The justice system, vulnerable to hacking. The Official Monitor, High Court of Cassation and Justice, and many others, breached.
Publicație Oficială: ENTRYRISE S.R.L
Scop: Notificarea societății civile cu privire la existența mai multor brese care le-au vulnerabilizat securitatea datelor gestionate de instante si RAMO.
Detalii Breșa:
- Aproximativ 2,000,000 de dosare ale Curtii de Apel Cluj erau susceptibile sa fie exfiltrate de un atacator cu competente medii, dosare ce includeau date deosebit de sensibile
- Cel putin 100,000 de romani si persoane juridice din Romania au avut totalitatea documentelor din dosarul electronic public, documente cu sensibilitate deosebita:
- Cel putin 10.000 de romani si persoane juridice din Romania aveau anumite documente sensibile accesibile prin vulnerabilitatea IDOR
Riscuri:
- Furt de identitate (Peste 2,100,000 persoane vulnerabile)
- Santaj, acces informatii cu caractger deosebit de sensibil (Peste 2,100,000 persoane vulnerabile)
- Divulgare adresa + date din CI (Peste 2,110,000 persoane vulnerabile)
Their point of view is legally valid and has been attached at the bottom of the page. We will see if CSM will self-sanction or self-forgive.
The answer is accessible in the footer of the page.
Although technology has evolved, and the trends of "digitalization" have reached the heights of the justice sector, poorly executed digitalization allows hackers to access sensitive data, perfectly forge rulings from any court (including the High Court of Cassation and Justice), with less than 8,000 EUR, and to alter or sabotage files submitted through ECRIS, the management system of justice in Romania.
This article aims to raise public awareness regarding the level of interest that public institutions have in protecting their data, and the dangers citizens are exposed to, as public institutions continue to neglect necessary measures to address these issues.
In this article, we will discuss how:
- Hackers can obtain false legalized rulings from any court.for less than 8,000 EUR.
- Anyone can publish laws in the Official Gazettethrough the lens of a wide range of critical vulnerabilities that have remained unaddressed for two years.
- CSM has made public over 40,000 access passwords on rejust.ro the sensitive files related to Criminal Law and Family Law.
- Decisions / sensitive documents from files were accessible via Googlebecause the electronic file does not have a password for viewing the documents.
- And others
Through these, hackers could:
- To uncover your family issues and the intimate aspects you have experienced.and which were discussed in divorce, in the division of assets, or in disputes regarding custody. They could later publish details about your family, or even sell access to this information or blackmail you.
Did your wife argue that she was unhappy with the relationship because you were unable to perform during the divorce proceedings? Or perhaps she mentioned that you were abusive towards your child? No problem, everything is now public. - To discover professional secrets that were mentioned in the file or discussed therein: Your malicious competitors may have gained access to this information.
- To modify the penalties for certain offenses: Can we rely on the judges to identify that a zero was actually deleted, or that the sentence was reduced for rarely encountered offenses? They have failed in the past to identify acts that should not have been published in the Official Gazette thousands of times.
- To obtain details about what the victims experienced in a criminal trial and what they went through.The traumas they have and how they can exploit them to steal or blackmail victims.
The affected parties were:
- Approximately 2,000,000 files from the Cluj Court of Appeal were susceptible to being exfiltrated by an attacker. with average skills, files that included particularly sensitive data:
- A malicious actor you can obtain details of the documents from the electronic file related to criminal cases, cases involving minors, and cases of domestic violence/minors, which include very sensitive details
- A malicious actor It is possible to read and download documents that include service secrets, trade secrets, bank secrecy, and similar documents, making them accessible to malicious actors.
- At least 100,000 Romanians and legal entities in Romania have had all the documents from the electronic file published.licenses, documents with special sensitivity:
- Any person, even without technical skillsYou can obtain details of the documents from the electronic file in criminal cases, cases involving minors, and cases related to domestic violence/minors, which include very sensitive details.
- Any person, even without technical skills It is possible to read and download documents that include service secrets, trade secrets, bank secrecy, and similar documents, making them accessible to malicious actors.
- At least 10,000 Romanians and legal entities from Romania there are certain sensitive documents accessible through the IDOR vulnerability
- Details from court rulings that included the address, personal identification number (CNP), as well as other data that could be used to forge an identity card to obtain bank loans from non-banking financial institutions, along with sensitive remarks from the final ruling issued by the courts.
- Citations from the courts that included the address where a person resided.
How can I find out if I have been affected?
I have prepared a list of individuals who have been affected, to varying degrees, in terms of vulnerability:
- All individuals who had cases in court under the jurisdiction of Cluj - Access to the disclosure of files.
- All users until 2024 of the Official Monitor (RAMO)
- All individuals searching for the date, court, and type of ruling they had through rejust.ro, using the "using password" search, can find their case file - Full disclosure of the case file.
Brief overview:
In recent years, Romania has made significant strides in digitalization, aiming to align itself with the Western bloc that many aspire to join. While the desire for digitalization is commendable, the manner in which it has been implemented raises many questions:
- Why is digitalization so expensive when carried out by a public institution?
- Why do almost all public institutions in Romania have data breaches, or systems vulnerable to attacks and full of vulnerabilities?
- What impact do these attempts at "digitalization" have on us as citizens?
One of the important sectors in democracy, Justice, has been significantly impacted by these hasty and unplanned digitalization decisions, with many courts resorting to ad-hoc digital solutions that do not meet industry standards.
From SQL injection problems that allowed modifications to regional ECRIS nodes (the system where files, brief solutions, etc., are stored), to simple IDORs caused by the lack of authentication for particularly sensitive information, it is time to stop keeping these issues to myself and to expose them publicly.
Official Gazette hacked by cybercriminals
The Autonomous Regia "Monitorul Oficial" (RAMO) is the public institution responsible for managing the publication of laws and ensuring their accuracy. This is the institution that maintains the laws and makes them public, and the system used by RAMO to bring the Official Monitor to the public's attention was vulnerable.
Thus, even a 13-year-old child passionate about IT they can enter the Official Gazette and publish lawsbecause the application was developed without any attention to the most common and well-known attacks:
- SQL Injection - Critical Risk LevelThe RAMO application did not properly manage access to the database, allowing hackers to connect with any account on the application and extract sensitive data (e.g., user accounts).
- Directory Listing - Medium Risk LevelThe AutenticMonitor application, which could be used to access old monitors that were not indexed in the new "ExpertMonitor" application, was vulnerable to Directory Listing, meaning you could read what files existed on the Official Monitor's server.
- Unparalleled backup copies - High Risk Level: Another identified aspect was the storage on the server of unpatched backup copies, which most likely contained the source code, potentially including copies of the database, and which existed unpatched on the web server. An attacker could use this information to identify vulnerabilities on the platform.
- Missing authentication of witness photos - Low risk level: ExpertMonitor provided the public with unverified witness photos, which allowed access to the Official Monitor "for free" (in Romania, you must purchase the right to access documents you are legally obligated to know, as you are legally accountable if you do not), a clearly unintended aspect by RAMO.
Measures taken, yet completely ignored
We encountered a series of issues trying to get AutenticMonitor to work on Windows 10 (it requires a Java applet - applets that can only be accessed with Internet Explorer), attempting to rebuild it locally to function standalone.
Once identified, we urgently communicated with RAMO regarding the existence of the problems and the risks they posed, on October 17, 2022.
I have not received any response regarding the resolution deadline. When we contacted RAMO by phone, we were informed that they understood we wanted to do marketing and they invited us to Bucharest for a discussion..
In short, we were offered a collaboration through direct assignment / rigged bidding in response to our "blackmail" of notifying issues.
They told us that the application was developed by SIVECO, and that this is how programs are made in the public sector.
Siveco generated over 400,000,000 RON in contracts with the state between 2011 and 2015.
I declined, stating that we are willing to assist, within the limits of time, pro bono, but not for the development of another platform at the state's expense.
They told us they notified the necessary parties but "cannot disclose the name over the phone" (likely SRI or STS), yet apparently no action has been taken.
Therefore, after reporting another set of key vulnerabilities (UNBR + CECCAR), and the actual operationalization of the DNSC has begun (National Cyber Security Directorate), I have communicated the set of vulnerabilities that I notified and that have not been resolved.
The DNSC has informed us that it has taken the necessary measures to notify the relevant institutions. Among these issues was the situation regarding the Official Monitor, as well as some vulnerabilities affecting the majority of courts in Romania, which we will discuss later.
Among these issues was the situation of the Official Monitor, as well as some vulnerabilities that affected the majority of courts in Romania, which we will discuss later.
To ensure that vulnerabilities impacting national security were properly reported, I have communicated to the CyberInt section the vulnerabilities affecting military appeal courts and the Official Monitor.given the jurisdiction that the SRI has over them, and the dangers of launching hybrid attacks or disinformation campaigns aimed at creating confusion prior to a potential armed incursion.
Clearly, a state actor like Russia can find other ways to exploit such vulnerabilities.
Interesting, in 12 days various attacks will go viral regarding the Chamber of Deputies, which coordinates the activity of the Official Monitor.
Although the attack does not seem to have been significant, it generates media pressure that empowers the DNSC and initiates the necessary process of "arming against hackers" to prevent such attacks.
N.B: Note well I have debated with colleagues whether it could have been launched by the SRI as a false flag operation precisely to "raise awareness" of these vulnerabilities, but it remained speculative without evidence. In any case, in such a reporting scenario, where silence is the standard practice, you seek confirmations of the measures taken from various sources.
What could hackers do on the Official Gazette?
Given the nature of the application, it is certain that through it or its database, laws could be published, and this can be achieved by anyone through the SQL injection vulnerability.
So, anyone had the power to publish laws in the Official Gazette, and the chances of them being identified were minimal.
Let us remember how the legal advisor profession was hijacked by the NGO federation OCJR, which deceived the Official Gazette into publishing a fictitious statute that imposed obligations not supported by Parliament:
Due to the vast attack surface, it is almost certain that a malicious actor could exploit the reported vulnerabilities, as well as any other potential vulnerabilities that we have not identified.
Furthermore, the Official Monitor recently experienced a data breach, which was the moment after which we confirmed that the vulnerabilities had been rectified.
While details about this breach have not been publicly communicated, except for vague emails sent to individuals who had an account on ExpertMonitor / AutenticMonitor, it is certain that they have suffered a significant data breach, as previous measures were nonexistent. it has shown that MO does not respond to minor issues.
On April 5, 2024, they will issue a notification in this regard, even informing individuals to contact the DPO of MO.
It is very rare for institutions to take such measures, therefore, in this regard, we commend the MO's initiative to comply with their legal obligations.
However, even so, what the Official Monitor did not mention is:
- Punctual, what "cyber attack incident" occurred, and what impact did it have?
- A has susceptibility, or have personal data been disclosed? Does RAMO have an audit log feature that shows who accessed information and what information was accessed?
- How many accounts were accessed / what data did the attackers have access to? Previously, we emphasized that personal data including addresses were disclosed through a directory listing of all invoices/proformas, a matter brought to the attention of the MO. Furthermore, the SQL injection vulnerability likely allowed for the exfiltration of data from the database. (most were blind, however)
What is certain is that although they were notified about certain risks, risks that, once they arise, signal a weak foundation that needs to be reinforced, if not built from scratch, they did not take action until it was too late.
Moreover, this behavior is somewhat standard among public institutions, especially those with "political backing," which poses numerous dangers to democracy and should not exist in any form.
Cluj Court of Appeal vulnerable to accessing the regional ECRIS database
The System ECRISThe interconnection system used by the EU judiciary, which is currently implemented nationally in the form of modular nodes hosted separately by each court of appeal, has been vulnerable to access due to configuration errors and poorly written code snippets.
From its perspective, this situation would not have been problematic if the court's server did not also contain backups of the WordPress installation (+ database) and ECRIS used by the court.
The backups of the WordPress database and installations also include the hashed forms of the passwords used by instances, and due to the nature of some sites that must be accessed by legally trained personnel, this also creates the risk that some passwords may not be entirely secure and could potentially be identified through a brute force attack (attempting all files with rational names) on the database.
The backups for accessing the ECRIS system are likely clones of the WEB application used by the Cluj Court of Appeal, which allowed for an expanded attack surface.
Together, the two vulnerabilities mentioned above made it almost certain that there were vulnerabilities allowing access to WordPress, from which access to all applications hosted by the web user could be escalated, and depending on the version of Windows, to the entire server.
The backups for accessing the ECRIS system are likely clones of the WEB application used by the Cluj Court of Appeal, which allowed for an expanded attack surface.
Real danger
Together, the two vulnerabilities mentioned above almost certainly indicated the existence of vulnerabilities that could allow access to WordPress, from which access to all applications hosted by the web user could be escalated, and depending on the version of Windows, to the entire server.
I can say with 80% certainty that through these vulnerabilities, all files in the Cluj region could have been accessed, amounting to over 1,377,972 files, including files with cases such as:
- Pedophilia
- Files with Minors
- Violuri
- Omoruri
The accessed data could be used to blackmail individuals or disclosed publicly to create chaos in the justice system.
Measures taken and impact
We have promptly communicated the vulnerabilities to the Court of Appeal in Cluj.
On October 19, 2022, we were notified that the issues have been resolved, and we received the request to continue reporting vulnerabilities.
However, after a period of time (Confirmed at the end of 2023), the system administrator of the Court of Appeal made the mistake of re-implementing the same PHP scripts that allowed for reading information from the web directory again.
Furthermore, access to certain backup copies was permitted, even though those containing sensitive information were no longer accessible.
Over 196 Instances vulnerable to IDOR
Due to the lack of an effective authentication system, it is still possible today to identify and download documents that are published on the court's electronic file.
This issue allowed the exfiltration of personal identification numbers, addresses, as well as sensitive details about various cases, including cases involving minors, family law, or other problematic areas whose disclosure could impact individuals' privacy.
Furthermore, due to the poor configuration of the file robots.txt
al instantelor, un fisier care permite configurarea carui program automat (eg: Google, Bing) are acces la aceste informatii, aceste hotarari ajungeau sa fie indexate, chiar si acum fiind vizibile pe webarchive.
Subsequently, the authorities took measures to request the removal of these files from the web archive; however, they are still stored on CommonCrawl or other relevant sites, and the implementation of an authentication system, as we recommended, has not been carried out.
Among these courts were the High Court of Cassation and Justice, the majority of the courts of appeal, and all military courts of appeal.
List of instances vulnerable to IDOR:
- Vrancea Vrancea Court, Adjud Court, Focșani Court, Panciu Court
- Vaslui: Vaslui Tribunal, Bârlad Court, Huși Court, Vaslui Court
- Tulcea Tulcea Court, Babadag Court, Măcin Court, Tulcea Court
- Timiș Timișoara Court of Appeal, Timiș Tribunal, Timișoara Military Tribunal, Deta Court, Făget Court, Lugoj Court, Sânnicolau Mare Court, Timișoara Court
- Teleorman Teleorman Court, Alexandria Court, Roșiori de Vede Court, Turnu Măgurele Court, Videle Court, Zimnicea Court
- Suceava Suceava Court of Appeal, Suceava Tribunal, Câmpulung Moldovenesc Court, Fălticeni Court, Gura Humorului Court, Rădăuți Court, Suceava Court, Vatra Dornei Court
- Sibiu Sibiu Court, Agnita Court, Avrig Court, Mediaș Court, Săliște Court, Sibiu Court
- Satu Mare Satu Mare Court, Carei Court, Negrești-Oaș Court, Satu Mare Court
- Prahova Ploiești Court of Appeal, Prahova Tribunal, Câmpina Court, Mizil Court, Ploiești Court, Sinaia Court, Vălenii de Munte Court
- Olt: Olt Tribunal, Balș Court, Caracal Court, Corabia Court, Slatina Court
- Mureș Târgu-Mureș Court of Appeal, Mureș Tribunal, Mureș Specialized Tribunal, Luduș Court, Reghin Court, Sighișoara Court, Târgu-Mureș Court, Târnăveni Court
- Mehedinți County Mehedinți Court, Baia de Aramă Court, Drobeta-Turnu Severin Court, Orșova Court, Strehaia Court, Vânju Mare Court
- Ilfov Ilfov Court, Buftea Court, Cornetu Court
- Iași Iași Court of Appeal, Iași Tribunal, Iași Military Tribunal, Iași Court, Hârlău Court, Pașcani Court, Răducăneni Court
- Ialomița Ialomița Court, Fetești Court, Slobozia Court, Urziceni Court
- Hunedoara: Hunedoara Tribunal, Brad Court, Deva Court, Hațeg Court, Hunedoara Court, Orăștie Court, Petroșani Court
- Harghita Harghita Court, Gheorgheni Court, Miercurea Ciuc Court, Odorheiu Secuiesc Court, Toplița Court
- Gorj Gorj Tribunal, Motru Court, Novaci Court, Târgu Cărbunești Court, Târgu Jiu Court
- Giurgiu Giurgiu Court, Bolintin Vale Court, Giurgiu District Court
- Galați Galați Court of Appeal, Galați Tribunal, Galați Court, Liești Court, Târgu Bujor Court, Tecuci Court
- Dolj: Craiova Court of Appeal, Dolj Tribunal, Băilești Court, Calafat Court, Craiova Court, Filiași Court, Segarcea Court
- Dâmbovița County Dâmbovița Court, Găești Court, Moreni Court, Pucioasa Court, Răcari Court, Târgoviște Court
- Covasna Covasna Court, Întorsura Buzăului Court, Sfântu Gheorghe Court, Târgu Secuiesc Court
- Constanța Constanța Court of Appeal, Constanța Tribunal, Constanța Court, Hârșova Court, Mangalia Court, Medgidia Court
- Cluj: Cluj Military Tribunal
- Caras-Severin: Caras-Severin Tribunal, Caransebeș Court, Moldova-Nouă Court, Oravița Court, Reșița Court
- Calarasi Călărași Court, Călărași District Court, Lehliu-Gară District Court, Oltenița District Court
- Buzău Buzău Court, Buzău District Court, Pătârlagele District Court, Pogoanele District Court, Râmnicu Sărat District Court
- Bucharest: High Court of Cassation and Justice, Bucharest Court of Appeal, Bucharest Military Court of Appeal, Bucharest Tribunal, Bucharest Insurance Tribunal, Bucharest Military Tribunal, Sector 1 Court, Sector 2 Court, Sector 3 Court, Sector 4 Court, Sector 5 Court, Sector 6 Court
- Brașov Brașov Court of Appeal, Brașov Tribunal, Brașov Minor and Family Tribunal, Brașov Court, Făgăraș Court, Rupea Court, Zărnești Court
- Brăila Brăila Court, Brăila District Court, Făurei District Court, Însurăței District Court
- Botoșani BOTOȘANI Court, BOTOȘANI District Court, DARABANI District Court, DOROHOI District Court, SĂVENI District Court
- Bihor Oradea Court of Appeal, Bihor Tribunal, Oradea Court, Aleșd Court, Beiuș Court, Marghita Court, Salonta Court
- Arad: ARAD Court, ARAD District Court, CHIȘINEU-CRIȘ District Court, GURAHONȚ District Court, INEU District Court, LIPOVA District Court
- Alba Alba Iulia Court of Appeal, Alba Tribunal, Alba Iulia Court, Aiud Court, Blaj Court, Câmpeni Court, Sebeș Court
How could vulnerability be exploited:
Very simple. You would type into Google "filetype:pdf site:[Electronic case file site]" and obtain rulings / citations / documents from electronic files that have been sent via email to litigants or professionals.
What have we done to promote problem-solving?
I have promptly notified CSM and DNSC regarding these vulnerabilities, and they have informed the authorities that have now placed robots.txt files on the site.
I suggested they implement authentication on the viewing endpoints, either with a 2FA using the recipient's email or other means of authentication; however, it seems they have not taken the requested measures, except for deindexing on Google.
The access passwords for electronic files published by the CSM:
A recent non-jurist informed me of a serious issue that appears to have been exploited in the wild (by actors who accessed using this vulnerability) involving electronic files from several courts in Romania.
Approximately 40,000 electronic files, including those involving minors, have been disclosed due to the actions of certain judges and issues with the configuration of a public system provided by the CSM.
Although at first glance it may seem that the files are anonymized (by case number) on rejust.ro, the reality is that they can be easily identified by searching by date, court, subject, procedural status, or solution.
Therefore, the files from rejust.ro can be easily correlated with those from just.ro to determine the content of each solution provided by the courts.
Thus, an attacker only needs to visit the court's website, search on Sintact or another case search application for the specific court that issued a ruling of that type on that date, optionally compare it by the ruling (if desired), and bam! They have gained access to the case files and can view them.
What objects and which instances were vulnerable:
According to rejust.ro, the files that published the passwords of the cases in the court rulings were issued by:
- Constanța Court 16,21%
- Râmnicu Vâlcea Court 10,7%
- Constanța Court 7,06%
- Cluj-Napoca Court 6%
- Turda Court 5,72%
- Bistrita Court 4,72%
- Cluj Court 4,3%
- Sibiu Court 3,9%
- Tulcea Court 3,46%
- Babadag Court 3,22%
- Baia Mare Court 3,21%
- Costești Court 2,65%
In percentage terms, these solutions had objects from these areas of law:
- Civil - 64,53%
- Penalty: 10.05%
- Litigations with professionals: 7.7%
- Administrative and fiscal litigation: 6.06%
- Minors and family: 4.55%
- Labor disputes: 3.04%
- Bankruptcy: 2.61%
- Social insurance: 1.38%
More than 15.98% of the respective files had a sensitive subject, which corresponds to 22,777 files, meaning that:
- 4,483 cases related to "Minors and Family," of which approximately 1,120 have a visible password.This allowed any third party with a free account on rejust.ro to view details regarding individuals' private lives, information about minors, as well as data concerning domestic violence disputes and findings that could be used as evidence in such cases.
- 12,512 cases in the "Criminal" category, of which approximately 3,128 have visible passwords.which allowed third parties to read details about the victims and have sensitive information with which they could blackmail them, among other things.
- 1,718 cases related to "Social Insurance," of which approximately 429 have a visible password, what allowed third parties to obtain information regarding the illnesses / health issues of others.
Clearly, the other 104,606 files cannot be said to lack any sensitive information, particularly in civil and litigation matters, as documents containing such information were attached to the files:
- Trade secrets
- Bank secrecy
- Information regarding various sensitive/critical data that could impact professionals if made public.
- Details about family issues (e.g., inheritance problems, etc.)
The number of sensitive data points that are likely accessible is particularly high, and the fact that anyone could exploit this vulnerability without any technical knowledge is problematic.
Moreover, the fact that I learned about the vulnerability from a lawyer demonstrates that the data had already been misused.
Measures taken:
I have communicated these issues to the DNSC and to the CSM, which have taken temporary measures to request the deletion of information from the web archive and the de-indexing of the respective files from Google, but they have not implemented an authentication system prior to viewing the documents.
They have not informed the victims that they were victims of breaches, apparently the courts are not liable to report data breaches to the ANSPDCP, so no one could take measures to hold the guilty parties accountable.
The current situation:
The problem still persists, albeit in a more tempered manner, as attackers can attempt to guess serial numbers for files to download arbitrary information from any file. Since the file names (and the unauthenticated access URL) are serial and formatted based on certain rules, any series of documents can be de-anonymized at will in a single evening.
Moreover, since the documents are public, legal protections against attackers (who are also difficult to identify) are almost non-existent, requiring the litigant to contend with the institution of the court (High Court of Cassation and Justice, Courts of Appeal), not even being a case of judicial error, but rather poor management of their data.
It is of interest whether the entire state is held accountable, or if the institution of the court will be responsible, since this is not an error of the judges but of the institution that provides them with the resources to operate.
In any case, the lawyer who should defend you will also be confused about how to address the issues, so the chances of clients giving up and lowering their heads are high.
An electronically certified decision from the High Court of Cassation and Justice or any other court, under 10,000 EUR.
Finally, another interesting note concerns the issue of electronic seals of the courts, which in no way comply with the mandatory European standards.
Since a notary cannot "legalize" a power of attorney or any document from the restroom, but must go through certain steps, apply a stamp, add embossing to the pages, etc., electronic signatures should also be protected by specific mechanisms.
Although EU regulations and mandatory standards provide for this, precisely to prevent harder-to-identify electronic fraud, the courts in Romania, which have signatures from CertSign, do not comply with these obligations and ignore petitions to rectify this issue.
All citations in electronic format, null of rights
Without delving into the legal theory that is tedious for most non-professionals, the law stipulates that extended electronic signatures must be used for electronic citations. Furthermore, the European regulation grants equivalent legal effect to qualified electronic seals.
The same regulation stipulates that these seals must be nearly impossible to counterfeit (costs ranging from millions to billions of EUR) in order for them to have the legal effect of electronic seals.
If these aspects are not respected, the electronic signature or the advanced electronic seal applied is no longer qualified, but only has the power of initial evidence.
When the law stipulates a formal requirement (such as needing to be stamped, needing to be signed by hand, or something similar), and you do not comply, the resulting effect is ABSOLUTE NULLITY (this act has not produced and will never produce any legal effects)
If you have been electronically summoned by any court in Romania, please be aware that such summons is legally null and void. Below, I will show you how to verify this, and I will even provide a file for your verification along with a website where you can do this for free.
I have reported this issue to the court in a raised exception where the court denied the validity of some electronic signatures used by us (because they verify the electronic signature based on the "picture").
Moreover, as the law allows for citation with a "Qualified Electronic Signature" via fax (which is technically impossible, only providing a QR code with the hash and certificates used for the signature), it is clear that the legislator has no understanding of electronic signatures and their implications.
The responses of the High Court of Cassation and Justice and those of other institutions, cryptic or absurd
I have taken steps, the responses from the High Court of Cassation and Justice and those of the relevant institutions were cryptic, illegal, or downright absurd.
ICCJ - At the stage of administrative complaint for not providing us with public interest information:
Since I noticed that the High Court is evading the provision of this information (the legal deadline has passed twice), I filed an administrative complaint as the law requires. Thank goodness for ClaudeAI, which allows me to quickly submit administrative complaints.
ADR - Partial and evasive response
I have requested the ADR for their views regarding several pieces of information in order to clarify the situation of the legal documents issued by the courts; I have made the following address to the ADR:
Their response, although with the appearance of correctnessIt does not answer questions, but only states that the provider is accredited. The fact that X is a notary does not mean that X has correctly legalized a document, and that it has legal effect.
In practice, ADR refuses to delve into the substance of the issue and analyzes it very superficially, either due to a lack of technical expertise (although they have legal competence) or out of bad faith, as they are friends with CertSign, whom they have licensed.
When we reported their lack of responses, they evaded the procedure, precisely because the issues were highlighted alongside a case in court regarding the establishment of a company, which is now in the appeal phase at the High Court of Cassation and Justice.
The president of the ADR, with whom I have previously discussed multiple times, both over the phone and on LinkedIn, ignores the issues despite being aware of them.
Solvit Romania vaguely states that citizens in Romania are not protected by European law.
Solvit Romania, a European body that can engage in ensuring compliance with European regulations, including in the administrative procedures of courts, is evading responsibility.
The response given by SOLVIT ROMANIA is absurd, as the European regulations and the fundamental treaty on which SOLVIT must operate prohibit this, as I have explained here:
Explanatory Video Clip (very technical):
When I reported to the DNSC (in vain), I presented a video in which I discussed theoretically the issue that allows for the falsification of legalized decisions.
Old issues (coming soon):
In due course, we await the resolution of other vulnerabilities that will be made public after their resolution by the CSM / courts, in collaboration with the DNSC.
They include:
- Instances of SQL Injection in the ECRIS database (solutions can be modified)
- Others for which I cannot provide details yet
Conclusion
I will conclude abruptly, as the realities speak for themselves, and there is no point in discussing or speculating on the obvious.
It is indeed certain that the justice system supporting Romania remains significantly vulnerable, due to the ongoing errors made by contracted personnel in these institutions, who are negligent towards issues and indifferent to the dangers and damages inflicted on victims.
Currently, public institutions care very little about your data, they care very little if you become blackmailed, and they care very little if sensitive information about your family life is exposed.
None of my efforts have notified the victims regarding vulnerabilities. The only notification made by RAMO was vague, failing to inform the public about the impact, and was issued only after they had actually suffered an attack.
After we communicated the issues to them multiple times, the other institutions often did not even take any steps, let alone report, as required by law, the data breaches that affected their integrity.
And if the reported issues are not notified, are the ones done in secret ever known by the institutions and do they take the necessary measures? Are the problems I report, as a busy person who often discovers such issues incidentally, the only ones affecting these systems?
Useful Resources:
Below, we have prepared a list of useful resources for journalists or individuals seeking information on how we notified these issues and the measures taken.
RAMO SITUATION + INSTANTS IN ROMANIA:
Instant Situation - Electronic Signature Issues:
The documents for validating the issue, which can be used by lawyers to contest the legality of electronic summons as null by law (do not meet the formal requirements):
Response from ADR, CSM regarding issues:
Others coming soon.
Response from the DNSC:
Response from the ANSPDCP:
Responses from the involved institutions
Below, we have included the responses from the institutions that were notified regarding the breaches, for easier access.
The response given by the DNSC (regarding electronic seal issues) on 04.09.2024
The response given by ANSPDCP on 05.09.2024:
The response given by the Court of Appeal Constanta on 06.09.2024:
The response given by CA Craiova - Forward to the Prosecutor's Office confirmed on 07.09.2024:
On the weekend, we received a notification that our email was received by the prosecutor's office near the Craiova court, most likely forwarded by the Craiova Court of Appeal.