- [2019-09-03] OSCE assessed the Estonian 2019 parliamentary elections and has produced a report containing recommendations for i-voting. According to OSCE, the Election Service should develop a strategy to reduce the risk of internal attack before the next election, and should also publish third-party risk assessments, audits and other reports before the next election.
- [2019-09-03] Uku Särekanno, head of cyber security at RIA, will from October take up a post at the European Union’s IT agency eu-LISA, where he will coordinate the deployment of new large-scale databases in the Schengen area. RIA will be looking for a new Deputy Director General.
- [2019-09-03] Estonian passports will be manufactured by ID Global Solutions Limited. They will provide all the templates and equipment, but PPA will print the passports. Currently Gemalto OY provides the service (until 2021). To mitigate risks, the state prefers to purchase ID-1 format documents and travel documents from different companies (source: Lips et al.).
- [2019-08-29] I-voting workgroup members have submitted 30 suggestions for improvements. Among them is the proposal to increase the number of people involved in conducting and supervising elections and to raise the number of independent observers at election counts.
- [2019-08-23] MoD announced an MSc thesis scholarship competition in the categories: cryptography; situational awareness; accounting of defense material; planning and management of defense infrastructure; drones. The Master’s thesis scholarship competition is aimed primarily at students entering the Master’s program, but applications may also be submitted by second-year students who have not yet chosen a Master’s thesis topic.
- [2019-08-15] The Minister of Finance showed the Director General of PPA a printout with a line stating that the document had been digitally signed. It turned out that the document was only a draft that had not been signed. This created a discussion on whether the printout was a forgery.
- [2019-08-06] The Estonian government approved objectives to simplify the processing of identity documents at foreign representations by introducing online applications and streamlining passport deliveries by mail. Contrary to the government proposal, PPA considers that mailing documents carries security risks and is currently not working on such a plan.
- [2019-08-07] Microsoft Security Response Center published the list of the 75 most valuable security researchers who have contributed to securing Microsoft’s customers and the broader ecosystem this year. Estonian Jaanus Kääp is among them. He was also on the list last year.
- [2019-08-07] Gemalto left Estonia without paying PPA the legal expenses of the litigation process.
- [2019-07-31] Visually impaired people claimed 10 000 EUR from RIA due to faulty DigiDoc4 software that did not support screen readers for nearly a year. RIA refused to pay.
- [2019-07-28] Silvia Lips, Krista Aas, Ingrid Pappel and Dirk Draheim wrote an article, “Designing an Effective Long-Term Identity Management Strategy for a Mature e-State”, in which they analyze the process of developing the identity management strategy white paper.
- [2019-07-26] The head of SK ID Solutions reported a scam in which criminals promise earnings of several thousand euros. During a Skype call people are asked to share access to their computer. After the connection is made, people are prompted to insert their ID card into the computer, and the criminals use it to create a Smart-ID account on behalf of the person. This is quite an extreme scam which is hard to prevent by technological means. Nevertheless, these scams should not be used as an excuse for the scams that rely on the poor security design choices of Mobile-ID/Smart-ID.
- [2019-07-23] The IT minister is to establish a cybersecurity working group whose task will be to coordinate the implementation of the 2019-2022 cybersecurity strategy. This is the third strategy document for the cybersecurity and safety field; it defines a longer-term vision for the sector, the objectives to be achieved, and the priority courses of action, roles and responsibilities for achieving them.
- [2019-07-22] The first-ever Tallinn Summer School of Cyber Diplomacy was held in Estonia, bringing to Estonia approximately 80 diplomats, researchers and experts engaged in cyber issues.
- [2019-07-22] Cyber Security Summer School 2019 took place. This time it was organized by UT on the blockchain topic.
- [2019-07-17] Estonian Juhan Lepassaar was elected from among 80 candidates to become the next executive director of the European Union Agency for Cybersecurity (ENISA).
- [2019-07-12] Olerex had its customer transaction database stolen. The leak affects about 100 000 transactions concluded in the previous month and a half. It consisted mostly of business clients’ names, personal identification numbers, fueling limits and other undisclosed pieces of data. The database was freely available online for a month and a half. Olerex claims that the data was downloaded only by an IT security expert who has confirmed to Olerex that the data has been deleted.
- [2019-07-10] The Tartu Smart Bike Share website maintained by Bewegen Technologies had a security flaw which allowed access to the personal data of registered users (contact details and usage history). Bewegen fixed the flaw within a few hours and claimed that nobody except the person who reported the flaw had accessed the data.
- [2019-07-10] Smart-ID account creation using Mobile-ID has been augmented with an SMS notification containing a security code that has to be entered when creating a Smart-ID instance. This should prevent Mobile-ID phishing attacks aimed at Smart-ID account creation. To date, there are 42 cases in Estonia where counterfeit Smart-ID accounts were created, and in 10 of those cases the account was actually used. Unfortunately, this does not address Mobile-ID/Smart-ID phishing attacks against other services.
- [2019-07-03] Web shop charlot.ee leaked usernames, home addresses and plaintext passwords of 14 000 users. The personal details were published as plain text documents and were easily found by googling. The manager of the company initially denied the leak, but later admitted it. So far, there have been no cases in Estonia where the Data Protection Inspectorate has fined a company for a data leak.
- [2019-07-02] At the National Defense Council meeting it was agreed that MKM would come out by the end of the year with proposals to strengthen the country’s cryptographic and information security areas. An overview was also given of the current status of the activities agreed following the ID-card crisis of 2017.
- [2019-06-28] Email notices sent by the state to personal_ID_code@eesti.ee (but not email@example.com) address will be stored on a virtual “mailbox” on eesti.ee, regardless of whether e-mail forwarding has been configured.
- [2019-06-28] ICR2019 workshop took place. Video recordings of the presentations are online.
- [2019-06-26] PPA found that due to a technical failure, for more than 15 000 automatically revoked ID cards the certificates were not revoked, which in 285 cases resulted in the ID card of a deceased person being electronically abused by other persons. The bug was discovered already in 2015, but investigated only in the beginning of 2019. Praise to the authorities for not sweeping the incident under the carpet!
- [2019-06-26] Father of i-voting Tarvi Martens made quite a strong statement saying that the i-voting system has no weaknesses and nothing depends on people or computers.
- [2019-06-22] Märt Põder wrote in his blog why he accepted the invitation to take part in the i-voting workgroup.
- [2019-06-21] The i-voting workgroup has been established and members have been listed. The working group is headed by MKM and includes RIA, the election service, research institutions and other experts. The task of this working group will be to analyze the security and transparency of electoral system processes and, if necessary, make suggestions for improvement. The workgroup will present its report by 12 December 2019 at the latest, which will include an assessment and proposals for system security and public awareness.
- [2019-06-19] The President has rejected the amended Defence Forces Organisation Act for the second time, and the Supreme Court will look into the constitutionality of the act this fall. The bill of amendments would grant the Estonian Defence Forces (EDF) the right to secretly gain access to data of the state, municipalities, and legal as well as private persons. EDF argues that this is needed to improve background checks.
- [2019-06-17] RIA is preparing to implement a new national information security standard, which will replace the ISKE reference security system, which is currently mandatory for public authorities in Estonia. In May, the public procurement process was completed and KPMG Baltics, Cybernetica and TalTech will start assembling a new information security standard. The new standard and accompanying materials should be ready by the end of next year.
- [2019-06-06] RIA held its annual conference. The slides are available.
- [2019-06-04] PPA will not apply contractual sanctions against SK for Mobile-ID downtime in May.
- [2019-05-14] The report “Development and application of cryptography in the Estonian public and private sectors”, commissioned by the Ministry of Defence, has been released. The report, prepared by Cybernetica, gives an overview of the state of the art in the development of cryptography in Estonia and analyzes the technological and economic potential of the field. Among the recommendations are the establishment of a national cryptographic competence centre and improving math and science education in Estonia.
Cyber Security Newsletter 2019-09-05