- [2020-12-30] A new version of the Election Information System (VIS) is being developed which will introduce an electronic list of voters, making it possible to cancel an i-vote that has already been cast by casting a paper vote on election day. News portal Geenius tried to establish whether the authorities perform background checks on the employees of the private companies, Nortal and Cybernetica, involved in developing the election information systems. It is not clear whether such checks are needed, as the security of the elections should not depend on the integrity of the developers.
- [2020-12-29] Äripäev’s Russian-language website dv.ee experienced a large-scale DDoS attack. Äripäev’s editor-in-chief believes that the attacks are related to the published story about cryptocurrency millionaires in Ida-Viru.
- [2020-12-28] Arnis Parsovs (UT) has published the draft of his PhD dissertation “Estonian Electronic ID card and its Security Challenges”.
- [2020-12-22] An anonymous interview criticizing the coronavirus vaccine plan was given to the Kanal 2 television channel. The Health Board used a freeware program downloaded from the Internet to remove the voice distortion that had been added to anonymize the source. As a result, the whistleblower was identified and asked to resign from the Health Board.
- [2020-12-18] The Minister of Finance Martin Helme (EKRE) said that Estonian e-elections are not verifiable. The head of the state electoral service refuted the statements of the minister.
- [2020-12-16] Sten Mäses (TalTech) defended his PhD thesis “Evaluating Cybersecurity-Related Competences through Simulation Exercises”.
- [2020-12-16] For years, an IT employee holding a state secret permit mined cryptocurrency at the Ämari air base, bought expensive equipment with the Estonian defense budget and smuggled computer components out of the base to sell them on online forums. The purchased goods were not accounted for in the air surveillance division. From 2015 until his arrest in January 2019, the man illegally used devices belonging to the Defense Forces to mine cryptocurrency worth 30,404 euros and misappropriated at least 190 devices with a total value of 48,935 euros.
- [2020-12-08] The Ministry of the Interior sells the residence addresses entered in the population register to commercial enterprises for the purpose of sending advertisements or invitations to participate in surveys. Names, e-mail addresses, dates of birth and personal identification codes are not disclosed to the companies, but addresses can be purchased by specifying characteristics such as age, gender and mother tongue. People can opt out by restricting access to their data in the e-service at rahvastikuregister.ee. In 2019, the data was sold to five customers and the state earned 8,205 EUR.
- [2020-12-07] The Estonian Foreign Intelligence Service (EFIS) allowed an active intelligence officer to give an interview to Postimees. The interview followed strict secrecy rules and Postimees did not learn the agent’s identity. This activity is likely related to the job ads recently put out by the Estonian Foreign Intelligence Service.
- [2020-12-07] The 6th Interdisciplinary Cyber Research conference took place in a semi-online format. The video recordings and proceedings are available.
- [2020-12-02] By exploiting a flaw in the content management software Drupal, attackers compromised servers of the Ministry of Economic Affairs and Communications, the Ministry of Social Affairs and the Ministry of Foreign Affairs. The attackers downloaded 350 GB of data from a total of 11 servers. The data mostly came from the document management system. However, the attackers were also able to download a database containing data about 9158 corona-positive persons and their close contacts, which was stored as a LimeSurvey database in the Drupal instance of the Health and Welfare Information Systems Center (TEHIK). RIA initiated supervision proceedings, the Data Protection Inspectorate initiated its own proceedings and the Central Criminal Police initiated criminal proceedings for illegally obtaining access to the systems. Members of Parliament suspected that data from the national car registry had also been leaked, but this was not confirmed.
- [2020-12-01] RIA is developing an environment which will provide the possibility of installing additional smart card applications on the ID card. There are about four companies working on the creation of apps. The proof of concept will be completed by March 2021. RIA will not charge for apps, but it is possible that the use of the app will require a certain fee to be paid to the companies providing the apps.
- [2020-12-01] The Internet shops of the pharmacies Apotheka, Südameapteek and Azeta.ee allowed anyone to query another person’s prescriptions by entering that person’s personal ID code. The Data Protection Inspectorate issued a precept-warning to these three pharmacy chains with a one-day compliance deadline and a penalty payment of 100,000 euros. The chains complied with the precept by the deadline and suspended the option of buying a prescription drug for another person from the e-pharmacy.
- [2020-12-01] Citizen Lab reported that the Estonian Education and Research Network (EENet) hosts Circles surveillance technology, which exploits weaknesses in the global mobile phone signalling system SS7 to track people’s phone calls, text messages and location from anywhere. The technology is sold only to governments, so the best guess is that it was purchased by the Estonian Foreign Intelligence Service to spy on targets abroad. RIA, which is the end user of the IP addresses, acknowledged that they were used by RIA’s “contract partners”, but refused to name them. Since RIA refused to clarify whether the use of these IPs complied with EENet’s network policy, EENet blocked traffic to these IPs.
- [2020-11-27] EveryPay AS, which offers payment solutions for Estonian e-shops (used by mTasku), made a mistake which resulted in the bank accounts of a few hundred people being emptied. According to the company, it was a human error in development which the automated tests did not catch. All affected customers have received a refund.
- [2020-11-21] Õhtuleht journalists tailed a ministerial car to reveal its misuse. The Minister of Justice asked the Prosecutor General to have the journalists’ activities investigated on the basis of section 137 of the Penal Code – the section on unauthorized surveillance. The Minister of Justice later claimed that this was a misunderstanding.
- [2020-11-21] A book chapter by Kärt Salumaa-Lepik (TalTech), Tanel Kerikmäe (TalTech) and Nele Nisu (Ministry of Social Affairs): “Data Protection in Estonia”.
- [2020-11-20] IT minister Raul Siem (EKRE) proposed using face recognition in i-voting to prevent voter fraud. The Electoral Committee responded that the idea is not bad, but may be expensive. RIA supports the idea of using biometrics to identify a person, but acknowledged that this requires in-depth analysis.
- [2020-11-17] RIA held an online information day. Among the topics covered: the new ID card browser extension; the new CDOC 2.0 encryption format; the new Mobile-ID solution; remote ID card certificate update and remote applet loading; the state authentication service TARA; the new information security standard. The video recordings and the transcribed Q&A are available.
- [2020-11-16] The Ministry of Economic Affairs and Communications (MKM) is planning an independent audit and security analysis on i-voting, however, the details of the audit are still unclear. The ministry plans to propose a model where the security management of i-voting will be two-stage – RIA organizes cyber security and MKM checks the whole process and gives the National Electoral Committee an opinion on whether cyber security is organized at a sufficient level to use electronic systems for conducting elections.
- [2020-11-12] SK ID Solutions AS’s annual conference was replaced with a video presentation. Among the topics covered: the SK team has grown; the Smart-ID solution is to be implemented in Iceland; SK has teamed up with TalTech to pre-emptively identify and counter phishing scams.
- [2020-11-08] Minister of the Interior Mart Helme (EKRE) made a statement (without providing any evidence) that election results are falsified in favor of a particular political party by those with access to i-votes. The head of the state electoral service refuted all statements of the minister. The Minister of the Interior later resigned due to other unfounded claims in the context of the U.S. presidential elections.
- [2020-11-01] A cyber defense exercise “Cyber Battle of Tartu” for pupils and students was held at the Delta Center in Tartu. The competition was organized by CybExer Technologies. The participants had to find vulnerabilities in the school’s information system, stop the attack on the hospital’s vital systems and prevent a cyber attack aimed at opening the museum’s treasury.
- [2020-10-29] In the second half of July this year, a new form of banking fraud began to spread: telephone phishing calls. As of the beginning of October, the police had recorded 90 cases in which fraudsters caused damage totaling 200,000 euros. The criminals spoof a bank’s caller ID, play hold music, read out the customer’s personal identification code or other personal data, and use every means to create the illusion that the victim is indeed talking to a bank employee. They create fear and claim that urgent action is needed. The victim’s phone then receives Mobile-ID or Smart-ID authentication requests, and the victim believes the supposed bank employee is verifying their identity. The scammers speak Russian and the victims are mainly Russian-speaking customers. In an audio recording of a fraudulent call impersonating Swedbank, it is audible that the scammers operate a call center: similar calls to other potential victims can be heard in the background. Phishing e-mails sent in the name of banks are also circulating again.
- [2020-10-28] A draft regulation specifies requirements for handling interruptions of vital services. A telecommunications operator must ensure that the service is restored within 24 hours if 1,000 to 30,000 end users are affected, and within 8 hours if more than 200,000 users are affected by the failure.
- [2020-10-26] Cybercriminals stole patient data from a Finnish psychotherapy center. Worries are that the same could happen in Estonia.
- [2020-10-25] The Ministry of Finance plans to register the loans of residents in a central database.
- [2020-10-22] A 20-year-old man in Tartu had repeatedly ridden a bicycle from the Tartu Bike Share System without authorization, using the password of a friend of a friend. This was only discovered after a bike had been ridden for more than an hour in one session, resulting in the 1 EUR fee being charged to the account holder. The man was identified using security camera footage. He pleaded guilty and promised to compensate for the damage caused. The police imposed a fine on the man in misdemeanor proceedings.
- [2020-10-21] The Ministry of Economic Affairs and Communications and the Ministry of the Interior have drafted amendments to ban the use of anonymous SIM cards, requiring identity verification for the use of pre-paid SIM cards. The amendments are intended to help solve drug offenses and other organized crime, where anonymous calling cards are often used. The amendments would also affect messaging apps such as Skype, WhatsApp and Viber, requiring them to register as communications service providers and to apply the same degree of identity verification to their users.
- [2020-10-16] Estonia holds the second place in the world in terms of internet freedom after Iceland. Estonia did not receive all the points because, among other things, the Tax and Customs Board can oblige Estonian service providers to block illegal gambling sites.
- [2020-10-16] A recent audit conducted by the Data Protection Inspectorate (AKI) finds that local municipal governments often unjustifiably mark documents as “information intended for internal use”. Most commonly, employees’ wages and vacation information are hidden. There are rumors that when an agreement is signed, some personal information is included on purpose so that access restrictions can be applied. At the same time, plenty of documents containing the full names and contact details of private persons are publicly available. Sometimes personal data leaks because it is included in the public title of a non-public document.
- [2020-10-09] The Mobile-ID service was disrupted from 11:20 to 14:30.
- [2020-10-06] The Ministry of Justice has drafted amendments to prevent the mass download of personal data from the public databases of court decisions and court calendars. Already on 2020-05-08, before the amendments were passed, a robot trap unexpectedly appeared on the website of Riigi Teataja without a legal basis. Previously, journalists had mass-processed the data to inform the public about candidates in Riigikogu and municipal elections who had been criminally convicted.
- [2020-10-01] CERT.LV organized the online conference “Cybershock 2020”. Among the participants were Estonians Jaanus Kääp (Clarified Security) and Hans Lõugas (CybExer Technologies).
- [2020-09-30] The Ministry of Economic Affairs and Communications has finished a regulation bill which will restrict the use of non-EU telecoms technology in Estonia, including that from Huawei. Initially, these requirements will affect the providers of vital services, i.e. the communication companies with at least 10,000 clients: Telia, Elisa, Tele2, Levikom and STV. Huawei says it will challenge the bill. Elisa’s CEO claims that there is no real risk from Chinese technology and that the ban on Huawei’s equipment will cost Elisa tens of millions of euros.
- [2020-09-29] Three Romanian nationals were arrested in Romania for being suspected of organizing the Mobile-ID and Smart-ID phishing attacks that started in 2019. The aggregate sum stolen from close to 40 victims totals over €100,000. Estonian police detectives took part in the operation that was carried out in Bucharest. The prosecutor’s office is applying for the suspects to be extradited to Estonia for court proceedings.
- [2020-09-29] The procurement of a new Mobile-ID solution is in progress. Offers were received from two companies: the first applicant is the current partner SK ID Solutions, which wants to continue providing the service, and the second is the Belgian company Belgian Mobile ID, set up in 2016 by seven mobile operators and banks. The procurement does not constrain the technology much and assesses the proposals individually. The solution must allow the cryptographic algorithms to be changed without visiting a service office (i.e., remotely). For enrollment it may support face-to-face identification, digital identification and biometric identification. Suspension of certificates must not be supported.
- [2020-09-25] A research article by Mihkel Solvak (UT): “Does vote verification work: usage and impact of confidence building technology in Internet voting”. The study finds that i-vote verifiers are predominantly younger males and Linux users, with the verification rate especially high in the 18 to 40 age group; that voting from abroad clearly leads to more verification; and that cast-as-intended verification leads to higher confidence that one’s vote was taken into account.
- [2020-09-18] From August, RIA started monitoring procedures for the implementation of information security measures for all critical databases in Estonia. A total of ten critical databases have been defined: e-file (e-toimik), land register, commercial register, Riigi Teataja information system, land cadastre, state treasury information system, taxpayer register, population register, register of identity documents and state pension insurance register.
- [2020-09-17] The investigative journalism show “Pealtnägija” investigated a scam of fictitious real estate ads targeted at foreign students. While the victims believed that they were transferring money as a deposit for an apartment, they effectively paid an Estonian Bitcoin trader for the scammer’s purchase of bitcoins.
- [2020-09-17] Government will revoke 10 citizenships acquired illegally as the result of a widespread fraud that was committed during the years of 2013-2015 by a criminal group involving PPA employees. Previously, Estonian citizenship has only been revoked once by a government decision in 2016.
- [2020-09-16] A research article by Sven Heiberg (SCCEIV), Kristjan Krips (Cybernetica/UT) and Jan Willemson (Cybernetica/STACC): “Planning the next steps for Estonian Internet voting”. The authors mostly reiterate the discussion points in the report of feasibility of i-voting on smart devices.
- [2020-09-06] A research article by Valentyna Tsap (TalTech), Silvia Lips (TalTech) and Dirk Draheim (TalTech): “Analyzing eID Public Acceptance and User Preferences for Current Authentication Options in Estonia”. The study finds that the ID card is used the most to access e-services; Smart-ID holds second position; username/password and Mobile-ID share third place.
- [2020-09-01] Kaija Kirch, previously a document expert at the Estonian Police and Border Guard Board (PPA), now works for Cybernetica.
- [2020-08-28] After two years, the court has not yet started to resolve the case of PPA vs Gemalto. In August 2019, a preliminary hearing was held where the possibility of finding a compromise was discussed. However, as of 2020-08-28 no compromise has been reached and both parties have submitted a number of different requests that the court has to resolve.
- [2020-08-25] CERT-EE identified almost twenty websites that did not check certificate revocation information when authenticating users with an ID card. In two cases, there was also no check of whether the certificate had been issued by SK ID Solutions. This effectively allowed ID card authentication to be bypassed in these services.
- [2020-08-25] BSc thesis by Sander-Karl Kivivare (UT): “Secure Channel Establishment for the NFC Interface of the New Generation Estonian ID Cards”. The thesis describes the cryptographic protocol that is used to communicate with the Estonian ID card over the contactless interface and provides detailed instructions with code examples in Python, to help software developers create applications that can make use of the new NFC interface introduced in the ID cards issued since December 2018.
- [2020-08-25] BSc thesis by Jekaterina Gorohhova (UT): “Malicious Android app for security testing”. In the context of this thesis, an Android app was developed to demonstrate how a malicious app with a given set of Android permissions can abuse them to collect personal data stored on a user’s device and then send it out.
- [2020-08-21] RIA has banned the social media app TikTok on all phones belonging to RIA employees and has also recommended the ban to other state institutions. The app is considered a security threat as it is collecting far more information about its users than necessary.
- [2020-08-20] July statistics from the state authentication service TARA show that Smart-ID became the most popular identification tool, outperforming the ID card. The number of government agencies using TARA in their e-services is currently between 30 and 40, but RIA expects it to grow to over a hundred. RIA plans to remove the banklink authentication option from TARA at the end of 2020, as the banks themselves are accessed with the same ID card, Mobile-ID and Smart-ID that TARA supports directly.
- [2020-08-20] Estonia launched the coronavirus exposure notification app “HOIA” (Keep). The app was created in cooperation with 12 Estonian companies – Cybernetica, Fujitsu Estonia, Guardtime, Icefire, Iglu, Mobi Lab, Mooncascade, Velvet, FOB Solutions, Heisi IT OÜ, Bytelogics and ASA Quality Services OÜ. The development was done at the companies’ own expense. The state only paid for an independent security audit that cost 30,000 EUR. The Data Protection Inspectorate and the Chancellor of Justice deem the app suitable, as the privacy of its users is protected. RIA also recommends using the app, but notes that the requirement for Bluetooth to be constantly on creates additional risks.
- [2020-08-14] Research article by Arnis Parsovs (UT): “Estonian Electronic Identity Card: Security Flaws in Key Management”. The article, among other things, provides details about the malpractice of the Estonian ID card manufacturer Gemalto in generating private keys outside the ID card.
- [2020-08-13] Tartu County Court convicted Dennis Einasto of computer fraud that caused nearly €28,500 in damages, of illegally obtaining access to computer systems and of large-scale money laundering. Overall, he was sentenced to 4.5 years in jail. Einasto’s computer contained cryptocurrency and web hosting databases hosting large numbers of usernames and passwords, but which did not belong to him. The cyber crimes were committed on an international scale.
- [2020-08-05] The passwords and e-mail addresses of 27,000 users of an unnamed Estonian advertising portal were leaked. The data was accessible for almost a year without the portal being aware of it. The portal has informed users about the leak, and the same account credentials can no longer be used to log in. Although the portal did not notify the Data Protection Inspectorate (AKI) in time, AKI has not yet decided whether to initiate supervision proceedings.
- [2020-07-28] Due to a human error, the Ministry of Justice made a report in its document register public that contained personal data of approximately 1000 people who had sought legal advice. The report listed names and the reason each person had obtained legal aid. The Ministry of Justice has not informed the affected persons about the leak, as this would have meant further processing of the data, which it intended to avoid. According to the ministry, the article published by the media is sufficient.
- [2020-07-27] BSc thesis by Silver Maala (UT): “A Proof of Concept Malware for Interacting with the Smart-ID Android Application”. The thesis presents a proof-of-concept Android malware that can take over the Smart-ID app running on a rooted Android device.
- [2020-07-23] The National Audit Office has published the audit report “Effectiveness of the e-Residency programme”. The report finds that foreigners with a criminal background and/or business ban have become e-Residents, as PPA does not have the capability to perform sufficient background checking for foreigners. Another noteworthy finding is that only 10% of e-Residents have renewed their digital IDs after expiration.
- [2020-07-23] The Ministry of the Interior proposed a bill that would give law enforcement organizations backdoor access to encrypted messaging applications. The idea faced sharp criticism and later the Ministry of Justice rejected the proposal due to the lack of a thorough analysis of the consequences.
- [2020-07-21] The government has made amendments to the “Statutes of the Health Information System” allowing the authentication of subjects using “ID card, Mobile-ID, Smart-ID or other equivalent device”. Historically, access to the Health Information System has only been granted based on authentication using the ID card. The security requirements have likely been relaxed due to the pressing coronavirus situation.
- [2020-07-21] Kert Kingo (EKRE), a member of the Riigikogu’s Legal Affairs Committee, explained why EKRE is so worried about i-voting. According to her, the distrust is created by the fact that it is possible to give an i-vote using another person’s ID card and that i-voting data is destroyed immediately after the elections.
- [2020-07-10] Research article by Kaido Kikkas (TalTech) and Birgy Lorenz (TalTech): “Training Young Cybersecurity Talents – The Case of Estonia”. The paper describes the Estonian experience with the CyberOlympics/CyberSpike program from 2017–2019 and reflects on the lessons learned about talent building in cybersecurity.
- [2020-07-07] Research article by Laura Kask (UT/Proud Engineers) and Kristiina Laanest (RIA): “Determining the Time of Electronic Signing: Legal Requirements and Technological Possibilities”. The authors suggest taking the time from the timestamp as the time of signing, but fail to address the issues raised in the original article “Time of signing in the Estonian digital signature scheme” by T. Mets and A. Parsovs.
- [2019-12-19] A research paper by Abasi-amefon Affia (UT): “Assessing the NFC Unlock Mechanism of the Tartu Smart Bike Share System”. The paper describes a flaw in the Tartu Smart Bike Share System that can be exploited to create a clone of a victim’s Tartu bus card, which can then be used to unlock the bikes. To create the clone, only the card number printed on the victim’s Tartu bus card is needed (valid numbers can be guessed). The flaw has now been partially mitigated: cloning is still possible, but it is no longer trivial.