Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data protection. Show all posts
Security Keys
Cyber Security Data protection Hardware MFA online account security online accounts Online attacks Security Keys

Why Securing Online Accounts is Critical in Today’s Cybersecurity Landscape

 

In an era where cybercriminals are increasingly targeting passwords through phishing attacks, data breaches, and other malicious tactics, securing online accounts has never been more important. Relying solely on single-factor authentication, such as a password, is no longer sufficient to protect sensitive information. Multi-factor authentication (MFA) has emerged as a vital tool for enhancing security by requiring verification from multiple sources. Among the most effective MFA methods are hardware security keys, which provide robust protection against unauthorized access.

What Are Hardware Security Keys?

A hardware security key is a small physical device designed to enhance account security using public key cryptography. This method generates a pair of keys: a public key that encrypts data and a private key that decrypts it. The private key is securely stored on the hardware device, making it nearly impossible for hackers to access or replicate. Unlike SMS-based authentication, which is vulnerable to interception, hardware security keys offer a direct, offline authentication method that significantly reduces the risk of compromise.

Hardware security keys are compatible with major online platforms, including Google, Microsoft, Facebook, GitHub, and many financial institutions. They connect to devices via USB, NFC, or Bluetooth, ensuring compatibility with a wide range of hardware. Popular options include Yubico’s YubiKey, Google’s Titan Security Key, and Thetis. Setting up a hardware security key is straightforward. Users simply register the key with an online account that supports security keys. For example, in Google’s security settings, users can enable 2-Step Verification and add a security key.

Once linked, logging in requires inserting or tapping the key, making the process both highly secure and faster than receiving verification codes via email or SMS. When selecting a security key, compatibility is a key consideration. Newer devices often require USB-C keys, while older ones may need USB-A or NFC options. Security certifications also matter—FIDO U2F provides basic security, while FIDO2/WebAuthn offers advanced protection against phishing and unauthorized access. Some security keys even include biometric authentication, such as fingerprint recognition, for added security.

Prices for hardware security keys typically range from $30 to $100. It’s recommended to purchase a backup key in case the primary key is lost. Losing a security key does not mean being locked out of accounts, as most platforms allow backup authentication methods, such as SMS or authentication apps. However, having a secondary security key ensures uninterrupted access without relying on less secure recovery methods.

Maintaining Strong Online Security Habits

While hardware security keys provide excellent protection, maintaining strong online security habits is equally important. This includes creating complex passwords, being cautious with email links and attachments, and avoiding oversharing personal information on social media. For those seeking additional protection, identity theft monitoring services can offer alerts and assistance in case of a security breach.

By using a hardware security key alongside other cybersecurity measures, individuals can significantly reduce their risk of falling victim to online attacks. These keys not only enhance security but also ensure convenient and secure access to their most important accounts. As cyber threats continue to evolve, adopting advanced tools like hardware security keys is a proactive step toward safeguarding your digital life.

Read more »
Privacy
Cyberattacks CyberCrime Cyberhacker CyberThreat Data protection Privacy

Smart Meter Privacy Under Scrutiny as Warnings Reach Millions in UK

 


According to a campaign group that has criticized government net zero policies, smart meters may become the next step in "snooping" on household energy consumption. Ministers are discussing the possibility of sharing household energy usage with third parties who can assist customers in finding cheaper energy deals and lower carbon tariffs from competitors. 

The European watchdog responsible for protecting personal data has been concerned that high-tech monitors that track households' energy use are likely to pose a major privacy concern. A recent report released by the European Data Protection Supervisor (EDPS) states that smart meters, which must be installed in every home in the UK by the year 2021, will be used not only to monitor energy consumption but also to track a great deal more data. 

According to the EDPS, "while the widespread rollout of smart meters will bring some substantial benefits, it will also provide us with the opportunity to collect huge amounts of personal information." Smart meters have been claimed to be a means of spying on homes by net zero campaigners. A privacy dispute has broken out in response to government proposals that will allow energy companies to harvest household smart meter data to promote net zero energy. 

In the UK, the Telegraph newspaper reports that the government is consulting on the idea of letting consumers share their energy usage with third parties who can direct them to lower-cost deals and lower carbon tariffs from competing suppliers. The Telegraph quoted Neil Record, the former economist for the Bank of England and currently chairman of Net Zero Watch, as saying that smart meters could potentially have serious privacy implications, which he expressed concerns to the paper. 

According to him, energy companies collect a large amount of consumer information, which is why he advised the public to remain vigilant about the increasing number of external entities getting access to household information. Further, Record explained that, once these measures are authorized, the public would be able to view detailed details of the activities of households in real-time. 

The record even stated that the public might not fully comprehend the extent to which the data is being shared and the possible consequences of this access. Nick Hunn, founder of the wireless technology consulting firm WiFore, also commented on the matter, highlighting the original intent behind the smart meter rollout, He noted that the initiative was designed to enable consumers to access their energy usage data, thereby empowering them to make informed decisions regarding energy consumption and associated costs. Getting to net zero targets will be impossible without smart meters. 

They allow energy companies to get real-time data on how much energy they are using and can be used to manage demand as needed. Using smart meters, for instance, households will be rewarded for cutting energy use during peak hours, thereby reducing the need for the construction of new gas-fired power plants. Energy firms can also offer free electricity to households when wind energy is in abundance. Using smart meters as a means of controlling household energy usage, the Government has ambitions to install them in three-quarters of all households by the end of 2025, at the cost of £13.5 billion. 

A recent study by WiFore, which is a wireless technology consulting firm, revealed that approximately four million devices are broken in homes. According to Nick Hunn, who is the founder of the firm: "This is essentially what was intended at the beginning of the rollout of smart meters: that consumers would be able to see what energy data was affecting them so that they could make rational decisions about how much they were spending and how much they were using."
Read more »
kiberphant0m
BSNL data breach CERT-In Critical Data cyberattack on BSNL cybercriminals Dark web marketplace Data Breach Data protection data security kiberphant0m

U.S. soldier linked to BSNL data breach: Arrest reveals cybercrime

 

The arrest of Cameron John Wagenius, a U.S. Army communications specialist, has unveiled potential connections to a significant data breach targeting India’s state-owned telecom provider, BSNL. The breach highlights the global reach of cybercrime networks and raises concerns about the security of sensitive data across continents. 

Wagenius, stationed in South Korea, was apprehended on December 20, 2023, for allegedly selling hacked data from U.S. telecom companies. According to cybersecurity experts, he may also be the individual behind the alias “kiberphant0m” on a dark web marketplace. In May 2023, “kiberphant0m” reportedly attempted to sell 278 GB of BSNL’s critical data, including subscriber details, SIM numbers, and server snapshots, for $5,000. Indian authorities confirmed that one of BSNL’s servers was breached in May 2023. 

While the Indian Computer Emergency Response Team (CERT-In) reported the intrusion, the identity of the perpetrator remained elusive until Wagenius’s arrest. Efforts to verify the hacker’s access to BSNL servers through Telegram communication and sample data proved inconclusive. The breach exposes vulnerabilities in telecom providers’ security measures, as sensitive data such as health records, payment details, and government-issued identification was targeted. 

Additionally, Wagenius is accused of selling call records of prominent U.S. political figures and data from telecom providers across Asia. The arrest also sheds light on Wagenius’s links to a broader criminal network led by Connor Riley Moucka. Moucka and his associates reportedly breached multiple organizations, extorting millions of dollars and selling stolen data. Wagenius’s involvement with this network underscores the organized nature of cybercrime operations targeting telecom infrastructure. 

Cybersecurity researchers, including Allison Nixon of Unit 221B, identified Wagenius as the individual behind illicit sales of BSNL data. However, she clarified that these activities differ from state-sponsored cyberattacks by groups such as Salt Typhoon, a Chinese-linked advanced persistent threat actor known for targeting major U.S. telecom providers. The case has also exposed challenges in prosecuting international cybercriminals. Indian authorities have yet to file a First Information Report (FIR) or engage with U.S. counterparts on Wagenius’s case, limiting legal recourse. 

Experts suggest leveraging international treaties and cross-border collaboration to address such incidents. As the investigation unfolds, the breach serves as a stark reminder of the growing threat posed by insider actions and sophisticated cybercriminal networks. It underscores the urgent need for robust data protection measures and international cooperation to counter cybercrime.
Read more »
Salt Typhoon
China Hackers Cyber Attacks cyber espionage Cybersecurity awareness Data protection data security FBI Salt Typhoon

T-Mobile Thwarts Cyberattack Amid Growing Telecom Threats

 

Between September and November, T-Mobile successfully defended against a cyberattack attributed to the Chinese state-sponsored group Salt Typhoon. Unlike previous incidents, this time, no data was compromised. However, the attack highlights growing cybersecurity vulnerabilities in the U.S. telecom sector. 

The Federal Bureau of Investigation (FBI) has identified nine telecom carriers targeted by cyberattacks, with Verizon, AT&T, and Lumen among the known victims. The identity of the ninth carrier remains undisclosed. Hackers reportedly accessed SMS metadata and communication patterns from millions of Americans, including high-profile figures such as presidential candidates and government officials. 

While China denies any involvement in the cyberattacks, its alleged role in the breach underscores the persistent threat of state-sponsored cyber espionage. Though the attackers did not obtain classified information, they managed to collect substantial data for analyzing communication patterns, fueling concerns over national security. 

In response, the Federal Communications Commission (FCC) is weighing penalties for carriers that fail to secure their networks. The agency is also considering a ban on China Telecom operations within the United States. Additionally, the U.S. government has advised citizens to use encrypted telecom services to bolster their privacy and security. 

Senator Ben Ray Luján called the Salt Typhoon incident one of the most significant cyberattacks on the U.S. telecom industry. He stressed the urgent need to address vulnerabilities within national infrastructure to prevent future breaches. 

Anne Neuberger, Deputy National Security Advisor, highlighted the inadequacy of voluntary cybersecurity measures. The FCC is now working on a proposed rule requiring telecom companies to submit annual cybersecurity reports, with penalties for non-compliance. The rule aims to make it harder for hackers to exploit weak networks by encouraging stronger protections.  

Neuberger also emphasized the importance of network segmentation to limit the damage from potential breaches. By isolating sections of a network, companies can contain attackers and reduce the scope of compromised data. She cited a troubling example where a single administrative account controlling 100,000 routers was breached, granting attackers widespread access. 

The FCC’s proposed rule is expected to be voted on by January 15. If passed, it could mandate fundamental security practices to protect critical infrastructure from cyberattacks by adversarial nations. 

The telecom industry’s repeated exposure to breaches highlights the necessity of robust security frameworks and accountability measures. As hackers evolve their tactics, stronger regulations and proactive measures are essential to safeguarding sensitive data and national security. By adopting stricter cybersecurity practices, telecom companies can mitigate risks and enhance their resilience against state-sponsored threats.
Read more »
SEV
Advantech vulnerabilities Cyber Privacy Cyber Technology Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Data Breach Data protection nAMD System SEV

AMD Systems Vulnerability Could Threaten Encrypted Data Protection

 


There has been an announcement of a new technique for bypassing key security protections used in AMD chips to gain access to the clients of those services. Researchers believe that hackers will be able to spy on clients through physical access to cloud computing environments. Known as the "badRAM" security flaw, it has been described as a $10 hack that undermines the trust that the cloud has in it. 

This vulnerability was announced on Tuesday. Like other branded vulnerabilities, this vulnerability is being disclosed on a website with a logo and will be explained in a paper to be presented at next May's IEEE Symposium on Security and Privacy 2025. 

There is an increasing use of encryption in today's computers to protect sensitive data in their DRAM, especially in shared cloud environments with multiple data breaches and insider threats, which are commonplace. The Secure Encrypted Virtualization (SEV) technology of AMD enables users to protect privacy and trust in cloud computing by encrypting the memory of virtual machines (VMs) and isolating them from advanced attackers, including those who compromise critical infrastructure like the virtual machine manager and firmware, which is a cutting-edge technology. 

According to researchers, AMD's Secure Encrypted Virtualization (SEV) program, which protects processor memory from prying eyes in virtual machine (VM) environments, is capable of being tricked into letting someone access the contents of its encrypted memory using a test rig which costs less than $10 and does not require additional hardware. It is important to note that AMD is among the first companies to leverage the capabilities of chipset architecture to improve processor performance, efficiency, and flexibility. 

It has been instrumental in extending and building upon Moore's Law performance gains and extending them further. As a result of the firm's research, performance gains under Moore's Law have been extended and built upon, and the company announced in 2018 that the first processor would have a chipset-based x86 CPU design that was available. Researchers at the University of Lübeck, KU Leven, and the University of Birmingham have proposed a conceptually easy and cheap attack called “BadRAM”. 

It consists of a rogue memory module used to trick the CPU into believing that it has more memory than it does. Using this rogue memory module, you get it to write its supposedly secret memory contents into a "ghost" space that is supposed to contain the hidden memory contents. In order to accomplish this task, researchers used a test rig anyone could afford to buy, composed of a Raspberry Pi Pico, which costs a couple of dollars, and a DIMM socket for DDR4/5 RAM modules. 

The first thing they did was manipulate the serial presence detection (SPD) chip within the memory module so that it would misreport the amount of memory onboard when the device was booted up – the “BadRAM” attack. Using reverse engineering techniques to locate these memory aliases, they had access to memory contents by bypassing the system's trusted execution environment (TEE), as this created two physical addresses referencing the same DRAM location. 

According to the CVE description, the issue results from improper input validation of DIM SPD metadata, which could potentially allow an attacker with certain access levels to overwrite guest memory, as the issue is described as a result of improper input validation. It has been deemed a medium severity threat on the CVSS, receiving a 5.3 rating owing to the high level of access that a potential attacker would need to engage to successfully exploit the problem. 

According to AMD, the issue may be a memory implementation issue rather than a product vulnerability, and the barriers to committing the attack are a lot higher than they would be if it were a software product vulnerability. AMD was informed of the vulnerability by the researchers in February, which has been dubbed CVE-2024-21944, as well as relates specifically to the company’s third and fourth-generation EPYC enterprise processors. According to AMD’s advisory, the recommendation is to use memory modules that lock SPD and to follow physical security best practices. 

A firmware update has also been issued, although each OEM's BIOS is different, according to AMD. As the company has stated on several occasions, it will make mitigations more prominent in the system; there is specific information on the condition of a Host OS/Hypervisor, and there is also information available on the condition of a Virtual Machine (Guest) to indicate that mitigation has been applied.

The AMD company has provided an in-depth explanation of the types of access an attacker would need to exploit this issue in a statement given to ITPro, advising clients to follow some mitigation strategies to prevent the problem from becoming a problem. The badRAM website states that this kind of tampering may occur in several ways — either through corrupt or hostile employees at cloud providers or by law enforcement officers with physical access to the computer. 

In addition, the badRAM bug may also be exploited remotely, although the AMD memory modules are not included in this process. All manufacturers, however, that fail to lock the SPD chip in their memory modules, will be at risk of being able to modify their modules after boot as a result of operating system software, and thus by remote hackers who can control them remotely. 

According to Recorded Future News, Oswald has said that there has been no evidence of this vulnerability being exploited in the wild. However, the team discovered that Intel chips already had mitigations against badRAM attacks. They could not test Arm's modules because they were unavailable commercially. An international consortium of experts led by researchers from KU Leuven in Belgium; the University of Luebeck in Germany; and the University of Birmingham in the United Kingdom conducted the research.
Read more »
Streaming Platform
Amazon Data Breach Data Leak Data protection data security Fines Hacker attack Personal Data Streaming Platform

Amazon Fined for Twitch Data Breach Impacting Turkish Nationals

 

Türkiye has imposed a $58,000 fine on Amazon for a data breach that occurred on its subsidiary, Twitch, in 2021. The breach exposed sensitive personal information of thousands of Turkish citizens, drawing scrutiny from the country’s Personal Data Protection Board (KVKK). The incident began when an anonymous hacker leaked Twitch’s entire source code, along with personally identifiable information (PII) of users, in a massive 125 GB torrent posted on the 4chan imageboard. The KVKK investigation revealed that 35,274 Turkish nationals were directly affected by the leak. 

As a result, KVKK levied fines totaling 2 million lira, including 1.75 million lira for Amazon’s failure to implement adequate preemptive security measures and 250,000 lira for not reporting the breach in a timely manner. According to the regulatory body, Twitch’s risk and threat assessments were insufficient, leaving users’ data vulnerable to exploitation. The board concluded that the company only addressed the vulnerabilities after the breach had already occurred. Twitch, acquired by Amazon in 2014 for $970 million, attempted to minimize concerns by assuring users that critical login credentials and payment information had not been exposed. The company stated that passwords were securely hashed with bcrypt, a strong encryption method, and claimed that systems storing sensitive financial data were not accessed. 

However, the leaked information still contained sensitive PII, leading to significant privacy concerns, particularly for Turkish users who were impacted. The motivation behind the hack was reportedly ideological rather than financial. According to reports from the time, the hacker expressed dissatisfaction with the Twitch community and aimed to disrupt the platform by leaking the data. The individual claimed their intent was to “foster more disruption and competition in the online video streaming space.” While this rationale highlighted frustrations with Twitch’s dominance in the industry, the data breach had far-reaching consequences, including legal action, reputational damage, and increased regulatory scrutiny. Türkiye’s actions against Amazon and Twitch underline the growing importance of adhering to local data protection laws in an increasingly interconnected world. 

The fines imposed by KVKK serve as a reminder that global corporations must ensure compliance with regional regulations to avoid significant penalties and reputational harm. Türkiye’s regulations align with broader trends, as data privacy and security become critical components of global business practices. This incident also underscores the evolving nature of cybersecurity challenges. Hackers continue to exploit vulnerabilities in popular platforms, putting pressure on companies to proactively identify and address risks before they lead to breaches. As regulatory bodies like KVKK become more assertive in holding companies accountable, the need for robust data protection frameworks has never been more urgent. The Twitch breach also serves as a case study for the importance of transparency and swift response in the aftermath of cyberattacks. 

While Twitch’s reassurances regarding encrypted data helped mitigate some concerns, the lack of prompt reporting to Turkish authorities drew criticism. Companies handling large amounts of user data must prioritize both preventive measures and clear communication strategies to regain user trust after incidents. Looking forward, the Twitch data breach highlights the necessity for all companies—especially those managing sensitive user data—to invest in proactive cybersecurity strategies. As hackers grow increasingly sophisticated, businesses must adopt a forward-thinking approach to safeguard their platforms, comply with local laws, and ensure users’ privacy remains uncompromised.
Read more »
Personal Data
Data Breach Data breaches attacks Data protection Data Theft Financial Data Hacker attack Hackers Personal Data

Set Forth Data Breach: 1.5 Million Impacted and Next Steps

 

The debt relief firm Set Forth recently experienced a data breach that compromised the sensitive personal and financial information of approximately 1.5 million Americans. Hackers gained unauthorized access to internal documents stored on the company’s systems, raising serious concerns about identity theft and online fraud for the affected individuals. Set Forth, which provides administrative services for Americans enrolled in debt relief programs and works with B2B partners like Centrex, has initiated notification protocols to inform impacted customers. The breach reportedly occurred in May this year, at which time Set Forth implemented incident response measures and enlisted independent forensic specialists to investigate the incident. 

However, the full extent of the attack is now coming to light. According to the company’s notification to the Maine Attorney General, the hackers accessed a range of personal data, including full names, Social Security numbers (SSNs), and dates of birth. Additionally, information about spouses, co-applicants, or dependents of the affected individuals may have been compromised. Although there is currently no evidence that the stolen data has been used maliciously, experts warn that it could end up on the dark web or be utilized in targeted phishing campaigns. This breach highlights the ongoing risks associated with storing sensitive information digitally, as even companies with incident response plans can become vulnerable to sophisticated cyberattacks. 

To mitigate the potential damage, Set Forth is offering free access to Cyberscout, an identity theft protection service, for one year to those affected. Cyberscout, which has over two decades of experience handling breach responses, provides monitoring and support to help protect against identity fraud. Impacted customers will receive notification letters containing instructions and a code to enroll in this service. For those affected by the breach, vigilance is critical. Monitoring financial accounts for unauthorized activity is essential, as stolen SSNs can enable hackers to open lines of credit, apply for loans, or even commit crimes in the victim’s name. 

Additionally, individuals should remain cautious when checking emails or messages, as hackers may use the breach as leverage to execute phishing scams. Suspicious emails—particularly those with urgent language, unknown senders, or blank subject lines—should be deleted without clicking links or downloading attachments. This incident serves as a reminder of the potential risks posed by data breaches and the importance of proactive protection measures. While Set Forth has taken steps to assist affected individuals, the breach underscores the need for businesses to strengthen their cybersecurity defenses. For now, impacted customers should take advantage of the identity theft protection services being offered and remain alert to potential signs of fraud.
Read more »
trending news
cyberattacks news Data protection Data Theft Privacy smart home devices trending news

UK Watchdog Urges Data Privacy Overhaul as Smart Devices Collect “Excessive” User Data

 

A new study by consumer group Which? has revealed that popular smart devices are gathering excessive amounts of personal data from users, often beyond what’s required for functionality. The study examined smart TVs, air fryers, speakers, and wearables, rating each based on data access requests. 

Findings suggested many of these devices may be gathering and sharing data with third parties, often for marketing purposes. “Smart tech manufacturers and their partners seem to collect data recklessly, with minimal transparency,” said Harry Rose from Which?, calling for stricter guidelines on data collection. The UK’s Information Commissioner’s Office (ICO) is expected to release updated guidance on data privacy for smart devices in 2025, which Rose urged be backed by effective enforcement. 

The study found all three tested air fryers, including one from Xiaomi, requested precise user locations and audio recording permissions without clarification. Xiaomi’s fryer app was also linked to trackers from Facebook and TikTok, raising concerns about data being sent to servers in China, though Xiaomi disputes the findings, calling them “inaccurate and misleading.” 

Similar privacy concerns were highlighted for wearables, with the Huawei Ultimate smartwatch reportedly asking for risky permissions, such as access to location, audio recording, and stored files. Huawei defended these requests, stating that permissions are necessary for health and fitness tracking and that no data is used for marketing. 

Smart TVs from brands like Samsung and LG also collected extensive data, with both brands connecting to Facebook and Google trackers, while Samsung’s app made additional phone permission requests. Smart speakers weren’t exempt from scrutiny; the Bose Home Portable speaker reportedly had several trackers, including from digital marketing firms.  

Slavka Bielikova, ICO’s principal policy adviser, noted, “Smart products know a lot about us and that’s why it’s vital for consumers to trust that their information is used responsibly.” She emphasized the ICO’s upcoming guidance, aiming to clarify expectations for manufacturers to protect consumers. 

As the debate over data privacy intensifies, Which? recommends that consumers opt out of unnecessary data collection requests and regularly review app permissions for added security.
Read more »
Subscribe to: Posts (Atom)