- [2020-03-10] The company Unicount has developed an e-service which allows companies to be registered in Estonia using Smart-ID. Companies in the Estonian Business Register can only be directly registered using an ID card or Mobile-ID. The Smart-ID company registration service provided by Unicount is using the company registration API that has been offered since 2017 by the Estonian Business Register.
- [2020-03-06] A large-scale cyber attack simulation exercise developed by CybExer Technologies was conducted bringing together 12 Estonian companies and institutions.
- [2020-03-03] Yet another cybersecurity index has placed Estonia in the 58th position. According to the study, 1.59% of mobiles and 13.2% of computers in Estonia are infected with malware.
- [2020-02-26] For several years, the Estonian ID card software recognized digital signatures created with revoked certificates as valid signatures. Software libraries used by Estonian e-service providers are likely still affected. The EU-developed eSignature DSS library and libraries used in other EU countries are also affected.
- [2020-02-26] A Smart-ID account can now be created using biometrics. In the enrollment process the Smart-ID app retrieves the person's photo from their biometric passport over NFC and uses the phone's camera to perform face recognition. For biometric passport reading Smart-ID uses the NFC-based ReadID software of the Dutch company InnoValor, but for face recognition a cloud service provided by the UK company iProov. Contrary to the claims, the security guarantees provided by this technology are quite weak, since facial verification technology at best can verify only the presence of the person and not their intent to create a Smart-ID account. Fortunately, the person is required to confirm their intent either using a previous Smart-ID account (including non-qualified) or a security code sent over email or SMS.
- [2020-02-26] Self-censorship at UT. The university decided not to publish an article in the University of Tartu magazine, Universitas Tartuensis, about a cooperation agreement between the university and Huawei. Since the Chinese company Huawei is perceived as a potential threat to national security, the Huawei topic has become sensitive.
- [2020-02-25] Teachers and system owners of e-school environments are discussing the acceptable duration of an authenticated session after which the user is automatically logged out. According to RIA, session length is not specified in the ISKE implementation guide and it is up to the system owner.
- [2020-02-20] The e-shop reset.ee closed its doors leaving at least 275 customers without money. The police do not consider it a scam but a civil offense, inviting victims to file a claim in the bankruptcy proceedings.
- [2020-02-12] The state pays for Smart-ID on a per-use basis – the more users use Smart-ID, the more the state will have to pay (SK offers volume discounts). Smart-ID users outnumber Mobile-ID users two-to-one today. At the end of 2019, there were 230,000 Mobile-ID users and 430,000 Smart-ID users.
- [2020-02-12] The state’s Mobile-ID contract will expire in 2022. RIA and PPA will announce the procurement for a new eID solution this year. The state does not want to copy Smart-ID, but instead use something else possibly based on biometrics.
- [2020-02-12] The Estonian Foreign Intelligence Service has published their 2020 report. It contains a section on Russian cyber operations in 2019 and mentions potential Chinese threats including Huawei.
- [2020-02-12] A ridiculous incident was reported which highlighted the core weakness in Mobile-ID (and Smart-ID). A customer of Luminor Bank unexpectedly logged into a stranger’s bank account. The customer accidentally entered the wrong username and the correct owner of the username confirmed the login with his Mobile-ID. The bank acknowledged that similar incidents have happened before. SEB bank also confirmed similar incidents.
- [2020-02-12] RIA is analyzing the risks of enabling i-voting on iOS and Android mobile devices. It will also have to be decided whether to allow voting using Smart-ID in the next elections. The final decision will rest with the National Electoral Committee.
- [2020-02-11] RIA and PPA launched a cybercrime information website (cyber.politsei.ee) where people are asked to report suspicious emails, account hijacking, money stolen from accounts, etc. The data will be used to inform the public about new crime schemes and to help investigate cases.
- [2020-02-10] After the Tartu Smart Bike Share website had a security flaw which gave access to personal data of registered users, the Data Protection Inspectorate conducted a proceeding on the activities of the Tartu City Government over a longer period of time and concluded that the data leak did not pose a risk to users.
- [2020-02-05] The Estonian ID software introduced an option to sign documents with Smart-ID. Smart-ID signing in DigiDoc4 client uses the additional security measure of the Smart-ID app – the users have to choose the right verification code out of three (similar to LHV bank). Smart-ID support is also planned for Android and iOS DigiDoc apps.
- [2020-02-04] Remote verification will be launched in the e-Notary self-service portal enabling notarial acts to be carried out at Estonia’s foreign representations without physically visiting a notary’s office. In order to perform remote verification, the customer will need an Estonian ID-card, digital ID, Mobile-ID or an e-resident’s digital ID. The personal identification system of the participants will use Veriff’s biometric face recognition technology.
- [2020-01-30] RIA introduced a state signing service (SiGa) to replace DigiDocService. The service allows the creation of documents digitally signed with ID card and Mobile-ID and the validation of signatures. The service is provided to all persons performing public tasks. The software used by the service is public and allows anyone to run a similar service themselves.
- [2020-01-17] UT, CybExer Technologies, NATO CCDCOE, Thinnect and Elisa Eesti will create a cyber defense environment in the simulation of critical information infrastructure protection on a cyber training ground (whatever it is).
- [2020-01-16] A draft bill initiated by MKM would require telecoms to seek state permission when introducing new hardware and software. The security of any new tech will additionally be monitored by RIA, the Internal Security Service (ISS) and the state’s foreign intelligence agency. The restrictions are likely motivated to keep 5G networks away from the Chinese company Huawei, which is suspected of being controlled by the communist Chinese government.
- [2020-01-15] Estonian-based web security company WebARX found a critical vulnerability in the popular WordPress plugin InfiniteWP Client and WP Time Capsule.
- [2020-01-14] Cybernetica will create an automated threat information system between the US Air Force and the Estonian Defense Forces. The US-Estonian cyber-security alert information exchange system will cost €3.54 million. The contract was granted to Cybernetica without competition.
- [2020-01-14] In 2019, PPA instituted 12 disciplinary proceedings due to police officers making non-work related inquiries to the police information system. The police officer who made 35 queries was fired.
- [2020-01-10] Due to technical issues at RIA, the notification service using @eesti.ee email address was disrupted between December 19 and January 7. In total 85,000 emails were not delivered in this period.
- [2020-01-10] Geenius has contacted the biggest banks in Estonia, asking whether they have enabled security features to prevent criminals from using their domain names in e-mail spoofing attacks. Danske Bank, Svenska Handelsbanken, Citadele, SEB and Bigbank have introduced DMARC to prevent e-mail spoofing attacks. Swedbank is still (for half a year already) considering implementing DMARC. In LHV's opinion, DMARC implementation is too complicated.
- [2020-01-08] A family doctor helpline service has been opened offering personalized advice. The hotline staff will have access to a patient’s medical records if the caller grants consent authenticating with Mobile-ID or Smart-ID.
- [2020-01-07] The court denied the early release of Aleksei Vasilev, a 20-year-old student from Kingisepp convicted for finding flaws in the computer networks of Estonian state agencies on the orders of FSB. His 4-year sentence will end on November 4, 2021.
- [2020-01-04] The Minister of the Interior was asked how many cases of illegal surveillance have been investigated by authorities. According to the response, 17 cases of private surveillance were registered in 2016, 71 cases in 2017, 22 cases in 2018 and 24 cases in 2019. There was one confirmed case of illegal surveillance and covert listening in 2017.
- [2020-01-03] The database leakage of e-shop charlot.ee will be investigated by Latvian Data Protection Inspectorate, as the leaked database contained more data about clients in Latvia.
- [2020-01-03] SK ID Solutions has paid a contractual penalty to AS LHV Pank for disruptions in the functioning of the Mobile-ID service, as the maximum permitted downtime of 45 minutes was exceeded in 2019. SEB, Swedbank and Luminor refused to disclose whether they have sought contractual penalties from SK ID Solutions.
- [2020-01-01] Personnel rotation in RIA. In December, Andrus Kaarelson, Deputy Director General of the State Information System Branch at RIA, left RIA and returned to work in the private sector. Margus Arm, previously the head of the Electronic Identity Department, has been appointed Deputy Director General of the State Information System Branch. The new head of RIA's Electronic Identification Department is now Mark Erlich. In December, Lauri Aasmann took over as the new RIA Deputy Director General for Cybersecurity. Aasmann came to RIA from the NATO CCD COE, where he led a team of lawyers. Previously, he worked as a lawyer at Swedbank AS and as a prosecutor at the Northern District Prosecutor's Office and Tallinn Prosecutor's Office, where he dealt with white-collar crime and cybercrime.
- [2019-12-31] A software engineer found a flaw in the Elisa home router which gives access to the management password and access to the router over SSH. Elisa claims that this flaw can only be used by clients themselves, but cannot be used to access other client’s devices.
- [2019-12-28] Märt Põder gave the presentation “DEBRIEF ON E-VOTING IN ESTONIA” at the 36th Chaos Communication Congress (36C3), explaining his view on the i-voting in Estonia.
- [2019-12-23] A fraud case involving fake tara deposit checks caused €12,925 in damages. The fake checks were printed with a cashier printer on the same paper as the real checks. The criminals understood the composition of the bar code and configured the printer so that the printout would deceive the Maxima checkout system that prevents the use of a copy of a check receipt. It turned out that the checks were printed by an IT specialist from the company that serviced tara vending machines at Maxima stores. The criminals were tracked down using CCTV footage that is stored by the store for 30 days.
- [2019-12-23] The Supreme Court expressed its position in the case where a woman gave her ID card and PIN codes voluntarily to a man who ordered some merchandise in her name from Telia e-shop using ID card authentication. The case has been sent back to district court. According to the Supreme Court, in case the owner voluntarily gives his ID card with PIN codes to another person who uses the ID card to enter into a transaction, the transaction (or digital signature) may be valid based on the provisions of “entry into transaction through representative” (General Part of the Civil Code Act – GPoCCA – Chapter 8). As the court referenced GPoCCA § 131, this construction can still be attacked and the signed contract later annulled.
- [2019-12-21] MyHits radio uploaded, on Google Docs, a publicly available document containing names, phone numbers and email addresses of all participants in their prize game. The link was embedded in the source code of the prize game website. The subjects and Data Protection Inspectorate have been informed.
- [2019-12-20] A group of Estonians used blank chip and PIN cards containing stolen credit card data to empty bank accounts of Indian, Bangladeshi and Pakistani victims. The criminals also attempted to order 17 phones in total from Klick using a Japanese credit card, but were reported to the police.
- [2019-12-19] The Supreme Court of Estonia ruled that the bill expanding EDF surveillance rights is unconstitutional. The court said that the covert collection and processing of personal data may be necessary for the effective defense of domestic and external peace, however, legislation should establish efficient procedural guarantees similar to those set out in the Code of Criminal Procedure, in order to eliminate the possibility of the person against whom surveillance is conducted not being informed of the EDF having processed their data.
- [2019-12-18] A secret camera was found at a metal company AKG Loots. The high-tech camera was installed under the ceiling of the production workshop and was in constant communication. Industrial espionage is suspected, as the company has several international clients with classified contracts.
- [2019-12-17] From 2020 PPA will introduce a 5 EUR fee for obtaining a new ID card PIN envelope.
- [2019-12-16] Mobile-ID was down for two hours.
- [2019-12-14] A Viljandi hospital patient learned that a hospital nurse had viewed her health information and shared it in Facebook messages with her friend. The nurse has been fined for data breach.
- [2019-12-12] The i-voting workgroup published the full report with 25 proposals to improve the i-voting system enhancing credibility and managing risks. In the IT Minister’s opinion, several important directions have been outlined and following working groups should be set up to go deeper into the more specific topics. In Märt Põder’s opinion, the report is a failure as the verifiability(?) issue has not been addressed.
- [2019-12-12] Florian Hartleb wrote an article “e-Estonia. Europe´s Silicon Valley or a new 1984?”. The article mentions X-Road, personal ID code, DDoS attacks in 2007, Infineon ID card crisis in 2017 and data embassy project. Contrary to the title, the privacy aspects are not discussed in depth.
- [2019-12-06] Former Minister of Rural Affairs Mart Järvik claimed that he had detected “bugs” in his office in one section of the ceiling. He tried two eavesdropping detection devices borrowed from his friends. Later, according to an unnamed source, the detected device turned out to be a device for amplifying Wi-Fi signals.
- [2019-12-05] A cryptographer from the Republic of Senegal published a subtle attack against the Smart-ID clone detection mechanism described in the original Smart-ID paper. The flaw allows an attacker who has cloned a victim's Smart-ID app instance to forge signatures before the victim has used his instance, such that when the victim later uses his Smart-ID instance, the attacker's clone which was used to forge signatures is not detected by the server. The flaw lies in the fact that, according to the protocol description, the next expected request ID is set by the client and not the server. This means that after the attack the attacker can reset the next request ID to match the request ID stored in the victim's Smart-ID instance, so that the victim's next request is accepted by the Smart-ID server. SK has responded that the actual Smart-ID implementation uses an updated clone detection mechanism which is not affected by this flaw.
- [2019-12-03] Toomas Vaks, former RIA Deputy Director General for Cybersecurity, wrote an opinion piece about cyber risks.
- [2019-12-02] Agu Kivimägi wrote his thoughts about the recently highlighted issue that the time of signing of a digitally signed file can be changed.
- [2019-12-02] SEB has made an update to its Android mobile app, which now allows SEB customers to make payments by touching a payment terminal with their mobile phone. The app can be used to pay for mobile purchases up to €150 if NFC has been enabled on the phone.
- [2019-11-29] Phishing attacks against Smart-ID users have advanced. Now attackers are performing active attacks and displaying to victims the correct Smart-ID verification code. The usual defense of comparing verification codes does not work anymore. Now the only defense is to verify that the authentication is performed in the expected web site.
- [2019-11-29] CERT-EE warned about scam emails sent in the name of SEB bank. A victim from Tartu lost €4,777 in the scam. Security specialists have pointed out that SEB is endangering their clients by not configuring SPF+DMARC to prevent email spoofing using seb.ee domain.
- [2019-11-27] Registration of marriage is one of the few things that cannot be concluded digitally. The state is now analyzing the possibility of making marriage registration easier and partly accessible through the state portal eesti.ee.
- [2019-11-26] People sent letters to the Ministry of Justice and the Chancellor of Justice expressing their dissatisfaction with the fact that the real estate owned by them can be searched in the electronic land register by anyone. The land register has now been modified such that only an authenticated user would be able to search for real estate by name or personal identification code leaving an audit trail.
- [2019-11-20] A communication channel has been set up between the police and Facebook, allowing police officers to access Facebook account holders' information in minutes if the police estimate that there is a real risk to human life. If there is no immediate threat, the request will take longer, sometimes a couple of days. In 2019, PPA asked Facebook about 88 accounts, requiring a quick response nine times. Account freezes have been requested for 14 accounts.
- [2019-11-20] Using a fake Facebook account, death threats were made towards Reform Party leader Kaja Kallas. According to PPA, the perpetrators are based in Sweden and therefore Kallas’ life was in no immediate danger.
- [2019-11-20] Rats seriously damaged RIA’s underground optical cable affecting the operation of eesti.ee and the services of the Health Insurance Fund. Although physical network connections are duplicated, these e-services failed to automatically move to another channel.
- [2019-10-30] The Estonian Research Council has financed the creation of a programmable USB device with an RGB LED and a button, which can be programmed, for example, to emulate a keyboard and send key strokes after it is plugged into the computer. The device was given out to high school students at the Robotex event.
- [2019-09-25] The requirement for an age check when ordering alcohol online is not enforced by all e-shops. Some parcel terminals require the ID card of an adult to be inserted, but the terminal does not ask for a PIN code (which means that the process does not involve any cryptography).
- [2019-04-26] TalTech in cooperation with others have created a High School Cyber Security Selection Course Digital Textbook. The textbook contains material on various topics and includes a lot of unseen video materials.
- [2017-01-27] In Tallinn Circuit Court, defendants contested the integrity of a piece of electronic evidence (a virtual machine image containing Skype logs), based on the fact that the integrity of the disk image was attested by calculating its hash using the outdated MD5 hash function. The defendants demonstrated a practical MD5 collision attack by showing that two visually different image files had the same MD5 hash value. The court correctly noted that while the MD5 function is not collision resistant, it is still second pre-image resistant, which guarantees the integrity of the collected evidence.
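The 2020-02-26 item on signatures created with revoked certificates comes down to one check a validator must make: was the signer's certificate still valid at the time the signature was provably made? The following is an added example, not code from the newsletter, the ID card software or the DSS library; the certificate serials, times and revocation data are constructed, and the model ignores reason-code subtleties (e.g. key compromise backdating).

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

@dataclass
class Certificate:
    serial: str
    not_before: datetime
    not_after: datetime
    # Revocation time learned from a CRL/OCSP lookup; None means not revoked.
    revoked_at: Optional[datetime] = None

@dataclass
class Signature:
    cert_serial: str
    # Time proven by the OCSP response / timestamp inside the container, not the
    # claimed signing time coming from the signer's own computer clock.
    attested_time: datetime

def validate(sig: Signature, certs: Dict[str, Certificate]) -> Tuple[bool, str]:
    """Return (is_valid, reason) for a signature against the known certificates."""
    cert = certs.get(sig.cert_serial)
    if cert is None:
        return False, "unknown certificate"
    if not (cert.not_before <= sig.attested_time <= cert.not_after):
        return False, "certificate not within its validity period at signing time"
    # The check the item says was missing for years: a signature made at or after
    # the revocation time must be rejected even when everything else verifies.
    if cert.revoked_at is not None and sig.attested_time >= cert.revoked_at:
        return False, "certificate was revoked at signing time"
    return True, "ok"

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample certificates: "02" was revoked mid-2019.
CERTS = {
    "01": Certificate("01", _ts("2018-01-01T00:00:00"), _ts("2023-01-01T00:00:00")),
    "02": Certificate("02", _ts("2018-01-01T00:00:00"), _ts("2023-01-01T00:00:00"),
                      revoked_at=_ts("2019-06-01T12:00:00")),
}

def demo() -> Dict[str, bool]:
    """Validate three constructed signatures and return their verdicts."""
    cases = {
        "before_revocation": Signature("02", _ts("2019-05-01T10:00:00")),
        "after_revocation": Signature("02", _ts("2019-07-01T10:00:00")),
        "not_revoked": Signature("01", _ts("2019-07-01T10:00:00")),
    }
    return {name: validate(sig, CERTS)[0] for name, sig in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'valid' if verdict else 'INVALID'}")
```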
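The 2019-12-05 item on the Smart-ID clone detection flaw describes a counter-based scheme where the client, not the server, chooses the next expected request ID. The toy model below is an added example, not code from the newsletter, the Smart-ID paper or SK; it runs the same sequence of requests against a server that trusts the client's proposed next ID and against one that picks the ID itself, to show why only the latter detects the clone. Account names and ID values are constructed.

```python
import secrets
from typing import Dict, Optional, Tuple

class Server:
    """Keeps the request ID it expects next from each account."""
    def __init__(self, server_sets_next: bool):
        self.server_sets_next = server_sets_next
        self.expected: Dict[str, str] = {}

    def register(self, account: str, first_id: str) -> None:
        self.expected[account] = first_id

    def request(self, account: str, req_id: str, client_next: str) -> Tuple[bool, Optional[str]]:
        """Return (accepted, next_id). A mismatch means a clone may be in use."""
        if self.expected.get(account) != req_id:
            return False, None
        # Hardened variant: the server picks the next ID. Flawed variant (as in the
        # published protocol description): the client's proposal is trusted.
        nxt = secrets.token_hex(8) if self.server_sets_next else client_next
        self.expected[account] = nxt
        return True, nxt

class App:
    """One installed app instance; a clone is simply a copy of this state."""
    def __init__(self, account: str, next_id: str):
        self.account, self.next_id = account, next_id

    def sign(self, server: Server, propose_next: Optional[str] = None) -> bool:
        proposed = propose_next if propose_next is not None else secrets.token_hex(8)
        ok, nxt = server.request(self.account, self.next_id, proposed)
        if ok:
            self.next_id = nxt
        return ok

    def clone(self) -> "App":
        return App(self.account, self.next_id)

def scenario(server_sets_next: bool) -> Tuple[bool, bool]:
    """Return (clone_could_sign, victim_still_accepted).

    victim_still_accepted == True means the clone's use went undetected."""
    srv = Server(server_sets_next)
    victim = App("alice", "req-0")
    srv.register("alice", "req-0")
    clone = victim.clone()                        # copied app state
    saved = victim.next_id                        # value the victim still holds
    first = clone.sign(srv)                       # clone signs once
    last = clone.sign(srv, propose_next=saved)    # proposes the victim's old value
    return first and last, victim.sign(srv)       # does the victim's next request pass?

if __name__ == "__main__":
    print("client sets next ID:", scenario(False))   # clone undetected
    print("server sets next ID:", scenario(True))    # victim's request fails: clone detected
```

Note that in both variants the clone can sign before the victim's next use; the difference is whether the victim's next request reveals the clone, which is all counter-based detection can promise.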
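The 2020-01-10 item on banks and DMARC and the 2019-11-29 item on SEB lacking SPF+DMARC both turn on what a domain's DNS TXT records actually say. The checker below is an added example, not code from the newsletter or from Geenius; it grades constructed SPF and DMARC records (RFC 2606 `.example` names, not real banks) so the difference between "has a record" and "is enforced" is visible. Real records would come from a DNS TXT query of the domain and of `_dmarc.<domain>`.

```python
import re
from typing import List, Optional, Tuple

def parse_spf(txt: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Return (is_spf, qualifier of the 'all' mechanism: '+', '-', '~', '?' or None)."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return False, None
    qual = None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            qual = m.group(1) or "+"      # a bare 'all' means '+all'
    return True, qual

def parse_dmarc(txt: Optional[str]) -> Optional[dict]:
    """Return DMARC tag/value pairs, or None if this is not a DMARC record."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> Tuple[str, List[str]]:
    """Classify how well a domain name is protected against e-mail spoofing."""
    findings: List[str] = []
    dmarc = parse_dmarc(dmarc_txt)
    policy = (dmarc or {}).get("p", "none").lower()
    pct = int((dmarc or {}).get("pct", "100"))
    enforced = policy in ("quarantine", "reject") and pct == 100
    if dmarc is None:
        findings.append("no DMARC record: receivers get no policy for spoofed mail")
    elif not enforced:
        findings.append(f"DMARC p={policy} pct={pct}: not enforced for all mail")
    is_spf, qual = parse_spf(spf_txt)
    if not is_spf:
        findings.append("no SPF record")
    elif qual in (None, "+", "?"):
        findings.append("SPF never fails unknown senders (missing, +all or ?all)")
    elif qual == "~" and not enforced:
        findings.append("SPF ~all only softfails; without DMARC enforcement "
                        "spoofed mail is usually still delivered")
    return ("protected" if not findings else "weak"), findings

# Constructed sample records for three fictitious bank domains.
SAMPLES = {
    "bank-a.example": ("v=spf1 include:_spf.mail.example -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example"),
    "bank-b.example": ("v=spf1 ip4:192.0.2.0/24 ~all", None),
    "bank-c.example": ("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=none; pct=100"),
}

def report() -> dict:
    """Grade every sample domain; returns domain -> 'protected' or 'weak'."""
    return {d: assess(spf, dmarc)[0] for d, (spf, dmarc) in SAMPLES.items()}
```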
Cyber Security Newsletter 2020-03-19