[2021-08-13] Starting August 23, Estonian identity cards will be issued with the ePassport applet, which contains the cardholder’s photo and fingerprints. Residence permit cards have been issued with the ePassport applet since 2011. The ePassport applet will not be installed on the digital identity cards, the e-resident’s digital identity cards and the diplomatic identity cards. The introduction of the ePassport applet on identity cards is required by an EU regulation.
[2021-08-11] Mauno Pihelgas (TalTech) defended his PhD thesis “Automating Defences against Cyber Operations in Computer Networks”.
[2021-08-09] The procurement for the next-generation SIM-less Mobile-ID solution has taken longer than originally planned. The winner should be announced in September and the new solution should be operational from July 1, 2022. The current Mobile-ID contract with SK has been extended by half a year.
[2021-08-08] A group of local cyber security enthusiasts is organizing the BSides Tallinn conference with a program committee consisting of well-known Estonian cyber security experts. The conference is planned to take place on October 7 in Tallinn.
[2021-08-07] The Data Protection Inspectorate (AKI) has stated that an identity check of a person showing a vaccination certificate is allowed only if there is reasonable doubt, for example, if there are obvious discrepancies: the name on the certificate is of the opposite sex, the person’s appearance does not match the date of birth, and so on. Also, the applications used to verify vaccination certificates should not store or forward the data to third parties. The Minister of Health and Labor suggested that vaccination certificates be inspected only “visually”, as it is assumed that most people who live in Estonia are honest.
[2021-08-05] RIA has proposed an idea to enable a vaccination status lookup using the document number of the cardholder’s ID card. This would effectively make a person’s vaccination status public, as the document number of a cardholder’s ID card cannot be considered secret. The Health and Welfare Information System (TEHIK) is looking into the legal side of this solution.
[2021-07-29] The web app kontroll.digilugu.ee created to check COVID certificates provides a misleading status response, as it verifies only the authenticity of the certificate and not whether the COVID certificate satisfies legal requirements (e.g., whether test results are not outdated). Currently, the certificate’s compliance with legal requirements has to be inspected manually.
[2021-07-28] Geenius journalist Ronald Liive proposes the introduction of a state-level bug bounty program to motivate white hat hackers to report vulnerabilities.
[2021-07-28] A hacker exploited a vulnerability in RIA’s service that allows people to download their document photos using the DigiDoc client. As a result, facial photos of 286,438 persons have been downloaded. The flaw allowed unauthorized retrieval of document photos by sending queries using a fake ID card certificate containing the document holder’s personal identification code. The queries were made from 9,000 different domestic and foreign IP addresses routed through a malware network. The flawed solution was created several years ago. The police have temporarily detained an Estonian citizen, a resident of Tallinn, whose computer was used to download the photos. The downloaded data has been confiscated and the police believe that the data was not transmitted further. The mass download of photos was detected after SK ID Solutions notified RIA of an abnormal number of (OCSP?) queries. The persons whose document photo was downloaded received a notification to their @eesti.ee email addresses. If the leak caused damage, the person can ask RIA for compensation. In RIA’s opinion no damage could have been caused. The government gave RIA 500,000 euros to improve the security of their legacy services.
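The flaw in this item comes down to trusting the personal code in a certificate’s subject without checking who issued the certificate. As an added example (not RIA’s or SK’s code), the Go program below shows the hardened pattern: the subject serialNumber is read only after the certificate has been verified against the issuing CA, so a self-signed certificate carrying someone else’s personal code is rejected. The issuing CA, cardholder name and personal code are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert makes a client certificate for subject, signed by parent/parentKey
// or self-signed when parent is nil. Hypothetical demo helper; panics on error.
func issueCert(subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was just produced by the library
	return cert, key
}

// PersonalCodeFromCert is the hardened check: the personal code in the subject
// serialNumber is trusted only after the certificate verifies against the issuing CA.
func PersonalCodeFromCert(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if cert.Subject.SerialNumber == "" {
		return "", fmt.Errorf("certificate carries no personal code")
	}
	return cert.Subject.SerialNumber, nil
}

// DemoCerts returns a trust store holding a hypothetical issuing CA, a genuine
// card certificate it issued, and a self-signed forgery with the same subject.
func DemoCerts() (roots *x509.CertPool, genuine, forged *x509.Certificate) {
	ca, caKey := issueCert(pkix.Name{CommonName: "Hypothetical ID-card CA"}, true, nil, nil)
	holder := pkix.Name{CommonName: "TEST,CARDHOLDER", SerialNumber: "PNOEE-30000000000"} // constructed code
	genuine, _ = issueCert(holder, false, ca, caKey)
	forged, _ = issueCert(holder, false, nil, nil) // attacker-made: right subject, wrong issuer
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, genuine, forged
}

func main() {
	roots, genuine, forged := DemoCerts()
	fmt.Println(PersonalCodeFromCert(genuine, roots)) // PNOEE-30000000000 <nil>
	fmt.Println(PersonalCodeFromCert(forged, roots))  // rejected: untrusted certificate
}
```

In a real deployment the trust store would hold the actual ID-card issuing CA certificates and the revocation status of the presented certificate would be checked as well.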
[2021-07-24] The number of banking scams is growing. This year already more than 800,000 euros have been lost. Last summer there were 25-30 such cases a month; this year there are already more than 50 a month.
[2021-07-22] Gert Auväärt became RIA’s director of the Cyber Security Branch. Lauri Aasmann, the current director of the Cyber Security Branch, will continue as an advisor to the Director General.
[2021-07-21] AS Morrison Invest (morrison.ee) approached the Data Protection Inspectorate (AKI) questioning the legality of kv.ee showing the name of real estate agents for advertisements posted on behalf of legal entities. AKI found it to be in line with good practice, but in turn found that the website morrison.ee, which collects personal data, does not use an HTTPS connection, that visitors are not informed about the use of Google Analytics cookies, and that the site does not have the required data protection conditions. AKI issued a precept requesting that these deficiencies be eliminated.
[2021-07-21] Estonian citizen Pavel Tsurkan (33) was extradited to the US, where he pleaded guilty to building a botnet of more than 1000 routers and allowing his criminal clients to use them as proxies, routing their malicious internet traffic through the compromised routers. He also pleaded guilty in a second case to operating the Crypt4U service since 2013, which allowed criminals to obfuscate their malware. The Estonian national faces two 10-year prison sentences.
[2021-07-15] Cybernetica has completed the analysis of implementing facial recognition in the Estonian i-voting. The analysis points out problems with false negatives, the requirement for high quality video cameras, privacy issues related to the fact that the captured video may contain other persons and a voter’s home interior, and lists a number of legal challenges. The report concludes that facial recognition is still in its infancy and should first be piloted within other public services.
[2021-07-15] A Geenius journalist had a look at the mysterious information system SITIKAS created by the State Situation Center. The system is meant to help decision makers and almost 2.8 million euros have been spent on its development. The system uses mostly publicly available information, but the content of the system is classified. Allegedly, the system generates various reports and uses machine learning and neural networks.
[2021-07-13] The Data Protection Inspectorate (AKI) has reprimanded the Health Board because one of its officials contacted TalTech to ask whether a Health Board employee studies at TalTech. TalTech disclosed the information over the phone without identifying the caller and without a legal basis.
[2021-07-13] For DDOC signatures that have been timestamped after 2018-07-01, the ID software will show a warning “The signature is valid (with a warning)”. Signatures in DDOC format use the outdated SHA-1 hash function whose collision resistance was practically broken in February 2017 and hence any DDOC signatures created since then could be challenged.
[2021-07-09] RIA has closed an information leak in the state portal eesti.ee, where personal data of 336,733 people could be accessed. The data contained the first and last names, personal identification codes, places of work and, in some cases, links to previous positions. The leak was in the self-service environment that gave representatives of companies the right to manage the access rights of their employees. The leak was part of the intended functionality that was introduced about ten years ago when the approach to data protection and privacy was different than today. The issue was reported by an attentive user. RIA has no information on whether anyone had saved the data.
[2021-07-01] Personal data of 96 drone pilots was visible on the website of the Transport Agency for two hours. The personal data contained the pilots’ home addresses, phone numbers, e-mail addresses and personal identification numbers. Due to the leak, the registration numbers issued to the pilots will be replaced. Piksel OÜ developed the flight safety monitoring information system (LOIS). The security of the system was tested, but the flaw was detected only after the information system went into production.
[2021-06-29] MKM is using the EU structural funds to produce 60 thematic biographical video interviews to document the history of the Estonian digital state. The plan is to collect the memories and knowledge of the birth and formation of the digital state, including the development of eID, i-voting and cyber security. The work will be completed in the beginning of 2022.
[2021-06-29] The UT computer science BSc student Peeter Vahe in his BSc research discovered a race condition flaw in the Tartu Smart Bike Share system, which allows a user to unlock 2 bikes at once using a single account.
[2021-06-18] The Supreme Court decided that the procedure for storage and use of communications metadata is in conflict with EU law and therefore the state cannot request this data for criminal investigations. EU law forbids retaining the communication data of all users without distinction, regardless of whether they have any connection with serious crime (the current practice under the Electronic Communications Act). This decision will affect the proceedings where phone logs are the most substantial evidence. The Ministry of Justice is looking for a solution to agree on some kind of new metadata retention obligation.
[2021-06-16] Kaie Maennel (TalTech) defended her PhD thesis “Advancing Cybersecurity Education through Learning Analytics”.
[2021-06-15] An MSc thesis defended at UT brought to light a security risk in signing documents with an ID card via a browser: signatories are not able to see what exactly the service provider is asking them to sign. The thesis provides implementations of two solutions. RIA is also looking to introduce a solution.
[2021-06-15] A bill has been passed to create a central biometric database ABIS for storing facial images and fingerprints, as currently such data is scattered between several databases. No new data will be collected. The bill has raised concerns regarding cross use of biometric data, as it would allow fingerprints and facial images collected for identification purposes (when applying for an identity document) to be used in criminal proceedings. However, it turns out that since 2012 the identity documents database has been used in criminal investigations. While it was already possible to compare fingerprints against all fingerprints in the database, ABIS plans to provide the technological capability to match a person’s facial image against the facial images stored in the database.
[2021-06-14] Cyber Security Summer School 2021 took place during June 14-16 in virtual format. The focus of this year’s summer school was on real-world internet voting systems.
[2021-06-11] The Transport Administration is developing a database in which private parking lots from Helsinki and Riga can obtain personal data of car owners registered in Estonia. The Estonian vehicle owner database has now been opened to Estonia’s private parking lots for imposing fines.
[2021-06-04] The President of Estonia, Kersti Kaljulaid awarded ENISA’s Executive Director, Juhan Lepassaar, the Order of the White Star, 3rd Class state decoration for advancing EU cybersecurity.
[2021-06-03] MSc thesis by Taavi Turu (TalTech): “The Role of Co-production in National Cyber Security and Cyber Resilience of Critical Infrastructures: the Case of Estonian Defence League’s Cyber Unit”
[2021-06-02] A new Estonian information security standard (E-ITS) has been compiled to replace the voluminous information security standard ISKE. The standard contains data on security threats and provides measures for public sector authorities.
[2021-06-02] RIA organized a seminar “Cyber Security in Estonia 2021” in English. Presentations by Gert Auväärt, Tõnu Tammer, Perit Kirkmann, Mark Erlich, Lauri Tankler and Märt Hiietamm are available on RIA’s YouTube channel.
[2021-05-31] Due to a database error, the health information system was not available for more than two and a half hours in the middle of the working day.
[2021-05-28] Arnis Parsovs (UT) has published “Security Analysis of RIA’s Authentication Service TARA”. The analysis finds that the TARA protocol might be susceptible to man-in-the-middle and phishing attacks.
[2021-05-26] The TV investigative program Pealtnägija has published materials and insights from the “passport mafia Marika” criminal case of running an illegal document business with insiders from PPA. A trap was set up with the help of a secret agent who was interested in a document. Video footage and other materials from covert police surveillance activities are demonstrated.
[2021-05-21] Following a scheduled maintenance at SK ID Solutions, the issuance of Mobile-ID and Smart-ID certificates was disrupted.
[2021-05-15] An Estonian accounting software company fell victim to a ransom attack and through it the attackers gained access to the systems of one of the Lääne County rural municipality governments. The attack was discovered by CERT-EE before the attackers were able to cause damage.
[2021-05-13] RIA refuses to disclose how many sessions at once the authentication service TARA can handle, as this would reveal too much of the e-Estonia capability to potential attackers. TARA has been used up to 150,000 times a day.
[2021-05-13] A court in the US convicted three IT specialists who were residing in Estonia for providing bulletproof hosting services to cyber criminals from 2009 to 2015.
[2021-05-12] There is a plan to amend the Public Information Act that would allow for the classification of documents to last indefinitely. Currently, the access restriction limit for classified documents “information intended for internal use” (AK) is five years. This limit can be extended by another five years to a total maximum of 10 years.
[2021-05-11] The Data Protection Inspectorate (AKI) has released the 2020 yearbook.
[2021-05-05] The Estonian Digital Society Development Plan 2030 has been released. One of the areas is national cyber security. Among the plans is to: improve the personal data tracker service; develop the possibility to get all the data stored in the country from the state portal; create a national eID that is free of physical media; update the national cyber security governance model to clarify roles, responsibilities and tasks of organizations; increase the capacity of academic institutions and development centers to implement nationally important cyber security R&D projects.
[2021-05-03] Liisa Past (former employee of Cybernetica and RIA) has started working as an information security manager (CISO) at the Information Security Department of the Information Technology and Development Center (SMIT) of the Ministry of the Interior.
[2021-04-27] Over the last couple of years, most of the security testing procurements have been won by the company Clarified Security OÜ. Last year, procurements for up to 2 million and 3.5 million euros were won. Päevaleht looked at the similarities of the procurement specifications and discussed the need to introduce mandatory rotation of security testers.
[2021-04-22] Äripäev has published a special issue “Cyber security 2021” covering a variety of cyber security related topics: cyber hygiene, i-voting, cybercrime, training of cyber experts and other topics.
[2021-04-22] Due to a hardware failure, the state authentication service TARA was not available for 45 minutes, as a result of which it was not possible to log into any service that uses TARA.
[2021-04-15] The government introduced a draft legislation to strengthen rules for assessing eID system trustworthiness and delimiting institutional responsibilities. In addition, RIA will be able to check whether providers of public e-services fulfill the obligation of recognizing international eID solutions arising from the eIDAS regulation.
[2021-04-13] Due to a software error, the digital prescription service was not available for almost 7 hours.
[2021-04-09] Arnis Parsovs (UT) defended his PhD thesis “Estonian Electronic Identity Card and its Security Challenges”.
[2021-04-07] The Mobile-ID and Smart-ID phishing attackers who were detained in Romania last September, sent emails to 100,000 Estonians and managed to steal money from the accounts of nearly 40 people in the total amount to more than 100,000 euros.
[2021-04-07] RIA released the yearbook “Cyber Security in Estonia 2021”. Some of the covered topics: DDoS ransom attacks, ransomware attacks, phishing attacks, E-ITS security standard, DigiTest cyber hygiene training platform, cyber diplomacy, 5G security.
[2021-04-05] Based on a precept issued by the Technical Supervision Authority (TTJA), Zone Media OÜ blocked access to the websites koroonavabaeesti.ee and kloordiioxidiinfokeskus.ee, which were used to spread misinformation about the anti-COVID drug. The websites were registered by a private person and used the web hosting service of Zone Media OÜ.
[2021-04-04] Personal data of 533 million Facebook users leaked online. The leak contains personal data of 87,533 users from Estonia. The data includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and (in some cases) email addresses. The dataset was collected by crawling the data made public by users themselves.
[2021-03-31] The government approved an amendment enabling automatic forwarding of a person’s @eesti.ee mailbox to their contact information in the population register. The population register has almost every person’s contact information (email address and phone number), as it is collected, for instance, when applying for an identity document. Before this change, around 413,000 people of the 1.3 million had manually enabled forwarding for their @eesti.ee address. The opt-out model for @eesti.ee forwarding was introduced after many elderly people missed invitations to be vaccinated.
[2021-03-31] E-residency background checks will become more thorough. New data sought from applicants includes information about misdemeanor proceedings initiated against the applicant, prohibition on business as well as bank accounts owned by the applicant or their businesses. To improve user friendliness, PPA has created a new self-service environment for e-residents at https://eresident.politsei.ee.
[2021-03-26] The Latvian Data Protection Inspectorate did not apply sanctions to the company responsible for the e-shop charlot.ee database leak in which personal data of 14,000 Estonians was made publicly available. According to the Latvian inspectorate, they learned about the personal data of only 168 Latvians being compromised. The Estonian Data Protection Inspectorate (AKI) now regrets not initiating proceedings, as Charlot OÜ had appointed Estonia as the data controller and hence the server’s location in Latvia should not have played a role.
[2021-03-19] The attackers who downloaded 350GB of data from government servers last November used the security testing tool Acunetix to discover the .git directory which had remained public by accident. By using information in the .git directory, the attackers were able to upload malicious code and gain access to the servers. The same scanning pattern has been observed lately against companies in the private sector. RIA has purchased a license to the Acunetix tool and is offering it to the public sector.
[2021-03-17] A former employee of the newspaper Raplamaa Sõnumid was convicted in court of illegally disrupting the operation of the newspaper’s computer system. The employee left the newspaper in 2015 and committed the crime four years later by using Google’s Search Console tool to hide the website https://sõnumid.ee in the Google search engine. The conviction of the county court and the circuit court has been appealed to the Supreme Court.
[2021-03-17] The Prosecutor’s Office has released a yearbook about 2020. In 2020, various covert surveillance operations were carried out on 729 people. There have been cases where criminals have compromised state systems to mine cryptocurrencies. One of the biggest achievements last year was the detention of three Romanian cyber criminals last September, which was possible thanks to direct contacts with foreign partners. In one criminal case, it was possible to seize 1 million worth of cryptocurrency by transferring it to a wallet held by police. It is not uncommon to see criminal cases being closed without gathering additional evidence if the identified IP address is located abroad.
[2021-03-17] Due to an error on the SK ID Solutions side, 6000 Smart-ID users received a false SMS alert as if someone had just created a Smart-ID account on their behalf. It turned out that the alert was not false but had been sent with a delay: Smart-ID users who created an account on 2021-02-27 or later received the alert on 2021-03-17.
[2021-03-08] RIA has published a technical report produced by Cybernetica: “Cryptographic algorithms and their support in libraries and information systems”. The report looks at cryptographic primitives and protocols, federated authentication protocols (OAuth, OpenID), cryptographic libraries and crypto file containers. The use of PGP is not recommended anymore.
[2021-03-04] The birth registration service in the self-service portal of the population register (rahvastikuregister.ee) allows the lookup of a mother’s name and personal identification code by entering a newborn’s personal identification code. A Geenius journalist tried 50 random personal code combinations and in 9 cases was able to see the child’s mother’s name and personal identification code and was able to apply to be registered as the father of the child. There is no rate limit on the number of queries. The officials do not consider this a risk as it only reveals the fact that someone has given birth. The queries leave a trace that can be seen in the data tracker, but to see who exactly viewed the data the child’s mother must contact the Ministry of the Interior. The Data Protection Inspectorate (AKI) sees no problem.
[2021-03-02] The European Court of Justice ruled that the Prosecutor’s Office in Estonia should not grant access to communications metadata as it is not a fully independent party in the conduct of criminal investigations. A good deal of evidence in thousands of criminal cases may prove inadmissible.
[2021-03-02] MKM has submitted a draft regulation on the security of communications networks. The change mostly affects the radio equipment on the mobile operator masts. The transition away from Huawei equipment would cost Elisa up to 54 million euros over the next five years, for Telia up to 5 million euros, but for Tele2 there would be no additional costs. The government will vote on the draft bill in the autumn.
[2021-03-02] The National Audit Office (Riigikontroll) has raised several issues related to X-Road. The audit has found that in many cases X-Road data service providers did not enter into service agreements and the public authorities have not audited whether private operators were implementing adequate security risk mitigation measures. The regulation should clarify which security measures should be implemented at what level. The audit has found that there has been one significant disruption in X-Road services during the last three years due to the failure of key components.
[2021-03-01] A research article by Sven Heiberg, Kristjan Krips and Jan Willemson (Cybernetica): “Mobile Voting – Still Too Risky?”. The article is mainly based on the report “Mobile voting feasibility study and risk analysis” that was released by Cybernetica in April 2020.
[2021-02-01] A denial-of-service extortion attack took place against one of the banks in Estonia. As a result, online banking, card payments and internal bank services were disrupted.
[2021-01-22] Thousands of .ee domains were unavailable for a few hours due to an administrative error made by Zone Media in their name server solution.
[2021-01-18] For a few hours hundreds of websites hosted at Zone Media were not available due to a network switch failure.
[2021-01-15] Denial-of-service attacks took place against Estonian financial institutions and technology companies, accompanied by blackmail letters. The ransom demands were between 0.5 and 10 bitcoins. The longest interruption lasted for about six hours. According to RIA, the attackers did not receive any ransom money from Estonia.