- [2018-07-06] There are plans to simplify application for Mobile-ID. Currently, to enable Mobile-ID the person has to authenticate in PPA web environment. In the future this security feature will be implemented using face recognition. The solution is developed with MindTitan.
https://www.err.ee/844674/mobiil-id-taotlemine-lihtsustub - [2018-07-06] RIA temporary removed banklink authentication from eesti.ee due to some vulnerability being found in the implementation of authentication mechanism.
https://www.err.ee/844496/ria-on-tanavu-avastanud-mitu-tosist-turvanorkust - [2018-07-03] New version of DigiDoc 4 client has been released. The changes are mainly in the frontend. The functionality of DigiDoc3 Client, DigiDoc Crypto and ID card utility is now merged in a single application.
https://www.err.ee/843839/uus-id-kaardi-rakendus-digidoc-4-jouab-arvutitesse - [2018-06-29] It is now possible to order test cards of new generation ID card chips. New generation will be introduced in identity documents in the end of 2018. While the software and drivers are available, the technical documentation is not yet public. The card will also have a contactless interface, but not clear yet what functionality will be accessible over it.
https://www.ria.ee/ee/rialt-saab-susteemide-testimiseks-tellida-uue-id-kaardi-testkaardi.html
https://www.err.ee/843133/tanavuse-aasta-lopus-tuleb-valja-kontaktivaba-liidesega-id-kaart - [2018-06-27] The maintenance of ID card helpline moves from AS SK ID Solution to Tieto Estonia AS. The new helpline will have new number, but will not provide support 24/7.
The certificates can be suspended 24/7 calling SK ID Solutions using the current number.
https://www.ria.ee/en/the-id-card-helpline-number-will-be-changed-on-sunday.html
https://news.err.ee/842614/ria-changing-id-card-helpline-number-scaling-down-user-support - [2018-06-22] Government discussed the results of implementing cybersecurity strategy 2014-2017. The report shows that 70% of the activities were completed, 16% of the activities were completed in the next period, and 14% of the activities were either not completed mainly due to lack of financial or human resources.
http://www.ituudised.ee/uudised/2018/06/22/kuberturvalisuse-edendamisel-mitmeid-kitsaskohti - [2018-06-22] CyberSpike 2018 has finished and winners are known: 1st place – Artur Luik (TUT), 2nd place – Georg Kahest (TUT), 3rd place – Martin Širokov (Tallinn Technical Gymnasium).
https://geenius.ee/rubriik/teadus-ja-tulevik/eesti-noored-panid-oma-kuberkaitseoskused-proovile-kaitstes-lumemaad/ - [2018-06-18] Tõnu Tammer is the head of Estonian CERT from the beginning of June 2018. Interview (in Estonian):
https://geenius.ee/uudis/certi-uus-juht-mullu-kollitas-lunavara-tanavu-pannakse-ohver-oma-teadmata-kruptoraha-kaevandama/
https://geenius.ee/uudis/eesti-cert-sai-uue-juhi/ - [2018-06-15] Geenius has analyzed transparency reports of biggest service providers for information requests from Estonian state authorities. Google has received requests about 85 user accounts, delivered data 75% of cases. No requests received by Apple. Microsoft has received requests for five user accounts. Facebook received request for 143 users, delivered data in 67% cases. No data requested from Twitter.
https://geenius.ee/uudis/suur-ulevaade-tehnoloogiafirmadelt-noutakse-endiselt-palju-eestlaste-andmeid/ - [2018-06-14] CyCon 2018 videos of keynotes and panels are online:
https://www.youtube.com/watch?v=G0SRPC0Etv0&list=PLV8RTnZwQxcmJQGPlyxknrsVArsUNx1oE - [2018-06-13] National Audit Office has done some audits in Estonia’s local governments and have found that IT security requirements still aren’t implemented.
https://news.err.ee/839106/local-councils-it-security-entirely-inadequate-national-audit-office-finds
https://www.riigikontroll.ee/Riigikontrollipublikatsioonid/Auditiaruanded/tabid/206/Audit/2466/Area/1/language/et-EE/Default.aspx - [2018-06-11] Estonian man arrested for stealing Bitcoin wallets by accessing victim’s e-mail accounts. Large database of user account credentials found on the suspect’s computer.
https://geenius.ee/uudis/kahtlus-eesti-mees-teenis-bitcoine-varastades-mitu-miljonit-eurot/ - [2018-06-11] Estonian criminal police has added databases of compromised user accounts found in their investigations to the publicly searchable service “Have I Been Pwned” which will help the victims to get informed.
https://geenius.ee/uudis/politsei-kontrollige-ega-teie-kontot-pole-ule-voetud-ega-bitcoine-varastatud/
https://www.troyhunt.com/data-provided-by-the-estonian-central-criminal-police-is-now-searchable-on-have-i-been-pwned/ - [2018-06-08] The state supports UT and TUT cyber security studies with 1.5 millions. The universities are expected to open up research teams for cryptography, digital expertise and cyber defense.
http://www.ituudised.ee/uudised/2018/06/08/riik-toetab-tu-ja-ttu-kuberkaitse-opet-15-miljoniga - [2018-06-08] Swedbank implements limitations for code card use in internet banking. From February 2019 code cards will be abandoned. Currently around 200 000 users are using password card.
https://tehnika.postimees.ee/4501277/swedbank-asus-paroolikaarte-kaotama
https://tarbija24.postimees.ee/4486778/paroolikaardi-kasutajate-arv-vaheneb-visalt-200-000-swedbanki-klienti-jatkuvalt-kasutab-seda - [2018-06-06] RIA’s “Annual Cyber Security Assessment 2018” has been translated to English. Section about ROCA flaw and Internet voting included.
https://www.ria.ee/en/head-of-ria-last-year-was-proof-that-securing-the-digital-lifestyle-requires-investing.html
https://www.ria.ee/public/Kuberturvalisus/RIA-CSA-2018.pdf
https://www.ria.ee/ee/ria-esitles-kuberturvalisuse-aastaraamatut.html - [2018-06-01] Vulnerability has been found in AS Ühisteenused self-service portal parkimine.ee. The flaw allows to browse parking tickets issued to other persons by changing ID in the URL.
https://geenius.ee/uudis/turvaauk-uhisteenuste-veebist-sai-igauks-naha-teiste-inimeste-ja-soidukite-andmeid/
https://geenius.ee/uudis/anto-veldre-uhisteenuste-trahviveebist-leitud-turvaauk-on-muldvana-nii-et-kuidas-see-sinna-sattus/ - [2018-05-24] National Audit Office has identified problems with critical state databases: they lack risk analysis, action plan, only minimum needed audits are conducted, backups have not been tested, but no reason to panic.
https://news.err.ee/834127/national-audit-office-identifies-weaknesses-in-critical-database-care - [2018-05-24] Anto Veldre published harsh opinion article in the response to the seminar held by National Electoral Committee about the possibility to introduce i-voting using mobile device.
https://geenius.ee/uudis/anto-veldre-mobiilihaaletamine-saab-tulla-ainult-ule-minu-laiba/ - [2018-05-23] RIA is performing security assessment of Smart-ID to decide whether it should be allowed for authentication to state services.
https://www.err.ee/833840/turvatesti-labimisel-voib-ka-smart-id-st-saada-riigiteenuste-autentimisviis - [2018-05-17] It has been found that ID card manufacturer Gemalto has generated private keys outside the chip. As a result, PPA is recalling 12’500 ID cards and revoking the affected certificates on 2018-06-01. Gemalto denies accusations.
https://news.postimees.ee/4490059/estonia-replacing-12-500-unsecure-id-cards-for-free
https://news.postimees.ee/4491312/new-id-card-fault-could-have-been-intentional
https://news.err.ee/832236/police-12-500-id-card-certificates-to-be-deleted-due-to-security-issue - [2018-05-10] RIA has published TUT study about lessons learned from the ID card case. The translation to English is in progress.
https://www.ria.ee/public/PKI/ID-kaardi_oppetunnid.pdf
https://news.err.ee/822819/ttu-cybersecurity-center-director-estonia-needs-more-specialists
https://geenius.ee/uudis/uuring-id-kaardi-kriisile-oleks-olnud-kiire-lahendus-kui-info-selle-kohta-eestisse-oleks-joudnud/
https://www.err.ee/822535/rain-ottis-id-kaardi-kriisist-eestis-on-vaja-spetsialistide-reservi
https://www.err.ee/822452/ttu-raport-kritiseerib-id-kaardi-kriisi-valguses-eesti-hadaolukordade-plaane - [2018-04-25] State will allocate 1.1 million to RIA to cover expenses due to ID card crisis.
https://majandus24.postimees.ee/4478455/valitsus-plaanib-id-kaardi-kriisi-tottu-ria-le-eraldada-ule-miljoni-euro - [2018-04-19] RIA managed to factor one vulnerable RSA authentication key to prove that the ROCA flaw was not only a theoretical threat and the steps taken to eliminate the risk were justified. The factorizing software was provided by Cybernetica AS. Not known how much processing resources the attack required.
http://epl.delfi.ee/news/eesti/id-kaart-murti-lahti-ria-toestas-et-kara-id-kaardi-turvanorkuse-parast-polnud-asjata?id=81807683 - [2018-04-11] Digi-ID validity term will be extended from 3 to 5 years.
https://geenius.ee/uudis/digiisikutunnistus-ehk-digi-id-kehtib-nuud-varasemast-kauem/
https://tarbija24.postimees.ee/4481983/digi-id-kehtivusaeg-pikenes-viiele-aastale - [2018-03-26] Police has posted a job offer which involves solving puzzle of cat GIF.
https://geenius.ee/uudis/kui-suudad-selle-kassi-gifi-moistatuse-lahendada-ootab-sind-eestis-haruldane-toopakkumine/ - [2018-03-23] RIA has announced EUR 150k worth procurement for design of new eID logos.
https://geenius.ee/uudis/ria-tellib-150-000-euroga-e-id-visuaalse-segapudru-asemele-uue-valimuse/ - [2018-03-23] Geenius has listed what data by law the law enforcement agencies in Estonia can ask from mobile operators and Internet service providers:
https://geenius.ee/uudis/millised-sinu-kohta-kaivad-andmed-politsei-su-telefonioperaatori-kaest-katte-saab/ - [2018-03-20] The videos from Nordic-Baltic Security Summit 2018 are online. Some selected presentations:
Andres Elliku – CERT-EE S4A: an Open-Source Solution for Distributed Network Security Monitoring
Merike Käo – Estonian 2007 and 2017 Incidents – Have We Learned to Respond Better?
Elsa Neeme – Estonian Cyber Security Act – Ensuring Public Order In Cyber Domain
Rain Ottis – Selected lessons from the 2017 ID-Card case
Oskar Gross – What are the Challenges of Handling Cyber Crime?
https://tehnika.postimees.ee/4444549/otse-kaljurand-koppel-keskkriminaalpolitsei-ja-teised-kogu-tode-kuberturvalisusest
https://summit.confent.com/summary18/ - [2018-03-05] According to the head of cybercrime bureau Oskar Gross, secure encryption capability improves the security for ordinary users. The technological environment has not caused a particular headache for PPA in solving crimes.
https://novaator.err.ee/687558/ppa-kruptorakendustest-krupteeritud-sideta-oleks-internet-ohtlikum-koht - [2018-02-13] Due to human error on mobile operator Elisa side, emergency line 112 could not be reached for several hours. In total 151 persons were affected. SMIT discovered the error and Elisa fixed it in 20 minutes. Elisa as a provider of vital service failed to report the fault to RIA.
https://geenius.ee/uudis/elisa-vea-tottu-ei-saanud-paev-otsa-112-helistada-firma-jattis-sellest-teavitamata/
Cyber Security Newsletter 2018-07-06
Leave a reply