Home + Mobile

Simplified Two-factor Authentication for Webroot

Webroot has evolved its secure login offering from a secondary security code to a full two-factor authentication (2FA) solution for both business and home users. Webroot’s 2FA has expanded in two areas. We have: Implemented a time-based, one-time password (TOTP)...

Shoring Up Your Network and Security Policies: Least Privilege Models

Why do so many businesses allow unfettered access to their networks? You’d be shocked by how often it happens. The truth is: your employees don’t need unrestricted access to all parts of our business. This is why the Principle of Least Privilege (POLP) is one of the...

Online Gaming Risks and Kids: What to Know and How to Protect Them

Online games aren’t new. Consumers have been playing them since as early as 1960. However, the market is evolving—games that used to require the computing power of dedicated desktops can now be powered by smartphones, and online gaming participation has skyrocketed....

Thoughtful Design in the Age of Cybersecurity AI

AI and machine learning offer tremendous promise for humanity in terms of helping us make sense of Big Data. But, while the processing power of these tools is integral for understanding trends and predicting threats, it’s not sufficient on its own. Thoughtful design...

A Cybersecurity Guide for Digital Nomads

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means...

A False Sense of Cybersecurity: The Riskiest States in America

Reading Time: ~ 5 min.

Like many Americans, you might think your online habits are safe enough—or, at least, not so risky as to put you in danger for cybercrime. As it happens, most of us in the U.S. are nowhere near as secure as we think we are.

As part of our recent survey to better understand people’s attitudes, perspectives, and behaviors relating to online cyber-safety (or “cyber-hygiene”), we calculated each state’s cyber-hygiene score, which you can think of like a test score on people’s understanding and practice of good online habits. I’ve repaired computers and worked in the cybersecurity business for almost 15 years now, and I was shocked by some of the results.

Cut to the chase: just how bad were the results?

Bad. The average across all 50 states was only 60% (that’s a D in letter grades) on our scale. In fact, only 10% of Americans got a 90% or higher (i.e. an A). The riskiest states—Mississippi, Louisiana, California, Alaska, and Connecticut— combined for an average score of 56%. So what made their scores so low?

  • In Mississippi, almost 1 in 4 people don’t use any kind of antivirus and don’t know if they’ve ever been infected by malware.
  • Only 44% of Louisiana residents take any precautions before clicking links in emails leaving themselves vulnerable. (This is a great way to get scammed by a phishing email and end up with a nasty infection on your computer.)
  • Over 43% of Californians and Alaskans share their passwords with friends or family.

What does people’s perception vs. reality look like?

Americans in every state were overconfident. An astounding 88% feel they take the right steps to protect themselves. But remember, only 10% of people scored an A on our test, and the highest scoring state (New Hampshire) still only got an average of 65% (that’s still only a D).

While the average American has a surface level understanding of common cyber threats, there’s a lot of room for education. Many of those interviewed have heard of malware (79%), phishing (70%), and ransomware (49%), but few could explain them. Defending against the most common online threats in today’s landscape requires a basic understanding of how they work. After all, the more cyber aware you are of an attack such as phishing, the greater chance you have to spot and avoid it.

Along with understanding common cyberattacks, it’s also important to recognize threats to your online privacy. An alarming amount of Americans don’t keep their social media accounts private (64%) and reuse their passwords across multiple accounts (63%).

Given the number of news reports involving major companies getting breached, huge worldwide ransomware attacks, etc., we were pretty surprised by these numbers. As you’re reading these, you might be checking off a mental list of all the things you do and don’t know, the actions you do and don’t take when it comes to cybersecurity. What’s important here is that this report should act as a reminder that understanding what kinds of threats are out there will help you take the proper precautions. And, following a few simple steps can make a huge difference in your online safety.

How about some good news?

There is good news. There are some who scored a 90% or above on our test. We call them Cyber-Hygiene Superstars, because they not only take all the basic steps to protect themselves and their data online, but they go above and beyond. Cyber-Hygiene Superstars are evenly spread across the entirety of the U.S., and they help demonstrate to the rest of us that it’s easy to raise our own cyber-hygiene scores.  

Some of the standout behavior of superstars included regularly backing up their data in multiple ways, always using antivirus, and using a VPN when connecting to public WiFi hotspots.

Superstars can also explain common attacks and are less likely to fall victim of phishing attacks and identity theft. They frequently monitor their bank and credit card statements and regularly check their credit scores.

What can you do to improve your cyber-hygiene score?

All in all, it’d be pretty easy for the average American to take their score from a D to at least a B, if not higher. You won’t have to do anything drastic. But just making a few small tweaks to your regular online behavior could work wonders to keep you and your family safe from cybercrime.

  1. Use antivirus/antimalware software.
    There are a lot of free solutions out there. While you typically get what you pay for in terms of internet security, even a free solution is better than no protection at all.
  2. Keep all your software and your operating system up to date.
    This one’s super easy. Most applications and operating systems will tell you when they need an update. All you have to do is click OK instead of delaying the update to a later date.
  3. Don’t share or reuse passwords, and make sure to use strong ones.
    You might think password sharing is no big deal, especially when it comes to streaming or gaming sites, but the more you share, the more likely it is that your passwords could end up being misused. And if the password to just one of your accounts is compromised, then any of your other accounts that use that password could also become compromised. If you’re concerned about having to create and remember a lot of unique passwords, use a secure password manager.
  4. Lock down your social media profiles.
    Making your posts and personal details public and searchable means scammers can find your details and increase their chances of successfully stealing your identity or tricking you into handing over money or sensitive personal information.
  5. If you connect to public WiFi, use a VPN.
    Antivirus software protects the device, but a VPN protects your actual connection to the internet, so what you do and information you send online stays private.
  6. Back up your data.
    Cloud storage is a great solution. But it’s a good idea to do a regular physical backup to an external drive, too, particularly for important files like tax documents.
  7. Don’t enable macros in Microsoft® Office documents.
    If you’re ever trying to open a document and it tells you to enable macros, don’t do it. This is a common tactic for infections.
  8. Use caution when opening email attachments.
    Only open attachments from people you know and trust, and, even then, be extra careful. If you’re really not sure, call the person and confirm that they really sent the file.

Want to see where your state ranks? See the full list or read more about our study and findings here.

Test your knowledge and see where the Webroot Community stacks up against the rest of America: Join our daily contest for a chance to win prizes! Contest ends at 4:00pm MT on May 21, 2019.

Methodology
Webroot partnered with Wakefield Research to survey 10,000 Americans, ages 18 and up, with 200 interviews in each of the 50 states. This survey was conducted between February 11 and February 25, 2019, using an email invitation and an online survey instrument. The margin of error is +/- 0.98 percentage points for the total audience of this study and +/- 6.9 percentage points for each state at the 95% confidence level.

Antivirus vs. VPN: Do You Need Both?

Reading Time: ~ 3 min.

Public concern about online privacy and security is rising, and not without reason. High-profile data breaches make headlines almost daily and tax season predictably increases instances of one of the most common types of identity theft, the fraudulent filings for tax returns known as tax-related identity theft

As a result, more than half of global internet users are more concerned about their safety than they were a year ago. Over 80% in that same survey, conducted annually by the Center for International Governance Innovation, believe cybercriminals are to blame for their unease.  

Individuals are right to wonder how much of their personally identifiable data (PII) has already leaked onto the dark web. Are their enough pieces of the puzzle to reconstruct their entire online identity?  

Questions like these are leading those with a healthy amount of concern to evaluate their options for enhancing their cybersecurity. And one of the most common questions Webroot receives concerns the use of antivirus vs. a VPN.  

Here we’ll explain what each does and why they work as compliments to each other. Essentially, antivirus solutions keep malware and other cyber threats at bay from your devices, while VPNs cloak your data by encrypting it on its journey to and from your device and the network it’s communicating with. One works at the device level and the other at the network level.  

Why You Need Device-Level Antivirus Security 

Antiviruses bear the primary responsibility for keeping your devices free from infection. By definition, malware is any software written for the purpose of doing damage. This is the category of threats attempting to undermine the antivirus (hopefully) installed on your PC, Mac, and yes, even smartphones like Apple and Android devices, too.  

In an ever-shifting threat landscape, cybercriminals are constantly tweaking their approached to getting your money and data. Banking Trojans designed specifically for lifting your financial details were among the most common examples we saw last year. Spyware known as keyloggers can surreptitiously surveil your keystrokes and use the data to steal passwords and PII. A new category of malware, known as cryptojackers, can even remotely hijack your computing power for its own purposes.  

But the right anti-malware tool guarding your devices can protect against these changing threats. This means that a single errant click or downloaded file doesn’t spell disaster. 

“The amazing thing about cloud-based antivirus solutions,” says Webroot threat analyst Tyler Moffit, “is that even if we’ve never seen a threat before, we can categorize it in real time based on the way it behaves. If it’s determined to be malicious on any single device, we can alert our entire network of users almost instantaneously. From detection to protection in only a few minutes.” 

Why You Need Network-Level VPN Security 

We’ve covered devices, but what about that invisible beam of data traveling between your computer and the network it’s speaking to? That’s where the network-level protection offered by a VPN comes into play.  

While convenient, public networks offering “free” WiFi can be a hotbed for criminal activity, precisely because they’re as easy for bad actors to access as they are for you and me. Packet sniffers, for instance, can be benign tools for helping network admins troubleshoot issues. In the wrong hands, however, they can easily be used to monitor network traffic on wireless networks. It’s also fairly easy, given the right technical abilities, for cybercriminals to compromise routers with man-in-the-middle attacks. Using this strategy, they’re able to commandeer routers for the purpose of seeing and copying all traffic traveling between a device and the network they now control.  

Even on home WiFi networks, where you might expect the protection of the internet service provider (ISP) you pay monthly, that same ISP may be snooping on your traffic with the intent to sell your data.  

With a VPN protecting your connection, though, data including instant messages, login information, social media, and the rest is encrypted. Even were a cybercriminal able to peek at your traffic, it would be unintelligible.  

“For things like checking account balances or paying bills online, an encrypted connection should be considered essential,” says Moffit. “Without a VPN, I wouldn’t even consider playing with such sensitive information on public networks.”  

How Webroot Can Help 

Comprehensive cybersecurity involves protecting both data and devices. Antivirus solutions to protect against known and unknown malware—like the kinds that can ruin a laptop, empty a bank account, or do a cybercriminals bidding from afar—are generally recognized as essential. But for complete protection, it’s best to pair your antivirus with a VPN—one that can shield your data from intrusions like ISP snooping, packet sniffers, and compromised routers.  

Click the links for more information about Webroot SecureAnywhere® antivirus solutions and the Webroot® WiFi Security VPN app.  

The Evolution of Cybercrime

Reading Time: ~ 4 min.

From Landline Hacking to Cryptojacking

By its very nature, cybercrime must evolve to survive. Not only are cybersecurity experts constantly working to close hacking loopholes and prevent zero-day events, but technology itself is always evolving. This means cybercriminals are constantly creating new attacks to fit new trends, while tweaking existing attacks to avoid detection. To understand how cybercrime might evolve in the future, we look back to understand how it emerged in the past. 

Cybercrime’s origins are rooted in telecommunications, with “hacker” culture as we know it today originating from “phone phreaking,” which peaked in the 1970s. Phreaking was the practice of exploiting hardware and frequency vulnerabilities in a telephone network, often for the purpose of receiving free or reduced telephone rates. As landline networks became more security savvy—and then fell out of favor—phone phreaking became less and less common. But it hasn’t been phased out completely. In 2018, a phone phreaker staged a series of creepy attacks in New York City WiFi kiosks, reminding us that the phreaks may have been forgotten, but they are certainly not gone. 

Cybercrime as we currently think of it began on November 2, 1988 when Robert Tappan Morris unleashed the Morris Worm upon the world. Much like Dr. Frankenstein, Morris did not understand what his creation was capable of. This type of self-replicating program had never been seen before outside of a research lab, and the worm quickly transformed itself into the world’s first large-scale distributed denial of service (DDoS) attack. Computers worldwide were overwhelmed by the program and servers ground to a halt. Although Morris quickly released the protocol for shutting the program down, the damage had been done. In 1989, Morris was the first to be prosecuted and charged in violation of the Computer Fraud and Abuse Act. 

At the turn of this century, we began to see a new era of malware emerge as email gave hackers a fresh access point. The infamous ILOVEYOU worm infected 50 million computers in 2000, corrupting data and self-propagating by exploiting a user’s email contacts. Given that the infected emails were coming from an otherwise trusted source, it forced many consumers to gain perspective on cybersecurity for the very first time. With antivirus software becoming a must-have for all computer owners, cybercriminals had to get inventive once again. 

Phishing Makes A Splash 

Phishing is the practice of tricking a user into willingly providing account logins or other sensitive information. This popular style of attack began with downloadable files through email, like the ILOVEYOU worm, but quickly grew more sophisticated. Phishing emails often imitate a trusted source, like an internet or phone service provider, and often include official-looking graphics, email addresses, and dummy websites to trick the user. In some cases, these phishing attacks are so convincing that even top government officials have been fooled—something we learned all too well in 2016 when the Democratic National Committee was breached.  

With the rise of social media, we have seen a new style of phishing attack that doesn’t appear to be going anywhere anytime soon. Messages from Facebook, Instagram, Twitter and other social media accounts are frequent and increasingly sophisticated sources of social media phishing. 

The Rise of Ransomware 

No history of cybercrime would be complete without an examination of ransomware, a type of malware that gains access to critical files and systems and encrypts them, blocking a user from accessing their own data. Perpetrators extort the user, threatening to permanently delete the data or—in some cases—expose incriminating or embarrassing information. While ransomware has been around for decades, encryption and evasion techniques have become increasingly refined, sometimes at the hand of state actors. One of the most infamous examples of ransomware is the WannaCry attack in 2017, in which North Korean hackers used loopholes developed by the United States National Security Agency in the Windows operating system to attack more than 200,000 computers across 150 countries.  

This made ransomware an international cybersecurity boogeyman, but it shouldn’t be your top concern. Webroot security analyst Tyler Moffitt explains why it’s a complicated strategy: 

“Ransomware requires criminals to execute a successful phish, exploit, or RDP breach to deliver their payload, bypass any installed security, successfully encrypt files, and send the encryption keys to a secure command-and-control server—without making any mistakes,” Moffitt said. “Then the criminals still have to help the victim purchase and transfer the Bitcoin before finally decrypting their files. It’s a labor-intensive process and leaves tracks that must be covered up.”  

Cryptojacking: the cutting edge? 

A more recent workaround for the hard work of ransomware? Cryptojacking. Cryptojacking works by embedding JavaScript code into a website, which can then harvest the processing power of all devices that visit that site, using device processors to mine cryptocurrency for the host. This resource theft drags systems down, but often stealthily enough to go undetected; a fact that makes it very attractive to hackers. The number of cryptojacked URLs detected more than doubled from September to December of 2018, and cryptojacking attacks have officially surpassed ransomware in prevalence.  

“Cryptojacking costs basically nothing to pull off and has much less illegal footprint,” Moffitt said. “When criminals are leveraging victims’ hardware (CPU) and power for siphoned crypto, the profits are very appealing. Even with the volatility of crypto prices, large campaigns have been able to make hundreds of thousands of dollars in only a few months. It’s estimated that over 5% of the cryptocurrency Monero in circulation is the result of illicit mining.”  

Until recently, a cyptocurrency mining service called Coinhive was responsible for 60% of all cryptojacking attacks. Coinhive announced in early March 2019 that they would be shuttering the service. But this is by no means a death knell for crytpojacking—competitors are already rushing to fill the vacuum, not to mention inventing new ways to pivot off of existing cryptojacking techniques.  

Being prepared for this next generation of cybercrime requires a few things from internet users. Keeping devices protected with antivirus software is a strong first step, but awareness of current threat trends is also helpful in preventing outside actors from viewing your data. Pairing antivirus software with a trusted VPN wraps your web traffic in a tunnel of encryption, shielding it from prying eyes. A double-pronged antivirus-plus-VPN defense will stop a majority of cybercrime in its tracks, but it’s by no means where your cybersecurity plan should end.  

The best tool you have against evolving cybersecurity threats? Ongoing education. Read Webroot’s 2019 Threat Report to prepare yourself against threats on the horizon, and check back for regular cybercrime updates. 

How To Keep Better Tabs on Your Connected Apps

Reading Time: ~ 4 min.

Not that long ago, before data breaches dominated daily headlines, we felt secure with our social media apps. Conveniently, every website seemed to allow logging in with Facebook or Twitter instead of creating a whole new password, and families of apps quickly became their own industry. Third-party apps and games on social media platforms (remember Farmville on Facebook?) were allowed profile access en masse. Trivia games, horoscope predictions, personality quizzes — all seemingly secure and engaging diversions — let social media users enable some type of third-party app.  

Unfortunately, we now know that this left many of us, and our data, exposed to a potential breach

So we turned to Randy Abrams, Webroot’s Sr. Security Analyst, for insights on how to keep third-party app breaches in check. The trick to keeping yourself and your loved ones safe? Information silos, both on and off of social media. 

“As a rule, I leave my apps in silos, meaning I severely limit their connectivity level — especially when it comes to accessing my mobile device, “Abrams says. “Apps for email, texting, and calling people do have a reasonable need for access to your contacts on the phone. Most other apps, such as social media apps do not need to be able to look up your unsuspecting friends.”  

Limiting the access your apps have to their direct functions will help keep you and your loved ones safe. Here’s how to get it done. 

Mobile App Permissions 

Limiting your app’s permissions may seem like a chore, but it is the best way to keep breaches from expanding in scope. We’ve put together a mobile app permissions crash course to help you silo your sensitive data quickly and easily. 

For Android Users 

To monitor and edit an existing application’s accessibility permissions on your device, go to your Android’s settings and tap Apps & Notifications. From there, you will be able to locate all the applications that are active on your device. When you’ve located the application whose permissions you would like to edit, simply tap the app and then tap “Permissions” to view and edit its current permission settings. 

To review an application’s accessibility permissions before you install it on your device from the Google Play Store, tap on the app you’d like to install and click Read more to bring up its detail page. Scroll to the bottom and tap App permissions to review the app’s requested permissions. After you install and open the application for the first time, you will be prompted to allow or deny application permissions (like access to your contacts or location). You can always edit the application’s existing permissions later using the steps outlined above. 

For iOS Users 

To monitor and edit an existing application’s accessibility permissions on your device, go to the settings app Privacy to see all the permissions available on your phone (like location services and camera access). Select the permission set you would like to review to see all of the applications with access, and revoke any permissions you’re not comfortable with. 

To review an application’s accessibility permissions at install, simply open the app and begin using it. The app will request permissions, which you can either allow or deny. You can always revoke permissions after they have been granted by following the steps outlined above. 

Preventing social media applications from gaining unnecessary access to your mobile data could help stop data breaches from spreading. But it won’t stop the breaches themselves from happening. Leaving apps enabled entails large-scale security issues — not only for ourselves, but also for friends and family connected with us through social media. When we connect apps to our social media profiles, we expose not just our information, but the shared information of a broader network of connections — one that expands well beyond our immediate circles. In a startling example, only 53 Facebook users in Australia downloaded Cambridge Analytica’s infamous thisisyourdigitallife app, but a total of 311,127 network connections had their data exposed through those users. That amount of collateral damage is nothing to scoff at. 

Removing Third Party Apps 

“Facebook is the company best known for leaking extensive amounts of data about users, usually by default privacy settings that allow third-party apps to access as much user data as possible,” says Abrams. “Most users had no idea they could control some of what is shared and would have a difficult time navigating the maze to the settings.” 

Facebook 

Facebook made a few reform efforts to help make managing third-party access to your account a little bit easier. Click on Settings from the account dropdown menu, and then select Apps and Websites. This should take you to a dashboard that will show your active, expired, and removed apps. It will also give you the option to turn off the capability for any third-party apps to connect with your profile. 

Twitter 

From your account dropdown, click on Settings and privacy. Click on the Apps and devices tab, which will show all of the apps connected to your account. You can see the specific permissions that each app has under the app name and description. To disconnect an app from your account, click the Revoke access button next to the app icon. 

Instagram 

From a web browser, log in to your account and click the gear icon next the Edit Profile button. Select Authorized Apps to see all of the apps connected to your account. Click the Revoke Access button under an app to remove it from your account. 

Building Secure Social Media Habits 

Monitoring the access levels of your connected apps is a good start to keeping yourself and your loved ones secure, but it’s not always enough. 

“It must be assumed that all third-party apps are collecting all of the information on the platform, regardless of privacy settings,” warns Abrams. 

Establishing secure social media habits will continue to help keep you secure after you’ve reviewed your app permissions. This means conducting regular audits of the third-party app permissions associated with all of your social media accounts and — slightly more arduously — thoroughly reading the privacy policies of any third party apps before you connect them. 

“If a person is going to use apps in conjunction with social media platforms, it’s important to understand their privacy policies,” say Abrams. “Unfortunately, with many apps, the privacy policy may not be shown until the app has been installed, and may not even be visible on the developer’s website. When the policy can be located, you’ll often find the user’s friends’ privacy is collateral damage in the agreement. It is up to the individual choosing to decide if their friends’ privacy is acceptable collateral damage. Unfortunately, few know how to obtain the information required to make an informed decision. 

“Without reading the privacy policies you cannot know to what extent your friends’ private information will be shared, “adds Abrams. “Remember, it isn’t just their names you are sharing, it is part of the data aggregation they are already subjected to. Simply letting an app know you are friends provides more information than just their names. It helps app companies build more robust profiles.” 

Stay Vigilant and Informed 

Don’t allow your data or your network to be used beyond your wishes or against your will. Take charge of your data security, and protect your friends by conducting regular audits of your third-party app permissions. Before you connect any new apps, settle down with a little light reading and thoroughly vet their privacy policy. Given how intertwined our digital lives have become, the cybersecurity of our closest friends and loved ones could well depend on it. 

Four Tips to Help Tidy Up Your Tech

Reading Time: ~ 3 min.

This spring, many of us will roll up our sleeves and get down to business decluttering our homes. Garage sales will be held, basement storage rooms will be re-organized, and donations will be made. 

Shouldn’t the same thing happen in our digital lives? After all, the average American will spend the bulk of their waking hours parked in front of some sort of screen—flipping , swiping, and clicking away. A little tidying up of data and online habits can go a long way toward enhancing your digital security andpeace of mind. 

So here are a few tips for tidying up your tech designed to make you ask not only: “Does this bring me joy?” but also, “does this make me more secure?”  If not, consider purging apps, connections, and permissions that could leave you more susceptible to a breach. If you answer yes, make sure you’re taking the necessary steps to protect it.

Turn off Bluetooth when it’s not in use

Since the Blueborne family of vulnerabilities was discovered in 2017, deactivating Bluetooth when not in use has become standard security advice. With the increasing adoption of home IoT devices, the consequences of ignoring that advice have only risen. 

Bluetooth connections are like a lonely person on a dating site; they’re in constant search of a connection. When Bluetooth-enabled devices seek out the wrong sources—that of a cybercriminal, say—they are vulnerable to exploitation.

“Smart speakers and other IoT devices may introduce convenience to our daily lives,” says Webroot Security Analyst Tyler Moffitt. “But they’re also a calculated risk, and even more so for knock-off devices whose manufacturers don’t pay proper attention to security. Minimizing the time Bluetooth is on helps to manage that risk.”

Or, as Webroot VP of engineering David Dufour put it to Wired magazine soon after the discovery of Blueborne, “For attackers, it’s Candyland.”

Use a VPN to cloak your digital footprint

Shrouding your connection in a virtual private network (VPN) is especially important when accessing public or unsecured WiFi networks. Again, we make a trade-off between convenience and security when logging on to these “free” networks. 

Without additional protection, cybercriminals can spy on these unencrypted connections either by commandeering the router or by creating their own spoof of a legitimate WiFi hotspot, in a variation of a man-in-the-middle attack. From here, they’re free to monitor the data flowing between your device and the network. 

“It’s more than just the privacy violation of being able to see what you’re doing and where you’re going online,” Moffitt explains. “Cybercriminals can lift sensitive data like banking login credentials and drop ransomware or other malicious payloads like cryptojackers.”

A VPN encrypts the traffic between your device and the router, ensuring your digital footprint is shielded from prying eyes. 

Keep apps updated with the latest software

While some apps are inherently sketchy, and users shouldn’t expect the app creators behind them to prioritize security, others introduce vulnerabilities inadvertently. When responsibly run, app developers address these security gaps through software updates.

Take the cultural phenomenon Fortnite, for example. The game that drove its parent company, Epic Games, to an $8 billion valuation was found at the beginning of the year to contain multiple vulnerabilities that would have allowed malicious actors to take over player accounts, make in-game purchases, and join conversations. Epic Games was quick to issue “a responsibly deployed” fix, but in this and similar instances, users are only protected after installing the suggested updates.

“I always recommend users keep both their apps and their mobile operating systems up to date,” says Moffit. “This is made easier by turning on automatic updates wherever possible and only downloading apps from reputable app stores, so you increase the chances that updates are timely.”

For more tips on protecting your smartphone from mobile malware, see our complete list of recommendations here.

Set up automatic cloud backups

Purging unused apps is a good principle for spring cybersecurity cleaning – like a box of old clothes you haven’t worn in decades, unused apps represent digital data containers you no longer need. But what about all that data you’d hate to lose—the pictures, videos, documents, and other files you’d be devastated to see disappear? Protecting that trove of data is another core tenant for tidying up your tech. 

Ransomware is one prime reason for keeping up-to-date backups of valuable data. It can strike anyone from college students to cities, and the list of those who’ve been burned is long and distinguished.

“The combination of an antivirus and a cloud backup and recovery solution is an effective one-two punch against ransomware,” Moffit says. “On the one hand, you make your device more difficult to infect. On the other, you become a less attractive target because you’re unlikely to pay a ransom to recover data that’s already backed up to the cloud and out of reach for ransomware.”

Natural disasters and device theft—two contingencies even the tightest cybersecurity can’t account for—are prime reasons to make sure backups are in place sooner, rather than later. Cloud backup is more secure and affordable than ever, so it makes sense to back up anything you couldn’t stand to lose, before it’s too late. Want more tips for cybersecurity spring cleaning? Download Webroot’s full checklist for tidying up your tech.

Lock Down Your Digital Identity

Reading Time: ~ 3 min.

The last decade has been one of digital revolution, leading to the rapid adoption of new technology standards, often without the consideration of privacy ramifications. This has left many of us with a less-than-secure trail of digital breadcrumbs—something cybercriminals are more than aware of. Identity theft is by no means a new problem, but the technology revolution has created what some are calling a “global epidemic.”

Securing your digital identity is more important now than ever, and Webroot can help you start.

What is a Digital Identity?

The first step in locking down your digital identity is understanding what it is. A digital identity is the combination of any and all identifying information that can connect a digital persona to an actual person. Digital identities are largely comprised of information freely shared by the user, with social media accounts generally providing the largest amount of data. Other online services like Etsy and eBay, as well as your email and online banking accounts, also contribute to your digital identity. Realistically, any information that can be linked back to you, no matter how seemingly inconsequential, is part of your digital identity.

Digital Identity Theft

Digital identity theft occurs in several ways. A common tactic is social media fraud, where a hacker will impersonate a user by compromising an existing social media account, often messaging friends and family of the user requesting money or additional account information. If unable to gain full control of a genuine social media account, identity thieves will often set up a dummy social media account and impersonate the user using it.

A less widely-known form of digital identity fraud is internet-of-things (IoT) identity theft, where an attacker gains access to an IoT device with weak security protocols and exploits it to gain access to a higher priority device connected to the same network. Another growing threat is “SIM swapping”— an attack that involves tricking a mobile provider into swapping a legitimate phone number over to an illegitimate SIM card, granting the attacker access to SMS-enabled two-factor authentication (2FA) efforts.

Even those who don’t consider themselves targets should be aware of these tactics and take steps to lock down their digital identities.

Locking it Down

Reviewing your social media accounts’ privacy settings is one of the easiest things you can do to cut opportunistic identity thieves off from the start. Set your share settings to friends only, and scrub any identifying information that could be used for security clearance — things like your high school, hometown, or pets’ names. Only add people you personally know and if someone sends you a suspicious link, don’t click it! Phishing, through email or social media messages, remains one of the most prevalent causes of digital identity theft in the world. But your digital identity can be compromised in the physical world as well — old computers that haven’t been properly wiped provide an easy opportunity hackers won’t pass up. Always take your outdated devices to a local computer hardware store to have them wiped before recycling or donating them.

The Right Tools for the Job

This is just the start of a proper digital identity lock-down. Given the sensitive nature of these hacks, we asked Webroot Security Analyst Tyler Moffitt his thoughts on how consumers can protect their digital identities.

“Two-factor authentication in combination with a trusted virtual private network, or VPN, is the crown jewel of privacy lock-down,” Tyler said. “Especially if you use an authenticator app for codes instead of SMS authentication. A VPN is definitely a must… but you can still fall for phishing attempts using a VPN. Using two-factor authentication on all your accounts while using VPN is about as secure as you can get.”

2FA provides an additional level of security to your accounts, proactively verifying that you are actually the one attempting to access the account. 2FA often uses predetermined, secure codes and geolocation data to determine a user’s identity.

Because 2FA acts as a trusted gatekeeper, do your research before you commit to a solution. You’ll find some offerings that bundle 2FA with a secure password manager, making the commitment to cybersecurity a little bit easier. When making your choice, remember that using SMS-enabled 2FA could leave you vulnerable to SIM swapping, so though it is more secure than not using 2FA at all, it is among the least secure of 2FA strategies.

VPNs wrap your data in a cocoon of encryption, keeping it out of sight of prying eyes. This is particularly important when using public WiFi networks, since that’s when your data is at its most vulnerable. Many VPNs are available online, including some free options, but this is yet another instance of getting what you pay for. Many free VPNs are not truly private, with some selling your data to the highest bidder. Keeping your family secure behind a VPN means finding a solution that provides you with the type of comfort that only comes with trust.

The two things that only you can do to keep your identity secure? Constant vigilance and continuous education. Visit the Home+Mobile page on the Webroot blog for a host of resources to help keep you and your family safe online—at home and on the go. 

The Hidden Costs of ‘Free’ WiFi

Reading Time: ~ 3 min.

The True Cost of Free WiFi

Ease-of-access is a true double-edged sword. Like all powerful technologies, WiFi (public WiFi in particular) can be easily exploited. You may have read about attacks on publicly accessible WiFi networks, yet studies show that more than 70% of participants admit to accessing their personal email through public WiFi. WiFi vulnerabilities aren’t going away anytime soon—in 2017, the WPA2 security protocol used by essentially all modern WiFi networks was found to have a critical security flaw that allowed attackers to intercept passwords, e-mails and other data.

So what are the most commonly seen attacks via free WiFi, and how can we protect ourselves and our families? We turned to Tyler Moffitt, Webroot’s Sr. Threat Research Analyst, for answers.

Common Public WiFi Threats

“Criminals are either taking over a free WiFi hotspot at the router level, or creating a fake WiFi hotspot that’s meant to look like the legitimate one,” explained Moffitt. “The purpose of these man-in-the-middle attacks is to allow attackers to see and copy all of the traffic from the devices connected to the WiFi they control.”

Basic security protocols often aren’t enough to protect users’ data.

“Even with HTTPS sites where some data is encrypted, much of it is still readable,” Moffitt said. “Beyond just seeing where you surf and all the login credentials, criminals also have access to your device and can drop malicious payloads like ransomware.”

We are now seeing these attacks evolve, with cryptojacking becoming a particularly lucrative exploitation model for public WiFi networks. Cryptojacking is seen as a “low risk” attack as an attacker siphons a victim’s computer processing power, something far less likely to be detected and tracked than a traditional malware or ransomware attack. This was particularly notable in a 2017 cryptojacking attack that targeted Starbucks customers, which went uncorrected until Noah Dinkin—a tech company CEO—noticed a delay when connecting to the shop’s WiFi. Dinkin took it upon himself to investigate

It’s not just coffee shops that are being targeted. Airports, hotels, and convention centers are particularly prime targets due to their high  traffic. To demonstrate the power of a targeted attack in a conference setting, a security experiment was conducted at the 2017 RSA Conference. Surprisingly, even at an IT security conference, white hat hackers were able to trick 4,499 attendees into connecting to their rogue WiFi access point. The targeting of high-traffic, travel-focused locations means that many frequent travelers will leave themselves exposed at some point by connecting to public WiFi options—even though they may know better.

How to Detect the Threat

What are the telltale signs of a compromised system?

“With cryptomining, you will definitely notice that your machine will start acting slow, the fans will kick on full blast, and the CPU will increase to 100 percent, usually the browser being the culprit,” Moffitt said. “But there are few signs of a man-in-the-middle attack, where wireless network traffic is spied on for credentials and financial information. You won’t notice a thing, as your computer is just connecting to the router like normal. All information is being observed by someone in control of the router.”

With one recent attack in 2018 alone affecting 500,000 WiFi routers, the need for WiFi security has never been stronger.

Protecting Yourself on the Go

You can take steps to keep your data secure; the first of which is being sure that you have a VPN installed and protecting your devices. Nothing else will as effectively encrypt and shield your traffic on a public network.

“Using a VPN is the most impactful way to combat the dangers of free WiFi,” Moffitt said. “Think of VPN as a tunnel that shelters all of your information going in and out of your device. The traffic is encrypted so there is no way that criminals can read the information you are sending.”

“I use a VPN on my phone when I’m on the go,” he continued. “It’s really easy to use and you make sure all your data is private and not visible to prying eyes.”

But be sure to research any VPN before you commit to ensure it is trustworthy. It’s important to review the vendor’s privacy policy to make sure the VPN does not monitor or retain logs of your activities. Remember that, with security software and apps, you generally get what you pay for.

While free VPN apps will shield your data from the router you are connecting to, they may still spy on you and sell your information,” Moffitt said.

What does this all mean for you? If there is no such thing as free lunch, then there is definitely no such thing as free WiFi. The true cost just might be your online security and privacy.

Stay vigilant, secure all of your web traffic behind a trusted VPN, and check back here often for the latest in cybersecurity updates

Avoid Unsecure IoT: Smart Device Shopping Tips

Reading Time: ~ 3 min.

“Internet of things” (IoT) is a term that’s becoming increasingly commonplace in our daily lives. Internet-connected devices are being designed and implemented at a rapid clip, especially in our own homes. The internet is not just at our fingertips anymore, but also at our beck and call with smart speakers and digital assistants.

It’s easy to see why we are drawn to these cool new devices. They promise to make our lives easier and the convenience associated with some of these devices is undeniable.

But at what point are we sacrificing security for convenience?

A Brave New World of IoT Devices

Internet-connected doorbells can beam a video feed to your phone so you can see who is at your door before deciding whether or not to open it. A smart refrigerator will alert you when supplies are running low or approaching expiration while you shop at the grocery store. Smart thermostats boost efficiency and deliver monthly savings on utilities. These functions have obvious appeal for consumers.

However, some devices on the market stretch their advertised utility and convenience. Smart salt shakers, for instance, deliver voice-controlled sodium so you can avoid the hassle of salting your food the old fashioned way. Smart toasters will burn the date and weather into your bread, lest you forget an umbrella and what day it is. But with each new “convenience” promised by smart devices comes the danger of ceding some of your security.

Image source: Screenshot from Toasteroid YouTube.

The underlying issue with the new and accelerating trend of buying more and more IoT devices is that the average consumer has little to no education about security when shopping for these devices. Even manufacturers can be blind to or willfully negligent of the security issues inherent to their IoT devices. It’s all about coolness and convenience—and that’s the trap.

Be wary of Unsecure IoT

Many IoT devices have little to no embedded security, and there’s little incentive for designers to consider it. One reason for that is a lack of third-party standards for evaluating IoT security. Until now, the focus has been on producing a viable product that’s functional enough to get consumers to purchase it at the right price. The “right price” is usually as inexpensive as possible, and so some quality is sacrificed.

With IoT devices, that sacrifice usually comes at the expense of security vetting in the design process. As a result, one of the biggest trends we see with cheap IoT devices is a complete and total lack of security. It’s just not something that stands out in marketing materials, so manufacturers don’t promise it and consumers don’t demand it.

That’s why care is required when shopping for new IoT devices—especially cheap ones. IoT devices like smart thermostats, smart doorbells, et cetera, usually feature competing products with varying functionalities and prices. It’s common to peruse the fanciest, most expensive devices, and then purchase an off-brand device that offers similar functionality at a much lower price.

Vendors have flooded the IoT market with devices that have so-called “hardcoded passwords.” This means that, when setting up your device, the password given to you in the instructions is the same password for every device of that model and can’t be changed. Even if the device allows you to setup a custom password, the hardcoded password will still work to log into the device.

This is basically the opposite of security. It served as the principal attack vector for the infamous Mirai botnet attack a couple years ago. It’s also how hundreds of thousands of routers have been hacked to mine cryptocurrency. Even premium IoT devices like Google’s Nest are subject to attacks, but when properly set up and used—as in by setting up two-factor authentication and not reusing their compromised credentials—they tend to be safer than their knock-off counterparts.

It’s clear now that internet-connected devices will be a part of our lives for the foreseeable future. They will help run our cities, power our grids, and yes, manage our homes. But we must be aware of what we are connecting in our home and the security of each device. Vendor regulation will also need to play its part, something already underway in California, but there is plenty more ground to cover and no time to wait. For now, it’s on the consumer to scrutinize the IoT products they bring into their home, and security should be high on their checklist.

Make sure that any internet-connected devices you buy allow you to create custom passwords, as a start. It’s also wise to only shop from reputable vendors.

Taking caution will help ensure that your smart home isn’t an easy target for cybercriminals.

Common WordPress Vulnerabilities & How to Protect Against Them

Reading Time: ~ 3 min.

The WordPress website platform is a vital part of the small business economy, dominating the content management system industry with a 60% market share. It gives businesses the ability to run easily-maintained and customizable websites, but that convenience comes at a price. The easy-to-use interface has given even users who are not particularly cybersecurity-savvy a presence on the web, drawing cyber-criminals out of the woodwork to look for easy prey through WordPress vulnerabilities in the process.

Here are some of these common vulnerabilities, and how can you prepare your website to protect against them.

WordPress Plugins 

The WordPress Plugin Directory is a treasure trove of helpful website widgets that unlock a variety of convenient functions. The breadth of its offerings is thanks to an open submission policy, meaning anyone with the skill to develop a plugin can submit it to the directory. WordPress reviews every plugin before listing it, but clever hackers have been known to exploit flaws in approved widgets.

The problem is so prevalent that, of the known 3,010 unique WordPress vulnerabilities, 1,691 are from WordPress plugins. You can do a few things to impede your site from being exploited through a plugin. Only download plugins from reputable sources, and be sure to clean out any extraneous plugins you are no longer using. It’s also important to keep your WordPress plugins up-to-date, as outdated code is the best way for a hacker to inject malware into your site.

Phishing Attacks 

Phishing remains a favored attack form for hackers across all platforms, and WordPress is no exception. Keep your eyes out for phishing attacks in the comments section, and only click on links from trusted sources. In particular, WordPress admins need to be on alert for attackers looking to gain administrative access to the site. These phishing attacks may appear to be legitimate emails from WordPress prompting you to click a link, as was seen with a recent attack targeting admins to update their WordPress database. If you receive an email prompting you to update your WordPress version, do a quick Google search to check that the update is legitimate. Even then, it’s best to use the update link from the WordPress website itself, not an email.

Weak Administrative Practices 

An often overlooked fact about WordPress security: Your account is only as secure as your administrator’s. In the hubbub of getting a website started, it can be easy to create an account and immediately get busy populating content. But hastily creating administrator credentials are a weak link in your cybersecurity, and something an opportunistic hacker will seize upon quickly. Implementing administrative best practices is the best way to increase your WordPress security.

WordPress automatically creates an administrator with the username of “admin” whenever a new account is created. Never leave this default in place; it’s the equivalent of using “password” as your password. Instead, create a new account and grant it administrative privileges before deleting the default administrator account. You’ll also need to change the easily-located and often-targeted administrator url from the default of “wp-admin” to something more ambiguous of your own choosing.

One of the most important practices for any WordPress administrator is keeping the WordPress version up-to-date. An ignored version update can easily become a weak point for hackers to exploit. The more out-of-date your version, the more likely you are to be targeted by an attack. According to WordPress, 42.6% of users are using outdated versions. Don’t be one of them.

Additional Security Practices 

The use of reputable security plugins like WordFence or Sucuri Security can add an additional layer of protection to your site, especially against SQL injections and malware attacks. Research any security plugins before you install them, as we’ve previously seen malware masquerading as WordPress security plugins. If your security plugin doesn’t offer two-factor authentication, you’ll still need to install a secure two-factor authentication plugin to stop brute force attacks. Keeping your data safe and encrypted behind a trusted VPN is also key to WordPress security, especially for those who find themselves working on their WordPress site from public WiFi networks.

WordPress is a powerful platform, but it’s only as secure as you keep it. Keep your website and your users secure with these tips on enhancing WordPress security, and check back here often for updates on all things cybersecurity.

Smart Wearables: Convenience vs. Security

Reading Time: ~ 3 min.

Fitness trackers and other digital wearables have unlocked a new era of convenience and engagement in consumer health. Beyond general fitness trackers, you can find wearables for a variety of purposes; some help diabetics, some monitor for seizure activity, and some can aid in senior citizens’ health and quality of life. But the convenience of an interconnected lifestyle may be a double-edged sword. Fitness trackers and wearables are notoriously unsecured. Wearables record and store some of our most sensitive health data—which is often 10x more valuable than a stolen credit card— making them a particularly attractive target for hackers.

So what types of data does your fitness tracker store? For a start, it holds the identifying information required to set up your account, such as your email, username, and password. But other fitness tracking specifics can make a user easier to identify, including as gender, birthdate, geographical location, height, and weight. Health and activity data provides an in-depth look at the user’s daily habits through the power of GPS monitoring. If your device is paired inside of a network, other personal device information will also be stored, such as your Unique Device IDs or MAC addresses. Depending on the device, your wearables may also store your credit card information or bank account information.

New vulnerabilities

Because of their versatility, wearables and fitness trackers leave us vulnerable in many ways. In last year’s MyFitnessPal hack, which affected 150 million users, attackers hoped to access credit card information but came away with only usernames and passwords. But what about the information that is more specific to wearables, like GPS tracking? After the fitness tracker Strava revealed hidden army bases through heatmap tracking, the Pentagon began to restrict the use of wearables by military personnel due to the potential security threat. And the recently uncovered MiSafe vulnerability left thousands of children unsecured, allowing hackers to track their movements, listen in on conversations, and actually call children on their smart watches. 

Even with these concerns, the wearables market continues to grow, with the prevalence of such devices predicted to double by 2021. Large healthcare organizations and insurance carriers are also starting to use insights from fitness trackers to influence both patient care and insurance rates. We’re even beginning to see the introduction of wearables for employee tracking, although this has met with mixed response. With this increased exposure to potentially insecure technologies, you’ll need to take extra steps to ensure your family’s security.

Where to start

Always research any fitness trackers or wearable devices before you commit, and be sure to avoid devices with any known security flaws. Notable examples to avoid are Medion’s Life S2000 Activity Tracker and Moov’s Now tracker. The Life S2000 requires no authentication and sends data unencrypted, and the Now tracker can leave users vulnerable to attack via Bluetooth connectivity. Even larger brands like Lenovo struggle to maintain an adequate level of security in their fitness trackers; the Lenovo HW01 smart band sends both registration and login data to its servers unencrypted.

Although it’s tedious, we recommend you always read the privacy policy of any wearable device or fitness tracking app before you use it. If the data storage and security measures outlined in the policy aren’t up to snuff, request a refund and let the manufacturer know why. Periodically reviewing your app’s privacy settings on your phone is also a good practice—just to make sure you’re comfortable with the app’s level of access. Take common-sense cybersecurity measures to help keep your wearables as secure as possible. Never reuse passwords or use third party login services like Facebook Login, and consider using a password manager like LastPass® instead.

Wearables and fitness trackers are here to stay, and the Internet of Things (IOT) is only going to keep growing. We have to work together to protect ourselves as we integrate these technologies into our daily lives. After all, the price of convenience cannot match the value of our personal security.

As always, be sure to check back here to stay updated on the newest cybersecurity trends.

The Must-Have Tech Accessory for Students

Reading Time: ~ 4 min.

We live in a digital age where internet-connected devices are the norm. Our phones, our televisions, even our light bulbs are tied together in today’s tech ecosystem. For high school and college students, this degree of digital connection is the standard, and when school is in session, tech accessories are a popular way to customize the various connected devices that are now an essential part of students’ lives.

With their focus on specialized accessories, it’s easy for students to overlook the importance of securing their connected devices. What’s the point of an expensive phone case or the perfect PopSocket if you’re leaving yourself, and your data, vulnerable? Hacks, security breaches, and stolen identities are often seen as things that don’t happen to digital natives. But security breaches can happen to anyone—no matter how sophisticated a user may be—and are almost always preventable by practicing safe cyber habits and having the right security is in place. But where do you start?

Back to basics

For students at any level, these best practices may seem eye-rollingly intuitive, but they are the basic tools for staying safe and secure online. Flaws with basic cybersecurity often prove to be the catalyst for a chain reaction of breaches, so by making sure these essential fail-safes are in place, you go a long way toward protecting yourself from cybercrime.

Awareness

Being aware of your surroundings and the connectivity of your devices is the first step towards a digitally secure life. But what does awareness mean from a cybersecurity standpoint? It means turning airdrop, file sharing, and open Bluetooth connectivity off, before you use your device in a public area. It means not leaving your laptop unattended, even if you’re just running to the bathroom at the coffee shop. It means using a free tool, such as haveibeenpwned.com, to see if your data has been breached in the past and taking corrective measures if it has been. Most importantly, it means treating public networks like they are public, and not accessing sensitive information through them unless you take the proper precautions (more on that below).

Two-Factor authentication

Two-factor authentication, where a validation message is sent upon login, is a security feature that verifies that you are the one who is actually attempting to access your account, particularly if the access request is coming from an unrecognized device or location. Two-factor authentication is the best way to stop unauthorized users from logging into your accounts. Most social media services offer two-factor authentication, but if you don’t trust them to be up to the task, use a third party service such as Authy or Google Authenticator. SMS and email two-factor authentication measures are demonstrably weaker than other available two-factor measures, and should be avoided if possible (although it’s better than using only a password alone).

Multiple passwords

No one likes to remember multiple passwords, let alone multiple secure passwords. But never reusing passwords is the best way to prevent third-party breaches from affecting multiple accounts. A good tip for varied passwords you can remember? Choose a phrase (or favorite song lyric) and break it down into sections. For example, the quick brown fox jumps over the lazy dog, becomes three separate passphrases.

  • the quick brown
  • fox jumps over
  • the lazy dog

This is a handy trick to wean yourself off the same two passwords you’ve been using since middle school, and is better than password redundancy. Make sure you include spaces in your passphrases. In the rare case spaces are not allowed, then a phrase without spaces will suffice.

Digging deeper

If the tips above are the metaphorical security sign in the window of your digital life, the measures outlined below are the actual security system. A small amount of additional effort on your part will help keep you safe during your educational career. 

Antivirus software

Making sure you have trusted antivirus software running on all devices is one of the most effective ways to stay safe from online threats. A cross-device service, such as Webroot SecureAnywhere® solutions, will keep you safe from potentially malicious emails, files, or apps. An important step to never skip? Keeping your antivirus software up to date. This will help prevent newly surfaced viruses and malware from penetrating your systems. Or, chose cloud-based antivirus solutions, like Webroot’s, that do not require updates.

Password managers

Don’t want to bother with remembering passwords at all? Password managers with secure encryption make generating and storing passwords safe and easy. Many password managers are compatible with common browsers such as Chrome and Firefox, making it easy to securely auto-fill passwords and other forms online.

Message encryption

Encryption services use ciphers to convert messages into random symbols, which are only able to be converted back when accessed by the intended recipient, with a special key. Common encryption options are Apple Messages and Signal, as well as WhatsApp, which is owned by Facebook. If you prefer an encryption option that isn’t owned by a large corporation, Signal is a part of Open Whisper Systems.

Virtual private networks

If you must access sensitive information through a public network, setting up a virtual private network (VPN) will block and redirect your IP address, preventing outside parties from tracking and storing your information. Your VPN setup will largely depend on both your specific devices and price point, but with a little research and energy you can prevent anyone and anything from accessing your digital vault.

Vigilance is key

These tools are the true must-have tech accessories to support young people today and their digitally enhanced life. It’s easy to be overwhelmed as a student with school, work, and social life, but don’t let your cybersecurity defenses lag. Stay informed and stay updated.

Cybersecurity Trends to Watch Out for in 2019

Reading Time: ~ 5 min.

The cybersecurity landscape is in constant flux, keeping our team busy researching the newest threats to keep our customers safe. As the new year approaches, we asked our cybersecurity experts to predict which security trends will have the most impact in 2019 and what consumers should prepare for.

Continued Growth of Cryptojacking

“Cryptojacking will continue to dominate the landscape. Arguably more than a third of all attacks in 2019 will be based off of leveraging hardware in your devices to mine cryptocurrency.” – Tyler Moffitt, Senior Threat Research Analyst 

The largest cyber threat of 2018 will continue its unprecedented growth in 2019. Cryptojacking—a type of hack that targets almost any device with computing power, including mobile devices, company servers, and even cable routers to mine for cryptocurrencies—grew by more than 1,000% in the first half of 2018. Compared to ransomware attacks, cryptojacking is incredibly stealthy, with many systems losing processing power while sitting idle anyway. We are now seeing cryptojacking in more significant systems, as was the case when Nova Scotia’s St. Francis Xavier University struggled for weeks to recover after cryptojacking software led to the school to disable its entire digital infrastructure in order to purge the network. For home internet users, cryptojacking can put undue stress on your computer’s processor, slowing down performance and increasing your electric bill.

But, as with any cybersecurity threat, it’s a constant cat-and-mouse game between criminals and the security industry. As cryptojacking continues to grow, so does criminals’ ability to successfully implement the attack. At the same time, so does our knowledge and ability to defend against it. This type of attack can impact your devices in multiple ways, whether via a file on your computer or a website you visit. We recommend a layered solution that can protect against these different attack vectors, like Webroot SecureAnywhere® solutions.

General Data Protection Regulation (GDPR) Influence

“We are going to see a lot more legislation proposed within the US that will be very similar to GDPR, much like California already has. These types of laws will inspire the idea that companies don’t own data that identifies people, and we need to be better stewards of that data. Data, by all accounts, is a commodity. It’s necessary for innovation and to stay competitive, but the data must be good to be of any use.” – Briana Butler, Engineering Data Analyst

The General Data Protection Regulation (GDPR) is a set of regulations put in place in 2018 that standardize data protection measures within the European Union, marking the beginning of a new era of international data protection. In the United States, California has been on the frontlines of data protection law since 2003 when bill SB1386 was passed, pioneering mandatory data-breach notifications nationwide. California continues to innovate in data privacy law with the recently passed California Consumer Privacy Act of 2018 (CCPA), possibly the toughest data privacy law in the country. Although clearly influenced by GDPR, it differs in many ways—enough that companies who are compliant with GDPR may need to take additional steps to also be compliant under the CCPA. But it’s not just lawmakers who are pushing for data protection regulation, influential tech industry leaders like Tim Cook are also calling for stronger consumer protections on data collection nationwide.

What does this mean for you? Expect another wave of “Privacy Update” emails and cookie collection pop-up notices while browsing, as well as expanded protections regarding the collection and storage of your personal data. Given the rising regularity of third party data breaches—like the one that recently left 500 million Marriott guests exposed—stronger data protection laws can only mean good things for consumers.

Biometrics on the Rise

“We will see continued growth in biometric services. Devices with usernames and passwords will become the legacy choice for authentication.” – Paul Barnes, Sr. Director of Product Strategy

Largely associated with facial and fingerprint recognition, biometrics have been on the rise since at least 2013, when the launch of TouchID placed the technology in every iPhone user’s hands. But the adoption of biometric technologies—particularly facial recognition biometrics—was dampened by cultural and ethical concerns, with some fearing the establishment of a national biometric database. But today we are beginning to see the normalization of facial recognition biometrics, like those utilized by Snapchat and Instagram. Biometrics are also now widely seen used in critical infrastructure applications. Airports use biometrics to facilitate a faster boarding process, and hospitals are adopting biometrics for both patient care and as a HIPAA security precaution.

We predict this regular exposure to biometrics will lead to a larger cultural acceptance and adoption of biometrics as a trusted security standard, leading to the eventual death of usernames and passwords. Why bother with a login when your computer knows the minute details of your iris? But convenience may come as a cost. Corresponding with rising use, biometric data will continue to become a more valuable commodity for cybercriminals to steal.

The Beginning of the End for SSNs

“There will be significant discussion around replacing Social Security numbers for a more secure, universal personal identity option.” – Kristin Miller, Director of Communications

In 2017 the Equifax breach compromised 145.5 million Social Security numbers, forcing us to face an uncomfortable truth: SSNs are a legacy system. First available in 1935 from the newly minted Social Security Administration, they were created to track accounts using Social Security programs. They were never intended to act as the secure database key we expect them to be today.

The conversation has already begun on the federal level. “I think it’s really clear there needs to be a change,” White House Cybersecurity Coordinator Rob Joyce said at the 2017 Cambridge Cyber Summit. “It’s a flawed system. If you think about it, every time we use the Social Security number you put it at risk.”

Although it will be some time until we fully replace Social Security numbers, what should you expect from a replacement? When it comes to personal identifiers that are both unique and secure, the conversations tend to center around two technologies: biometrics and blockchains. Biometrics—particularly behavioral biometrics, which derive their logic from individual’s behavioral patterns, such as the syncopation of types or taps on a screen, or even your unique heart beat—are proving to be an especially intuitive solution.

Certification for the Internet of Things

“We will finally see a consumer IoT/connected goods certification body, similar to the Consumer Electrical Safety Certifications today. This will enforce the notion of Security by Design for a smart goods manufacturer.” – Paul Barnes, Sr. Director of Product Strategy

We love the Internet of Things (IoT). It powers our smart homes, our fitness trackers, and our voice assistants. But IoT devices are notoriously insecure, oftentimes featuring overlooked flaws that can lead to exploitation in unexpected places. A recent Pew Research Center survey looked at how growing security concerns are influencing the spread of IoT connectivity reported only 15% of participants saying security concerns would cause significant numbers of people to disconnect from IoT devices. Alternatively, 85% believe most people will move more deeply into an interconnected life due to the convenience of IoT products. Recently published documents may signal that the time of putting convenience ahead of security is quickly coming to an end.

The United Kingdom’s department for Digital, Culture, Media, and Sport (DCMS) published the “Code of Practice for Consumer IoT Security.” The code outlines thirteen steps for organizations to follow for the implementation of appropriate security measures in IoT offerings. It also emphasizes the need for a secure-by-design philosophy, a belief that security measures need to be designed into products, not bolted on afterwards. This type of regulatory influence on the industry is sure to make waves across the pond, and we are already seeing this play out with California’s new IoT security law.

Keep these predictions in mind as you make your way through 2019. Staying informed is the best way to keep you and your family safe, so check back here for more cybersecurity trend updates in the future!