[2020-07-15] MKM is studying the possibility to notify citizens via alternative channels such as WhatsApp and Facebook.
https://news.err.ee/1113020/government-seeking-to-create-communication-system-through-mobile-phone-apps [2020-07-02] The Estonian Ministry of Foreign Affairs organized an open master class on cyber diplomacy with experts from around the world. Video recording is available on Youtube.
https://vm.ee/et/virtuaalne-kuberdiplomaatia-meistriklass-2020 [2020-07-01] SK intermediate CA certificates have been issued with the “OCSP sign” extension which means that revoking these intermediate CA certificates in the event the key gets compromised will be problematic. According to CA/B Baseline Requirements these certificates have been misissued and SK should revoke them. SK has responded that it does not plan to revoke the certificates and is ready to leave Mozilla CA program earlier than planned (the last 4 still valid TLS server certificates issued by SK will expire by September 29, 2020).
https://bugzilla.mozilla.org/show_bug.cgi?id=1649942 [2020-07-01] The work of Smart-ID and Mobile-ID was disrupted for about ten minutes.
https://digi.geenius.ee/rubriik/uudis/mobiil-id-ja-smart-id-kasutamine-on-hairitud/ [2020-06-30] The state has stalled plans to include information from all guests who stay in accommodation establishments in Estonia in a single police database.
https://news.err.ee/1107522/state-pauses-plans-for-hotel-guests-e-database [2020-06-29] The Interdisciplinary Cyber Research (ICR) conference 2020 has been rescheduled to December. The Cyber Security Summer School has been renamed to Cyber Security Winter School and moved to December. The theme for the winter school will be “Transport as a Service”.
http://www.studyitin.ee/c3s2020 [2020-06-29] In the period of COVID emergency, Elisa for more than 1,700 people provided a solution for automated Mobile-ID issuance using a self-service portal. The solution was accepted by SK and their auditors.
https://forte.delfi.ee/news/digi/tehisintellekt-aitas-eriolukorra-ajal-vormistada-mobiil-id-rohkem-kui-1700-inimesele?id=90685697 [2020-06-27] The 50 EUR limit on contactless card payments put in place during the coronavirus emergency situation will remain in place.
https://raha.geenius.ee/rubriik/uudis/pangad-kahekordistavad-kriisi-ajaks-viipemakse-limiidi-et-inimesed-ei-peaks-pin-klaviatuuri-nappima/ [2020-06-22] In May fraudsters persuaded a victim to create a Smart-ID account over the phone. The created Smart-ID account was used by fraudsters to purchase services from several financial service providers.
https://www.ria.ee/et/uudised/olukord-kuberruumis-mai-2020.html [2020-06-17] Research article by Valentyna Tsap (TalTech), Silvia Lips (TalTech) and Dirk Draheim (TalTech): “eID Public Acceptance in Estonia: towards Understanding the Citizen”. The researchers conducted a survey among Estonian eID users to find out which of the existing eID authentication options are preferred and why.
https://dl.acm.org/doi/pdf/10.1145/3396956.3397009 [2020-06-04] The use of eID increased in the period of COVID emergency. As of May, 35 institutions with as many as 114 different applications had joined the state authentication service.
https://blog.ria.ee/e-riik-eriolukorras/ [2020-06-09] Lithuanian Cyber Security Center found 61 vulnerabilities in Chinese security cameras Hikvision and Dahua used by PPA. According to PPA, the cameras are not available on the public network and PPA has verified that the cameras do not communicate with servers that are not located in NATO or EU member states.
https://www.nksc.lt/doc/biuleteniai/2020-05-27%20Hikvision%20ir%20Dahua%20kameru%20kibernetinio%20saugumo%20vertinimas.pdf [2020-06-02] Thanks to IT Academy funding, TalTech has established the “Centre for Hardware Security” led by professor Samuel Pagliarini. The main research directions include the design of reliable microelectronics, measures to prevent reverse engineering, side-channel attacks, the deployment of cryptographic hardware, secure system design tools, and hardware Trojans and backdoors. The long term goal is to build all the right competences to put Estonia “on the map” of Hardware Security and IC design in general.
https://old.taltech.ee/ttu-uudised/uudised/mente-et-manu-5/varske-veri-samuel-nascimento-pagliarini/?id=196261&year=2019 [2020-06-01] Research article by Arnis Parsovs (UT): “Solving the Estonian ID Card Crisis: the Legal Issues”. The study analyzes to what extent, while solving the 2017 ID card crisis, the involved parties were able to precisely follow the applicable laws and regulations in the field.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3644664 [2020-05-28] Ahto Truu (TalTech) defended his PhD thesis “Hash-Based Server-Assisted Digital Signature Solutions” and gave an interview in Geenius about universal digital signing and its dangers.
https://digi.geenius.ee/rubriik/teadus-ja-tulevik/taltechi-doktor-millal-jouame-universaalse-digiallkirjastamiseni-ja-mis-ohud-seda-varitsevad/ [2020-05-28] RIA provided an explanation for why they recommended that the National Electoral Committee not enable Smart-ID for i-voting in the 2021 elections. To summarize: (1) Smart-ID has been used in successful attacks; (2) Smart-ID is not a state provided eID solution – if allowing i-voting with Smart-ID, there is no reason to not enable i-voting with other private eID solutions; (3) not enough experience to say if Smart-ID biometrical enrollment is secure enough; (4) the state does not have enough control over Smart-ID to intervene in case of emergency;
https://blog.ria.ee/smart-id-ja-valimised/ [2020-05-20] The Estonian National Electoral Committee has reviewed 25 suggestions from the i-voting working group and has provided their decision on each suggestion. The most important decisions included not enabling i-voting with Smart-ID and i-voting with a mobile app for the 2021 elections.
https://digi.geenius.ee/rubriik/uudis/mobiiliga-haaletamist-jargmistel-valimistel-ei-tule/ [2020-05-27] SK had a scheduled maintenance on May 28 and 29 due to which the use of ID card, Mobile-ID and Smart-ID was affected.
https://news.err.ee/1095129/id-cards-mobile-id-and-smart-id-to-be-interrupted-during-maintenance [2020-05-27] The Estonian Students Society organized a public discussion about cyber security. Participants in the discussion: Siim Alatalu (Head of EU CyberNet), Märt Hiietamm (Head of RIA Analysis and Prevention Department), Uku Särekanno (European Union IT Agency), Ragnar Õun (Head of RIA Critical Information Infrastructure Protection Department) and Ilmar Üle (CERT-EU).
https://www.youtube.com/watch?v=qpr3IQCRSp8 [2020-05-26] Dan Bogdanov (Cybernetica) in an interview explains the privacy principles behind the Estonian coronavirus app.
https://digi.geenius.ee/rubriik/uudis/eestis-on-nuud-esimene-koroona-kontaktijalgimise-app-aga-sa-ei-peaks-seda-kasutama/ [2020-05-26] Research article by Anne Veerpalu (UT), Liisi Jürgen (UT), Eduardo da Cruz Rodrigues e Silva (TalTech) and Alex Norta (TalTech): “The hybrid smart contract agreement challenge to European electronic signature regulation”, assesses whether the signature on a smart contract used in an ICO process is functionally equivalent to the qualified electronic signature under eIDAS.
https://academic.oup.com/ijlit/advance-article-abstract/doi/10.1093/ijlit/eaaa005/5846238 [2020-05-25] A research article by Mart Oruaas (Cybernetica) and Jan Willemson (Cybernetica/STACC): “Developing requirements for the new encryption mechanisms in the Estonian eID infrastructure”.
https://link.springer.com/chapter/10.1007/978-3-030-57672-1_2 [2020-05-21] Sorainen’s partner, lawyer Kaupo Lepasepp, writes that the digital signature is essentially unforgeable.
https://www.youtube.com/watch?v=bV-HwuhGKO8 [2020-05-20] RIA has compiled a comprehensive overview of cyber security in Estonia titled “Cyber Security in Estonia 2020”. The compilation mostly consists of excerpts from annual reports of different public sector organizations.
https://www.ria.ee/sites/default/files/content-editors/RIA/cyber_security_in_estonia_2020_0.pdf [2020-05-20] UT student Siim-Alexander Kütt in his BSc research found a flaw in the Tartu Bike Share system which allowed anyone to query the location of any bike and the user ID of the person riding the bike. Turns out that Tartu City previously paid 12 960 EUR to Estonian company SecTeam for a black-box security audit of the system.
https://ee.linkedin.com/in/arvo-saalits took a credit for discovring the previous leak in July 2019.
https://comserv.cs.ut.ee/ati_thesis/datasheet.php?id=69774&year=2020 [2020-05-18] The Data Protection Inspectorate released its yearbook describing in more detail the data leak in Tartu Bike Share system discovered in July 2019. Arvo Saalits in his Linkedin profile has taken the credit for the discovery of the flaw.
https://ee.linkedin.com/in/arvo-saalits [2020-05-19] LHV bank accidentally leaked names of 200 LHV customers by sending a mass email with the recipients in the CC field. According to the Data Protection Inspectorate, the data controller must notify the Inspectorate of a personal data breach within 72 hours of the incident, but whether it is a breach or not, the bank must assess it itself.
https://forte.delfi.ee/news/varia/suur-eksitus-lhv-lekitas-kogemata-sadade-laenusaajate-nimed?id=89906591 [2020-05-14] From May 14 to 16 a Smart-ID phishing campaign was run imitating SEB bank page.
https://www.ria.ee/et/uudised/olukord-kuberruumis-mai-2020.html [2020-05-14] MKM plans to hire an official who will focus on the i-voting risks. In order to apply, the applicants had to write an essay on the topic “Problems of risk management related to e-elections”. Five people applied but the results are not yet known.
https://www.mkm.ee/sites/default/files/kuberriskide_nounik.pdf [2020-05-12] KAPO released their annual review describing a flaw in the free email provider’s mail.ee website (opening an email triggers XSS). By opening a specially crafted email, mail.ee user account was automatically configured to enable an email redirect to the attacker’s email address. The flaw was exploited against a small number of mail.ee users who were of interest to a foreign country. Another attack described in the review is a phishing email used to try to gain access to some email accounts of the University of Tartu. According to KAPO, the attack was organized at the instructions of the government of Iran.
https://securityaffairs.co/wordpress/102471/hacking/estonian-provider-mail-ee-hacked.html [2020-05-12] Riigikogu amended the Electronic Communications Act providing that in order to ensure national security, the government may, by a regulation, impose an obligation on a communications undertaking to notify the hardware and software used in the communications network and to apply for a permit to use the hardware and software of the communications network. These amendments are most likely targeted to exclude Huawei from 5G deployment.
https://www.riigikogu.ee/istungi-ulevaated/riigikogu-muutis-elektroonilise-side-seadust/ [2020-05-07] RIA’s new yearbook provides a good overview of the current and upcoming work of RIA – the state network, DigiDoc4 software, e-voting, critical information infrastructure protection and CERT-EE activities. Some highlights:
– Starting from July 2021, the ID card chip will contain the cardholder’s picture and fingerprints in addition to their personal data file.
– RIA is considering enabling a single sign-on service (SSO) to be used for the state authentication service.
– RIA is introducing a consent service to allow citizens to share their health and other data with service providers (e.g., health insurers).
https://github.com/e-gov/NT/ [2020-05-06] TalTech and Estonian Maritime Academy received 2.5 million euro funding to establish a maritime cyber security center. The five-year project plans to supplement the existing master’s and doctoral study programs, organize trainings and conferences.
https://vikerraadio.err.ee/1084657/uudis-lauri-varik/1049735 [2020-04-22] Cybernetica released the report “Mobile voting feasibility study and risk analysis”, which found that introducing a mobile i-voting application has its risks but is possible. The National Electoral Committee, however, in their 2020-05-20 meeting decided not to introduce it in the 2021 elections.
https://digi.geenius.ee/rubriik/uudis/ria-loodetavasti-saab-mobiiliga-haaletada-juba-jargmistel-valimistel/ [2020-04-21] EKRE has formed a committee in riigikogu with the aim to make i-voting transparent. Former minister of IT and foreign trade Kert Kingo is chairman of the committee.
https://www.ituudised.ee/uudised/2020/04/21/ekre-loi-riigikogus-e-haaletamise-labipaistvaks-muutmise-toetusruhma-kuhu-kuulub-terve-fraktsioon [2020-04-18] According to RIA, in April 18 denial-of-service attacks sharing a similar handwriting were executed against the e-services eesti.ee, id.ee, emta.ee, elron.ee and elisa.ee. RIA was also notified about DoS attacks against eKool.eu and SK ID Solutions. On April 22, the availability of Luminor’s bank website was disrupted as a result of a DDoS attack on a Lithuanian service provider.
https://www.ria.ee/et/uudised/olukord-kuberruumis-aprill-2020.html [2020-04-17] RIA has made its internal chat and file sharing platform publicly available. The services were built using open source solutions Rocket.Chat and Nextcloud. The solutions have been pentested by the order of RIA. A Twitter user noticed that the chat service has a public list of its users with their last names, birth dates and personal ID codes.
https://twitter.com/SadEstonianIT/status/1246168005396115456 [2020-04-15] A UT professor obtained information from UT about the student who left negative feedback about the professor in the anonymous study information system (OIS) feedback form.
https://news.err.ee/1077745/university-of-tartu-professor-demanding-2-000-from-alum-over-word-usage [2020-04-15] The pensioner who organized document forgery in PPA was sentenced to long-term imprisonment.
https://cybersec.ee/2017/02/02/document-counterfeiting-case-maarika-comes-to-court/ [2020-04-15] The use of Smart-ID was disrupted between 11:18 and 23:00. The error was caused by a problem with the database.
https://www.postimees.ee/6950878/smart-id-too-oli-kolmapaeval-hairitud [2020-04-13] The Cyber Defense Unit of the Defense League provided support for the Health Board by processing and visualizing COVID data using various data sources.
https://forte.delfi.ee/news/tehnika/kubervagi-tegi-terviseametile-olulise-infosusteemi?id=89876695 [2020-04-06] According to RIA a fraud scheme is becoming popular, where criminals send a convincing e-mail to HR managers in the name of the employee requesting their salary to be transfered to a new bank account from the coming month.
https://www.ituudised.ee/uudised/2020/04/06/ria-hoiatus-levimas-on-palgakonto-pettused [2020-03-26] Podcast with Marko Belzetski (Clarified Security) discussing Android and web application penetration testing.
https://testguild.com/podcast/security/s14-marko/ [2020-03-24] The state has analyzed the spread of the coronavirus by analyzing mobile phone location data. This raised privacy concerns and the Chanchellor of Justice examined the constitutionality of the use of data. Aggregate data was prepared by mobile operators and sent to Statistics Estonia. Google used its data to provide similar mobility analysis.
https://news.err.ee/1073762/opinion-why-is-government-pursuing-extensive-surveillance-law-in-crisis [2020-03-23] Research article by Luukas Ilves (Guardtime) and Anna-Maria Osula (Guardtime/TalTech), “The Technological Sovereignty Dilemma – and How New Technology Can Offer a Way Out”, discusses 5G and related topics.
https://cybersecforum.eu/media/ECJ_vol6_issue1.pdf [2020-03-12] Statistics from the state authentication service shows the usage popularity of eID tools: ID cards are used 44% of the time, Smart-ID 30% and Mobile-ID 22%.
https://forte.delfi.ee/news/tarkvara/uus-seis-smartid-seljatas-mobiilid?id=89203485 [2020-02-04] MKM has published the report “Estonian Cybersecurity R&D Concept” prepared by TalTech. The report gives a good overview of the research institutions and people conducting cybersecurity related research in Estonia.
https://www.mkm.ee/sites/default/files/content-editors/failid/E_riik/estonian_cybersecurity_rd_concept.pdf [2020-02-04] A US journalist wrote an article about Estonia and cybersecurity featuring Cyber Defense League and others.
https://www.csmonitor.com/World/Europe/2020/0204/Cybersecurity-2020-What-Estonia-knows-about-thwarting-Russians [2019-12-18] A member of the i-voting working group, Heldur-Valdek Seeder, published video recordings of the working group’s meetings on a personal blog. Initially, the minister Kert Kingo wanted to classify the content of the working group, but the majority of members did not support this idea, hence there may be no basis to request removal of the published videos.
https://digi.geenius.ee/rubriik/uudis/e-valimiste-tooruhma-liige-avalikustas-omavoliliselt-koosolekute-videosalvestisi/ [2019-06-05] MSc thesis by Gregor Johannson (TalTech): “Technical Prerequisites for Enabling Third-Party Applications on the New Estonian ID-card”.
https://digikogu.taltech.ee/et/Item/64c83d8f-8f2d-4311-b548-b07c9b58a6cb [2019-06-06] BSc thesis by Pavel Kargin (TalTech): “Testing the Compliance of the Estonian Electronic Document to the Technical Specification”.
https://digikogu.taltech.ee/et/Item/66881079-2923-42df-acfe-e5dacf3ccad7 [2018-05-31] BSc thesis by Kristel Merilain (TalTech): “Business and Risk Analysis of Electronic Identity Tools Used in Estonia”.