[2021-02-18] The Ministry of Economic Affairs and Communications (MKM) will establish a new state cyber security department joining the current state information systems department (RISO) and the information society services development department.
https://digi.geenius.ee/rubriik/uudis/valitsus-korrastab-digiriiki-luuakse-uus-riiklik-kuberturvalisuse-osakond/ [2021-02-18] The LokiBot malware is being distributed using a spoofed e-mail address of the TalTech rector. The phishing email is written in good Estonian and as a pretext invites recipients to participate in a procurement. As a response, TalTech has enabled DMARC so that recipients could detect emails from spoofed @taltech.ee addresses.
https://forte.delfi.ee/artikkel/92598139/kustuta-kohe-petukiri-korgel-tasemel-tehnikaulikooli-rektori-tiit-landi-nime-alt-laks-tana-teele-massiliselt-libaparinguid [2021-02-17] An information security specialist of Viljandi Hospital raised a privacy issue of PDF and DDOC signature files being sent for validation to RIA validation service SiVa. According to RIA, data is not permanently stored on RIA servers and the DigiDoc4 client explicitly asks for permission before the file is sent to RIA. The DDOC file validation logic has been moved server side to simplify the DigiDoc4 client-side software. On a side note, people have forgotten that a few years ago, all documents signed using Mobile-ID were sent to the SK DigiDocService.
https://www.ohtuleht.ee/1026090/paranoia-voi-suure-venna-sund-digiallkirja-kehtivuse-kontrollimiseks-laheb-dokument-kogu-taiega-riigi-katte-miks [2020-02-16] At the end of 2020, an ID card authentication bypass flaw was found in the Coop Pank’s internetbank environment. Since Coop Pank also provides a bank link authentication service, the eesti.ee e-service and other e-services supporting the bank link option were also affected. A similar flaw was also found in elisa.ee, printincity.ee and arved.ee.
https://digi.geenius.ee/rubriik/uudis/turvaauk-elisa-iseteeninduses-ning-arved-ee-keskkonnas-voimaldas-paaseda-voorale-kontole/ [2021-02-12] In January 2021, Estonian banks lost more than 200 thousand euros in Smart-ID and Mobile-ID phishing attacks.
https://majandus24.postimees.ee/7178741/pangakelmustega-peteti-eesti-inimestelt-jaanuaris-valja-ule-200-000-euro [2021-02-10] The personal data of 5000 persons was leaked from the Mineral Garden (mineralgarden.org – Living Minerals OÜ) online store. The names, email addresses, phone numbers, home addresses, and shopping cart information of thousands of Mineral Garden customers were searchable on Google. The Data Protection Inspectorate initiated a supervisory procedure. The shop is controversial as it distributes a harmful substance advertised as a miracle cure. Postimees published the name of a parliament member, who was found in the leak to have purchased the substance.
https://leht.postimees.ee/7176185/nimed-telefoninumbrid-aadressid-tuhandete-eesti-veebipoe-klientide-andmed-rippusid-avalikult-internetis [2021-02-10] From March 2021, RIA will stop supporting bank link in the state authentication service TARA, because the security of bank link authentication mechanisms has not been assessed according to eIDAS regulation. The change will affect approximately 7000 people, which accounts for about 1% of all authentications in TARA. This move has been long awaited as the use of banks as authentication providers has never had legal basis and security flaws in banking systems have put personal data, that is accessible through the bank link, at risk.
https://news.err.ee/1608104449/some-public-e-services-cannot-be-accessed-via-a-bank-link-from-march [2021-02-05] The litigation between PPA and the Estonia ID card manufacturer Gemalto has reached a compromise with Gemalto paying the state 2.2 million EUR in compensation. While the press release only mentions the ID card security incident in 2017, the compromise also covers the claim against Gemalto regarding private key generation outside the ID card.
https://news.err.ee/1608100102/gemalto-ppa-reach-compromise-over-id-card-security-weakness [2021-02-03] RIA fixed an authentication man-in-the-middle flaw in the ID card browser signing extension. The flaw (a feature to sign raw values using the authentication key) was quietly introduced in 2017 without a proper security analysis. Swedbank began using the feature to authenticate their clients at the end of 2020, because it was considered to be more reliable than TLS client certificate authentication.
https://digi.geenius.ee/eksklusiiv/swedbank-kasutas-turvanorkusega-id-kaardi-laiendust-kaks-aastat-pank-pidas-seda-tookindlamaks/ [2021-02-03] Geenius wrote an article about the recent repeated failures of revoking ID cards of deceased persons. RIA in 2019 initiated a supervisory procedure which still has not been completed.
https://digi.geenius.ee/eksklusiiv/teist-korda-jaid-hulga-surnud-inimeste-id-kaartide-sertifikaadid-kehtetuks-tunnistamata/ [2021-01-25] CERT-EE reported that in December 2020, an ID card authentication bypass flaw was found in the website of quick loan provider (credit24.ee), which would have provided the opportunity to take a quick loan on behalf of a stranger.
https://forte.delfi.ee/artikkel/92359667/kiirlaenu-pakkuja-veebilehel-avastati-ohtlik-turvanorkus [2021-01-26] Liisa Past and Jan Willemson from Cybernetica, in the Digital Government podcast (30min), talk about the historical and cognitive aspects of i-voting and explain how technology and math ensure a secure and trustworthy solution.
https://www.buzzsprout.com/1191800/7491415-what-makes-online-voting-secure [2021-01-25] Estonian server hosting company Zone.ee experienced a DDoS attack. The attack lasted a total of five hours and affected the company’s operations.
https://digi.geenius.ee/rubriik/uudis/eesti-serverimajutusettevote-on-aktiivse-ddos-runnaku-all/ [2021-01-25] The Ministry of Economic Affairs and Communications (MKM), the State Information System Authority (RIA) and the State Electoral Service (RVT) signed a cooperation agreement to define the division of tasks between the agencies for organizing i-voting security. MKM will organize a security audit. RVT undertakes the development of the i-voting system and organization of security testing and risk analysis. RIA will provide hosting services and perform security testing and logging. RVT and RIA will undertake the procurement of a technical and legal analysis of the possibility of voter identification by facial biometrics. The analysis should be conducted by 1 June 2021.
https://www.ria.ee/et/uudised/mkm-ria-ja-rvt-solmisid-koostoolepingu-e-valimiste-kuberturvalisuse-korraldamiseks.html [2021-01-24] The Estonian government recently fell and a new one was formed with a new Minister of Foreign Trade and IT: Andres Sutt (Reform). The political position on i-voting has now significantly changed as the coalition agreement seeks to develop a mobile app for i-voting.
https://twitter.com/ikubjas/status/1353315211571294213 [2021-01-14] The Ministry of Economic Affairs and Communications (MKM) announced a public procurement tender for the audit of the i-voting system. The purpose of the audit is to get a reasoned assessment of the security of the election information systems and proposals for improvements that can raise the level of security. The audit shall be performed by internationally renowned auditors and information security specialists. The deadline for presenting the project’s final report is October 1, 2021.
https://news.err.ee/1608073477/ministry-seeking-international-auditor-to-check-security-of-e-elections [2021-01-05] On 2021-01-05, Smart-ID, Mobile-ID and ID-card authentication and signing services were disrupted for a few hours. The state does not know the reason behind the failures and did not answer whether the question of whether a supervisory procedure will be initiated against SK ID Solutions AS.
https://digi.geenius.ee/rubriik/uudis/riik-ei-tea-pohjust-miks-oli-mobiil-id-ja-id-kaardi-too-korraga-hairitud/ [2021-01-04] On 2021-01-04, SK ID Solutions AS failed to rotate the OCSP signer’s certificate, as a result, for 10 hours OCSP responses were signed with an expired certificate.
https://www.skidsolutions.eu/en/News/certifier-esteid2018-validity-information-responses-were-signed-with-an-expired-certificate/ [2020-12-22] A research article by Valeh Farzaliyev, Kristjan Krips and Jan Willemson (Cybernetica): “Developing a Personal Voting Machine for the Estonian Internet Voting System”. The article describes a proof-of-concept i-voting client implemented on a microcontroller. The client only supports Mobile-ID for casting an i-vote. The source code of the client and build instructions have been published in GitHub.
https://github.com/Valeh2012/PersonalVotingMachine [2020-12-18] RIA has published a technical report produced by Cybernetica: “Analysis of planned architectural changes in Open-eID”. The work analyzes the proposed alternative to TLS certificate authentication – authentication using a new web browser extension that RIA is currently developing.
https://web-eid.gitlab.io/analysis/webextensions-main.pdf [2020-12-04] The Data Protection Inspectorate (AKI) initiated a supervisory procedure against the Health Board (TA) in connection with the COVID-19 data leak of 9158 persons. However, the Health Board will not be fined, because AKI does not have the power to fine another state agency.