[2021-11-11] The State Electoral Committee (VVK) received an appeal from candidate Andrea Eiche demanding that the i-voting results in Lüganuse municipality be annulled due to alleged vote buying. The complainant claimed that voters had been “persuaded” to cast an i-vote for a Center Party candidate, both at the Kiviõli Russian School and at a nearby store, with the latter providing gifts in return for doing so. The applicant requested VVK to ascertain how many i-votes had been cast for specific candidates from the store’s and the school’s IP addresses. The Supreme Court found that processing such data would breach ballot secrecy. The court found that the allegations lacked sufficient proof, although it ordered the police to investigate a potential criminal offense. https://news.err.ee/1608398816/supreme-court-orders-ppa-investigation-into-alleged-luganuse-vote-buying
[2021-10-28] EKRE submitted a complaint asking for i-voting in the ongoing elections to be declared illegal, as the translation feature of the Google Chrome browser distorted (translated) candidate names listed on the election website kov2021.valimised.ee. On the night of October 13th, the developers of the website added the translate="no" attribute to the candidate list, instructing browsers not to apply translation to that part of the page. The National Electoral Committee (NEC) rejected the complaint, as the names of the candidates were displayed correctly in the i-voting application. The Supreme Court rejected the appeal, assessing any impact of the translation problem as unlikely. https://www.ohtuleht.ee/1047049/riigikohus-e-haaletamine-oli-seaduslik https://news.err.ee/1608379718/ekre-goes-to-court-over-e-voting-translation-issue https://news.err.ee/1608370794/ekre-seeks-annulment-of-e-voting-result
[2021-10-28] Virgo Kruve submitted a complaint asking for i-voting to be canceled for the local elections due to several issues: (1) the source code of the i-voting application was not publicly available; (2) the software was not audited and the i-voting server was not under the supervision of auditors; (3) paper voters and i-voters were not treated equally, as i-voting was not possible on election day; (4) the i-voting application was signed after the i-voting trial; (5) VVK confirmed the results of the i-voting trial after the start of the i-voting period. NEC and the Supreme Court dismissed the complaint: (1) legislation does not require publication of the i-voting application source code or an audit of the application; (2) the law does not impose an obligation to use the i-voting application provided by VVK; (3) the vote verification application can be used to check that the correct vote has been cast; (4) there are measures to verify the authenticity of the state-provided i-voting application. https://www.ohtuleht.ee/1047049/riigikohus-e-haaletamine-oli-seaduslik https://news.err.ee/1608364593/electoral-committee-dismisses-e-voting-organization-complaint
[2021-10-16] On the sixth day of advance voting, voting in polling stations experienced issues from 12:00 to 12:45. The cause was RIA’s authentication service TARA, which is used by the Election Information System VIS3: for security reasons, the number of queries processed from a single IP address was restricted to prevent DoS attacks. While VIS3 was inaccessible, voters were able to cast paper votes using double envelopes. The electronic list of voters was updated as soon as VIS3 became available again. https://digi.geenius.ee/rubriik/uudis/ria-loodud-valimiste-infosusteem-tokestas-valimistel-fuusiliselt-haaletamist/
[2021-09-09] A research article by Sven Heiberg (SCCEIV), Kristjan Krips (Cybernetica/UT), Jan Willemson (Cybernetica/STACC) and Priit Vinkel (Cybernetica/VVK): “Facial Recognition for Remote Electronic Voting – Missing Piece of the Puzzle or Yet Another Liability?”. The authors studied the applicability of facial recognition for verifying voter identities (not specifically for the Estonian i-voting context). The architectural aspects and the main technical and ethical issues were discussed. https://eprint.iacr.org/2021/1143 https://twitter.com/krips_k/status/1437413997393874950 https://cyber.ee/resources/stories/facial-recognition-elections-biometrics/
[2021-09-05] A research article by Bingsheng Zhang (Zhejiang University), Zengpeng Li (Shandong University) and Jan Willemson (Cybernetica): “UC Modelling and Security Analysis of the Estonian IVXV Internet Voting System”. The authors claim that the Estonian i-voting system achieves end-to-end verifiability in practice despite the fact that only 4% (on average) of the i-voters verify their votes. https://arxiv.org/pdf/2109.01994.pdf
[2021-08-28] A research article by Arne Koitmäe (VVK), Jan Willemson (Cybernetica) and Priit Vinkel (Cybernetica): “Vote Secrecy and Voter Feedback in Remote Voting – Can We Have Both?”. The authors discuss the possibility of introducing a feedback channel that would inform a person if someone (or the person themselves) has cast an i-vote in their name. The Estonian i-voting system is used as an example for discussing the possible feedback channel. https://research.cyber.ee/~janwil/publ/Vote-Secrecy.pdf https://link.springer.com/chapter/10.1007/978-3-030-86942-7_10
[2021-08-25] A Belgian cryptographer (Olivier Pereira) described a variant of the revoting attack for the vote verification feature of the Estonian i-voting. By forcing a voter to revote (e.g., by simulating a voting application crash before the verification QR code is shown), on revote a malicious voting application can display the verification QR code from the previous (non-modified) vote cast by the voter, while the revote is substituted with the attacker’s candidate. The benefit compared to the silent revoting is that malware does not have to interact with the ID card (or compromise the voter’s phone in the case of Mobile-ID). An obvious fix is for the i-voting system to allow the verification of the last vote only. The developers of the i-voting system have implemented such a feature, but this feature was not enabled by VVK for the local elections. https://nitter.eu/ikubjas/status/1430875590677123072#m https://eprint.iacr.org/2021/1098
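The “verify the last vote only” fix mentioned above, as an added example that is not code from the IVXV system or its developers: a toy vote store in Go in which each voter’s latest vote supersedes the earlier ones, and a verification request carrying a token from a superseded vote is refused. The store layout, the random hex token standing in for the QR-code contents and the plaintext candidate field are simplifications assumed here; the real system works on encrypted votes and returns ciphertext material to the verification application.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrSuperseded is returned when a verification token refers to a vote that
// has been replaced by a later revote from the same voter.
var ErrSuperseded = errors.New("vote superseded by a later vote; only the last vote can be verified")

// ErrUnknown is returned when no stored vote matches the supplied token.
var ErrUnknown = errors.New("unknown vote token")

// voteRecord is one stored i-vote (constructed, simplified: the real record is
// an encrypted ballot, not a plaintext candidate).
type voteRecord struct {
	voter     string
	candidate string
	token     string // stands in for the value the voting application shows as a QR code
}

// VoteStore keeps every vote it has seen (for audit) and, per voter, the latest one.
type VoteStore struct {
	byToken map[string]*voteRecord
	latest  map[string]*voteRecord
}

// NewVoteStore returns an empty store.
func NewVoteStore() *VoteStore {
	return &VoteStore{byToken: map[string]*voteRecord{}, latest: map[string]*voteRecord{}}
}

// Cast records a vote and returns its verification token. A later Cast by the
// same voter supersedes the earlier vote.
func (s *VoteStore) Cast(voter, candidate string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	rec := &voteRecord{voter: voter, candidate: candidate, token: hex.EncodeToString(buf)}
	s.byToken[rec.token] = rec
	s.latest[voter] = rec
	return rec.token, nil
}

// Verify implements the last-vote-only rule: the stored choice is released only
// if the token belongs to the voter's most recent vote. A voting application
// that re-displays a QR code from an earlier (unmodified) vote therefore gets
// an error instead of a reassuring result.
func (s *VoteStore) Verify(token string) (string, error) {
	rec, ok := s.byToken[token]
	if !ok {
		return "", ErrUnknown
	}
	if s.latest[rec.voter] != rec {
		return "", ErrSuperseded
	}
	return rec.candidate, nil
}

func main() {
	store := NewVoteStore()
	first, _ := store.Cast("voter-1", "candidate A")
	second, _ := store.Cast("voter-1", "candidate B") // the revote

	if _, err := store.Verify(first); err != nil {
		fmt.Println("stale token:", err)
	}
	choice, _ := store.Verify(second)
	fmt.Println("latest vote verifies as:", choice)
}
```

The design choice is that verification is keyed by the token but gated on the voter’s latest record, so the store does not need to know whether the earlier token was presented by mistake or by a malicious client; it simply never confirms anything other than the vote that will actually be counted.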
[2021-08-13] Starting August 23, Estonian identity cards will be issued with the ePassport applet, which contains the cardholder’s photo and fingerprints. Residence permit cards have been issued with the ePassport applet since 2011. The ePassport applet will not be installed on digital identity cards, e-resident’s digital identity cards or diplomatic identity cards. The introduction of the ePassport applet on identity cards is required by an EU regulation. https://news.err.ee/1608306396/fingerprint-recognition-to-be-added-to-new-id-cards https://www.riigiteataja.ee/akt/114082021001
[2021-08-07] The Data Protection Inspectorate (AKI) has stated that an identity check of a person showing a vaccination certificate is allowed only where there is reasonable doubt, for example if there are obvious discrepancies – the name on the certificate is of the opposite sex, the person’s appearance does not match the date of birth, and so on. Also, the applications used to verify vaccination certificates should not store the data or forward it to third parties. The Minister of Health and Labor suggested inspecting vaccination certificates only “visually”, as it is assumed that most people who live in Estonia are honest. https://news.err.ee/1608300642/aki-personal-data-must-be-protected-when-checking-covid-19-certificates https://news.err.ee/1608293448/kiik-vaccination-certificates-will-usually-not-be-scanned
[2021-08-05] RIA has proposed an idea to enable a vaccination status lookup using the document number of the cardholder’s ID card. This would effectively make a person’s vaccination status public, as the document number of a cardholder’s ID card cannot be considered secret. The Health and Welfare Information System (TEHIK) is looking into the legal side of this solution. https://news.err.ee/1608298248/id-cards-could-be-used-as-vaccination-certificates
[2021-07-29] The web app kontroll.digilugu.ee, created to check COVID certificates, provides a misleading status response: it verifies only the authenticity of the certificate, not whether the certificate satisfies the legal requirements (e.g., whether a test result is still within its validity period). Currently, the certificate’s compliance with the legal requirements has to be inspected manually. https://digi.geenius.ee/rubriik/uudis/koroonapassi-apis-on-suur-puudus-riik-ei-tea-millal-see-ara-parandatakse/
[2021-07-15] A Geenius journalist had a look at the mysterious information system SITIKAS created by the State Situation Center. The system is meant to help decision makers and almost 2.8 million euros have been spent on its development. The system uses mostly publicly available information, but the content of the system is classified. Allegedly, the system generates various reports and uses machine learning and neural networks. https://digi.geenius.ee/eksklusiiv/esimest-korda-avalikkuse-ees-salaparane-infosusteem-sitikas-aitab-peaministril-paremaid-otsuseid-teha/
[2021-07-09] RIA has closed an information leak in the state portal eesti.ee, where personal data of 336,733 people could be accessed. The data contained the first and last names, personal identification codes, places of work and, in some cases, links to previous positions. The leak was in the self-service environment that gave representatives of companies the right to manage the access rights of their employees. The leak was part of the intended functionality that was introduced about ten years ago when the approach to data protection and privacy was different than today. The issue was reported by an attentive user. RIA has no information on whether anyone had saved the data. https://www.ria.ee/en/news/data-more-300000-people-were-available-state-portal.html https://digi.geenius.ee/rubriik/uudis/riigiportaalis-olid-kattesaadavad-ule-300-000-inimese-andmed/
[2021-06-29] MKM is using the EU structural funds to produce 60 thematic biographical video interviews to document the history of the Estonian digital state. The plan is to collect the memories and knowledge of the birth and formation of the digital state, including the development of eID, i-voting and cyber security. The work will be completed in the beginning of 2022. https://mkm.ee/et/uudised/eesti-riik-hakkab-talletama-digiriigi-ajalugu
[2021-06-02] RIA organized a seminar “Cyber Security in Estonia 2021” in English. Presentations by Gert Auväärt, Tõnu Tammer, Perit Kirkmann, Mark Erlich, Lauri Tankler and Märt Hiietamm are available in RIA’s youtube channel. https://www.youtube.com/playlist?list=PLNPWRftK1TNr0A3WrxK05IOVCaDlsf6nh
[2021-05-26] The TV investigative program Pealtnägija has published materials and insights from the “passport mafia Marika” criminal case of running an illegal document business with insiders from PPA. A trap was set up with the help of a secret agent who was interested in a document. Video footage and other materials from covert police surveillance activities are demonstrated. https://www.err.ee/1608225496/salajased-kaadrid-pealtnagijas-ulatuslik-passiari-toimis-kui-kellavark
[2021-05-12] There is a plan to amend the Public Information Act that would allow for the classification of documents to last indefinitely. Currently, the access restriction limit for classified documents “information intended for internal use” (AK) is five years. This limit can be extended by another five years to a total maximum of 10 years. https://news.err.ee/1608210079/defense-minister-documents-should-not-be-classified-for-over-10-years
[2021-05-03] Liisa Past (former employee of Cybernetica and RIA) has started working as an information security manager (CISO) at the Information Security Department of the Information Technology and Development Center (SMIT) of the Ministry of the Interior. https://www.smit.ee/et/uudised/smiti-infoturbejuhina-alustas-toeoed-liisa-past-97
[2021-04-22] Äripäev has published a special issue “Cyber security 2021” covering a variety of cyber security related topics: cyber hygiene, i-voting, cybercrime, training of cyber experts and other topics. https://www.aripaev.ee/lisa/2021/04/22/kuberturvalisus-22042021
[2021-04-15] The government introduced draft legislation to strengthen the rules for assessing the trustworthiness of eID systems and to delimit institutional responsibilities. In addition, RIA will be able to check whether providers of public e-services fulfill the obligation, arising from the eIDAS regulation, to recognize international eID solutions. https://news.err.ee/1608178582/government-endorses-regulation-updates-to-e-identification
[2021-03-31] E-residency background checks will become more thorough. New data sought from applicants includes information about misdemeanor proceedings initiated against the applicant, prohibition on business as well as bank accounts owned by the applicant or their businesses. To improve user friendliness, PPA has created a new self-service environment for e-residents at https://eresident.politsei.ee. https://news.err.ee/1608161419/e-residency-background-checks-to-become-more-thorough
[2021-03-17] A former employee of the newspaper Raplamaa Sõnumid was convicted in court of illegally disrupting the operation of the newspaper’s computer system. The employee left the newspaper in 2015 and committed the crime four years later by using Google’s Search Console tool to hide the website https://sõnumid.ee in the Google search engine. The conviction of the county court and the circuit court has been appealed to the Supreme Court. https://digi.geenius.ee/rubriik/uudis/googlei-otsingus-endise-tooandja-veebilehe-varjamine-toi-kaasa-kriminaalasja/
[2021-03-04] The birth registration service in the self-service portal of the population register (rahvastikuregister.ee) allows the lookup of a mother’s name and personal identification code by entering a newborn’s personal identification code. A Geenius journalist tried 50 random personal code combinations; in 9 cases the journalist was able to see the child’s mother’s name and personal identification code and could have applied to be registered as the father of the child. There is no rate limit on the number of queries. The officials do not consider this a risk, as it only reveals the fact that someone has given birth. The queries leave a trace that can be seen in the data tracker, but to find out who exactly viewed the data the child’s mother must contact the Ministry of the Interior. The Data Protection Inspectorate (AKI) sees no problem. https://digi.geenius.ee/eksklusiiv/iga-huviline-saab-e-rahvastikuregistris-naha-vastsundinud-laste-emade-nimesid-ja-isikukoode/
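Two entries above concern the same control from opposite sides: on 2021-10-16 a limit on queries per source IP address in TARA cut off polling stations, and here a lookup service has no query limit at all. The following added example (not code from TARA, VIS3, the population register or any of their developers) is a small fixed-window rate limiter in Go whose key function is pluggable, run over two constructed workloads: many terminals sharing one NAT address, and one authenticated subject issuing many lookups. The limit of 60 requests per minute, the 40 terminals, the IP address 198.51.100.7 and the subject names are all constructed values and are not taken from the incidents described.

```go
package main

import (
	"fmt"
	"time"
)

// Request models one call to a state e-service. SourceIP is what a per-IP
// limiter sees; Subject is the authenticated person or session identity
// (e.g. the identity established through TARA).
type Request struct {
	SourceIP string
	Subject  string
}

// KeyByIP limits per source address: every client behind one NAT shares a bucket.
func KeyByIP(r Request) string { return "ip:" + r.SourceIP }

// KeyBySubject limits per authenticated identity, independent of network path.
func KeyBySubject(r Request) string { return "subject:" + r.Subject }

// Limiter is a fixed-window counter: at most max requests per key per window.
// The clock is injectable so the behaviour is deterministic in this demo.
type Limiter struct {
	max    int
	window time.Duration
	counts map[string]int
	starts map[string]time.Time
	now    func() time.Time
}

// FixedClock is a constructed clock that never advances, keeping every request
// of the demo inside one window.
var FixedClock = func() time.Time { return time.Date(2021, 3, 4, 12, 0, 0, 0, time.UTC) }

// NewLimiter builds a limiter allowing max requests per window per key.
func NewLimiter(max int, window time.Duration, now func() time.Time) *Limiter {
	return &Limiter{max: max, window: window, counts: map[string]int{}, starts: map[string]time.Time{}, now: now}
}

// Allow reports whether one more request for key fits in the current window.
func (l *Limiter) Allow(key string) bool {
	t := l.now()
	if start, ok := l.starts[key]; !ok || t.Sub(start) >= l.window {
		l.starts[key] = t
		l.counts[key] = 0
	}
	if l.counts[key] >= l.max {
		return false
	}
	l.counts[key]++
	return true
}

// CountAllowed runs reqs through l using key and returns how many were admitted.
func CountAllowed(l *Limiter, reqs []Request, key func(Request) string) int {
	allowed := 0
	for _, r := range reqs {
		if l.Allow(key(r)) {
			allowed++
		}
	}
	return allowed
}

// PollingStationRequests constructs perTerminal requests from each of n
// terminals that all sit behind one shared (NAT) address but log in as
// different election officials.
func PollingStationRequests(terminals, perTerminal int) []Request {
	var reqs []Request
	for i := 0; i < terminals; i++ {
		for j := 0; j < perTerminal; j++ {
			reqs = append(reqs, Request{SourceIP: "198.51.100.7", Subject: fmt.Sprintf("official-%d", i)})
		}
	}
	return reqs
}

// SingleSubjectRequests constructs n lookups by one authenticated subject.
func SingleSubjectRequests(n int) []Request {
	reqs := make([]Request, n)
	for i := range reqs {
		reqs[i] = Request{SourceIP: "203.0.113.9", Subject: "subject-1"}
	}
	return reqs
}

func main() {
	stations := PollingStationRequests(40, 3) // 120 legitimate requests, one IP, 40 subjects
	fmt.Println("per-IP limit admits:     ", CountAllowed(NewLimiter(60, time.Minute, FixedClock), stations, KeyByIP))
	fmt.Println("per-subject limit admits:", CountAllowed(NewLimiter(60, time.Minute, FixedClock), stations, KeyBySubject))
	bulk := SingleSubjectRequests(200) // one subject querying far more than a person would
	fmt.Println("per-subject limit on bulk lookups admits:", CountAllowed(NewLimiter(60, time.Minute, FixedClock), bulk, KeyBySubject))
}
```

Keying on the authenticated subject admits all 120 polling-station requests while still capping a single account at 60 lookups per minute; keying on the source address does the reverse, throttling the shared NAT address after 60 requests while saying nothing about how many records one account has read. For an authenticated service, the subject is the more useful key, and the per-IP limit then only needs to be loose enough to absorb a busy NAT.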
[2021-03-01] A research article by Sven Heiberg, Kristjan Krips and Jan Willemson (Cybernetica): “Mobile Voting – Still Too Risky?”. The article is mainly based on the report “Mobile voting feasibility study and risk analysis” that was released by Cybernetica in April 2020. https://research.cyber.ee/~janwil/publ/mvoting-design.pdf
[2021-02-17] An information security specialist of Viljandi Hospital raised a privacy issue of PDF and DDOC signature files being sent for validation to RIA validation service SiVa. According to RIA, data is not permanently stored on RIA servers and the DigiDoc4 client explicitly asks for permission before the file is sent to RIA. The DDOC file validation logic has been moved server side to simplify the DigiDoc4 client-side software. On a side note, people have forgotten that a few years ago, all documents signed using Mobile-ID were sent to the SK DigiDocService. https://www.ohtuleht.ee/1026090/paranoia-voi-suure-venna-sund-digiallkirja-kehtivuse-kontrollimiseks-laheb-dokument-kogu-taiega-riigi-katte-miks
[2021-01-26] Liisa Past and Jan Willemson from Cybernetica, in the Digital Government podcast (30min), talk about the historical and cognitive aspects of i-voting and explain how technology and math ensure a secure and trustworthy solution. https://www.buzzsprout.com/1191800/7491415-what-makes-online-voting-secure
[2021-01-25] The Ministry of Economic Affairs and Communications (MKM), the State Information System Authority (RIA) and the State Electoral Service (RVT) signed a cooperation agreement to define the division of tasks between the agencies for organizing i-voting security. MKM will organize a security audit. RVT undertakes the development of the i-voting system and organization of security testing and risk analysis. RIA will provide hosting services and perform security testing and logging. RVT and RIA will undertake the procurement of a technical and legal analysis of the possibility of voter identification by facial biometrics. The analysis should be conducted by 1 June 2021. https://www.ria.ee/et/uudised/mkm-ria-ja-rvt-solmisid-koostoolepingu-e-valimiste-kuberturvalisuse-korraldamiseks.html
[2021-01-14] The Ministry of Economic Affairs and Communications (MKM) announced a public procurement tender for the audit of the i-voting system. The purpose of the audit is to get a reasoned assessment of the security of the election information systems and proposals for improvements that can raise the level of security. The audit shall be performed by internationally renowned auditors and information security specialists. The deadline for presenting the project’s final report is October 1, 2021. https://news.err.ee/1608073477/ministry-seeking-international-auditor-to-check-security-of-e-elections
[2020-12-22] A research article by Valeh Farzaliyev, Kristjan Krips and Jan Willemson (Cybernetica): “Developing a Personal Voting Machine for the Estonian Internet Voting System”. The article describes a proof-of-concept i-voting client implemented on a microcontroller. The client only supports Mobile-ID for casting an i-vote. The source code of the client and build instructions have been published on GitHub. https://research.cyber.ee/~janwil/publ/votingclient-final.pdf https://github.com/Valeh2012/PersonalVotingMachine
[2020-12-18] RIA has published a technical report produced by Cybernetica: “Analysis of planned architectural changes in Open-eID”. The work analyzes the proposed alternative to TLS certificate authentication – authentication using a new web browser extension that RIA is currently developing. https://web-eid.gitlab.io/analysis/webextensions-main.pdf
[2020-12-30] A new version of the Election Information System (VIS) is being developed which will introduce an electronic list of voters, making it possible to cancel an already cast i-vote on election day with a paper vote. The news portal Geenius tried to establish whether the authorities perform background checks on the employees of the private companies, Nortal and Cybernetica, involved in developing the election information systems. It is not clear whether such checks are needed, as the security of the elections should not depend on the integrity of the developers. https://digi.geenius.ee/rubriik/uudis/kas-valimiste-infosusteemide-arendajate-taust-on-riigile-teada-riigiasutused-keerutavad/
[2020-12-28] Arnis Parsovs (UT) has published the draft of his PhD dissertation “Estonian Electronic ID card and its Security Challenges”. https://cybersec.ee/storage/phd_idcard.pdf
[2020-12-16] For years, an IT employee with a state secret permit mined cryptocurrency at the Ämari air base, bought expensive equipment with the Estonian defense budget and smuggled computer components out of the base to sell them in online forums. The purchased goods were not accounted for in the air surveillance division. From 2015 until his arrest in January 2019, the man illegally used devices belonging to the Defense Forces to mine cryptocurrency worth 30,404 euros and misappropriated at least 190 devices with a total value of 48,935 euros. https://ekspress.delfi.ee/artikkel/91976323/it-mees-armaani-tegi-eesti-kaitserahaga-osturallit-ja-avas-amaris-salajase-kruptorahakaevanduse
[2020-12-08] The Ministry of Interior sells the residence addresses entered in the population register to commercial enterprises for the purpose of sending advertisements or invitations to participate in surveys. Names, e-mail addresses, dates of birth and personal identification codes are not disclosed to the companies, but the addresses can be purchased by specifying the characteristics such as age, gender and mother tongue. People can opt-out by restricting access to their data in the e-service at rahvastikuregister.ee. In 2019, the data was sold to five customers and the state earned 8,205 EUR. https://forte.delfi.ee/news/digi/riik-muutis-inimeste-aadressid-ariks-siseministeerium-muub-rahvastikuregistri-andmeid-otsepostitusfirmadele?id=91904305
[2020-12-07] The Estonian Foreign Intelligence Service (EFIS) allowed an active intelligence officer to give an interview to Postimees. The interview followed strict secrecy rules and Postimees did not learn the agent’s identity. This activity is likely related to the job ads recently put out by the Estonian Foreign Intelligence Service. https://news.postimees.ee/7127281/estonian-intelligence-operative-our-special-tool-is-our-brain
[2020-12-07] The 6th Interdisciplinary Cyber Research conference took place in a semi-online format. The video recordings and proceedings are available. https://www.taltech.ee/en/icr2020
[2020-12-01] RIA is developing an environment which will provide the possibility of installing additional smart card applications on the ID card. There are about four companies working on the creation of apps. The proof of concept will be completed by March 2021. RIA will not charge for apps, but it is possible that the use of the app will require a certain fee to be paid to the companies providing the apps. https://digi.geenius.ee/rubriik/uudis/tulevast-aastast-saab-id-kaardile-appe-installida/
[2020-11-27] EveryPay AS, which offers payment solutions for Estonian e-shops (used by mTasku), made a mistake which resulted in the bank accounts for a few hundred people being emptied. According to the company, it was a human error in the development which the automatic tests did not catch. All affected customers have received a refund. https://raha.geenius.ee/rubriik/uudis/eesti-maksevahendaja-eksitus-tuhjendas-monesaja-inimese-pangakonto/
[2020-11-12] SK ID Solutions AS annual conference was replaced with a video presentation. Among the topics covered: SK team has grown; Smart-ID solution is to be implemented in Iceland; SK has teamed up with TalTech to pre-emptively identify and counter phishing scams. https://www.youtube.com/watch?v=2BBgScfRy0k
[2020-10-29] In the second half of July this year, a new form of banking fraud began to spread – telephone phishing calls. As of the beginning of October, the police have reported 90 cases in which fraudsters were able to cause damage totaling 200,000 euros. The criminals spoof a bank’s caller ID, use hold music, read out the customer’s personal identification code or other personal data, and use every means to create the illusion that the victim is indeed talking to a bank employee. They create fear and state that urgent action is needed. The victim’s phone receives Mobile-ID or Smart-ID authentication requests, and the victim believes that a bank employee is identifying them. The scammers speak Russian and the victims are mainly Russian-speaking customers. From the audio recording of a fraudulent call to Swedbank it is possible to hear that the scammers operate a call center – similar calls to other potential victims can be heard in the background. Phishing e-mails sent in the name of banks are also spreading again. https://tarbija24.postimees.ee/7063755/pank-hoiatab-petukonede-ja-petusonumite-eest https://www.ria.ee/et/uudised/sagenenud-venekeelsed-telefonikoned-raha-valja-petmiseks.html https://www.err.ee/1153036/pangapettuste-ohvriks-langevad-enamasti-venekeelsed-kliendid https://news.err.ee/1153654/ppa-ria-warn-against-phishing-letters-spread-on-behalf-of-banks
[2020-10-16] A recent audit conducted by the Data Protection Inspectorate (AKI) finds that local municipality governments often unjustifiably mark documents as “information intended for internal use”. Most commonly, employees’ wages and vacation information are hidden. There are rumors that when signing an agreement, some personal information is included on purpose so that access restrictions can be applied. At the same time, plenty of documents containing the full names and contact details of private persons are available to the public. Sometimes personal data leaks because it is included in the public title of a non-public document. https://news.err.ee/1147941/data-protection-inspectorate-local-governments-cover-for-officials
[2020-09-25] A research article by Mihkel Solvak (UT): “Does vote verification work: usage and impact of confidence building technology in Internet voting”. The study finds that i-vote verifiers are younger males and Linux users, with the verification rate especially high in the 18 to 40 age group; voting from abroad clearly leads to more verification; and cast-as-intended verification leads to higher confidence that one’s vote was taken into account. https://link.springer.com/chapter/10.1007/978-3-030-60347-2_14
[2020-09-18] From August, RIA started monitoring procedures for the implementation of information security measures for all critical databases in Estonia. A total of ten critical databases have been defined: e-file (e-toimik), land register, commercial register, Riigi Teataja information system, land cadastre, state treasury information system, taxpayer register, population register, register of identity documents and state pension insurance register. https://www.ria.ee/et/uudised/olukord-kuberruumis-august-2020.html
[2020-09-17] The investigative journalism show “Pealtnägija” investigated a scam of fictitious real estate ads targeted at foreign students. While the victims believed that they were transferring money as a deposit for an apartment, they effectively paid an Estonian Bitcoin trader for the scammer’s purchase of bitcoins. https://news.err.ee/1136558/pealtnagija-foreign-students-falling-victim-to-fictitious-real-estate-ads
[2020-09-17] Government will revoke 10 citizenships acquired illegally as the result of a widespread fraud that was committed during the years of 2013-2015 by a criminal group involving PPA employees. Previously, Estonian citizenship has only been revoked once by a government decision in 2016. https://news.err.ee/1136097/government-to-revoke-10-citizenships-acquired-illegally
[2020-09-06] A research article by Valentyna Tsap (TalTech), Silvia Lips (TalTech) and Dirk Draheim (TalTech): “Analyzing eID Public Acceptance and User Preferences for Current Authentication Options in Estonia”. The study finds that the ID card is used the most to access e-services; Smart-ID holds second place; username/password and Mobile-ID share third place. https://link.springer.com/chapter/10.1007/978-3-030-58957-8_12
[2020-09-01] Kaija Kirch, previously a document expert at the Estonian Police and Border Guard Board (PPA), now works for Cybernetica.
[2020-08-28] After two years, the court has not yet started to resolve the case of PPA vs Gemalto. In August 2019, a preliminary hearing was held where the possibility of finding a compromise was discussed. However, as of 2020-08-28 no compromise has been reached and both parties have submitted a number of different requests that the court has to resolve. https://forte.delfi.ee/news/tehnika/politsei-vs-gemalto-kaks-aastat-kohtuveskeid-ja-ei-tuhjagi?id=90871257
[2020-08-25] BSc thesis by Sander-Karl Kivivare (UT): “Secure Channel Establishment for the NFC Interface of the New Generation Estonian ID Cards”. The thesis describes the cryptographic protocol that is used to communicate with the Estonian ID card over the contactless interface and provides detailed instructions with code examples in Python, to help software developers create applications that can make use of the new NFC interface introduced in the ID cards issued since December 2018. https://comserv.cs.ut.ee/ati_thesis/datasheet.php?id=70557&year=2020&language=en https://github.com/Kivivares/estid-nfc
[2020-08-25] BSc thesis by Jekaterina Gorohhova (UT): “Malicious Android app for security testing”. In the context of this thesis, an Android app was developed to demonstrate how a malicious app with a given set of Android permissions can abuse them to collect personal data stored on a user’s device and then send it out. https://comserv.cs.ut.ee/ati_thesis/datasheet.php?id=70525&year=2020&language=en
[2020-08-20] July statistics from the state authentication service TARA show that Smart-ID became the most popular identification tool, outperforming the ID card. The number of government agencies using TARA in their e-services is currently between 30 and 40, but RIA expects it to grow to over a hundred. RIA plans to remove the bank-link authentication option from TARA at the end of 2020, as the banks are accessed with the same ID card, Mobile-ID and Smart-ID that TARA supports directly. https://forte.delfi.ee/news/digi/smart-id-tousis-koige-populaarsemaks-tuvastusvahendiks-eesti-riigi-e-teenustes?id=90789775
[2020-08-14] Research article by Arnis Parsovs (UT): “Estonian Electronic Identity Card: Security Flaws in Key Management”. The article, among other things, provides details about the malpractice of the Estonian ID card manufacturer Gemalto in generating private keys outside the ID card. https://www.usenix.org/conference/usenixsecurity20/presentation/parsovs
[2020-08-13] Tartu County Court convicted Dennis Einasto of computer fraud that caused nearly €28,500 in damages, of illegally obtaining access to computer systems and of large-scale money laundering. Overall, he was sentenced to 4.5 years in jail. Einasto’s computer contained cryptocurrency and web-hosting databases holding large numbers of usernames and passwords that did not belong to him. The cyber crimes were committed on an international scale. https://news.err.ee/1123315/tartu-county-court-convicts-man-of-cyber-crime-money-laundering
[2020-08-05] The passwords and e-mail addresses of 27,000 users of an unnamed Estonian advertising portal were leaked. The data was accessible for almost a year without the portal being aware of it. The portal has informed users about the leak, and the same account data can no longer be used to log in to the environment. Although the portal did not inform the Data Protection Inspectorate (AKI) in time, AKI has not yet decided whether supervision proceedings should be initiated. https://digi.geenius.ee/rubriik/uudis/27-000-eestlase-paroolid-lekkisid-portaal-kuulis-lekkest-aasta-parast-selle-toimumist/
[2020-07-21] The government has made amendments to the “Statutes of the Health Information System” allowing the authentication of subjects using “ID card, Mobile-ID, Smart-ID or other equivalent device”. Historically, access to the Health Information System has only been granted based on authentication using the ID card. The security requirements have likely been relaxed due to the pressing coronavirus situation. https://www.riigiteataja.ee/akt/118072020004
[2020-07-10] Research article by Kaido Kikkas (TalTech) and Birgy Lorenz (TalTech): “Training Young Cybersecurity Talents – The Case of Estonia”. The paper describes the Estonian experience with the CyberOlympics/CyberSpike program from 2017–2019 and reflects on the lessons learned about talent building in cybersecurity. https://link.springer.com/chapter/10.1007/978-3-030-50729-9_36
[2019-12-19] A research paper by Abasi-amefon Affia (UT): “Assessing the NFC Unlock Mechanism of the Tartu Smart Bike Share System”. The paper describes a flaw in the Tartu Smart Bike Share System that can be exploited to create a clone of a victim’s Tartu bus card, which can then be used to unlock the bikes. To create the clone, only the card number printed on the victim’s Tartu bus card is needed (valid numbers can be guessed). The flaw has now been partially mitigated: cloning is still possible, but is no longer trivial. https://kodu.ut.ee/~arnis/bikeshare_nfc.pdf
[2020-07-01] SK intermediate CA certificates have been issued with the OCSP Signing extended key usage, which means that revoking these intermediate CA certificates in the event of key compromise would be problematic: a CA certificate that may itself sign OCSP responses can vouch for its own validity. According to the CA/Browser Forum Baseline Requirements these certificates have been misissued and SK should revoke them. SK has responded that it does not plan to revoke the certificates and is ready to leave the Mozilla CA program earlier than planned (the last 4 still-valid TLS server certificates issued by SK will expire by September 29, 2020). https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13607.html https://bugzilla.mozilla.org/show_bug.cgi?id=1649942
[2020-06-17] Research article by Valentyna Tsap (TalTech), Silvia Lips (TalTech) and Dirk Draheim (TalTech): “eID Public Acceptance in Estonia: towards Understanding the Citizen”. The researchers conducted a survey among Estonian eID users to find out which of the existing eID authentication options are preferred and why. https://dl.acm.org/doi/pdf/10.1145/3396956.3397009
[2020-06-04] The use of eID increased in the period of COVID emergency. As of May, 35 institutions with as many as 114 different applications had joined the state authentication service. https://blog.ria.ee/e-riik-eriolukorras/
[2020-06-01] Research article by Arnis Parsovs (UT): “Solving the Estonian ID Card Crisis: the Legal Issues”. The study analyzes to what extent, while solving the 2017 ID card crisis, the involved parties were able to precisely follow the applicable laws and regulations in the field. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3644664
[2020-05-28] RIA provided an explanation for why they recommended that the National Electoral Committee not enable Smart-ID for i-voting in the 2021 elections. To summarize: (1) Smart-ID has been used in successful attacks; (2) Smart-ID is not a state-provided eID solution, and if i-voting were allowed with Smart-ID there would be no reason not to enable i-voting with other private eID solutions as well; (3) there is not enough experience to say whether Smart-ID biometric enrollment is secure enough; (4) the state does not have enough control over Smart-ID to intervene in case of an emergency. https://blog.ria.ee/smart-id-ja-valimised/
[2020-05-27] The Estonian Students Society organized a public discussion about cyber security. Participants in the discussion: Siim Alatalu (Head of EU CyberNet), Märt Hiietamm (Head of RIA Analysis and Prevention Department), Uku Särekanno (European Union IT Agency), Ragnar Õun (Head of RIA Critical Information Infrastructure Protection Department) and Ilmar Üle (CERT-EU). https://www.youtube.com/watch?v=qpr3IQCRSp8
[2020-05-26] Research article by Anne Veerpalu (UT), Liisi Jürgen (UT), Eduardo da Cruz Rodrigues e Silva (TalTech) and Alex Norta (TalTech): “The hybrid smart contract agreement challenge to European electronic signature regulation”, assesses whether the signature on a smart contract used in an ICO process is functionally equivalent to the qualified electronic signature under eIDAS. https://academic.oup.com/ijlit/advance-article-abstract/doi/10.1093/ijlit/eaaa005/5846238
[2020-05-19] LHV bank accidentally leaked the names of 200 LHV customers by sending a mass e-mail with the recipients in the CC field. According to the Data Protection Inspectorate, the data controller must notify the Inspectorate of a personal data breach within 72 hours of the incident, but the bank itself must assess whether the incident qualifies as a breach. https://forte.delfi.ee/news/varia/suur-eksitus-lhv-lekitas-kogemata-sadade-laenusaajate-nimed?id=89906591
[2020-05-12] Riigikogu amended the Electronic Communications Act, providing that in order to ensure national security the government may, by regulation, oblige a communications undertaking to notify the authorities of the hardware and software used in its communications network and to apply for a permit to use that hardware and software. These amendments are most likely aimed at excluding Huawei from 5G deployment. https://www.riigikogu.ee/istungi-ulevaated/riigikogu-muutis-elektroonilise-side-seadust/
[2020-04-18] According to RIA, in April 18 denial-of-service attacks with a similar signature were carried out against the e-services eesti.ee, id.ee, emta.ee, elron.ee and elisa.ee. RIA was also notified of DoS attacks against eKool.eu and SK ID Solutions. On April 22, the availability of Luminor’s banking website was disrupted as a result of a DDoS attack on a Lithuanian service provider. https://www.ria.ee/et/uudised/olukord-kuberruumis-aprill-2020.html
[2020-03-23] Research article by Luukas Ilves (Guardtime) and Anna-Maria Osula (Guardtime/TalTech), “The Technological Sovereignty Dilemma – and How New Technology Can Offer a Way Out”, discusses 5G and related topics. https://cybersecforum.eu/media/ECJ_vol6_issue1.pdf
[2019-12-18] A member of the i-voting working group, Heldur-Valdek Seeder, published video recordings of the working group’s meetings on a personal blog. Initially, the minister Kert Kingo wanted to classify the content of the working group, but the majority of members did not support this idea, hence there may be no basis to request removal of the published videos. https://digi.geenius.ee/rubriik/uudis/e-valimiste-tooruhma-liige-avalikustas-omavoliliselt-koosolekute-videosalvestisi/
[2020-02-12] The state pays for Smart-ID on a per-use basis: the more people use Smart-ID, the more the state has to pay (SK offers volume discounts). Smart-ID users outnumber Mobile-ID users roughly two-to-one today. At the end of 2019, there were 230,000 Mobile-ID users and 430,000 Smart-ID users. https://news.postimees.ee/6898254/estonia-to-create-new-digital-identification-tool
[2020-02-12] The Estonian Foreign Intelligence Service has published their 2020 report. It contains a section on Russian cyber operations in 2019 and mentions potential Chinese threats including Huawei. https://www.valisluureamet.ee/pdf/raport-2020-en.pdf
[2020-02-12] An absurd incident was reported which highlights the core weakness of Mobile-ID (and Smart-ID). A customer of Luminor Bank unexpectedly logged into a stranger’s bank account. The customer accidentally entered the wrong username, and the real owner of that username, who received an authentication request on his phone that he had not initiated, confirmed the login with his Mobile-ID. The bank acknowledged that similar incidents have happened before. SEB bank also confirmed similar incidents. https://epl.delfi.ee/uudised/kogemata-voorale-kontole-turvarisk-toob-netipanka-uue-lahtri?id=88906895
[2020-02-11] RIA and PPA launched a cybercrime information website (cyber.politsei.ee) where people are asked to report suspicious emails, account hijacking, money stolen from accounts, etc. The data will be used to inform the public about new crime schemes and to help investigate cases. https://news.err.ee/1033928/police-launch-cybercrime-information-website
[2020-02-10] After the Tartu Smart Bike Share website had a security flaw which gave access to personal data of registered users, the Data Protection Inspectorate conducted a proceeding on the activities of the Tartu City Government over a longer period of time and concluded that the data leak did not pose a risk to users. https://digi.geenius.ee/rubriik/uudis/tartu-rattaringluse-andmeleke-ei-kujutanud-kasutajatele-ohtu/
[2020-01-30] RIA introduced a state signing service (SiGa) to replace DigiDocService. The service allows the creation of documents digitally signed with ID card and Mobile-ID and the validation of signatures. The service is provided to all persons performing public tasks. The software used by the service is public and allows anyone to run a similar service themselves. https://www.ria.ee/et/uudised/ria-vastvalminud-riigi-allkirjastamisteenus-hoiab-asutuse-kulusid-kokku.html
[2020-01-10] Geenius contacted the biggest banks in Estonia, asking whether they have enabled security features to prevent criminals from using their domain names in e-mail spoofing attacks. Danske Bank, Svenska Handelsbanken, Citadele, SEB and Bigbank have introduced DMARC to prevent e-mail spoofing attacks. Swedbank has been considering implementing DMARC for half a year already. In LHV’s opinion, DMARC implementation is too complicated. https://digi.geenius.ee/rubriik/uudis/eesti-pangad-on-hakanud-agaramalt-kasutama-tehnoloogiat-millega-e-kirja-pettuseid-valtida/
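What “introduced DMARC” buys a bank depends on the policy it publishes: a `p=none` record only produces reports, while `p=reject` lets receivers drop mail that fails SPF/DKIM alignment with the From domain. The following is an added example (not from the article or any bank) that evaluates a message against a DMARC record the way a receiving mail server does per RFC 7489; the domains `bank.example` and `evil.example` and the records are constructed for the example, and the organisational-domain logic is simplified to the last two labels.

```python
from typing import Optional, Tuple


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    # Simplification for the example: last two labels, no public-suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 s.3.1): 's' = exact match,
    'r' (relaxed, the default) = same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain: str, dmarc_txt: Optional[str],
                      spf_pass_domain: Optional[str] = None,
                      dkim_pass_domain: Optional[str] = None) -> Tuple[str, str]:
    """Decide what a receiver does with a message whose RFC5322.From is @from_domain.

    spf_pass_domain:  the MAIL FROM domain if SPF returned 'pass', else None.
    dkim_pass_domain: the d= domain of a valid DKIM signature, else None.
    Returns (disposition, reason)."""
    if dmarc_txt is None:
        return "deliver", "no_record"          # spoofed mail is indistinguishable
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v") != "dmarc1":
        return "deliver", "invalid_record"
    if aligned(spf_pass_domain, from_domain, tags.get("aspf", "r")) or \
       aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r")):
        return "deliver", "pass"
    policy = tags.get("p", "none")
    if policy in ("quarantine", "reject"):
        return policy, f"p={policy}"
    return "deliver", "p=none"                 # monitoring only: the spoof still lands


if __name__ == "__main__":
    # A spoofed mail: From: @bank.example, but SPF only passes for the attacker's own domain.
    for record in (None, "v=DMARC1; p=none; rua=mailto:dmarc@bank.example", "v=DMARC1; p=reject"):
        print(record, "->", dmarc_disposition("bank.example", record, spf_pass_domain="evil.example"))
```

The three printed cases show why the distinction matters: with no record or `p=none` the spoofed message is delivered, and only `p=reject` (or `quarantine`) changes the outcome. Legitimate mail from `mail.bank.example` still passes under relaxed alignment, which is the usual reason banks hesitate before tightening to `aspf=s`/`adkim=s`.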
[2020-01-04] The Minister of the Interior was asked how many cases of illegal surveillance have been investigated by authorities. According to the response, 17 cases of private surveillance were registered in 2016, 71 cases in 2017, 22 cases in 2018 and 24 cases in 2019. There was one confirmed case of illegal surveillance and covert listening in 2017. https://news.err.ee/1020497/authorities-not-interested-in-former-minister-s-bugged-office-claims
[2020-01-03] SK ID Solutions has paid a contractual penalty to AS LHV Pank for disruptions in the functioning of the Mobile-ID service, as the maximum permitted downtime of 45 minutes was exceeded in 2019. SEB, Swedbank and Luminor refused to disclose whether they have sought contractual penalties from SK ID Solutions. https://news.err.ee/1020240/sk-id-solutions-pays-penalty-to-lhv-for-disruptions-in-mobile-id-service
[2019-12-23] A fraud case involving fake container-deposit (taara) refund receipts caused €12,925 in damages. The fake receipts were printed with a cashier printer on the same paper as the real ones. The criminals understood the composition of the bar code and configured the printer so that the printout would deceive the Maxima checkout system, which is designed to prevent a copy of a receipt from being redeemed. It turned out that the receipts were printed by an IT specialist from the company that serviced the deposit vending machines at Maxima stores. The criminals were tracked down using CCTV footage, which the store retains for 30 days. https://ekspress.delfi.ee/kuum/aasta-krimiullatus-voltsitud-taaratsekkidega-raha-kokku-ajanud-kelmid-tootasid-nagu-mafioosod?id=88435809
[2019-12-23] The Supreme Court expressed its position in the case where a woman gave her ID card and PIN codes voluntarily to a man who ordered some merchandise in her name from Telia e-shop using ID card authentication. The case has been sent back to district court. According to the Supreme Court, in case the owner voluntarily gives his ID card with PIN codes to another person who uses the ID card to enter into a transaction, the transaction (or digital signature) may be valid based on the provisions of “entry into transaction through representative” (General Part of the Civil Code Act – GPoCCA – Chapter 8). As the court referenced GPoCCA § 131, this construction can still be attacked and the signed contract later annulled. https://ekspress.delfi.ee/sisuturundus/e-identimise-vahendite-turvalisest-hoidmisest-ja-tehingutest?id=88465617 https://www.riigikohus.ee/et/lahendid?asjaNr=2-16-124450/77
[2019-12-20] A group of Estonians used blank chip and PIN cards containing stolen credit card data to empty bank accounts of Indian, Bangladeshi and Pakistani victims. The criminals also attempted to order 17 phones in total from Klick using a Japanese credit card, but were reported to the police. https://news.postimees.ee/6855114/estonian-gang-emptied-indian-bank-accounts
[2019-12-19] The Supreme Court of Estonia ruled that the bill expanding EDF surveillance rights is unconstitutional. The court said that the covert collection and processing of personal data may be necessary for the effective defense of domestic and external peace, however, legislation should establish efficient procedural guarantees similar to those set out in the Code of Criminal Procedure, in order to eliminate the possibility of the person against whom surveillance is conducted not being informed of the EDF having processed their data. https://news.err.ee/1015626/top-court-bill-seeking-to-expand-edf-surveillance-rights-unconstitutional
[2019-12-18] A hidden camera was found at the metal company AKG Loots. The high-tech camera was installed under the ceiling of the production workshop and was continuously transmitting. Industrial espionage is suspected, as the company has several international clients with classified contracts. https://ekspress.delfi.ee/teateid-elust/metallifirmas-leiti-salajane-jalgimisseade?id=88407489
[2019-12-12] Florian Hartleb wrote an article “e-Estonia. Europe´s Silicon Valley or a new 1984?”. The article mentions X-Road, personal ID code, DDoS attacks in 2007, Infineon ID card crisis in 2017 and data embassy project. Contrary to the title, the privacy aspects are not discussed in depth. https://link.springer.com/chapter/10.1007/978-3-030-27957-8_16
[2019-12-05] A cryptographer from the Republic of Senegal published a subtle attack against the Smart-ID clone detection mechanism described in the original Smart-ID paper. The flaw allows an attacker who has cloned a victim’s Smart-ID app instance to forge signatures before the victim next uses his instance, in such a way that when the victim does use his Smart-ID instance, the attacker’s clone that was used to forge signatures is not detected by the server. The flaw lies in the fact that, according to the protocol description, the next expected request ID is set by the client and not by the server; after the attack the attacker can therefore reset the next request ID to the value still stored in the victim’s Smart-ID instance, so that the victim’s next request is accepted by the Smart-ID server. SK has responded that the actual Smart-ID implementation uses an updated clone detection mechanism which is not affected by this flaw. https://eprint.iacr.org/2019/1412 https://twitter.com/doomsdaysoup/status/1204399972231331846 https://www.skidsolutions.eu/en/News/iacr-published-smart-ids-cryptanalysis/
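To make the flaw concrete, here is an added toy model of the counter-based clone detection as summarized above (this is not SK’s code nor the paper’s, and SK states the deployed mechanism differs). Each app instance stores the request ID the server expects next; a request whose ID does not match is refused and the account flagged, because a mismatch means some other instance has been used in between. The only difference between the two variants is who chooses the next expected ID; the account name and the 64-bit IDs are constructed for the example.

```python
import secrets
from typing import Optional, Tuple


class SmartIdServer:
    def __init__(self, client_picks_next: bool):
        self.client_picks_next = client_picks_next   # True = the flaw in the published description
        self.expected = {}      # account -> request ID expected on the next call
        self.alerts = []        # accounts flagged as cloned

    def enroll(self, account: str) -> int:
        self.expected[account] = secrets.randbits(64)
        return self.expected[account]

    def sign(self, account: str, request_id: int, proposed_next: int) -> Optional[int]:
        """Accept the request only if the presented ID is the expected one.
        Returns the ID to present next, or None if refused and flagged."""
        if request_id != self.expected[account]:
            self.alerts.append(account)
            return None
        nxt = proposed_next if self.client_picks_next else secrets.randbits(64)
        self.expected[account] = nxt
        return nxt


class AppInstance:
    def __init__(self, account: str, request_id: int):
        self.account, self.request_id = account, request_id

    def clone(self) -> "AppInstance":
        # Attacker copies the app state (keys and counter) off the victim's device.
        return AppInstance(self.account, self.request_id)

    def use(self, server: SmartIdServer, propose: Optional[int] = None) -> bool:
        nxt = server.sign(self.account, self.request_id,
                          propose if propose is not None else secrets.randbits(64))
        if nxt is None:
            return False
        self.request_id = nxt
        return True


def clone_attack(client_picks_next: bool) -> Tuple[bool, bool, int]:
    """Attacker forges one signature with the clone before the victim's next use.
    Returns (forgery accepted?, victim's next request accepted?, clone alerts raised)."""
    server = SmartIdServer(client_picks_next)
    victim = AppInstance("alice", server.enroll("alice"))
    clone = victim.clone()
    stolen_id = victim.request_id
    # The forged request. In the flawed variant the attacker proposes, as the *next*
    # expected ID, exactly the value the victim's untouched instance still holds, so the
    # counter is "rewound" and the victim's own request later lines up with the server.
    forged_ok = clone.use(server, propose=stolen_id)
    victim_ok = victim.use(server)
    return forged_ok, victim_ok, len(server.alerts)


if __name__ == "__main__":
    print("client picks next ID:", clone_attack(client_picks_next=True))   # forgery undetected
    print("server picks next ID:", clone_attack(client_picks_next=False))  # victim's request refused, alert
```

With the client choosing the next ID the forgery goes through and no alert is ever raised; with the server choosing it, the clone’s use desynchronizes the victim’s instance, whose next request is refused and flagged, which is the whole point of the counter.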
[2019-12-02] SEB has made an update to its Android mobile app, which now allows SEB customers to make payments by touching a payment terminal with their mobile phone. The app can be used to pay for mobile purchases up to €150 if NFC has been enabled on the phone. https://tehnika.postimees.ee/6839851/seb-apiga-saab-ka-nuud-poes-maksta
[2019-11-29] Phishing attacks against Smart-ID users have advanced. Attackers are now performing active (relay) attacks and displaying to victims the correct Smart-ID verification code. The usual defense of comparing the verification code shown on the website with the one on the phone no longer works. The only remaining defense is to verify that the authentication is being performed on the expected website, i.e. to check the address in the browser. https://www.ria.ee/et/uudised/petturite-ongitsuslehed-muutumas-inimeste-jaoks-usutavamaks.html
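Why code comparison fails against a relay: the verification code is a function of the hash the relying party submits for signing and of nothing else, so a phisher who opens a genuine session on the real site and forwards it shows the victim the very code the victim’s phone displays. The following is an added example (not from RIA or SK). The code derivation follows SK’s published Smart-ID API documentation as I recall it (last two bytes of SHA-256 of the hash, big-endian, mod 10000, four digits); the conclusion does not depend on the exact formula, only on the code being derived from the request alone. Site names and challenges are constructed.

```python
import hashlib
import secrets


def smart_id_verification_code(hash_to_sign: bytes) -> str:
    """Verification code per SK's Smart-ID API documentation (as recalled here):
    SHA-256 of the hash being signed, last two bytes as a big-endian integer,
    reduced mod 10000 and zero-padded to four digits."""
    tail = hashlib.sha256(hash_to_sign).digest()[-2:]
    return f"{int.from_bytes(tail, 'big') % 10000:04d}"


class GenuineSite:
    """Relying party: picks a random challenge, submits its hash to Smart-ID and
    shows the resulting code on its login page. The user's phone shows the same code."""
    def start_authentication(self) -> dict:
        challenge = secrets.token_bytes(64)
        hash_to_sign = hashlib.sha256(challenge).digest()
        code = smart_id_verification_code(hash_to_sign)
        return {"hash": hash_to_sign, "page_code": code, "phone_code": code}


class StaticPhisher:
    """Old-style phish: a copied login page that can only guess a code; the phone
    shows the code of whatever request the phisher triggers with the stolen personal code."""
    def lure(self, victim_session: dict) -> dict:
        return {"page_code": "0000", "phone_code": victim_session["phone_code"]}


class RelayPhisher:
    """Active phish: the victim types into the lookalike site, the phisher opens a real
    session on the genuine site and simply forwards what that session displays."""
    def __init__(self, target: GenuineSite):
        self.target = target

    def lure(self) -> dict:
        session = self.target.start_authentication()
        # Nothing in the code identifies the origin, so the forwarded code is identical.
        return {"page_code": smart_id_verification_code(session["hash"]),
                "phone_code": session["phone_code"]}


def user_compares(view: dict) -> bool:
    """The user's check: does the code on the page match the code on the phone?"""
    return view["page_code"] == view["phone_code"]


def static_phish_detected() -> bool:
    site = GenuineSite()
    return not user_compares(StaticPhisher().lure(site.start_authentication()))


def relay_phish_detected() -> bool:
    return not user_compares(RelayPhisher(GenuineSite()).lure())


if __name__ == "__main__":
    print("static phish caught by code comparison:", static_phish_detected())  # almost always True
    print("relay phish caught by code comparison: ", relay_phish_detected())   # always False
```

The static phisher is caught (barring a 1-in-10000 lucky guess), the relay phisher never is: the only signal that differs between the two views is the origin the browser shows, which is exactly what RIA now tells users to check.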
[2019-11-27] Registration of marriage is one of the few things that cannot be concluded digitally. The state is now analyzing the possibility of making marriage registration easier and partly accessible through the state portal eesti.ee. https://news.err.ee/1007521/state-analyzing-online-marriage-registration
[2019-11-26] People sent letters to the Ministry of Justice and the Chancellor of Justice expressing their dissatisfaction with the fact that the real estate owned by them can be searched in the electronic land register by anyone. The land register has now been modified such that only an authenticated user would be able to search for real estate by name or personal identification code leaving an audit trail. https://tehnika.postimees.ee/6835333/riik-asus-piirama-kinnistusraamatus-tuhnimist
[2019-11-20] A communication channel has been set up between the police and Facebook, allowing police officers to obtain Facebook account holders’ information within minutes if the police estimate that there is a real risk to human life. If there is no immediate threat, a request takes longer, sometimes a couple of days. In 2019, PPA asked Facebook about 88 accounts, requesting an expedited response nine times. Account freezes have been requested for 14 accounts. https://digi.geenius.ee/rubriik/uudis/kuidas-ja-kui-kiiresti-saab-politsei-facebookist-katte-kaja-kallase-ahvardajate-ja-teiste-kahtlusaluste-andmed/
[2019-10-30] The Estonian Research Council has financed the creation of a programmable USB device with a RGB LED and button, which can be programmed, for example, to emulate a keyboard and send key strokes after it is plugged into the computer. The device was given out to high school students in the Robotex event. https://hackest.org/usb/
[2019-09-25] The requirement for an age check when ordering alcohol online is not enforced by all e-shops. Some parcel terminals require the ID card of an adult to be inserted, but the terminal does not ask for a PIN code (which means that the process does not involve any cryptography). https://epl.delfi.ee/uudised/e-poest-alkoholi-tellides-piisab-taisealise-id-kaardist?id=87524573
[2019-04-26] TalTech, in cooperation with others, has created a digital textbook for a high school cyber security elective course. The textbook covers various topics and includes a lot of previously unreleased video material. https://web.htk.tlu.ee/digitaru/kyberkaitse/
[2017-01-27] In Tallinn Circuit Court, defendants contested the integrity of electronic evidence (a virtual machine image containing Skype logs) on the grounds that the integrity of the disk image had been secured by a hash computed with the outdated MD5 function. The defendants demonstrated a practical MD5 collision attack by showing two visually different image files with the same MD5 hash value. The court correctly noted that while MD5 is not collision resistant, it is still second-preimage resistant, which is the property that guarantees the integrity of already-collected evidence (a collision requires the attacker to choose both files, whereas modifying a fixed original undetected requires a second preimage). https://journals.sas.ac.uk/deeslr/article/view/5081
[2019-11-04] UT researchers performed interdisciplinary research on the compliance of Estonian digital signatures with national and EU legal requirements. One finding is that the “Signed on” time displayed by DigiDoc software cannot be trusted to establish the actual time of signing. Another finding is that, due to the certificate validity suspension option, the vast majority of digital signatures created to date cannot be verified according to legal requirements. https://cybersec.ee/timesign/
[2019-10-25] Justice ministry conducted an audit into whether judges had accessed documents in the court information system regarding cases in which they do not take part. Judges warned that such audits would undermine judges’ confidence in and willingness to use the information systems. https://news.err.ee/995904/judges-protest-justice-ministry-court-information-inspection
[2019-10-18] The Estonian state will form a large cyber security policy council. MKM wishes to involve 32 different parties. The tasks of the council will include sharing information on sectoral developments and challenges, building situational awareness on cyber security, and addressing cyber security policies. https://digi.geenius.ee/rubriik/uudis/eesti-riik-moodustab-suure-kuberturvalisuse-poliitika-noukogu/
[2019-07-09] Research article by Emin Caliskan, Risto Vaarandi and Birgy Lorenz (TalTech): “Improving Learning Efficiency and Evaluation Fairness for Cyber Security Courses: A Case Study”. They present a case study on the Cyber Defense Monitoring Solutions course of the TalTech Cyber Security MSc program. https://link.springer.com/chapter/10.1007/978-3-030-22868-2_45
[2019-08-29] I-voting workgroup members have submitted 30 suggestions for improvements. Among them is the proposal that the number of people involved in conducting and supervising elections should increase and to raise the number of independent observers at election counts. https://news.err.ee/974715/e-voting-workgroup-recommends-more-audits-and-observers
[2019-08-23] MoD announced MSc thesis scholarship competition in categories: cryptography; situational awareness; accounting of defense material; planning and management of defense infrastructure; drones. The Master’s thesis scholarship competition is aimed primarily at students entering the Master’s program, but applications may also be submitted by second-year students who have not yet chosen a Master’s Thesis. http://www.kaitseministeerium.ee/et/eesmargid-tegevused/teadus-ja-arendustegevus/kaitsealaste-magistritoode-stipendiumikonkurss
[2019-07-23] IT minister to establish cybersecurity working group whose task will be to coordinate the implementation of the 2019-2022 cybersecurity strategy. This is the third strategy document for the cybersecurity and safety field that defines a longer-term vision for the sector, the objectives to be achieved, and priority courses of action, roles and responsibilities for achieving it. https://news.err.ee/964005/it-minister-to-establish-cybersecurity-working-group
[2019-07-02] At the National Defense Council meeting it was agreed that MKM would come out by the end of the year with proposals to strengthen the country’s cryptographic and information security areas. It also gave an overview of the current status of the agreed activities following the ID-card crisis of 2017. https://www.ituudised.ee/uudised/2019/07/02/kaljulaid-peame-kuberturbe-alast-voimekust-suurendama
[2019-06-28] E-mail notices sent by the state to the personal_ID_code@eesti.ee address (but not to name@eesti.ee) will be stored in a virtual “mailbox” on eesti.ee, regardless of whether e-mail forwarding has been configured. https://blog.ria.ee/eesti-ee-meiliaadressidest-ja-postkastist/
[2019-06-26] PPA found that, due to a technical failure, the certificates of more than 15,000 ID cards that should have been automatically revoked were never revoked, and in 285 cases the ID card of a deceased person was electronically used by other persons. The bug was discovered already in 2015, but investigated only at the beginning of 2019. Praise to the authorities for not sweeping the incident under the carpet! https://news.err.ee/956106/thousands-of-id-cards-not-properly-deactivated-due-to-software-glitch
[2019-06-19] President has rejected the amended Defence Forces Organisation Act for the second time, the Supreme Court will look into the constitutionality of the act this fall. The bill of amendments would grant the Estonian Defence Forces (EDF) the right to secretly gain access to data of the state, municipalities, and legal as well as private persons. EDF argues that this is needed to improve background checks. https://news.err.ee/953694/supreme-court-to-decide-on-military-surveillance-expansion-this-fall
[2019-06-17] RIA is preparing to implement a new national information security standard, which will replace the ISKE reference security system, which is currently mandatory for public authorities in Estonia. In May, the public procurement process was completed and KPMG Baltics, Cybernetica and TalTech will start assembling a new information security standard. The new standard and accompanying materials should be ready by the end of next year. https://www.ria.ee/et/uudised/olukord-kuberruumis-mai-2019.html
[2019-05-14] The report “Development and application of cryptography in the Estonian public and private sectors”, commissioned by the Ministry of Defence, has been released. The report, prepared by Cybernetica, gives an overview of the state of the art in the development of cryptography in Estonia and analyzes the technological and economic potential of the field. Among the recommendations are the establishment of a national cryptographic competence centre and improving math and science education in Estonia. https://www.etag.ee/wp-content/uploads/2019/05/Krypto_KAM.pdf
[2019-05-27] Bernhards Blumbergs (TalTech) defended his PhD thesis on “Specialized Cyber Red Team Responsive Computer Network Operations” https://digi.lib.ttu.ee/i/?12015&
[2019-05-26] In the EP elections 2019, 25.4% of voters cast their vote using i-voting method. There was a technical glitch concerning candidate data on the electoral website, which lasted for about 12 hours and meant that candidate searches did not yield a result on names which included diacritical marks. https://news.err.ee/946026/grazin-e-vote-cancellation-bid-rebuffed-by-electoral-committee
[2019-05-09] RIA and MoD are offering EUR 1.1 million for the study “Simulation of Critical Information Infrastructure Protection in the Cyberspace”. The purpose is to develop a virtual environment in which situations affecting vital critical information infrastructure can be simulated. https://www.ituudised.ee/uudised/2019/05/09/riik-otsib-kuberkaitse-uuringu-labiviijat
[2019-04-01] In the “Annual Cyber Security Assessment 2019” RIA disclosed details about the vulnerability in the eesti.ee authentication system discovered on June 29, 2018. It turns out that the bank link implementation on the eesti.ee side did not verify the signature on the bank’s response, which allowed an attacker to bypass authentication by simply supplying another person’s identity. According to RIA, they checked the logs and found no evidence of the flaw being exploited. It is not stated whether the logs actually contained the full request parameters needed to retrospectively verify the signatures. https://digi.geenius.ee/rubriik/uudis/eesti-ee-keskkonnas-oli-ohtlik-turvaviga-mis-lubas-sinna-siseneda-teise-inimesena/
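As an added illustration (not RIA’s code, and the actual eesti.ee implementation is not described in the source), here is a bank-link style callback handler in the vulnerable form beside a fixed one. The field names and the three-digit length-prefix canonicalisation follow the Estonian bank link (Pangalink) specification; HMAC-SHA256 stands in for the bank’s RSA signature because the standard library has no RSA, and the key, nonce and personal codes are constructed. The fixed handler also keeps the complete parameter set, which is what makes the retrospective log check RIA describes actually possible.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Fields covered by the signature, in the order they are concatenated (bank link convention).
SIGNED_FIELDS = ("VK_SERVICE", "VK_VERSION", "VK_SND_ID", "VK_REC_ID",
                 "VK_NONCE", "VK_USER_NAME", "VK_USER_ID")


def mac_input(params: dict) -> bytes:
    """Bank-link canonicalisation: each signed field prefixed with its length as
    three decimal digits, all concatenated. The prefix prevents field-boundary games."""
    return "".join(f"{len(params[f]):03d}{params[f]}" for f in SIGNED_FIELDS).encode("utf-8")


def sign(params: dict, key: bytes) -> str:
    # HMAC-SHA256 stands in for the bank's RSA signature in this example.
    return base64.b64encode(hmac.new(key, mac_input(params), hashlib.sha256).digest()).decode()


def login_vulnerable(params: dict, key: bytes) -> str:
    """The bug described above: the identity is read straight from the POSTed callback,
    VK_MAC is never checked, so anyone can log in as anyone."""
    return params["VK_USER_ID"]


def login_fixed(params: dict, key: bytes, seen_nonces: set, audit_log: list) -> Optional[str]:
    """Verify VK_MAC over the canonical field string, reject replays of a valid response,
    and log the full parameter set so the check can be repeated later against the logs."""
    audit_log.append(dict(params))
    expected = sign(params, key)
    if not hmac.compare_digest(expected, params.get("VK_MAC", "")):
        return None                     # forged or tampered response
    if params["VK_NONCE"] in seen_nonces:
        return None                     # replay of an earlier genuine response
    seen_nonces.add(params["VK_NONCE"])
    return params["VK_USER_ID"]


def demo() -> dict:
    key = b"bank-verification-key-for-the-example"          # constructed
    genuine = {"VK_SERVICE": "3002", "VK_VERSION": "008", "VK_SND_ID": "BANK",
               "VK_REC_ID": "EESTI.EE", "VK_NONCE": "4d1f9c2a", "VK_USER_NAME": "JAAN TAMM",
               "VK_USER_ID": "10000000001"}                   # constructed identifiers
    genuine["VK_MAC"] = sign(genuine, key)
    forged = dict(genuine)
    forged["VK_USER_ID"] = "10000000002"   # attacker swaps in another person's code, keeps the old MAC
    seen, log = set(), []
    return {
        "vulnerable_forged": login_vulnerable(forged, key),           # attacker is logged in
        "fixed_genuine": login_fixed(genuine, key, seen, log),        # legitimate user accepted
        "fixed_forged": login_fixed(forged, key, seen, log),          # rejected: MAC mismatch
        "fixed_replay": login_fixed(genuine, key, seen, log),         # rejected: nonce reused
        "logged": len(log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Changing one byte of VK_USER_ID invalidates the MAC, so the fixed handler refuses the forged response while still accepting the genuine one exactly once. Whether an incident like this can be ruled out after the fact depends on the third property: only if every signed parameter and the MAC were logged can the signatures be re-verified over the historical traffic.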
[2019-03-20] Mihkel Solvak (UT) gave presentation “Anonymized i-voting log data: how can it be used or abused to understand voter behavior?” (time: 1:15:07). https://www.uttv.ee/naita?id=28355
[2019-03-07] President refused to promulgate the new law that would grant the Estonian Defence Forces (EDF) the right to secretly gain access to data of the state, legal as well as private persons, clandestinely follow individuals, and carry out other surveillance activities against persons. https://news.err.ee/946931/riigikogu-backs-extension-of-military-surveillance-capabilities
[2019-01-28] From 1st to 5th July 2019, the annual Cyber Security Summer School will take place. The focus this year will be on blockchain technologies and its impact on digital transformation. http://studyitin.ee/c3s2019
[2019-01-23] Martin Paljak found that the entire electronic functionality of new Estonian ID card can be used also over the contactless interface. To establish the connection only the CAN code printed on the ID card must be known. https://github.com/martinpaljak/esteidhacker/wiki/NFC
[2019-01-11] MKM issued a regulation specifying requirements for Trust Service Providers who provide certification services for the certificates included in Estonian identity documents. According to the regulation, the OCSP certificate validity service is currently recognized as a vital service, while the time-stamping and Mobile-ID services are not. https://www.riigiteataja.ee/akt/115012019011
[2018-10-23] Bank of Estonia has published interesting statistics about bank card fraud in 2016. The majority – 76% of fraudulent transactions are related to e-shopping on the Internet, 18% using payment terminals and only 6% using ATMs. https://www.eestipank.ee/blogi/kaardipettused-kolinud-internetti
[2018-12-12] RIA has announced a EUR 315k procurement to create SiGa (Signature and Signature Validation Service), which will enable public authorities to add digital signature support to their e-services with minimal development cost. RIA has already created a federated authentication system (supporting ID card, Mobile-ID and bank link authentication) which can be used by the public sector. https://tehnika.postimees.ee/6475645/riik-loob-uhise-digiallkirjastamise-teenuse
[2018-11-28] The head of the Institute of Estonian Academy of Security Sciences (SKA) wants to hold a debate about making the state’s work easier by allowing it to analyze masses of cell phone data. There is an opinion that the state is already using far more cell phone data than is admissible for ensuring privacy. https://news.postimees.ee/6464646/estonia-s-cyber-reputation-owed-to-putin
[2018-11-07] Estonians working in airports and on airplanes must fill out a ten-page KAPO form, which requires them to specify, among other things, the names of their Facebook, Twitter, Instagram and other social media accounts, all telephone numbers, and even the current place of residence and contact details of a “previous spouse or person similar to a spouse”. It is estimated that up to 3,000 people may be subject to such a background check, required by the Minister of the Interior from October 30. https://ekspress.delfi.ee/kohver/reisiuudised-eesti-alustas-lennundustootajate-radikaalse-taustakontrolliga?id=84238029
[2018-10-10] Interview in jail with the Russian student Aleksei Vasilev, accused of penetrating state systems on the orders of the FSB. According to him, he wrote code to access the internal wireless network of an unnamed state agency. He is disappointed that the Russian authorities show no interest in helping him in his situation. https://news.postimees.ee/6426230/spy-left-out-in-the-cold-my-homeland-forgot-about-me
[2018-10-10] At the Riigikogu science policy conference, Professor of Information Security Ahto Buldas (TalTech) stated in his presentation “E-government base technologies as a secure protector” that current e-government information systems have not been built on a scientifically grounded engineering basis, and that the attack resistance of the systems and their components has not been measured. He invited the state to cooperate with universities. https://novaator.err.ee/867961/teadlane-eesti-e-riigi-kui-susteemi-rundekindlust-ei-tahetagi-moota
[2018-09-21] Last year Estonian security authorities eavesdropped on a total of 4,596 calls made in Telia’s network. This is ten times that of Sweden (taking into account countries’ population). Judges sign off on an average of 90% of the wiretap requests. Of all wiretaps 30% concern drug crime investigations, and another 30% suspected corruption cases. Number of wiretaps has stayed the same in recent years. For the purpose of counterintelligence the Office of the Prosecutor General does not need to suspect someone of having committed a crime to order a wiretap. Frequently the information obtained is in turn used to open actual criminal proceedings against individuals. https://news.err.ee/862992/estonian-state-taps-ten-times-as-many-phones-as-sweden-finland https://news.err.ee/866369/prosecutor-sees-no-problem-with-high-number-of-wiretaps-lawyers-disagree
[2018-09-17] Cybernetica AS and TalTech organize the Second Workshop on the Protection of Long-Lived Systems (17–18 September, Pärnu, Estonia). http://plls2018.ttu.ee/
[2018-09-12] A draft regulation has been prepared to allow face-recognition robots to identify people who apply for Mobile-ID. The purpose is to enable enrollment for Mobile-ID without having to confirm the application with the ID card. A visit to the PPA would be necessary only if identification by the robot fails. https://news.postimees.ee/6403388/estonia-to-have-ai-identify-people
[2018-09-07] Cybernetica AS won the defense ministry’s procurement to prepare study to identify opportunities in the Estonian economy in the field of cryptography and to develop concrete proposals to enable the development of the field at national level. http://www.ituudised.ee/uudised/2018/09/07/cybernetica-asub-uurima-kruptomajandust
[2018-09-04] Article “Key Factors in Coping with Large-scale Security Vulnerabilities in the eID Field” by Silvia Lips, Ingrid Pappel, Valentyna Tsap and Dirk Draheim. It describes a few positive and negative effects of the vulnerability and the key factors that helped in coping with the Estonian ID card crisis of 2017. https://link.springer.com/chapter/10.1007%2F978-3-319-98349-3_5
[2018-09-04] Heli Tiirmaa-Klaar has been appointed cybersecurity ambassador (Ambassador at Large for Cyber Diplomacy), being responsible for developing Estonia’s foreign policy on cyber security, ensuring its coordinated implementation, representing Estonia in international organisations and contributing to international cooperation in the field. https://vm.ee/en/news/estonia-appoints-heli-tiirmaa-klaar-its-first-ambassador-large-cyber-security