- [2018-12-21] The Estonian criminal police has once again published a job advertisement that requires solving a puzzle. This time a cryptic MySQL database has been published.
- [2018-12-20] Martin Paljak discovered that PIN envelopes for the new generation Estonian ID cards (issued by IDEMIA) have a security flaw that makes it possible to see through the envelope with a flashlight.
- [2018-12-19] Due to human error, several confidential contracts were publicly available in the Ministry of the Environment file management system.
- [2018-12-12] RIA has announced a EUR 315k procurement to create SIGa (Signature and Signature Validation Service), which will enable public authorities to add digital signature support to their e-services with minimal development costs. RIA has already created a federated authentication system (supporting ID card, Mobile-ID and bank link authentication) which can be used by the public sector.
- [2018-12-04] Cryptography professor Dominique Unruh (UT) has been awarded a 1.7 million grant by ERC to develop quantum cryptography solutions and their computer-based control methods.
- [2018-12-03] The new generation ID cards are being issued by IDEMIA. The cards have a color photo and new physical security features. The contactless interface is disabled by default; a security analysis is required before enabling it. The new cards use a different API (IAS ECC standard), so software has to be updated. In the new specification the “Card Management Key” has been renamed to “Police Key”. This has raised suspicion about a possible backdoor key in the ID card.
- [2018-11-28] Estonian Defence Forces Cyber Command (a military unit that also performs offensive cyber operations) is hiring. The competitive advantage of working in Cyber Command is that people are given quite a free hand (because there is no money to be made) and access to exclusive weapon systems not seen in the private sector. The unit has been assembled from the existing staff and communications battalion. The primary recruitment source is conscripts.
- [2018-11-28] The head of the Institute of Estonian Academy of Security Sciences (SKA) wants to hold a debate about making the state’s work easier by allowing it to analyze masses of cell phone data. There is an opinion that the state is already using far more cell phone data than is admissible for ensuring privacy.
- [2018-11-09] RIA’s Director General Taimar Peterkop has been appointed Secretary of State by Prime Minister Jüri Ratas. Peterkop played a key role in solving the 2017 ID card crisis. A new head of RIA is to be appointed.
- [2018-11-08] The Smart-ID solution has been certified by German TUViT as a qualified signature creation device (SSCD), hence Smart-ID signatures are now legally equivalent to a handwritten signature. From the service provider’s perspective, however, the transaction cost for Smart-ID is double the cost of Mobile-ID. Smart-ID still cannot be used for I-voting, because the law currently requires electronic voter identification using a document issued by the Estonian state.
- [2018-11-07] Estonians working in airports and airplanes must fill out a ten-page KAPO form, which requires them to specify, among other things, the names of Facebook, Twitter, Instagram and other social accounts, all telephone numbers, and even the current place of residence and contact details of “previous spouse or person similar to marriage”. It is estimated that up to 3,000 people may be subject to such a background check, required by the Minister of the Interior from October 30.
- [2018-11-07] A woman’s personal identification code was updated due to a change in her date of birth. The state information systems were not ready for such a change. Around 300 persons will get a new personal identification code because of an updated date of birth.
- [2018-11-06] PPA submitted one more claim against Gemalto asking 300k EUR for not informing PPA about the ID card ROCA vulnerability.
- [2018-11-06] RIA plans to create a few 2-3 minute educational videos showing how cyber attacks happen.
- [2018-11-06] Criminals took over transaction partners’ email accounts and phished EUR 80k out of an Estonian company.
- [2018-10-31] Owners of 3-year valid digital ID cards can remotely extend their Digi-ID validity to 5 years.
- [2018-10-25] Gemalto has submitted a counter-claim against PPA, alleging that PPA acted in bad faith (whatever that means) in the compromise negotiations in September.
- [2018-10-19] CERT.LV organized the international cybersecurity conference “Cyberchess 2018”. Webapp pentester Silvia Väli (Clarified Security) from Estonia talked about the vulnerabilities she found in the Electron framework.
- [2018-10-18] The SilverTicket system had a flaw that made it possible to buy tickets without paying for them. The user simply had to access the return URL visible in the bank link request.
- [2018-10-15] Due to an unknown error, sensitive personal data of children was publicly available for years in the Estonian Schools Information System (EKIS) document register.
- [2018-10-10] Interview in jail with Russian student Aleksei Vasilev, accused of penetrating state systems on the orders of the FSB. According to him, he wrote code to access the internal wireless network of an unnamed state agency. He is disappointed that the Russian authorities show no interest in helping him in his situation.
- [2018-10-10] At the Riigikogu scientific policy conference, Professor of Information Security Ahto Buldas (TalTech) stated in his presentation “E-government base-technologies as a secure protector” that current e-government information systems have not been built on engineering knowledge grounded in a scientific worldview, and that the attack resistance of systems and components has not been measured. He invited the state to cooperate with universities.
- [2018-10-05] Starting from November it is possible to buy tickets in Tallinn public transport using contact-less bank cards.
- [2018-10-01] Estonian police are using license plate recognition cameras on Estonian roads (scale not known). A large part of the cameras used by police have known security vulnerabilities.
- [2018-09-27] Police (PPA) sued Gemalto, claiming 152 million for generating keys outside the Estonian ID card.
- [2018-09-21] Last year Estonian security authorities eavesdropped on a total of 4,596 calls made in Telia’s network. This is ten times that of Sweden (taking into account countries’ population). Judges sign off on an average of 90% of the wiretap requests. Of all wiretaps 30% concern drug crime investigations, and another 30% suspected corruption cases. Number of wiretaps has stayed the same in recent years. For the purpose of counterintelligence the Office of the Prosecutor General does not need to suspect someone of having committed a crime to order a wiretap. Frequently the information obtained is in turn used to open actual criminal proceedings against individuals.
- [2018-09-20] Professor of eGovernment Robert Krimmer (TalTech) calculated the cost of voting, with the i-vote being the cheapest (2.32 EUR) compared to voting on election day (4.37 EUR).
- [2018-09-19] eID Forum 2018 was held on 19-20 September. The 2017 ID card crisis was among the topics discussed.
- [2018-09-18] In the context of upcoming elections, RIA will provide personalized cybersecurity counseling to political parties and will pentest their websites. RIA has also significantly contributed to the ENISA handbook on election security “Compendium on Cyber Security of Election Technology”.
- [2018-09-17] Cybernetica AS and TalTech are organizing the Second Workshop on the Protection of Long-Lived Systems (17-18 September, Pärnu, Estonia).
- [2018-09-12] A draft regulation has been prepared to allow face recognition robots to identify people who apply for Mobile-ID. The purpose is to enable enrollment for Mobile-ID without the need to confirm the application using the ID card. It would be necessary to visit the PPA only if identification by the robot fails.
- [2018-09-07] Cybernetica AS won the defense ministry’s procurement to prepare a study identifying opportunities in the Estonian economy in the field of cryptography and to develop concrete proposals for enabling the development of the field at the national level.
- [2018-09-06] Apparently Gemalto leaked an internal presentation to local journalists, trying to convince the public that Gemalto informed the Estonian state about the ID card vulnerability (ROCA) already on June 15, 2017. In response, PPA concluded that Gemalto is not interested in a compromise and that it will settle the dispute in court.
- [2018-09-05] Märt Põder in Civic Tech Stockholm #2 explains Estonian I-voting.
- [2018-09-04] Article “Key Factors in Coping with Large-scale Security Vulnerabilities in the eID Field” by Silvia Lips, Ingrid Pappel, Valentyna Tsap, Dirk Draheim. It describes a few positive and negative effects of the vulnerability and the key factors that helped to cope with the Estonian ID card crisis of 2017.
- [2018-09-04] Heli Tiirmaa-Klaar has been appointed cybersecurity ambassador (Ambassador at Large for Cyber Diplomacy), being responsible for developing Estonia’s foreign policy on cyber security, ensuring its coordinated implementation, representing Estonia in international organisations and contributing to international cooperation in the field.
- [2018-09-01] Jaak Tarien takes over as director of NATO CCDCOE. The current director Merle Maigre will go to work for CybExer Technologies.
- [2018-08-31] A significant DDoS attack by unknown actors hit news portals owned by Express Group (Delfi, EPL, Eesti Ekspress, Õhtuleht) and the PPA website for half an hour.
- [2018-08-08] There are ideas for the next generation ID card to replace PIN-based cardholder verification with fingerprint verification.
- [2018-08-06] Tele2 could not provide roaming service for its customers due to a faulty software update by Comfone. The failure lasted for several hours. As compensation, Tele2 will cancel the monthly bill for the affected customers.
- [2018-07-22] Card payments and ATMs were down for two hours on Sunday due to a malfunction on the Nets Estonia side.
- [2018-07-06] Smart-ID is soon to be certified as a qualified signature creation device (QSCD). This will require a change from 4096-bit to 6144-bit RSA keys (providing 3072-bit RSA security).
- [2018-07-06] There are plans to simplify application for Mobile-ID. Currently, to enable Mobile-ID the person has to authenticate in PPA web environment. In the future this security feature will be implemented using face recognition. The solution is developed with MindTitan.
- [2018-07-06] RIA temporarily removed banklink authentication from eesti.ee due to a vulnerability found in the implementation of the authentication mechanism.
- [2018-07-03] New version of DigiDoc 4 client has been released. The changes are mainly in the frontend. The functionality of DigiDoc3 Client, DigiDoc Crypto and ID card utility is now merged in a single application.
- [2018-06-29] It is now possible to order test cards with the new generation ID card chips. The new generation will be introduced in identity documents at the end of 2018. While the software and drivers are available, the technical documentation is not yet public. The card will also have a contactless interface, but it is not yet clear what functionality will be accessible over it.
- [2018-06-27] The maintenance of the ID card helpline moves from AS SK ID Solution to Tieto Estonia AS. The new helpline will have a new number, but will not provide support 24/7. The certificates can be suspended 24/7 by calling SK ID Solutions on the current number.
- [2018-06-22] The government discussed the results of implementing the cybersecurity strategy 2014-2017. The report shows that 70% of the activities were completed, 16% of the activities were completed in the next period, and 14% of the activities were not completed, mainly due to a lack of financial or human resources.
- [2018-06-22] CyberSpike 2018 has finished and winners are known: 1st place – Artur Luik (TUT), 2nd place – Georg Kahest (TUT), 3rd place – Martin Širokov (Tallinn Technical Gymnasium).
- [2018-06-18] Tõnu Tammer is the head of Estonian CERT from the beginning of June 2018. Interview (in Estonian):
- [2018-06-15] Geenius has analyzed the transparency reports of the biggest service providers for information requests from Estonian state authorities. Google received requests about 85 user accounts and delivered data in 75% of cases. No requests were received by Apple. Microsoft received requests for five user accounts. Facebook received requests for 143 users and delivered data in 67% of cases. No data was requested from Twitter.
- [2018-06-14] CyCon 2018 videos of keynotes and panels are online:
- [2018-06-13] The National Audit Office has carried out audits in Estonia’s local governments and found that IT security requirements are still not implemented.
- [2018-06-11] An Estonian man was arrested for stealing Bitcoin wallets by accessing victims’ e-mail accounts. A large database of user account credentials was found on the suspect’s computer.
- [2018-06-11] Estonian criminal police has added databases of compromised user accounts found in their investigations to the publicly searchable service “Have I Been Pwned” which will help the victims to get informed.
- [2018-06-08] The state supports UT and TUT cyber security studies with 1.5 million. The universities are expected to open research teams for cryptography, digital expertise and cyber defense.
- [2018-06-08] Swedbank is implementing limitations on code card use in internet banking. From February 2019 code cards will be abandoned. Currently around 200 000 users are using a password card.
- [2018-06-06] RIA’s “Annual Cyber Security Assessment 2018” has been translated to English. Section about ROCA flaw and Internet voting included.
- [2018-06-01] A vulnerability has been found in the AS Ühisteenused self-service portal parkimine.ee. The flaw makes it possible to browse parking tickets issued to other persons by changing the ID in the URL.
- [2018-05-24] National Audit Office has identified problems with critical state databases: they lack risk analysis, action plan, only minimum needed audits are conducted, backups have not been tested, but no reason to panic.
- [2018-05-24] Anto Veldre published a harsh opinion article in response to the seminar held by the National Electoral Committee about the possibility of introducing i-voting using a mobile device.
- [2018-05-23] RIA is performing security assessment of Smart-ID to decide whether it should be allowed for authentication to state services.
- [2018-05-17] It has been found that ID card manufacturer Gemalto generated private keys outside the chip. As a result, PPA is recalling 12,500 ID cards and revoking the affected certificates on 2018-06-01. Gemalto denies the accusations.
- [2018-05-10] RIA has published TUT study about lessons learned from the ID card case. The translation to English is in progress.
- [2018-04-25] State will allocate 1.1 million to RIA to cover expenses due to ID card crisis.
- [2018-04-19] RIA managed to factor one vulnerable RSA authentication key to prove that the ROCA flaw was not only a theoretical threat and that the steps taken to eliminate the risk were justified. The factoring software was provided by Cybernetica AS. It is not known how much processing resources the attack required.
- [2018-04-11] Digi-ID validity term will be extended from 3 to 5 years.
- [2018-03-26] Police have posted a job offer which involves solving a cat GIF puzzle.
- [2018-03-23] RIA has announced a procurement worth EUR 150k for the design of new eID logos.
- [2018-03-23] Geenius has listed what data by law the law enforcement agencies in Estonia can ask from mobile operators and Internet service providers:
- [2018-03-20] The videos from Nordic-Baltic Security Summit 2018 are online. Some selected presentations:
Andres Elliku – CERT-EE S4A: an Open-Source Solution for Distributed Network Security Monitoring
Merike Käo – Estonian 2007 and 2017 Incidents – Have We Learned to Respond Better?
Elsa Neeme – Estonian Cyber Security Act – Ensuring Public Order In Cyber Domain
Rain Ottis – Selected lessons from the 2017 ID-Card case
Oskar Gross – What are the Challenges of Handling Cyber Crime?
- [2018-03-05] According to the head of cybercrime bureau Oskar Gross, secure encryption capability improves the security for ordinary users. The technological environment has not caused a particular headache for PPA in solving crimes.
- [2018-02-13] Due to human error on mobile operator Elisa’s side, emergency line 112 could not be reached for several hours. In total 151 persons were affected. SMIT discovered the error and Elisa fixed it in 20 minutes. Elisa, as a provider of a vital service, failed to report the fault to RIA.
Is cyber security in Estonia ensured? Why does the government want to change the i-voting period, and what signal does that send to the world? Talk show host Urmas Vaino helps to set things straight.
Indrek Saar, Minister of Culture, Social Democratic Party
Jaanus Karilaid, Member of Parliament, Center Party
Priidu Pärna, Member of Tallinn City Council, Pro Patria and Res Publica Union
Anto Veldre, RIA analyst
Kristjan Vassil, UT senior researcher
Märt Põder, organizer of journalism hackathon
Arti Zirk, TUT IT faculty student
Tarvi Martens, Electoral Committee, Head of Internet Voting
Kristen Michal, Member of Parliament, Reform Party
Mihkel Slovak, UT senior researcher
Henrik Roonemaa, Geenius.ee editor
Erki Savisaar, Member of Parliament, Center Party
Andres Kutt, RIA, IT architect
Sven Heiberg, Cybernetica AS, Project Manager of Internet Voting System
Jaak Madison, Member of Parliament, Conservative People’s Party
Jaanus Ojangu, Chairman of Free Party
Agu Kivimägi, Stallion cyber security consultant
Jaan Priisalu, TUT researcher
Silver Meikar, Adviser to Minister of Culture
Kalev Pihl, SK ID Solutions, Board Member
Oskar Gross, Head of Cyber Crime Unit of Central Criminal Police
Klaid Mägi, RIA, Head of the department for handling incidents (CERT-EE)
Heiki Kübbar, Founder of ICEfire OÜ
Birgy Lorenz, Board Member of Network of Estonian Teachers of Informatics and Computer Science
Andres Kahar, KAPO Bureau Manager
Sven Sakkov, Director of NATO Cooperative Cyber Defence Centre
Heiki Pikker, TUT Cyber Security MSc student
Oskar Gross, the manager of the recently opened Cyber Crime Unit of the Central Criminal Police, writes in an opinion piece that Estonian legislation is at times more primitive than actual cybercrime. As a result, a weird situation may arise where hacking an account that is protected with a simple password such as “1234” is not an offense.
In the latest commented edition of the Penal Code, the lawmaker rather boldly attempted to define the legal handling of computer systems’ passwords and the security issues related to recovering passwords, and the end result is problematic in several respects.
The Penal Code has an important section, §217 “Illegal obtaining of access to computer systems”, which aims to penalize unauthorized access to computer systems. The commented edition of the Penal Code clarifies that access is not unauthorized in the case of amazingly simple passwords, such as “admin”, “123456” and “qwerty”, because such passwords can be guessed by an attacker or found in “the top worst passwords” lists on the Internet.
In short, the comment on this section says: “If you have a weak password, the access to your data is allowed.”