- [2018-12-21] Estonian criminal police has once again published job advertisement that requires to solve some puzzle. This time there is a cryptic MySQL database published.
- [2018-12-20] Martin Paljak discovered that PIN envelopes for the new generation Estonian ID cards (issued by IDEMIA) have a security flaw which allows to see through the envelope with flashlight.
- [2018-12-19] Due to some human error, several confidential contracts were available publicly on the Ministry of the Environment file management system.
- [2018-12-12] RIA has announced EUR 315k procurement to create SIGa (Signature and Signature Validation Service) which will enable public authorities to add digital signature support to their e-services with minimal development costs. RIA has already created a federated authentication system (supports ID card, Mobile-ID and bank link authentication) which can be used by the public sector.
- [2018-12-04] Cryptography professor Dominique Unruh (UT) has been awarded a 1.7 million grant by ERC to develop quantum cryptography solutions and their computer-based control methods.
- [2018-12-03] The new generation ID cards are being issued by IDEMIA. The cards have color photo and new physical security features. Contact-less interface is disabled by default – requires security analysis before enabling. New cards uses different API (IAS ECC standard), therefore software has to be updated. In the new specification the “Card Management Key” has been renamed to “Police Key”. This has raised suspicion about possible backdoor key in the ID card.
- [2018-11-28] Estonian Defence Forces Cyber Command (military unit performing also offensive cyber operations) is hiring. The competitive advantage for work in Cyber Command is that people are given quite free hands (because there is no money to be made) and access to exclusive weapon systems not seen in the private sector. The unit has been assembled from the existing staff and communications battalion. The primary recruitment point is the conscripts.
- [2018-11-28] The head of the Institute of Estonian Academy of Security Sciences (SKA) wants to hold a debate about making the state’s work easier by allowing it to analyze masses of cell phone data. There is an opinion that the state is already using far more cell phone data than is admissible for ensuring privacy.
- [2018-11-09] RIA’s Director General Taimar Peterkop has been appointed by the Prime Minister Jüri Ratas as Secretary of State. Peterkop played a key role in solving the 2017 ID card crisis. New head of RIA is to be appointed.
- [2018-11-08] Smart-ID solution has been certified by German TUViT as a qualified signature creation device (SSCD), hence Smart-ID signatures now are legally equivalent to handwritten signature. From service provider’s perspective, however, the transaction cost for Smart-ID is double the cost of Mobile-ID. Smart-ID still cannot be used for I-voting, because currently the law requires electronic voter identification using a document issued by the Estonian state.
- [2018-11-07] Estonians working in airports and airplanes must fill out a ten-page KAPO form, which requires them to specify, among other things, the names of Facebook, Twitter, Instagram and other social accounts, all telephone numbers, and even the current place of residence and contact details of “previous spouse or person similar to marriage”. It is estimated that up to 3,000 people may be subject to a such background check required by the Minister of the Interior from October 30.
- [2018-11-07] Personal identification code for the woman was updated due to the change of date of birth. The state information systems were not ready for such change. Around 300 persons will get new personal identification code because of updated date of birth.
- [2018-11-06] PPA submitted one more claim against Gemalto asking 300k EUR for not informing PPA about the ID card ROCA vulnerability.
- [2018-11-06] RIA plans to create few 2-3 minutes long educational videos showing how cyber attacks happen.
- [2018-11-06] Criminals took over transaction partners’ email accounts and phished out from Estonian company 80k EUR.
- [2018-10-31] Owners of 3-year valid digital ID cards can remotely extend their Digi-ID validity to 5 years.
- [2018-10-25] Gemalto has submitted counter-claim against PPA for PPA being in bad faith (whatever it means) in the compromise negotiations in September.
- [2018-10-19] CERT.LV organized international cybersecurity conference “Cyberchess 2018”. Webapp pentester from Estonia Silvia Väli (Clarified Security) talked about the vulnerabilities she found in the Electron framework.
- [2018-10-18] SilverTicket system had a flaw which allowed to buy tickets without paying for them. The user had to simply access the return URL visible in the bank link request.
- [2018-10-15] Due to unknown error, for years sensitive personal data of children was publicly available in the Estonian Schools Information System (EKIS) document register.
- [2018-10-10] Interview in jail with Russian student Aleksei Vasilev accused of penetrating state systems on the orders of FSB. According to him, he wrote a code to access the internal wireless network of an unnamed state agency. He is disappointed that Russian authorities show no interest to help him in his situation.
- [2018-10-10] In the Riigikogu scientific policy conference Professor of Information Security Ahto Buldas (TalTech) in his presentation “E-government base-technologies as a secure protector” stated that current e-government information systems have not been built with the knowledge of engineering based on scientific worldview and attack resistance of systems and components has not been measured. He invited the state to cooperate with universities.
- [2018-10-05] Starting from November it is possible to buy tickets in Tallinn public transport using contact-less bank cards.
- [2018-10-01] Estonian police is using license plate recognition cameras on the Estonian roads (scale not known). Large part of cameras used by police have known security vulnerabilities.
- [2018-09-27] Police (PPA) sued Gemalto claiming 152 million for generating keys outside Estonian ID card.
- [2018-09-21] Last year Estonian security authorities eavesdropped on a total of 4,596 calls made in Telia’s network. This is ten times that of Sweden (taking into account countries’ population). Judges sign off on an average of 90% of the wiretap requests. Of all wiretaps 30% concern drug crime investigations, and another 30% suspected corruption cases. Number of wiretaps has stayed the same in recent years. For the purpose of counterintelligence the Office of the Prosecutor General does not need to suspect someone of having committed a crime to order a wiretap. Frequently the information obtained is in turn used to open actual criminal proceedings against individuals.
- [2018-09-20] Professor of eGovernment Robert Krimmer (TalTech) calculated price for voting, i-vote being the cheapest (2.32 EUR) compared to voting on election day (4.37 EUR).
- [2018-09-19] eID Forum 2018 was held on 19-20 September. ID card 2017 crisis was among the discussed topics.
- [2018-09-18] In the context of upcoming elections, RIA will provide personalized cybersecurity counseling to political parties and will pentest their websites. RIA has also significantly contributed to the ENISA handbook on election security “Compendium on Cyber Security of Election Technology”.
- [2018-09-17] Cybernetica AS and TalTech organizes Second Workshop on the Protection of Long-Lived Systems (17-18 September, Pärnu, Estonia).
- [2018-09-12] Draft regulation has been prepared for allowing the face recognition robots to identify people who apply for Mobile-ID. The purpose is to enable enrollment for Mobile-ID without the need to confirm the application using the ID-card. It would be necessary to visit the PPA only if identification by robot fails.
- [2018-09-07] Cybernetica AS won the defense ministry’s procurement to prepare study to identify opportunities in the Estonian economy in the field of cryptography and to develop concrete proposals to enable the development of the field at national level.
- [2018-09-06] Apparently Gemalto leaked to local journalists some internal presentation trying to convince the public that Gemalto informed the Estonian state about the ID card vulnerability (ROCA) already in June 15, 2017. In the response PPA concluded that Gemalto is not interested in compromise and will settle the dispute in court.
- [2018-09-05] Märt Põder in Civic Tech Stockholm #2 explains Estonian I-voting.
- [2018-09-04] Article “Key Factors in Coping with Large-scale Security Vulnerabilities in the eID Field” by Silvia Lips, Ingrid Pappel, Valentyna Tsap, Dirk Draheim. Describes few positive and negative effects of the vulnerability and key factors that helped to cope with the Estonian ID-card crisis 2017.
- [2018-09-04] Heli Tiirmaa-Klaar has been appointed cybersecurity ambassador (Ambassador at Large for Cyber Diplomacy), being responsible for developing Estonia’s foreign policy on cyber security, ensuring its coordinated implementation, representing Estonia in international organisations and contributing to international cooperation in the field.
- [2018-09-01] Jaak Tarien takes over as director of NATO CCDCOE. The current director Merle Maigre will go to work for CybExer Technologies.
- [2018-08-31] Significant DDoS attack by unknown actors for half an hour hit news portals owned by Express Group (Delfi, EPL, Eesti Ekspress, Õhtuleht) and PPA website.
- [2018-08-08] There are ideas for the next generation ID card to replace PIN-based cardholder verification with fingerprint verification.
- [2018-08-06] Tele2 could not provide roaming service for its customers due to faulty software update by Comfone. The failure lasted for several hours. As a compensation Tele2 will cancel the monthly bill for the affected customers.
- [2018-07-22] Card payments and ATMs for two hours were down on Sunday due to malfunction on Nets Estonia side.
- [2018-07-06] Smart-ID is soon to be certified as qualified signature creation device (QSCD). This will require change from 4096-bit to 6144-bit RSA keys (providing 3072-bit RSA security).
Estonian Information System Authority (RIA) is organising an international conference on 9th of May in 2018 in Tallinn (Tallinn Creative Hub – Kultuurikatel) to discuss the impact and consequences of the security risk found in the Infineon chips in autumn 2017 by the researchers at Masaryk University in the Czech Republic.
The aim of this conference is to bring together parties affected by the security risk to discuss our lessons, experiences and responsibility, because the security flaw affected many companies and countries in Europe as well as elsewhere in the world. If possible, we aim to agree on a joint plan of follow-up activities or a memorandum to provide input to different authorities who establish regulative rules. Researchers from Masaryk University have announced their participation in the conference – they will make an opening presentation about their research.
The conference is aimed at policymakers as well as specialists in the eID field, opinion leaders, representatives of authorities and companies that are dependent on the functioning of Estonian ID-cards and e-services, developers of e-government and IT systems, and other parties related to the issue from both Estonia and Europe.
09.30-10.00 Delegate registration opens. Welcome coffee
10.00-11.30 Welcome and Opening of the Conference / Session 1
• Welcome by moderator Andres Kütt
• Welcome speech by the Prime Minister Jüri Ratas
• The goal of the research (ROCA vulnerability ) – Petr Svenda, the University of Masaryk
• The influence and the distinctness on Estonian ID-card and its use – Taimar Peterkop, the head of Information System Authority
• The examples of actions of different countries – Ulrich Latzenhofer, Austrian Regulatory Authority for Broadcasting and Telecommunications
11.30-12.00 Coffee break
12.00-13.30 Session 2
• Lessons we learned (Estonia) – Rain Ottis, Associate Professor at Tallinn University of Technology
• The contract of ID-card – who´s responsible of what? – Kaija Kirch, Police and Border Guard Board, ID expert
• Discussion How did we manage and what to do better next time? Expert panel lead by Rain Ottis. Attending: Kaija Kirch, Margus Arm, Ilmar Raag
14.30-16.30 Session 3
• eIDAS perspective of the ROCA vulnerability – Security Expert and Information Security Officer, Marnix Dekker, ENISA
• Lessons we learned (global view) – Liisa Past, Chief research officer, Information System Authority
• Lessons we learned (Commission view) – Andrea Servida, European Commission
• Discussion What can we do better in the future? Expert panel lead by Liisa Past. Attending: Marnix Dekker, Andrea Servida, Ulrich Latzenhofer, Petr Svenda
• Conference conclusion by moderator Andres Kütt
16.30-17.30 Goodbye coffee and networking
Anto Veldre, a legendary Estonian security specialist leaves RIA:
From the beginning of the year, the State Information System Authority (RIA) discharged an experienced IT security expert and promoter Anto Veldre. Veldre has worked as an analyst at the incident handling department at CERT-EE and in the Communications Department.
Helen Uldrich, head of RIA Communications Department, explained the discharge of Anto Veldre by the change in the structure of their unit from 2018. The analyst’s place where Veldre previously worked was changed into a spokesperson’s position and, as a result, his duties changed.
“Unfortunately, RIA did not have another position to offer Anto that would correspond to his professional profile. The whole staff of the State Information System Agency highly appreciates Anto and his contribution, for example, to explaining the functioning of the e-state,” added Uldrich.
Klaid Mägi, the head of CERT-EE leaves RIA:
Klaid Mägi, head of CERT-EE will leave the state office and continue to work at CybExer Technologies, a private Estonian company promoting cyber hygiene. Mägi has led the unit since autumn 2014. Previously, he has worked at the Ministry of Finance, Elisa and Elion.
Uku Särekanno, the new Deputy Director General of RIA Cyber Security Branch:
The authority organised a public competition last October to find a director for the Cyber Security Branch. About ten people applied for the position. The Director General of the Information System Authority chose the suitable candidate in early December.
Previously, Uku Särekanno has worked at different positions in the European Commission, the Government Office, and the Ministry of Foreign Affairs, led the Public Order and Criminal Policy Department of the Ministry of the Interior, and represented Estonia in Brussels regarding issues of migration and police cooperation.
Before, since September 2011, this responsibility has been borne by Toomas Vaks, who previously worked as a risk manager for bank cards in Swedbank, before he was employed at Hansapank.
Conference “The Present and Future of Cybersecurity”
April 26, 2017, National Library of Estonia
13.00-13.30 – Registration and welcome coffee
13.30-13.40 – Opening words – Urve Palo (Minister of Entrepreneurship and Information Technology)
13.40-14.00 – Keynote – Jaak Aaviksoo (Rector of TUT)
14.00-15.00 – Discussion “Evolution of cyber attacks – what has changed in ten years?” Klaid Mägi (RIA, head of CERT-EE) leader. Debating: Hillar Aarelaid (Police and Border Guard Board), Jaan Priisalu (TUT), Merike Käo (Farsight Security CTO)
15.00-15.30 – Cofee break
15.30-17.00 – Discussion “Discurses, paradigms and form of cyber policy in practice” Taimar Peterkop (Director General of RIA) leader. Debating: Sven Sakkov (Director of NATO CCD CoE), Heli Tiirmaa-Klaar (European Union, Head of Cyber Policy Coordination at European External Action Service), Lauri Lugna (Secretary General at the Ministry of Interior), Lauri Almann (Co-Founder of BHC Laboratory)
17.00-17.30 – Closing words – Toomas Vaks (RIA, Head of Cyber Security Branch)
17.30-19.30 – After conference reception. Appearance of RIA band VaRIA.
Work language of the conference is Estonian.
Minister of Economic Affairs and Infrastructure Uve Palo signed a decree to appoint Taimar Peterkop for the Estonian Information System Agency (EISA) director-general. Taimar Peterkop is currently working in Ministry of Defence as Undersecretary for Legal and Administrative Affairs. He begins his work at EISA this May.
From the CV:
Taimar Peterkop was born on 20th January 1977 in Tallinn. He has graduated from the University of Tartu Faculty of Law and he has completed many in-service trainings, including the Higher Command Studies Course in Baltic Defence College. Mr Peterkop holds a Master`s degree in Strategic Studies from the United States Army War College. He is also a reserve officer.
During 2000–2001 Taimar Peterkop worked as a lawyer in the Government Office. During 2001–2005 Mr Peterkop worked in the Ministry of Defence as the Director of International Law Office and during 2005–2008 as the Director of Operations and Crisis Management Department. From 2008 until July 2010 he worked as a Defence Counsellor in the Estonian Embassy in Washington.
Taimar Peterkop has also worked as a national defence teacher in several high schools and as an international law lecturer at Estonian Business School.