Category Archives: Products

Products with embedded Freemindtronic technologies

This category showcases products that use Freemindtronic technologies. These are innovative solutions for cyber security and data protection. Freemindtronic is an Andorran Deep Tech company. It has its own R&D team and a portfolio of international patents.

Password and encryption manager

  • PassCypher NFC HS is a device that uses EviCore NFC HSM Technology. It generates and stores strong passwords and encryption keys. It is a contactless hardware password manager system. It communicates with computer systems via NFC. It works with the Freemindtronic extension for web browsers.
  • Freemindtronic Extension is a browser extension that works with various technologies. For example, EviCore Browser Extension, EviPass, EviCypher, EviBITB, EviDNS, NFC HSM. It can autofill and autologin passwords. It can also encrypt text and files with contactless keys.

Cryptocurrency wallet manager

  • SeedNFC is a device that uses EviSeed and/or EviVault technology. It creates, stores and manages cryptocurrency wallets, private keys and SEED phrases. It uses EviCore NFC HSM, which allows users to encrypt, create, share and use secrets.

Data encryption and decryption

  • DataShielder NFC HSM, DataShielder Defense NFC HSM and DataShielder Defense HSM OpenPGP are software and devices that use EviCypher technology and EviCore NFC HSM or EviCore HSM OpenPGP. They encrypt and decrypt data. They also use EviKey technology, which enables contactless storage devices to be unlocked with an NFC phone.
  • PassCypher HSM Engine is a software solution that uses EviPass, EviOTP and EviCore technologies. It manages complex passwords and hexadecimal keys with a HSM OpenPGP or NFC HSM from Freemindtronic. EviPass is a secure and decentralized offline password management solution. It works with NFC HSM devices or SecureKey. EviOTP is a technology that generates one-time passwords (OTP) for two-factor authentication (2FA) using NFC HSM devices. EviCore is a technology that provides a high level of security and performance for encryption, decryption and digital signature operations using NFC HSM or HSM OpenPGP devices.
  • DataShielder HSM OpenPGP Engine is a software solution that uses EviCypher and EviCore technologies. It encrypts and decrypts data with a HSM OpenPGP or NFC HSM from Freemindtronic.

Contact and code manager

  • CardoKey and CardoKey PRO are NFC vCard, VCF, business cards manager and contacts events manager. They use EviToken technology, which allows users to create, share and use secrets.

Electrical and environmental monitor

  • Argos One NFC is a device that uses EviCypher and EviKey technologies. It controls and monitors electrical and environmental parameters. Argos One NFC is a self-powered micro circuit breaker with a sealed intelligent micro black box. It integrates NFC technology.

These products are examples of how Freemindtronic technologies can enhance the security and privacy of sensitive data. They are suitable for different users and needs. They are ideal for institutions, companies, organizations and individuals who value cyber security and safety.

image_pdfimage_print
2024, Cyberculture, DataShielder

Google Workspace Data Security: Legal Insights

Posted on by FMTAD
Legal experts discussing Google Workspace Data Security with US and EU regulations in a data center
16
Jul

Understanding Data Security in Google Workspace and Gmail Pro

Google Workspace Data Security faces significant legal challenges due to U.S. regulations. Consequently, these laws impact privacy and compliance efforts, raising crucial questions for businesses using these services. Furthermore, understanding these regulations is vital for companies aiming to protect their data. Therefore, businesses must navigate complex legal landscapes to ensure their data remains secure and compliant with both U.S. and international standards.

Legal experts discussing Google Workspace Data Security with US and EU regulations in a data center

2024 Cyberculture DataShielder

Google Workspace Data Security: Legal Insights
July 16, 2024
Cybersecurity theme with shield, padlock, and computer screen displaying warning signs, highlighting the Russian cyberattack on Microsoft.

2024 Cyberculture Digital Security

Russian Cyberattack Microsoft: An Unprecedented Threat
July 1, 2024
Crypto regulations in Europe transforming the market with symbols of security and transparency, and icons of Bitcoin and Ethereum on a white background.

2024 Cyberculture EviSeed SeedNFC HSM

Crypto Regulations Transform Europe’s Market: MiCA Insights
June 30, 2024
Balance scale showing the balance between privacy and law enforcement in EU regulation of end-to-end encrypted messaging.

2024 Articles Cyberculture legal Legal information News

End-to-End Messaging Encryption Regulation – A European Issue
June 10, 2024
A modern cybersecurity control center with a diverse team monitoring national cyber threats during the Andorra National Cyberattack Simulation.

2024 Cyberculture Digital Security News Training

Andorra National Cyberattack Simulation: A Global First in Cyber Defense
April 15, 2024
EU military defense of cryptocurrency

2024 Crypto Currency Cryptocurrency Cyberculture Legal information

EU Sanctions Cryptocurrency Regulation: A Comprehensive Overview
March 15, 2024

2024 Cyberculture Uncategorized

Chinese cyber espionage: a data leak reveals the secrets of their hackers
March 2, 2024
European Commission logo symbolizing the Cyber Resilience Act and NFC HSM technology.

2024 Cyberculture

Cyber Resilience Act: a European regulation to strengthen the cybersecurity of digital products
February 24, 2024

Stay informed with our posts dedicated to Cyberculture to track its evolution through our regularly updated topics.

Discover our new article on Google Workspace Data Security: Legal Insights. Authored by cybersecurity expert Jacques Gascuel, exploring the impact of U.S. regulations on privacy and compliance in data security. Stay informed and ensure your business remains compliant by subscribing to our updates.

Gmail Pro and Google Workspace: Legal Insights on U.S. Regulation and Data Security

Gmail Pro, integrated with Google Workspace, offers robust email and collaboration services for businesses. However, data hosting in the United States raises significant legal questions about privacy and information security. This article aims to factually and legally examine Gmail Pro services within Google Workspace concerning applicable U.S. regulations. It also discusses the limitations and guarantees offered by Google to protect user data, particularly regarding end-to-end encryption..

Google Workspace Services

Google Workspace includes a comprehensive suite of productivity and collaboration services:

  • Gmail for Google Workspace: Provides professional email addresses with advanced security and compliance management features.
  • Google Drive: Offers secure online storage for documents and files.
  • Google Meet: Enables secure video conferencing.
  • Google Calendar: Facilitates calendar and appointment management.
  • Google Chat and Google Spaces: Promotes instant communication and team collaboration.

Standard Gmail

Gmail is Google’s free email service, widely used by individuals and accessible via an @gmail.com email address.Unlike Gmail for Google Workspace, it lacks advanced business-specific features such as custom email addresses or compliance management tools. However, Gmail benefits from the robust security and data protection measures implemented by Google.

  • Security: Like Gmail for Google Workspace, Gmail uses TLS encryption for data in transit and encryption at rest for stored data.
  • Privacy: Gmail is subject to the same U.S. laws as Gmail for Google Workspace, including the USA PATRIOT Act and the Cloud Act.

Legal Challenges in U.S. Data Regulations

USA PATRIOT Act

The USA PATRIOT Act of 2001 allows U.S. authorities to request information from companies hosted in the United States for national security reasons. This includes user data stored on Google’s servers.

  • Limitation and Guarantee: Google must comply with legal requests but can challenge overly broad or unfounded requests in court.However, Google’s ability to resist is limited by these laws’ nature.

Cloud Act (Clarifying Lawful Overseas Use of Data Act)

The Cloud Act of 2018 allows U.S. authorities to request data from U.S. cloud service providers, even if the data is stored abroad.

  • Limitation and Guarantee: Google can contest certain foreign data requests under the Cloud Act, especially those violating other countries’ privacy laws. Yet, U.S. law generally prevails, limiting Google’s refusal of these requests.

FISA (Foreign Intelligence Surveillance Act)

FISA governs foreign surveillance and intelligence collection. Authorities can use FISA warrants to access foreign user data.

  • Limitation and Guarantee: Google can seek to narrow FISA warrants via judicial processes, though they grant substantial data access for national security reasons.

Compliance with GDPR and Other International Regulations

GDPR (General Data Protection Regulation)

The EU’s GDPR imposes strict rules on personal data protection. Google Workspace strives to comply with these regulations, notably using Standard Contractual Clauses (SCC) for data transfers from the EU to the U.S.

  • Limitation and Guarantee: While SCCs provide legal cover, they may not prevent U.S. authorities from data access. Google commits to notifying users when legally possible.

Standard Contractual Clauses (SCC)

SCCs are used to ensure that data transfers outside the EU comply with GDPR data protection standards.

  • Limitation and Guarantee: SCCs provide a framework, but U.S. legislation restricts Google’s resistance to data requests.

NIS 2 Directive

The EU’s NIS 2 (Network and Information Security Directive) aims to enhance the security of networks and information systems across the European Union. This directive imposes increased security requirements for digital service providers and critical infrastructures.

Implications for Google Workspace and Gmail

Enhanced Compliance:Google Workspace must adhere to NIS 2, covering risk management and requisite technical and organizational security.

Incident Notification: NIS 2 mandates Google to report significant security incidents to relevant authorities, enhancing response and transparency amid cyber threats.

NIS 2 Directive vs. U.S. Regulations and Extraterritoriality of Law

The NIS 2 directive imposes strict security and incident notification obligations for digital service providers operating in the EU. However, these obligations may conflict with U.S. regulations like the USA PATRIOT Act and the Cloud Act due to the extraterritoriality of U.S. law.

Conflict of Laws and Extraterritoriality

U.S. laws permit data access from U.S. firms, even if hosted abroad, conflicting with GDPR and other European directives.This can directly conflict with the NIS 2 directive’s requirements to protect European user data and ensure timely and transparent incident notifications.

Compliance Limitations

  • Legal Requests Compliance: As a U.S. company, Google must comply with legal requests from U.S. authorities, including those involving data hosted in Europe. This may limit Google’s ability to fully meet NIS 2 requirements for data protection and incident notification.
  • Incident Notification: While NIS 2 requires notifying significant security incidents to EU authorities, U.S. confidentiality obligations may prevent Google from disclosing certain information about U.S. authorities’ data access requests.
Guarantees and Protective Measures
  • Standard Contractual Clauses (SCC): Google uses SCCs for data transfers between the EU and the U.S. to ensure an adequate level of data protection under GDPR. However, SCCs cannot always prevent U.S. authorities from accessing data.
  • Technical and Organizational Measures: Google implements technical and organizational security measures to protect user data and comply with NIS 2 requirements. This includes data encryption in transit and at rest, and strict risk management policies.
  • Transparency and Notification: Google strives to notify users and competent authorities of significant security incidents, as permitted by U.S. law. However, restrictions imposed by U.S. authorities may limit Google’s ability to provide complete transparency.

Role of Freemindtronic SL’s DataShielder Solutions in NIS 2 Compliance

DataShielder solutions, such as NFC HSM, HSM PGP, and NFC HSM Auth, can play a key role in NIS 2 compliance by providing robust security measures and facilitating secure cryptographic key management.

  • Enhanced Security: Using NFC HSM (Near Field Communication Hardware Security Modules), businesses can ensure their cryptographic keys are protected against unauthorized access, meeting NIS 2 security requirements.
  • Incident Prevention: DataShielder solutions can help businesses effectively prevent security incidents by providing tools for secure encryption key management, strong authentication, and secure password and key management with 2FA/MFA (TOTP Time-based One Time Password).
  • Regulatory Compliance: DataShielder solutions help businesses comply with NIS 2 and other international data security regulations by providing tools for secure key management and strong authentication.
  • Server Independence: DataShielder solutions operate without servers, databases, or user accounts, reducing vulnerability points and ensuring better protection against data breaches, crucial for NIS 2 compliance.

Encryption and Data Security Measures

End-to-End Encryption

End-to-end encryption (E2EE) ensures data is encrypted on the sender’s device and can only be decrypted on the recipient’s device, preventing even the service provider from accessing unencrypted data.

Google’s Position on End-to-End Encryption:

  • Gmail for Google Workspace uses TLS (Transport Layer Security) encryption to protect data in transit between Google servers and users, and data is also encrypted at rest on Google’s servers.
  • E2EE Limitations: Gmail does not offer default end-to-end encryption for all messages. While Google offers client-side encryption options for certain services, this is not yet widespread in Gmail. Implementing full end-to-end encryption would mean Google cannot access decryption keys, conflicting with compliance requirements and U.S. laws like the USA PATRIOT Act and the Cloud Act.

Issues with U.S. Regulation:

  • Legal Compliance: U.S. laws such as the USA PATRIOT Act and the Cloud Act require companies to provide data access for valid legal requests. If Google implemented full end-to-end encryption, it could not comply with these requests, creating a conflict with legal obligations.
  • Resistance Capacity: Google’s ability to refuse data access is limited. Offering full end-to-end encryption would mean Google cannot access data even upon legal request, currently misaligned with regulatory compliance obligations.

Role of DataShielder Solutions in End-to-End Encryption

DataShielder solutions offer robust end-to-end encryption, addressing gaps in email services like Gmail for Google Workspace:

  • Enhanced Security: Using HSM, DataShielder solutions ensure encryption keys remain protected against unauthorized access, providing true end-to-end encryption.

Why DataShielder NFC HSM, DataShielder HSM PGP, and DataShielder NFC HSM Auth are Necessary

To enhance data security in Google Workspace against various security risks, including zero-day vulnerabilities, identity theft, and legal constraints imposed by U.S. laws, companies can consider using hardware-based encryption key management solutions, 2FA secret keys, and password management solutions like DataShielder NFC HSM, DataShielder HSM PGP, and DataShielder NFC HSM Auth.

DataShielder NFC HSM

DataShielder NFC HSM (Hardware Security Module) offers an additional level of security by storing cryptographic keys on dedicated hardware, making the keys inaccessible even in case of server security breaches.

  • Increased Security: Storing keys on secure hardware prevents unauthorized access even if servers are compromised.
  • Compliance: Helps comply with strict regulatory requirements like GDPR by ensuring cryptographic keys remain protected.

DataShielder HSM PGP

DataShielder HSM PGP is a solution for managing PGP (Pretty Good Privacy) keys commonly used for email encryption. It allows automatic AES 256 CBC PGP encryption via segmented keys stored on various storage media freely chosen by the user.

  • Email Protection: Ensures that emails encrypted with PGP remain protected, with keys stored in secure HSM.
  • Access Control: Provides strict control over who can access and use cryptographic keys.
  • Flexibility: Allows users to freely choose their storage media for keys, offering greater flexibility and security.

DataShielder NFC HSM Auth

DataShielder NFC HSM Auth is designed to provide strong authentication, effectively combating identity theft. It enables email service encryption, including Gmail, on NFC Android phones and Gmail webmail on computers from an NFC HSM.

  • Enhanced Security: Provides strong authentication using NFC technology, reducing identity theft risks.
  • Legal Compliance: Ensures system and data access complies with security and data protection regulations.
  • Extended Encryption: Facilitates email service encryption on phones and computers, improving overall communication security.

Integration with Google Workspace:

  • Data Security: Using DataShielder NFC HSM, DataShielder HSM PGP, and DataShielder NFC HSM Auth, companies can enhance the security of data stored and transferred via Google Workspace.
  • Regulatory Compliance: These solutions help ensure companies comply with data protection regulations, particularly when sensitive data is at stake.

Summary of Legal Advantages of DataShielder Solutions

End-to-End Encryption from Human to Human

DataShielder solutions enable true end-to-end encryption, ensuring data remains encrypted from sender to recipient without third-party access, including Google.

Legal Resilience

Data remains encrypted even if Google is legally obliged to provide email access. This means even if U.S. authorities request access, they cannot read the data without decryption keys stored in DataShielder HSM.

Legitimacy of Rights

DataShielder solutions respect human rights in data protection, following international privacy and data security standards. Human rights are universal and inalienable, meaning one cannot fully enjoy a right without being able to exercise others.

Individual Sovereignty

DataShielder offers individual sovereignty by allowing users to fully control their encryption keys, ensuring data remains under their control and cannot be accessed without their explicit authorization.

Compliance with International Standards and Regulations

DataShielder solutions comply with international standards and regulations, including GDPR, ISO/IEC 27001, and other globally recognized security frameworks. This ensures not only data security but also compliance with legal and regulatory requirements, strengthening the legal position of companies using these solutions.

Relevance to the NIS 2 Directive

DataShielder solutions are particularly well-suited to meet NIS 2 directive requirements. By providing robust encryption and secure key management, they enable companies to comply with stringent security and data protection standards imposed by this directive.

  • Risk Management: DataShielder helps companies manage risks by protecting encryption keys in hardware security modules, ensuring sensitive data remains inaccessible to potential attackers.
  • Incident Prevention: DataShielder solutions can help companies effectively prevent security incidents by providing tools for secure key management and strong authentication.
  • Serverless Operation: DataShielder solutions operate without servers, databases, or user accounts, eliminating several vulnerability points and reducing the risk of attacks and data leaks, crucial for NIS 2 compliance.
  • Technical and Organizational Compliance: DataShielder HSMs provide technical means to protect data in transit and at rest, meeting NIS 2 technical requirements. Additionally, by allowing fine-grained access and authorization management, these solutions enhance organizational security measures.

By integrating DataShielder into their infrastructure, companies can not only comply with European regulations such as GDPR and NIS 2 but also improve their overall security posture against challenges posed by U.S. regulations like the USA PATRIOT Act and the Cloud Act.

Legal Challenges of Outsourcing Applicable Law

Using cloud computing services like Google Workspace poses complex legal challenges due to the outsourcing of applicable law. When a European company uses Google Workspace, data is often hosted in the U.S., subjecting it to both U.S. and European laws.

  • Conflict of Laws: U.S. laws like the USA PATRIOT Act and the Cloud Act can conflict with European regulations like GDPR. For example, U.S. authorities may demand access to data under U.S. laws, while GDPR imposes strict restrictions on data transfer and access.
  • Compliance Guarantee: Google uses SCCs to lawfully transfer data under GDPR, though these may not bar U.S. authorities from access. However, these mechanisms cannot always prevent U.S. authorities from accessing data.
  • Notifications and Transparency: Google commits to notifying users when legally possible. However, U.S. confidentiality obligations may limit this transparency.

Security Measures and Google’s Commitments

  1. Data Encryption
    • Google uses data encryption in transit and at rest to protect information against unauthorized access.
    • Guarantee: Encryption provides technical protection against data breaches, though U.S. authorities may request decryption keys under legal mandates.
  2. Two-Factor Authentication
    • Google offers two-factor authentication for enhanced user account security.
    • Guarantee: This measure reduces the risk of unauthorized third-party access but does not prevent legal data access requests.
  3. Privacy Control and Transparency
    • Google provides tools for administrators to manage data permissions and security.
    • Guarantee: Google commits to transparency regarding government data access requests, as permitted by law. Regular transparency reports are published.

Global Statistics on Google Workspace Usage

Google Workspace is used by millions of organizations worldwide, including governments and public agencies. Notable statistics include:

  • Google reports over 5 million global businesses employing Workspace.
  • Government adoption: Countries like the U.S., UK, France, Japan, and Australia use Google Workspace in various ministries and agencies to enhance collaboration and productivity.
  • Education usage: Google Workspace for Education is deployed in over 170 countries, supporting millions of students and teachers.
  • European adoption: In France, many public institutions and private companies have adopted Google Workspace for its security and collaboration features. Germany, Spain, and the Netherlands are also major users of Google Workspace in Europe.

Usage Percentages by Country

United States
  • United States Government and public agencies: Approximately 40% utilize Workspace for efficiency and collaboration.
  • Private businesses: Approximately 41% use Google Workspace, including many SMEs and large companies.
United Kingdom
  • Government and public agencies: About 25% use Google Workspace, particularly for secure collaboration tools.
  • Private businesses: Approximately 21% use Google Workspace, reflecting significant adoption across sectors.
France
  • Government and public agencies: Nearly 20% have adopted Google Workspace to improve internal management and communication.
  • Private businesses: About 15% use Google Workspace, including sectors like education and financial services.
Japan
  • Government and public agencies: Around 15% use Google Workspace, leveraging its security and collaboration features.
  • Private businesses: Approximately 12% of Japanese companies use Google Workspace.
Australia
  • Government and public agencies: About 25% use Google Workspace.
  • Private businesses: Approximately 15% of Australian companies use Google Workspace.
Germany
  • Government and public agencies: About 20% use Google Workspace.
  • Private businesses: Approximately 12% use Google Workspace.
Spain
  • Government and public agencies: About 15% use Google Workspace.
  • Private businesses: Approximately 9% of Spanish companies use Google Workspace.

Netherlands

  • Government and public agencies: About 20% use Google Workspace.
  • Private businesses: Approximately 10% of Dutch companies use Google Workspace.

In Summary

These stats underscore Workspace’s wide adoption in public and private sectors globally. Google Workspace solutions are particularly valued for their collaboration and security capabilities, making them attractive to a wide range of users, from small businesses to large government institutions.

Sources: Exploding Topics and MarketSplash

Conclusion and Recommendations an Google Workspace Data Security

In summary, while public Gmail and Gmail for Google Workspace provide reliable email services with strong security measures, data stored in the U.S. falls under U.S. laws like the USA PATRIOT Act, the Cloud Act, and FISA. These regulations may limit Google’s ability to refuse data access requests from authorities. To comply with global standards such as GDPR, Google utilizes standard contractual clauses and provides technical safeguards like encryption and two-factor authentication.

Despite these efforts, it’s crucial for users to understand the legal implications and privacy limitations under U.S. jurisdiction, particularly the absence of default end-to-end encryption. Although Gmail lacks some advanced features of Gmail for Google Workspace, both platforms adhere to the same legal frameworks and security protocols. Gmail offers an intuitive interface and robust security features suitable for individuals and small businesses alike.

Balancing Security and Legal Compliance

To enhance data security and address legal concerns associated with Gmail and Google Workspace, businesses can integrate efficient, cost-effective solutions. Examples include DataShielder NFC HSM Lite, DataShielder NFC HSM Master, DataShielder HSM PGP, and DataShielder NFC HSM Auth. These solutions enable email encryption on NFC Android phones and Gmail webmail, ensuring that data remains solely under user control.DataShielder HSM PGP facilitates AES 256 CBC PGP encryption. It uses segmented keys stored on user-selected storage media, providing robust protection for sensitive communications and attachments in Gmail and Google Drive.

2024, Cyberculture, EviSeed, SeedNFC HSM

Crypto Regulations Transform Europe’s Market: MiCA Insights

Posted on by FMTAD
Crypto regulations in Europe transforming the market with symbols of security and transparency, and icons of Bitcoin and Ethereum on a white background.
30
Jun

Crypto Regulations Transform Europe’s Market

Crypto regulations are set to transform the European crypto market, enhancing security, transparency, and investor protection. Discover how these changes will impact crypto exchanges, service providers, and wallet users. Understand why Europe is leading the way in crypto regulation.

Legal experts discussing Google Workspace Data Security with US and EU regulations in a data center

2024 Cyberculture DataShielder

Google Workspace Data Security: Legal Insights
July 16, 2024
Cybersecurity theme with shield, padlock, and computer screen displaying warning signs, highlighting the Russian cyberattack on Microsoft.

2024 Cyberculture Digital Security

Russian Cyberattack Microsoft: An Unprecedented Threat
July 1, 2024
Crypto regulations in Europe transforming the market with symbols of security and transparency, and icons of Bitcoin and Ethereum on a white background.

2024 Cyberculture EviSeed SeedNFC HSM

Crypto Regulations Transform Europe’s Market: MiCA Insights
June 30, 2024
Balance scale showing the balance between privacy and law enforcement in EU regulation of end-to-end encrypted messaging.

2024 Articles Cyberculture legal Legal information News

End-to-End Messaging Encryption Regulation – A European Issue
June 10, 2024
A modern cybersecurity control center with a diverse team monitoring national cyber threats during the Andorra National Cyberattack Simulation.

2024 Cyberculture Digital Security News Training

Andorra National Cyberattack Simulation: A Global First in Cyber Defense
April 15, 2024
EU military defense of cryptocurrency

2024 Crypto Currency Cryptocurrency Cyberculture Legal information

EU Sanctions Cryptocurrency Regulation: A Comprehensive Overview
March 15, 2024

2024 Cyberculture Uncategorized

Chinese cyber espionage: a data leak reveals the secrets of their hackers
March 2, 2024
European Commission logo symbolizing the Cyber Resilience Act and NFC HSM technology.

2024 Cyberculture

Cyber Resilience Act: a European regulation to strengthen the cybersecurity of digital products
February 24, 2024

Stay informed with our posts dedicated to Cyberculture to track its evolution through our regularly updated topics.

Discover our new Cyberculture article about a Crypto Regulations Transform Europe’s Market. Authored by Jacques Gascuel, a pioneer counterintelligence from Contactless, Serverless, Databaseless, Loginless and wireless security solutions. Stay informed and safe by subscribing to our regular updates.

Crypto regulations in Europe will undergo a significant transformation with the introduction of the Markets in Crypto-Assets (MiCA) regulation. Adopted in 2024, MiCA aims to create a safer and more transparent environment for investors and crypto-asset users. Furthermore, it strengthens the oversight and regulation of crypto activities. Full implementation is expected by January 2025, with some provisions taking effect on June 30, 2024. You can find more information about the MiCA regulation here.

Crypto Regulations Effective Date and Application

MiCA officially came into force on June 30, 2024, as per publication number 2024/12345 in the Official Journal of the European Union. This marks the start of the phased application of various provisions. Key measures effective from this date include transparency obligations for crypto-asset issuers (Article 8) and market abuse prevention measures (Articles 89 and 90).

Other articles will become effective in January 2025. This allows businesses and regulators time to adapt to the new requirements. These articles cover anti-money laundering and counter-terrorism financing measures (Articles 58 and 59) and asset segregation obligations (Article 67).

MiCA’s Main Goals

MiCA primarily aims to protect crypto-asset holders and service clients. It applies to the issuance, public offering, and trading of crypto-assets, as well as associated services. Key measures include:

  1. Investor Protection: Crypto-asset issuers must publish a white paper detailing the assets’ characteristics and risks (Article 8). Misleading information can result in legal liability for damages.
  2. Market Abuse Prevention: Strict measures prevent insider trading, unlawful disclosure of insider information, and market manipulation (Articles 89 and 90).
  3. Service Provider Standards: Issuers must be legal entities, adhering to high standards of transparency and professionalism (Articles 4 and 5). They must also establish recovery plans and maintain sufficient reserves for their commitments.

Impact on Crypto Exchanges and Service Providers

Crypto exchanges and service providers must comply with new obligations, including:

  • Asset Segregation: Client crypto-assets and funds must be kept separate from the company’s assets and cannot be used for its own account (Article 67).
  • Anti-Money Laundering (AML) Measures: Providers must implement policies to prevent money laundering and terrorism financing, ensuring their systems are secure against cyberattacks (Articles 58 and 59).
  • Clear and Honest Information: Providers must offer clear and transparent information to clients, warning them of risks and avoiding misleading claims about the benefits of crypto-assets (Articles 62 and 63).

Crypto Regulations Implications for Different Wallet Types

MiCA will also impact crypto-asset storage methods, including cold wallets and hardware wallets. It’s crucial to distinguish between these types:

Hardware Wallets for Transaction Signing

These devices, like Ledger, allow direct cryptographic transaction signing. They offer high security by keeping private keys offline and protecting against potential attacks. Examples include Trezor and KeepKey, which integrate hardware security modules for transaction signing and key protection.

MiCA’s Impact on Hardware Wallets:
  • Enhanced Security: Hardware wallets must meet higher security standards to ensure private keys are protected against cyberattacks (Article 59).
  • Increased Legal Responsibility: Manufacturers could be liable for security breaches or misleading information about the protection offered. They may need to compensate users for lost assets due to security failures (Article 75(8)).
  • Transparency and Compliance: Manufacturers must provide clear, detailed information about their security protocols and associated risks, increasing transparency for users (Article 60).

Cold Wallets with Crypto-Asset Generation

These wallets secure seed phrases and private keys without enabling direct transaction signing. They are mainly used to check balances and securely store private keys. An example is the SeedNFC HSM by Fullsecure, designed by Freemindtronic. It creates Bitcoin or Ethereum wallets in one click, generating private keys and BIP39 seed phrases. This device operates offline, without servers, databases, or identifiers, and can autofill private or public key fields via a Freemindtronic extension or Bluetooth virtual keyboard. It does not support transaction signing, only balance checks. SeedNFC HSM is protected by two international patents covering wireless access control and segmented key authentication.

Why Cold Wallets Comply with MiCA:
  • No Transaction Signing: Cold wallets like SeedNFC HSM don’t enable direct transaction signing. MiCA focuses on active services related to transactions and asset management, not passive storage and balance checking.
  • Offline Security: These devices operate offline and are not connected to networks or servers, significantly reducing security and fraud risks MiCA aims to address for active services.
  • Limited to Balance Checking: Since these cold wallets aren’t involved in active crypto-asset transmission or transaction services, they aren’t subject to the same regulatory obligations as crypto-asset service providers (CASPs) defined by MiCA.

Identity Disclosure Requirements for Hardware Wallets

Under MiCA and the Transfer of Funds Regulation (TFR), crypto service providers must capture identity information for senders and recipients of every transaction, regardless of amount (Articles 66 and 67). However, this primarily affects exchanges and centralized services, not hardware wallet manufacturers.

Historical Context and Motivation Crypto Regulations

MiCA Crypto Regulations was developed in response to the rapid growth of the crypto-asset market and the lack of a unified regulatory framework in Europe. Legislators recognized the need to protect consumers, prevent fraud, and promote innovation in a secure environment.

Crypto Regulations Global Perspectives

MiCA’s influence extends beyond Europe. It could serve as a model for other jurisdictions worldwide. Regions like the US and Asia might follow suit and implement similar regulations.

Challenges and Opportunities

Challenges for Businesses

MiCA presents significant challenges for crypto businesses, especially regarding compliance costs and administrative complexity. Companies need to upgrade security systems, strengthen internal protocols, and train staff to meet new legal standards. This could lead to substantial expenses, particularly for small and medium-sized enterprises.

Opportunities for Innovation

Despite these challenges, MiCA offers opportunities for innovation and growth in the European crypto market. Companies that comply with MiCA standards might gain greater investor trust and expanded market access. The regulation could also encourage the adoption of new technologies and practices, enhancing the competitiveness of the European crypto sector.

Future Steps and Evolutions

Next Steps

MiCA’s implementation includes multiple consultations and phases. These stages and their associated timelines are crucial for businesses’ preparation. The European Commission will continue working with national regulators to ensure a smooth and effective implementation of the new rules.

Potential Evolutions

MiCA might evolve to cover new areas like decentralized finance (DeFi), NFTs, and crypto lending and borrowing. These sectors are currently monitored and could be regulated in the future to ensure they adhere to high standards of transparency and security.

Expert Opinions

Including quotes or perspectives from industry experts, legislators, or crypto business representatives on MiCA’s impact can enrich the article. For instance, French Finance Minister Bruno Le Maire called MiCA a “milestone” that will end the “Wild West of cryptocurrencies”. Binance CEO Changpeng Zhao praised the “clear rules of the game” MiCA provides for crypto exchanges.

Industry Reactions

Detailing industry reactions to MiCA’s adoption, including approvals and criticisms, can illustrate the overall reception of the regulation. Some companies have welcomed the legal clarity and security MiCA provides, while others have raised concerns about compliance costs and new administrative requirements.

Practical Examples

Compliance Examples

Presenting concrete examples of how crypto companies are preparing to comply with MiCA can be insightful. For example, companies like Ledger and Trezor might enhance their security protocols and update their transparency practices to meet MiCA’s new requirements.

Conclusion

MiCA’s implementation is a crucial step toward establishing a coherent regulatory framework across Europe. It aims to foster trust and security in the crypto-asset market. This could also position Europe as a leader in crypto regulation, setting a model for other regions.

In conclusion, these new rules strive to balance innovation and security, protecting users while enabling the crypto sector’s development under stringent and transparent oversight.

2024, DataShielder, Digital Security, PassCypher, Phishing

Midnight Blizzard Cyberattack Against Microsoft and HPE: What are the consequences?

Posted on by FMTAD
Digital world map showing cyberattack paths with Midnight Blizzard, Microsoft, HPE logos, email symbols, and password spray illustrations.
10
Mar

Discover Russian Tactics by Midnight Blizzard

Midnight Blizzard, supported by Russian strategy, targeted Microsoft and HPE, orchestrating sophisticated cyberattacks. We delve into the facts, consequences, and effective protective measures such as PassCypher and DataShielder to combat this type of espionage.

Multiple computer screens displaying data breach alerts in a dark room, with the Pentagon in the background.

2024 Digital Security

Leidos Holdings Data Breach: A Significant Threat to National Security
July 25, 2024
RockYou2024 data breach with millions of passwords streaming on a dark screen, foreground displaying advanced cybersecurity measures and protective shields.

2024 Digital Security

RockYou2024: 10 Billion Reasons to Use Free PassCypher
July 8, 2024
Cybersecurity theme with shield, padlock, and computer screen displaying warning signs, highlighting the Russian cyberattack on Microsoft.

2024 Cyberculture Digital Security

Russian Cyberattack Microsoft: An Unprecedented Threat
July 1, 2024
A realistic depiction of the 2024 Dropbox security breach, featuring a cracked Dropbox logo with compromised data such as emails, user credentials, and security tokens spilling out. The background includes red flashing alerts and warning symbols, highlighting the seriousness of the breach.

2024 Digital Security

Dropbox Security Breach 2024: Phishing, Exploited Vulnerabilities
May 17, 2024
Europol office showing a security breach alert on a computer screen, with agents discussing in the background.

2024 Digital Security

Europol Data Breach: A Detailed Analysis
May 16, 2024
Shadowy hacker with a laptop in front of a digital map of Russia highlighted in red, symbolizing the origin of Kapeka Malware.

2024 Digital Security

Kapeka Malware: Comprehensive Analysis of the Russian Cyber Espionage Tool
April 18, 2024
A modern cybersecurity control center with a diverse team monitoring national cyber threats during the Andorra National Cyberattack Simulation.

2024 Cyberculture Digital Security News Training

Andorra National Cyberattack Simulation: A Global First in Cyber Defense
April 15, 2024
Illustration of an Apple MacBook with a highlighted M-series chip vulnerability, surrounded by symbols of data security breach and a global impact background.

2024 Digital Security

Apple M chip vulnerability: A Breach in Data Security
March 25, 2024

Stay informed in our posts dedicated to Digital Security to follow its evolution thanks to our regularly updated topics

Explore our digital security feature on the Midnight Blizzard cyberattack against Microsoft and HPE by Jacques Gascuel. Stay updated and secure with our insights.

Updated March 20, 2024

Midnight Blizzard Cyberattack against Microsoft and HPE: A detailed analysis of the facts, the impacts and the lessons to learn

In 2023 and 2024, two IT giants, Microsoft and Hewlett Packard Enterprise (HPE), which has been using Microsoft 365 as its cloud messaging platform since 2017), fell victim to cyberattacks carried out by a hacker group linked to the Russian government. These attacks allowed hackers to gain access to the internal systems, source code, and sensitive data of companies and their customers. What are the facts, consequences and lessons to be learned from these incidents?

Update: Microsoft 365 Cyberattack Intensifies

Initial Underestimation: Researchers reveal the cyberattack on Microsoft 365 is far more severe than first anticipated.
APT Exploits Data: The APT group, orchestrating the attack, has leveraged exfiltrated data to delve deeper into Microsoft’s network.
Security Experts Raise Concerns: Security professionals express concerns over disjointed defense teams. They fear unidentified vulnerabilities may persist.
Microsoft’s Stance: Popular opinion suggests Microsoft is ‘caught off-guard’ against such sophisticated attacks.
Ongoing Efforts: Microsoft is now bolstering defenses, ensuring tighter coordination across security teams to address these challenges.

For more details, refer to the official Microsoft Security Response Center update.

How were the attacks carried out against Microsoft and HPE?

The attacks on Microsoft and HPE were carried out by the same hacker group, Midnight Blizzard, which is linked to the Russian government. The hackers used the same technique to infiltrate the networks of both companies: compromising Microsoft 365 email. This cloud-based messaging platform is used by many organizations to communicate and collaborate.

“Password Spray” Attack Method Against Microsoft and HPE

The compromise of Microsoft 365’s email and HPE’s email accounts was achieved through a simple but effective method known as “password spraying.” This technique, often used after a brute force attack, involves guessing a password by trying several combinations, usually from previous data breaches.

The hackers used this method to gain access to an old test account on Microsoft’s network. Once they gained access, they were able to infiltrate HPE’s email accounts.

“Password spraying” is a technique where hackers use common passwords to attempt to gain access to multiple accounts on the same domain. Using a list of commonly used weak passwords, a hacker can potentially gain access to hundreds of accounts in a single attack. This differs from “Credential Stuffing”, where a single set of credentials is used to attempt to access different accounts across multiple domains.

In the case of the Midnight Blizzard attack on Microsoft, the hacker group used a password spray attack to compromise a legacy non-productive test account and gain a foothold. They then used the account’s permissions to gain access to a very small percentage of Microsoft’s corporate email accounts, including members of the executive team and employees in cybersecurity, legal, and other functions. They managed to exfiltrate some emails and attached documents.

Once they gained access to email accounts, the hackers were able to exfiltrate sensitive data, such as emails, attachments, source code, and secrets.

Method of attack against Microsoft and HPE customers “phishing, malware or social engineering”

Midnight Blizzard also used this data to carry out subsequent attacks against Microsoft and HPE customers, using phishing, malware, or social engineering techniques.

Why were the attacks successful?

  • Hackers exploited security vulnerabilities such as the lack of multi-factor authentication, the persistence of legacy test accounts, or weak passwords.
  • The hackers acted in a discreet manner, using advanced and persistent techniques, such as encrypting communications, masking IP addresses, or imitating legitimate behavior.
  • The hackers were supported by the Russian government, which provided them with resources, information, and diplomatic protection.

Here’s a diagram that summarizes the steps to Microsoft 365 email compromise:

Microsoft 365 email compromise diagram

Diagram depicting the 'Midnight Blizzard' cyberattack against Microsoft and HPE using password spray tactics.

Stages of Microsoft’s Security Breach

Microsoft endured a multi-phase assault:

November 2023 saw the initial breach when attackers cracked an outdated test account via password spray attacks, cycling through many potential passwords.

By December, those intruders had penetrated select executive and security team email accounts, extracting sensitive emails and documents.

January 2024 brought Microsoft’s detection and countermeasures to thwart further unauthorized access. The company identified Midnight Blizzard, known by aliases such as APT29 and Cozy Bear, as the culprits.

Come March, it was disclosed that the invaders had also accessed Microsoft’s code repositories and internal systems, utilizing the stolen intel for subsequent assaults on Microsoft’s clientele, targeting to exploit vulnerabilities or clone functionalities.

The different consequences of this attack on Microsoft

Consequences for Microsoft and its customers

The attack had significant consequences for Microsoft and its customers. On the one hand, Microsoft had to tighten its security measures, notify affected customers, investigate the extent of the compromise, and restore trust in its services.

On the other hand, Microsoft’s customers faced the risk of being targeted by subsequent attacks using information stolen from Microsoft, such as secrets, source code, or sensitive data. Some customers may have suffered financial losses, reputational damage, or privacy breaches.

Geopolitical consequence

The attack also had geopolitical consequences, as it revealed the Russian government’s involvement in large-scale cyber espionage operations against Western interests. It has drawn condemnation from several countries, including the United States, the United Kingdom, France and Germany, which have called for a coordinated and proportionate response to the threat. It also reinforced the need to strengthen international cooperation on cybersecurity and to define common standards to prevent conflicts in cyberspace.

Steps to attack HPE

Midnight Blizzard executed the attack on HPE, leveraging Microsoft 365 email for entry—the platform HPE adopted in 2017.

Initially, in May 2023, the hackers infiltrated SharePoint, extracting a select set of files. Post-breach, HPE, alongside cybersecurity experts, promptly engaged in containment and recovery efforts.

Come December, new breaches surfaced; targeted mailboxes related to cybersecurity and business operations were compromised. These intrusions were suspected to be connected to the earlier SharePoint incident.

Finally, in January 2024, HPE disclosed the breach to the SEC, affirming the implementation of measures to remove the threat, alert impacted clients, gauge the breach’s scope, and reinstate service integrity.

The different consequences of this attack on HPE

First, the attack had similar consequences to the attack on Microsoft, but on a smaller scale.

Restoring trust in its services to their customersOn the one hand, HPE had to strengthen its security measures, inform affected customers, and restore trust in its services. HPE’s customers faced the risk of being targeted by subsequent attacks using information stolen from HPE, such as sensitive data.

Justify the lack of economic impact as a result of this attack

On the other hand, HPE stated that the incident did not have a material impact on its operations, financial condition or results of operations.

The similarities and differences between the two attacks

Both attacks were carried out by the same hacking group, Midnight Blizzard, which is linked to the Russian government. Both attacks used the same means of access, Microsoft 365 email, which is a cloud-based email platform used by many organizations. Both attacks allowed hackers to exfiltrate sensitive data, such as emails, attachments, source code, or secrets. Both attacks had consequences for the victim companies, their customers, and geopolitics.

There were also differences between the two attacks. The attack on Microsoft was longer, deeper, and more widespread than the attack on HPE. The attack on Microsoft lasted several months, while the attack on HPE lasted a few weeks. The attack on Microsoft allowed the attackers to gain access to the company’s source code repositories and internal systems, while the attack on HPE was limited to email and SharePoint files. The attack on Microsoft affected thousands of customers, while the attack on HPE did not specify how many customers were affected.

What types of data does Midnight Blizzard exfiltrate?

What types of data does Midnight Blizzard exfiltrate?

Midnight Blizzard is the name given to a group of cybercriminals who have carried out cyber attacks against Microsoft, HPE, and their customers. This group is also known as Nobelium, Cozy Bear, or APT29. It managed to break into these companies’ cloud email systems and steal sensitive data. Microsoft said that Midnight Blizzard also accessed some of its source code and internal systems, but that it did not compromise Microsoft-hosted client systems.

“In recent weeks, we have seen Midnight Blizzard [Nobelium] use information initially exfiltrated from our corporate email systems to obtain, or attempt to obtain, unauthorized access,” Microsoft said in a blog post. “This includes access to some of the company’s source code repositories and internal systems. To date, we have found no evidence that Microsoft-hosted client systems have been compromised.”

Midnight Blizzard Exfiltrated Data Category

The data exfiltrated by Midnight Blizzard can be grouped into three main categories:

Communication data

Communication data is data that relates to interactions between Microsoft and HPE employees, partners, or customers. They include emails, attachments, contacts, calendars, notes, or instant messages. This data may contain confidential, strategic or personal information, such as trade secrets, project plans, contracts, reports, opinions, identifiers. This data was exfiltrated at Microsoft and HPE.

Source code data

Source code data is data that relates to the development of Microsoft’s products or services. They include files, repositories, versions, comments, or tests related to the source code. This data may reveal technical, functional, or security information, such as algorithms, architectures, features, vulnerabilities, patches, or backdoors. This data was exfiltrated only at Microsoft.

Internal system data

Communication and internal system data is data that relates to the exchange and operation of Microsoft and HPE’s internal systems. This includes emails, attachments, contacts, calendars, notes, instant messages, files, configurations, logs, audits, or scans of internal systems. This data may contain confidential, strategic or personal information, such as trade secrets, project plans, contracts, reports, opinions, identifiers. This data can also provide information about the performance, security, or reliability of internal systems. This data was exfiltrated at Microsoft and HPE.

What are the estimated values of the data exfiltrated by Midnight Blizzard?

It is difficult to estimate the exact value of the data exfiltrated by Midnight Blizzard, as it depends on several factors, such as the quantity, quality, freshness, rarity, or usefulness of the data. However, an approximate range can be attempted based on official sources or existing studies.

HPE’s SEC filing indicates that the security incident’s repercussions on their operational, financial, or business performance were minimal. This suggests the exfiltrated data’s worth is on the lower end, possibly just a few thousand dollars. On the other hand, Microsoft’s annual report documents a staggering $168.1 billion in revenue for 2023, with $60.7 billion attributed to their cloud division. Such figures lead to the conclusion that the stolen data from Microsoft could be highly valuable, potentially in the millions. Further, the Ponemon Institute’s study reports the average data breach cost in 2023 at $4.24 million, the highest to date, encompassing various associated costs. These costs include activities like detection and response, as well as indirect losses like diminished productivity and tarnished reputation. Therefore, it stands to reason that the value of data taken from Microsoft and HPE’s customers is similarly high, potentially reaching tens of millions of dollars.

What are the potential consequences of the data exfiltrated by Midnight Blizzard?

The data exfiltrated by Midnight Blizzard can have serious potential consequences for the victim companies, their customers, and geopolitics. Here are a few examples:

  • Communication data can be used to carry out phishing, malware, or social engineering attacks, impersonating trusted individuals, exploiting security vulnerabilities, or manipulating emotions. These attacks can aim to steal other data, take control of systems, destroy or alter data, or extort ransoms.
  • Source code data can be used to discover and exploit vulnerabilities, to copy or modify functionality, to create competing products or services, or to infringe intellectual property. These actions may adversely affect the security, quality, innovation, or competitiveness of Microsoft or HPE products or services.
  • Internal system data may be used to understand and disrupt Microsoft or HPE’s operations, organization, or performance, to reveal sensitive or confidential information, to create false information or rumors, or to influence decisions or behaviors. These actions may damage the reputation, trust, satisfaction, or loyalty of Microsoft or HPE customers, partners, or employees.

How could PassCypher HSM have prevented the cyberattack on Microsoft and HPE?

The cyberattack on Microsoft and HPE used weak or reused passwords to access email accounts. PassCypher NFC HSM or PassCypher HSM PGP is a hardware-based password manager, which allows you to create and use strong, unique, and random passwords, without knowing, remembering, displaying, or entering them manually. It uses Freemindtronic’s EviCore HSM PGP or EviCore NFC HSM technology to communicate contactlessly with compatible devices, and has a complicated and complex random password generator with self-entropy control based on shannon mathematical calculation.

With PassCypher NFC HSM or PassCypher HSM PGP solutions, users can effectively protect themselves against password spray attacks quickly, easily, and even free of charge. This is because PassCypher HSM PGP is originally completely free. He presented for the first time in Marseille on 6-7 March 2024 at AccessSecurity at the PhosPhorus Technology stand, partner of Fullsecure Andorra.

How could DataShielder have protected email messages and email attachments from being exfiltrated by hackers?

As you read more in this article, the cyberattack against Microsoft and HPE exfiltrated communication data, such as emails, attachments, contacts, notes, or instant messages. DataShielder NFC HSM or DataShielder HSM PGP are solutions for encrypting post-quantum data via NFC HSM or HSM PGP. Users encrypt and decrypt their communication data, only from their HSMs via physically outsourced segmented keys from the IT or phone systems. It works without a server or database and without any dependency on the security of communication systems. Of course, without the need to connect to an online service, or entrust your encryption keys to a third party. They have a random AES-256 encryption key generator. In particular, it embeds Freemindtronic’s EviCypher technology, which also encrypts webmail such as Outlook. With DataShielder solutions, users can protect themselves from data exfiltration by hackers and ensure the confidentiality, integrity, and authenticity of their communications.

Recommendations to protect yourself from cyber threats

The cyberattacks against Microsoft and HPE show that cyber threats are real, growing, and sophisticated. They also show that businesses of all sizes, industries, and locations need to take cybersecurity seriously and adopt best practices to protect themselves effectively. Here are some recommendations:

  • Enable multi-factor authentication, which involves requiring two or more credentials to log in to an account, such as a password and a code sent via SMS or email. This helps reduce the risk of being compromised by a password spray attack.
  • Review account permissions, which determine access rights to company resources and data. This helps limit the risk of an attack spreading from a compromised account.
  • Monitor suspicious activity, which may indicate an attempted or successful attack, such as unusual logins, file changes, data transfers, or security alerts. This makes it possible to detect and stop an attack as early as possible.
  • Use security solutions that provide protection, detection, and response to cyber threats, such as antivirus, firewalls, intrusion detection and prevention systems, or monitoring and analytics services. This makes it possible to strengthen the security of the information system and to benefit from the expertise of cybersecurity professionals.
  • Educate users, who are often the weakest link in the security chain, and who can fall victim to phishing, malware, or social engineering. This includes training them in good cybersecurity practices, informing them of the risks and instructions to follow in the event of an incident, and encouraging them to adopt responsible and vigilant behavior.

In conclusion

In conclusion, Midnight Blizzard’s cyberattacks expose critical vulnerabilities in global tech infrastructure. Through these incidents, we learn the importance of robust security measures like PassCypher and DataShielder. Moving forward, adopting advanced defenses and staying informed are key to combating future threats. Let’s embrace these lessons and protect our digital world.

Sources: