Information Security Blog | Cyber Security Blog

Sreejith C


The US government's reach got a little bit shorter Thursday when the Second Circuit Court of Appeals reversed a lower court decision and ruled that the US government can't force Microsoft to hand over customer emails stored on a server in Ireland.

The court's ruling at least temporarily capped a long-running legal battle between the tech giant and the federal government, effectively ordering a District Court to quash a warrant for the data and vacating an order that held Microsoft in contempt for its refusal to yield to the government's demands.

Privacy advocates hailed the ruling as a victory for Microsoft, and, if it holds, it will likely inspire confidence among European privacy regulators who worried about the fortitude of the US's privacy posture.

“It's a big win for Microsoft and other tech companies pushing back against government information requests,” Joseph G. Falcone, partner at the law firm of Herbert Smith Freehills New York LLP, told SCMagazine.com.

“The ruling really puts the US on an even playing field with other governments and will help in future conversations on privacy,” former White House senior director for cyber-security Ari Schwartz, now managing director of cyber-security services at Venable LLP, told SC via email.

The court flatly said that Congress didn't intend for the warrant provisions in the Stored Communications Act (SCA), the government's basis for making such data requests, to apply in other territories.

Indeed, “the focus of those provisions is protection of a user's privacy interests,” Second Circuit Judge Susan L. Carney wrote, noting that the SCA “does not authorise a US court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer's electronic communications stored” on overseas servers.

The US government has vigorously argued otherwise. During an investigation of a drug case, in December 2013 the government pressed Microsoft to turn over emails stored on the Irish server. Microsoft refused, claiming the government had no power to demand data stored in another country, well outside its jurisdiction. In April 2014, a federal judge ordered Microsoft to hand over those records. Microsoft again refused and was found in contempt of court. The case has been sitting in the Second Circuit ever since.

Thursday's ruling tempers government reach and will have important implications for privacy.

“The ruling is a striking victory for privacy over the threat of government access and overreach,” Omer Tene, vice president of research and education at the International Association of Privacy Professionals (IAPP), told SC via email. “It recognises that national borders exist even in cyber-space and the cloud. It places an emphasis on the location of data and servers in deciding which legal regime applies.”

The Second Circuit's ruling comes just days after the EU-US Privacy Shield was approved by the 28 member states of the EU and the European Commission (EC).

Privacy Shield had hit some glitches on its way to approval, as European privacy advocates and regulators expressed concern that it didn't adequately address the chief issue that got its predecessor, Safe Harbour, thrown out by the European Court of Justice: mass surveillance of private citizens.

“The [Second Circuit] decision limits the power of the [US government] to access data stored in Europe,” said Tene. Although the ruling doesn't address bulk data collection for national security purposes, which is the core concern of privacy advocates and regulators in Europe, both Tene and Falcone noted that it will likely be referenced going forward.

“It will definitely figure in judicial challenges to Privacy Shield, though I'm not sure it will make a difference at the end of the day in a European court,” said Tene.

The Justice Department has had little success recently in its attempts to extract customer data from tech companies. Two cases against Apple for access to locked iPhones ended with third parties coming forward to help the government get what it needed.

It is unclear at the time of writing whether the Justice Department will challenge the ruling, but law enforcement officials have bristled before at efforts by tech companies to spurn their data requests, contending that it would hamper their investigations. What Thursday's ruling means for national security depends on how the relationship between the two sides evolves.

“For national security, we will have to see how tech companies cooperate with law enforcement moving forward,” said Schwartz. “There has been an effort to build US-UK relations that should help in a case like this, but law enforcement will need to come to the table to work with companies to come up with a broader agreement.”

While the Second Circuit's decision puts a finer point on privacy, it may face challenges in the future.

“I don't know if this is the last word,” said Falcone.

Snowden calls it a "dark day for Russia" as Putin signs surveillance measures into law

Russian President Vladimir Putin signed legislation Thursday compelling telephone companies and internet providers to save and store the private communications of its customers, notwithstanding concerns raised by human rights advocates and big business alike.

Included within a package of amendments proposed as antiterrorism measures, the law will require telecoms to collect and keep copies of customers' phone calls, text messages and emails for six months, as well as maintain metadata concerning those communications for up to three years.

Other provisions effectively outlaw encryption that the authorities cannot decrypt within Russia and introduce new penalties for individuals accused of inciting terrorism through social media.

Edward Snowden, the former National Security Agency contractor who leaked information about the U.S. government's intelligence gathering operations, said on Twitter that Mr. Putin's signature authorizes "a repressive new law that violates not only human rights, but common sense," and "must be condemned."

"Dark day for Russia," Mr. Snowden tweeted Thursday.

Upon signing the legislative package, Mr. Putin instructed Russia's Federal Security Service, or FSB, to acquire within two weeks the means necessary to decrypt all data sent across the internet.

Mr. Putin has been condemned by international human rights groups during his reign for routinely restricting internet access within Russia's borders and censoring websites critical of the Kremlin. By requiring all "organizers of information distribution" to provide authorities with encryption keys that could be used to decipher secure communications, the legislation will further limit Russian citizens' ability to communicate under the radar of an increasingly repressive government.

Last week, the United Nations Human Rights Council passed a resolution which "condemns unequivocally measures to intentionally prevent or disrupt access to or dissemination of information online in violation of international human rights law."

Human rights concerns aside, Russian telecoms have largely opposed the package by claiming the new rules for keeping customers' data will require the deployment of additional and expensive infrastructure.

"Putting aside the ethics, morale and philosophy of these amendments, operators will need to make huge investments into new infrastructure which does not exist at the moment," said Egor Fedorov, an analyst of ING Bank, Bloomberg News reported.

Megafon CEO Sergei Soldatenkov told Kommersant newspaper Thursday that the bill "financially kills the telecommunication industry."

Mr. Snowden, who has lived in Russia since exposing secrets concerning the NSA's own surveillance endeavors, said those investments amount to a "$33 billion tax on Russia's internet."

In announcing Mr. Putin's decision to sign the amendments into law Thursday, spokesman Dmitry Peskov told reporters that the president instructed the government to make adjustments if the measures do pose any "financial risks."

"The government will keep a close eye on how this law is implemented, and if some unpleasant consequences are discovered, the president will ask [the government] to take steps," he said.


Even your ATM PIN isn't safe from your smartwatch

Wednesday, 13 July 2016 05:30
As day-to-day apparel and accessories turn into networked mobile electronic devices attached to the body, such as smartwatches and fitness bands, the threat to the personal data these devices collect has risen sharply. A recent study from Binghamton University suggests your smartwatch or fitness tracker is not as secure as you think, and that it could be used to steal your ATM PIN.

The risk lies in the motion sensors in these wearables. Among other data, the sensors record your hand movements, making it possible for "attackers to reproduce the trajectories" of your hand and "recover secret key entries."

In the paper, titled "Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN," computer scientists from the Stevens Institute of Technology and Binghamton University used an algorithm that guesses passwords and PINs with about 80% success on the first attempt, and over 90% within three tries. The researchers say their "Backward PIN-Sequence Inference" algorithm can capture anything a person types on any keypad, from ATM keypads to mobile keypads, through a compromised smartwatch, even when the person makes only slight hand movements while entering the PIN.

"The team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand's pose," reports Phys.org.

Although the researchers do not name specific wearable devices that are vulnerable, they note that attackers can record information about your hand movements...

Bottom line: the team says it doesn't have a robust solution to prevent this attack, but recommends that manufacturers and developers confuse attackers by inserting "a certain type of noise data" that leaves the device usable for fitness tracking but not for guessing keystrokes.

Another, low-tech, approach: always enter passwords and PINs with the hand that is not wearing the device with its highly sophisticated motion tracker.
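The inference step described above, as an added toy example that is neither the paper's code nor part of the original post. It assumes a constructed 4x3 keypad with a 15 mm key pitch, uses per-keystroke displacement vectors as a stand-in for the hand trajectory an attacker integrates out of accelerometer and gyroscope samples, and walks backwards from the ENTER key, whose position is known, to recover the digits. Nearest-key snapping and Gaussian jitter are simplifying assumptions: the real algorithm works on raw sensor traces and ranks candidate PINs rather than committing to one. The same jitter, turned up, models the noise-injection countermeasure the researchers suggest.

```python
"""Toy backward PIN inference from inter-keystroke hand displacements (added example)."""
import math
import random

# Constructed keypad geometry (an assumption, not from the paper): an ATM-style
# 4x3 layout with a 15 mm key pitch, positions in millimetres from the "1" key.
KEY_PITCH_MM = 15.0
KEYPAD = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
    "0": (1, 3), "ENTER": (2, 3),
}


def key_position_mm(key):
    """Centre of a key in millimetres."""
    col, row = KEYPAD[key]
    return (col * KEY_PITCH_MM, row * KEY_PITCH_MM)


def displacements_for(keys):
    """Hand displacement (dx, dy) in mm between consecutive presses.
    This stands in for the trajectory an attacker integrates out of the
    wearable's accelerometer and gyroscope samples."""
    out = []
    for prev, nxt in zip(keys, keys[1:]):
        px, py = key_position_mm(prev)
        nx, ny = key_position_mm(nxt)
        out.append((nx - px, ny - py))
    return out


def add_noise(displacements, sigma_mm, rng):
    """Gaussian jitter on each displacement: sensor error at small sigma, or the
    deliberate noise injection the researchers propose as a countermeasure."""
    return [(dx + rng.gauss(0.0, sigma_mm), dy + rng.gauss(0.0, sigma_mm))
            for dx, dy in displacements]


def nearest_key(x, y):
    """Snap a point to the closest key centre (a simplification of the paper)."""
    return min(KEYPAD, key=lambda k: math.dist(key_position_mm(k), (x, y)))


def infer_pin_backward(displacements, anchor="ENTER"):
    """Backward inference: the final press is assumed to be ENTER, whose
    position is known. Walk the displacements in reverse, subtract each one to
    find where the previous press landed, and snap to the nearest key.
    Re-anchoring on the snapped key stops per-step error from accumulating."""
    x, y = key_position_mm(anchor)
    recovered = []
    for dx, dy in reversed(displacements):
        x, y = x - dx, y - dy
        key = nearest_key(x, y)
        recovered.append(key)
        x, y = key_position_mm(key)
    return "".join(reversed(recovered))


def simulate_attack(pin, sigma_mm, trials=200, seed=1):
    """Fraction of trials in which the PIN is recovered exactly from noisy
    displacements. Small sigma models a clean sensor trace; large sigma models
    the injected-noise countermeasure."""
    rng = random.Random(seed)
    clean = displacements_for(list(pin) + ["ENTER"])
    hits = sum(infer_pin_backward(add_noise(clean, sigma_mm, rng)) == pin
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    # Constructed sample PIN; in a real attack only the displacements are observed.
    print(infer_pin_backward(displacements_for(list("4927") + ["ENTER"])))
    for sigma in (1.0, 3.0, 12.0):
        print(f"sigma={sigma:>4} mm  success={simulate_attack('4927', sigma):.2f}")
```

With millimetre-level sensor error the walk recovers the PIN essentially every time, which is the core of the finding; once the jitter approaches half the key pitch, neighbouring keys become indistinguishable and the success rate collapses, which is why adding noise to the exported motion data defeats keystroke inference while leaving coarse fitness tracking usable.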