Home Improvement Firm Fined £200k for Nuisance Calls


A Welsh home improvement firm has been fined £200,000 by the UK’s privacy watchdog after making more than half a million nuisance phone calls.

Home2Sense Ltd of Lampeter made 675,478 nuisance calls between June 2020 and March 2021 to offer individuals insulation services, according to the Information Commissioner’s Office (ICO).

However, these people were registered with the Telephone Preference Service (TPS), meaning they had explicitly opted out of receiving unsolicited marketing calls.

According to the UK’s Privacy and Electronic Communications Regulations (PECR), it is illegal to contact anyone who has been registered with the TPS for more than 28 days unless that person has explicitly notified the company that they do not object to receiving such calls.

Among the scores of complaints made to the ICO about Home2Sense’s business practices, one distressed victim said a call center marketer asked to speak to their late mother, who had passed away a decade earlier.

On other calls, the operative posed as a local surveyor and claimed the recipient might be in line for a free grant to replace their loft insulation.

“This is my recently deceased mother’s house that I have just inherited in the past few months. It was extremely upsetting to have someone deliberately cold-call me,” they complained.

The company also illegally used several aliases when presenting themselves to the public, including “Cozy Loft,” “Warmer Homes” and “Comfier Homes.”

Head of ICO regions, Ken Macdonald, argued that the firm’s attempt to blame its staff for failing to screen individuals on the TPS list shows a complete disregard for victims’ privacy.

“Some of the complainants described the calls received as ‘aggressive,’ and the company caused two complainants to feel distressed and upset when they asked to speak to a relative that had passed away,” he added.

“Business owners operating in this field have a duty to have robust procedures and training in place so the law is followed. Attempts to rely on ignorance of the law, or trying to pass the buck onto members of staff or external suppliers, will not be tolerated.”

However, it remains to be seen if Home2Sense ends up paying the full £200,000. Just a quarter (26%) of the monetary value of fines issued by the ICO from January 2020 to September 2021 has been paid, according to a November 2021 report. That’s down from 32% during the previous report period (January 2019-August 2020).

Fines for nuisance calls were among the most likely to remain unpaid, with nearly 80% yet to be collected.


Online Thieves Steal $320m from Crypto Firm Wormhole


Yet another cryptocurrency firm is offering a multimillion-dollar ‘bug bounty’ reward to those who hacked it after suffering a cyber-heist worth an estimated $322m.

Wormhole operates what’s known as a cross-blockchain bridge, enabling holders of certain cryptocurrencies to transfer tokens, data and other assets between siloed blockchains. It offers this service to bridge Ethereum, Solana, BSC, Polygon, Avalanche, Oasis and Terra.

In a brief statement late yesterday, the firm tweeted that its network was down while it investigated a potential exploit.

Then came the news that users were dreading: Wormhole confirmed that attackers stole 120,000 Ethereum tokens worth over $320m.

However, the firm claimed that it would be adding more Ethereum to its platform “over the next hours” to ensure any assets it owns are backed 1:1. The fear is that without this backing, various Solana users and platforms would be helpless.

A security researcher going by the handle “samczsun” on Twitter has published a detailed write-up of the attack, having reverse-engineered the exploit. The hacker exploited a vulnerability on the Wormhole platform, enabling them to pocket new wrapped Ethereum (wETH) without needing to deposit any in return.

wETH is a version of Ethereum designed to be exchanged with other Ethereum-based tokens and has the same value as ETH.

Just like Qubit Finance a few days ago, Wormhole has reached out to its attacker, offering a massive $10m reward for finding the bug.

“We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a white hat agreement, and present you a bug bounty of $10m for exploit details, and returning the wETH you’ve minted,” it said in a message on the Ethereum blockchain.

The audacious cyber-heist makes this easily the biggest theft of cryptocurrency so far this year and the largest such incident targeting cross-blockchain bridges.

In its most recent update, Wormhole claimed the vulnerability had now been patched, and it was working on getting the network back up and running.


Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution


Multiple vulnerabilities have been discovered in Cisco Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to execute code on the affected systems. Depending on the privileges associated with the targeted user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users configured to have fewer privileges on the system could be less impacted than those who operate with elevated privileges.


Privacy in Practice: Securing Your Data in 2022 and Beyond


Every year we can count on new technology to make our lives easier. Right? As beneficial and convenient as tech can be, it can also pose risks to our online safety and privacy—risks that we should be prepared to handle. Increasingly, we’re seeing governments around the world implementing stricter privacy laws. And even major players like Google are phasing out invasive tracking technology like cookies. However, when it comes to activities like banking, shopping, taxes, and more, the need for broader online privacy protection has never been greater. Let’s take a look at some prominent trends in the way we now live online and how we can protect our data.  

Web3

Crypto, the blockchain, NFTs, tokens – all of these terms are considered part of what’s being termed Web3. Whereas Web 2.0 described an internet made up of large corporations hosting content and consumers, Web3 is governed by the blockchain. What this means is that applications use a decentralized online ledger to document transactions of all sorts. The most famous example is bitcoin, a blockchain that acts as a digital currency. Another example would be NFTs, which are digital works of art. Web3 may be in its infancy, but it’s important to consider what this means for privacy and data protection. Blockchain affords users anonymity with regard to currencies like bitcoin. Of course, that means bitcoin also has a reputation as the currency of choice for money-launderers and other shady enterprises. Still, that means it’s good for privacy, right? Well, maybe. The EU’s GDPR rights to erase or amend data are at odds with transactions on a blockchain, which are essentially unchangeable. So if you’re buying cryptocurrency, NFTs, or interacting with blockchains in other ways, just understand your personal information might be hidden, but the record of your transactions is totally visible.

Tip: If you’re keeping cryptocurrencies in an online wallet, you’ll want to use an identity protection service to monitor those account credentials so you can be warned of breaches and leaks onto the dark web. 

Education

Student privacy is a top concern as households turn to remote learning. In a rush to optimize remote learning experiences in the face of a rapidly evolving digital landscape, many educators and remote learners may not realize the hazards that put student privacy at risk. 

Since 2020, schools have adopted a range of technologies to optimize the digital classroom, including virtual learning platforms, holistic learning solutions, and even social media applications. However, many of these digital platforms are not designed for child usage, nor do they have privacy policies in place to ensure that the student data gathered is protected. Many learning platforms may even treat student data as consumer data, raising more red flags regarding student data privacy and compliance. Online learning has also garnered the attention of cybercriminals looking to exploit student data, resulting in online bullying, identity theft, and more. 

For educators and parents alike, knowledge is the greatest asset to mitigating the risks of remote learning. IT teams and educators must understand the implications of the student data they collect, govern access to it, and control its usage to comply with child privacy regulations. Parents can take proper precautions by discussing the importance of privacy with their children. Keeping learning platforms up to date and monitoring their children to prevent them from downloading suspicious apps or straying to unknown websites are all ways to ensure safer remote learning environments. 

Tip: Getting a VPN for the family to use is a great way to safeguard your privacy while your kids are learning online. 

Work

Remote work has become commonplace nowadays as more companies permit their employees to work from home long-term and, for some, permanently. In a recent Fenwick poll among HR, privacy, and security professionals across industries, approximately 90% of employees now handle intellectual property, confidential, and personal information in their homes. Endpoint security, or the protection of end-user devices such as our laptops and mobile devices, poses more of a concern as employees trade in office networks for their in-home Wi-Fi. If these devices and networks are unsecured or if the data is not encrypted, employees run the risk of exposing sensitive information to hackers. Those of us working from home can help ensure the safety of our company’s confidential information by boosting our awareness of security threats and prevention measures via company-mandated security training.  

Tip: McAfee’s Protection Score is a great way to understand how protected you are online and what you can do to stay more secure.

The Metaverse

This buzzy term is being used to describe Meta’s (previously Facebook) vision for a fully connected future. Right now it exists as an AR/VR space accessible through Meta’s own VR hardware, Oculus. However, the terminology has caught on as a catch-all for platforms that may contain work, business, gaming, entertainment, social interactions, and more in one easily navigable, immersive online setting. Web3 features, like blockchain, NFTs, and cryptocurrencies are being touted as integral parts of the metaverse. As exciting and futuristic as this is, there are major privacy questions that will have to be answered. This means that as customers you’ll want to think hard about what you choose to share through the metaverse and look into the privacy settings a platform offers you.  

Tip: Use comprehensive online protection. McAfee Total Protection secures all aspects of your life online. From identity to online connections to antivirus, a full security suite like Total Protection keeps you and your family safer on all the devices you use and places you go online. 

Personal Finances

Some of the platforms I use the most allow me to keep track of and manage my finances. Whether it’s my mobile banking app or taking advantage of online tax filing, there is such a convenience in having the ability to pay bills, deposit checks, and more, all with the devices I use every day. But many of us may not realize just how much trust we put into these platforms to protect our online privacy, especially when we don’t have a clear picture of who exactly is on the other end of our online transactions. 

While recognizing the signs of online banking and tax-related fraud helps ease the burdens associated with these schemes, there are multiple steps users can take to prevent becoming a victim of these scams in the first place.  

Tip: Full-featured identity protection will protect you financially. Services like McAfee Identity Protection Service include credit checks, identity theft restoration, and even stolen fund restoration as benefits. 

Digital devices are part of how we live our lives every day, whether we’re taking conference calls on our laptops, tracking the latest mile on our smartwatches, or banking on the go. Although our everyday digital devices make our lives that much more convenient, securing them makes our lives that much safer by minimizing online threats to ourselves and those around us. Safeguarding the digital platforms we use for work, school, finances, you name it, is the first step to ensuring our private information remains just that—private. 

The post Privacy in Practice: Securing Your Data in 2022 and Beyond appeared first on McAfee Blog.


DSA-5066 ruby2.5 – security update


Several vulnerabilities have been discovered in the interpreter for the
Ruby language and the Rubygems included, which may result in
XML roundtrip attacks, the execution of arbitrary code, information
disclosure, StartTLS stripping in IMAP or denial of service.


Orange County Launches Cybercrime Initiative


Authorities in California’s Orange County have launched a new initiative to help the public identify and report cyber-threats.

SafeOC is a localized version of the national ‘If You See Something, Say Something’ anti-terrorism public awareness campaign that emphasizes the importance of reporting suspicious items and behaviors to law enforcement.

A website and a social media account have been created to support the campaign. The website provides examples of suspicious cyber-activity and online threats, including configuration changes to files, sharing of account access and changes in user permissions.

Through the website, users can report suspicious activity directly to the Orange County Intelligence Assessment Center (OCIAC).

“Cyber is by far the up-and-coming crime and risk domestically,” said Orange County sheriff Don Barnes. 

He added: “Crimes happening online are much more prevalent than they were just a decade ago and criminals are finding new ways to create new victims and ways to victimize people.” 

Cyber-investigator with the OCIAC, Lance Larson, said solving cybercrime cases is challenging as bad actors often operate from overseas, and encryption makes it difficult to “follow the money.” He added that early detection was crucial in the fight against cybercrime.

“It gives us that ability to go on and be able to start the disruption process of stopping the cyber-attack, potentially being able to freeze money as it’s moving through the financial system potentially trying to go overseas,” said Larson.

The SafeOC website also provides information about the dangers children face when gaming online such as cyber-bullying, malware, spying and data loss. Advice offered to parents includes ensuring webcams and microphones are defaulted to the ‘off’ setting and ensuring children don’t create usernames that reveal any personal information.

The site also warns parents about hidden fees in freemium games that provide some content for free but charge users to access the game’s full features and functions. 

“In 2018, these ‘free’ games generated $61bn in revenue,” states the site before warning users never to share their payment card details with a freemium game and to regularly check their credit card bills for unapproved purchases.


Fake Influencer Flags Hacking Tactics


A Swiss secure storage company has launched a creative cybersecurity awareness campaign to show how hackers gather personal data from social media.

The campaign by pCloud uses a fake influencer account on Instagram (@thealiceadams) to highlight how users unintentionally give away pieces of sensitive data through their bios and the content they post. 

“Through what we share online, the pictures we post and the locations we tag, hackers and criminals can guess your password in seconds, putting your identity and your bank accounts at risk of being stolen,” said a pCloud spokesperson.

In one post from the mock account, the influencer reveals her date of birth by sharing an image of birthday balloons that spell out her age. Other seemingly harmless posts give away information commonly used in passwords and security questions, including her pet’s name, where she went to school and her favorite movie.

Additional posts emphasize the importance of checking photographs for sensitive data before sharing them. Captured in an image of the influencer at her desk is a post-it note upon which a password has been written. Another shot of the influencer dining at a restaurant features her credit card, revealing her bank details. 

“You may be posting a picture of your birthday balloons, a heartwarming picture of your newborn baby or snapping that ‘picture perfect’ bar you spent the weekend at. But those seemingly harmless posts could actually be giving away security information that gives hackers access to all your accounts,” said pCloud.

Research performed by pCloud found that the most common themes for passwords that hackers are aware of include the last name followed by a number, date of birth, child or grandchild’s name and date of birth, pet name, place of birth and current place of residence. 

Other popular password choices are Qwerty (the first letters on a keyboard), favorite films, foods and nicknames. 

The company advised users to leave personal information out of their passwords and make their passwords long and nonsensical, making them more challenging for hackers to guess. It also recommended using different passwords for different accounts so that cracking one password won’t enable a hacker to access all accounts.


Online Ad Association Fined for Privacy Violation


An association for online advertising companies has been fined hundreds of thousands of dollars for developing an ad-targeting tool that violated European Union data laws. 

The Belgian Data Protection Authority (BE DPA) said it was necessary to impose “harsh sanctions” on IAB Europe because the association’s Transparency and Consent Framework (TCF) “could, for a large group of citizens, lead to a loss of control over their personal data.”

The TCF tool allows online publishers and websites to obtain users’ consent to process their personal data for targeted advertising. It was designed to facilitate real-time bidding (RTB) – a means by which advertising inventory is bought and sold on a per-impression basis via instantaneous programmatic auction. 

In a statement released October 2020, IAB Europe said that the TCF is a voluntary standard whose purpose is to assist companies in the digital advertising ecosystem to comply with EU data protection law.

“It contains a minimal set of best practices seeking to ensure that when personal data is processed, users are provided with adequate transparency and choice,” said IAB Europe. 

“Its policies do not assist or seek to assist the processing of special categories of data. It does not intend to replace legal obligations nor enable practices prohibited under the law.”

The Belgian data watchdog imposed a fine of €250k ($282,690) on IAB Europe and ordered the advertising association to implement a “series of remedies” to ensure that it complied with the EU’s General Data Protection Regulation (GDPR).

“Contrary to IAB Europe’s claims, the Litigation Chamber of the BE DPA found that IAB Europe is acting as a data controller with respect to the registration of individual users’ consent signal, objections and preferences by means of a unique transparency and consent (TC) string, which is linked to an identifiable user,” stated the BE DPA.

IAB Europe has been given six months to bring the framework into compliance with European law. 

David Stevens, a chairperson of the BE DPA, said: “Brave little Belgium has once again shown that it is not afraid to tackle major cases such as this one, which really concerns all European citizens that shop, work or play online.”
