019-01-30] On January 17, a data leak with 280 000 email addresses and passwords from Estonian domains (.ee) was published.
  https://www.ria.ee/et/uudised/jaanuaris-avalikustatud-andmelekkekogu-sisaldab-460-000-eesti-meiliaadressi.html
- [2019-01-28] From 1 to 5 July 2019, the annual Cyber Security Summer School will take place. The focus this year will be on blockchain technologies and their impact on digital transformation.
  http://studyitin.ee/c3s2019
- [2019-01-28] The 5th Interdisciplinary Cyber Research (ICR) Conference 2019 will take place on 29 June 2019. The deadline for abstracts is 15 April 2019.
  https://www.taltech.ee/institutes/centre-for-digital-forensics-cyber-security/events-19/interdisciplinary-cyber-research-icr-workshop/icr2019-3/
- [2019-01-25] Card payments rise as ATM withdrawals fall. In Estonia around €1.50 is spent by card for every €1 withdrawn.
  https://news.err.ee/904120/card-payments-rise-as-atm-withdrawals-fall
- [2019-01-23] Martin Paljak found that the entire electronic functionality of the new Estonian ID card can also be used over the contactless interface. To establish the connection, only the CAN code printed on the ID card must be known.
  https://github.com/martinpaljak/esteidhacker/wiki/NFC
- [2019-01-21] Geenius drew attention to a registration form on a school’s website which was not served over a secure connection. Good to see that non-TLS forms are no longer accepted as the norm.
  https://digi.geenius.ee/rubriik/uudis/reaalkool-kogus-sisseastumise-isikuandmeid-ule-ebaturvalise-uhenduse/
- [2019-01-16] A court decided that the private company “Europark Estonia” has the right to obtain personal data of car owners from the traffic register maintained by the Road Administration. The Road Administration decided not to appeal the decision.
  https://majandus24.postimees.ee/6500697/kohus-europark-voib-maanteeametilt-nouda-parkimisrikkujate-andmeid
- [2019-01-14] The use of Smart-ID in state services is held up by price negotiations, Smart-ID being twice as expensive as Mobile-ID.
  https://geenius.ee/uudis/smart-id-kasutamine-riigi-teenustes-seisab-hinnalabiraakimiste-taga/
- [2019-01-12] From February, three major banks, SEB, Swedbank and Coop Bank, will discontinue code cards, Smart-ID being the most popular tool for authentication.
  https://tehnika.postimees.ee/6499400/25-000-swedbanki-klienti-ahvardab-veebiteenuseta-jaamine
- [2019-01-11] MKM issued a regulation specifying requirements for Trust Service Providers who provide certification services for certificates included in Estonian identity documents. According to the regulation, the OCSP certificate validity service is currently recognized as a vital service, while time-stamping and the Mobile-ID service are not.
  https://www.riigiteataja.ee/akt/115012019011
- [2019-01-10] A scientific study of Estonian X-Road usage log patterns suggests that e-governance adoption is linear.
  https://www.sciencedirect.com/science/article/pii/S0736585318309390
- [2018-12-27] RIA released the white paper “Identity Management and Identity Documents 1.0”.
  https://www.ria.ee/sites/default/files/content-editors/EID/valge-raamat-2018.pdf
- [2018-10-23] The Bank of Estonia has published interesting statistics about bank card fraud in 2016. The majority, 76% of fraudulent transactions, are related to e-shopping on the Internet, 18% to payment terminals and only 6% to ATMs.
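The 2019-04-01 eesti.ee item above describes two things: a relying party that trusted a bank-link callback without verifying its signature, and an incident review that could only say "no evidence" if the logs kept enough to re-check signatures afterwards. The following is an added illustration, not code from eesti.ee, RIA or any bank, showing the flawed pattern next to a hardened handler that verifies the signature, rejects replays, and logs the full parameter set so that retrospective verification is possible. The field names (VK_SERVICE, VK_USER, VK_NONCE, VK_MAC) and the use of HMAC-SHA256 as the "signature" are stand-ins chosen to keep the example standard-library only; real bank-link protocols use the bank's asymmetric signature, which the page does not detail, and the personal codes are constructed sample values.

```python
"""Bank-link style login callback handling: flawed vs hardened.

Added example; assumed field names and an HMAC stand-in for the bank's
signature. The shared key and personal codes are constructed values.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

SIGNED_FIELDS = ("VK_SERVICE", "VK_USER", "VK_NONCE")


def canonical(params: Dict[str, str]) -> bytes:
    """Length-prefix every signed field so boundaries are unambiguous
    ("ab"+"c" and "a"+"bc" must not yield the same byte string)."""
    return "".join(f"{len(params[f]):03d}{params[f]}" for f in SIGNED_FIELDS).encode()


def sign(params: Dict[str, str], key: bytes) -> str:
    """Stand-in for the bank's signature over the canonical parameter string."""
    return hmac.new(key, canonical(params), hashlib.sha256).hexdigest()


def login_unverified(params: Dict[str, str]) -> str:
    """The flawed pattern: the identity is read straight from the callback and
    VK_MAC is never checked, so whoever submits the callback picks the user."""
    return params["VK_USER"]


class BankLinkVerifier:
    """Hardened relying-party side: signature check, replay check, audit log."""

    def __init__(self, bank_key: bytes) -> None:
        self.bank_key = bank_key
        self.seen_nonces: set = set()
        # Every callback is logged in full (signed fields plus signature) before
        # any decision, so signatures can be re-verified during an incident review.
        self.audit_log: List[Dict[str, str]] = []

    def login(self, params: Dict[str, str]) -> Optional[str]:
        self.audit_log.append(dict(params))
        if any(f not in params for f in SIGNED_FIELDS + ("VK_MAC",)):
            return None  # incomplete callback
        if not hmac.compare_digest(sign(params, self.bank_key), params["VK_MAC"]):
            return None  # signature does not cover these field values
        if params["VK_NONCE"] in self.seen_nonces:
            return None  # replay of an earlier, genuine callback
        self.seen_nonces.add(params["VK_NONCE"])
        return params["VK_USER"]

    def reverify_log(self) -> List[bool]:
        """Retrospective check: which logged callbacks carried a valid signature.
        Only possible because the log kept the full parameter set."""
        return [
            all(f in e for f in SIGNED_FIELDS)
            and hmac.compare_digest(sign(e, self.bank_key), e.get("VK_MAC", ""))
            for e in self.audit_log
        ]


def demo() -> Dict[str, object]:
    """Run both handlers on a genuine callback, a tampered copy and a replay."""
    key = b"constructed-bank-key-for-the-example"
    genuine = {"VK_SERVICE": "3013", "VK_USER": "38001010000", "VK_NONCE": "n-0001"}
    genuine["VK_MAC"] = sign(genuine, key)
    tampered = dict(genuine)
    tampered["VK_USER"] = "49002020000"  # identity changed, signature left as is

    verifier = BankLinkVerifier(key)
    return {
        "unverified_accepts_tampered": login_unverified(tampered),
        "verified_rejects_tampered": verifier.login(tampered),
        "verified_accepts_genuine": verifier.login(genuine),
        "verified_rejects_replay": verifier.login(genuine),
        "log_signature_validity": verifier.reverify_log(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The replayed callback shows why the audit log and the signature check are separate questions: its signature re-verifies as valid, yet the login was correctly refused because the nonce had already been used. A log that stored only the accepted user identity, without the signed fields and the signature, would not allow either distinction to be made after the fact.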
Cyber Security Newsletter 2019-06-02