Home + Mobile

Carbonite to Acquire Webroot

I’m excited to share that Webroot has entered into an agreement to be acquired by Carbonite, a leader in cloud-based data protection for consumers and businesses. Why do I think this is such good news for customers, partners and our employees?   For customers and...

The Reality of Passphrase Token Attacks

In my blog, Password Constraints and Their Unintended Security Consequences, I advocate for the use of passphrases. Embedded in the comments section, one of our readers Ben makes a very astute observation: What happens when attackers start guessing by the word instead...

Common WordPress Vulnerabilities & How to Protect Against Them

The WordPress website platform is a vital part of the small business economy, dominating the content management system industry with a 60% market share. It gives businesses the ability to run easily-maintained and customizable websites, but that convenience comes at a...

A Miner Decline: The Slowdown of a Once-Surging Threat

This is the first of a three-part report on the state of three malware categories: miners, ransomware and information stealers. In Webroot’s 2018 mid-term threat report, we outlined how cryptomining, and particularly cryptojacking, had become popular criminal tactics...

Smart Wearables: Convenience vs. Security

Fitness trackers and other digital wearables have unlocked a new era of convenience and engagement in consumer health. Beyond general fitness trackers, you can find wearables for a variety of purposes; some help diabetics, some monitor for seizure activity, and some...

MSPs: Your Security Vendor Should Integrate with More Than Just Your RMM and PSA

For many MSPs, integrating their security solution with their remote monitoring and management (RMM) and professional service automation (PSA) platforms is essential for doing business. Together, these platforms help lower the cost of keeping up with each client,...

Top 5 Things SMBs Should Consider When Evaluating a Cybersecurity Strategy

SMBs are overconfident about their cybersecurity posture. A survey of SMBs conducted by 451 Research found that in the preceding 24 months, 71% of respondents experienced a breach or attack that resulted in operational disruption, reputational damage, significant...

What’s Next? Webroot’s 2019 Cybersecurity Predictions

At Webroot, we stay ahead of cybersecurity trends in order to keep our customers up-to-date and secure. As the end of the year approaches, our team of experts has gathered their top cybersecurity predictions for 2019. What threats and changes should you brace for?...

Responding to Risk in an Evolving Threat Landscape

There’s a reason major industry players have been discussing cybersecurity more and more: the stakes are at an all-time high for virtually every business today. Cybersecurity is not a matter businesses can afford to push off or misunderstand—especially small and...

Two-Factor Authentication: Why & How You Should Use it

Reading Time: ~3 min.

Conventional wisdom about passwords is shifting, as they are increasingly seen as a less-than-ideal security measure for securing digital accounts. Even the recommended rules for creating strong passwords were recently thrown out the window. Average users are just too unreliable to regularly create secure passwords that are different across all accounts, so using technology to augment this traditional security is imperative.

From online banking to email to cloud-based file storage, much of our high-value information is in danger if a hacker gains access to our most frequently visited sites and accounts. That’s where two-factor authentication comes in.

Two-factor authentication (2FA) adds an extra layer of security to your basic login procedure. When logging into an account, the password is a single factor of authentication, and requiring a second factor to prove you are who you say you are is an added layer of security. Each layer of security that you add, exponentially increases protection from unauthorized access.

Three categories of two-factor authentication:

  1. Something you know, such as a password.
  2. Something you have, such as an ID card, or a mobile phone.
  3. Something you are, a biometric factor such as a fingerprint.

The two factors required should come from two different categories. Often, the second factor after entering a password is a requirement to enter an auto-generated PIN code that has been texted to your mobile phone. This combines two different types of knowledge: something you know (your password) and something you have (your mobile phone to receive a code in SMS text or code from a 2FA app).

Protect accounts with an extra layer of security

Popular social media sites, including Twitter, Facebook, Instagram and Pinterest, have added 2FA to help protect users. In addition, you may have noticed that services from companies such as Apple, Google and Amazon will notify you via email each time you log in from a different device or location.

While 2FA from an SMS text message is popular and much more secure than a password alone, it is one of the weaker types of 2FA. This is because it’s relatively easy for an attacker to gain access to your SMS texts. When you log in to your account and it prompts for a SMS code, the website then sends the code to a service provider and then that goes to your phone.

This is not as secure as everyone thinks, because the phone number is the weakest link in the process. If a criminal wanted to steal your phone number and transfer it to a different SIM card, they would only need to provide an address, the last four digits of your social security number, and maybe a credit card number.

This is exactly the type of data that is leaked in large database breaches, a tactic to which most Americans have fallen victim at some point or another. Once the attacker has changed your phone number to their SIM card, they essentially have your number and receive all your texts, thus compromising the SMS 2FA.

 

Do you live in one of the most-hacked states?

 

Many people are guilty of using weak passwords or the same login information across several accounts, and if this sounds like you, we recommend that you use authenticator apps such as Google Authenticator and Authy. These apps are widely supported and easy to setup.

Simply go to the “account settings” section on the site you want to enable. There should be an option for 2FA if it is supported. Use the app on your phone to scan the QR code and, just like that, it’s configured to give you easy six-digit encrypted passwords that expire every 30 seconds.

What happens when you’re not using sites that have 2FA enabled? Quite simply, security is not as tight and there’s a higher risk of a hacker gaining access to your accounts. Depending on what is stored, your credit card information, home address, or other sensitive data could be stolen and used to commit fraud or sold on the DarkWeb.

And until passwords are put to death completely, be sure to heed a few safety tips from Gary Hayslip, Webroot CISO, in addition to using two-factor authentication:

“Change passwords periodically, do not recycle passwords, don’t use the same password for your social media account and your bank account, and finally store your passwords in a safe place. Consider using some type of password vault program, avoid keeping passwords on a Post-it note under your keyboard, on your monitor or in a drawer near your computer.” – Webroot CISO Gary Hayslip

Public Safety in a Connected World

Reading Time: ~2 min.

The U.S. electrical grid is in “imminent danger” from cyberattacks according to a report from the U.S. Energy Department released earlier this year. Such an attack would put much of the infrastructure that we rely on for public safety and basic services in jeopardy—electricity, water, healthcare, and communications systems, among others.

Just last week, an email was sent to energy and industrial firms by the DHS and FBI warning of hacking groups targeting critical infrastructure in the “energy, nuclear, water, aviation, and critical manufacturing sectors.”

Great power, great responsibilty

While the networked technology behind this infrastructure empowers our society, it also exposes us to new risks. Most people are aware of the cyber threats facing our personal mobile devices, home computers, and smart appliances. But the risks to public safety on a larger scale are less well known. Commitment to securing this brave new world is critical if we are to avoid serious public safety problems.

Cyberattacks targeting our critical infrastructure reveal our shared responsibility in securing the networks we depend on each and every day in our connected world. 

Ransomware attacks—when cybercriminals hack a computer, encrypt the files and hold them hostage—pose a particularly dangerous threat for public infrastructure.  It is estimated that ransomware has resulted in billions of dollars of losses in the last year alone, according to our June 2017 Quarterly Threat Trend Report.

Already this year, we’ve seen several major ransomware attacks on government entities, including counties, cities and multiple police departments leading to major disruptions in services like emergency response times, video surveillance and emergency radio transmissions.

 

Do you live in one of the most-hacked states?

 

In June, an infamous cyberattack dubbed NotPetya hit Europe, affecting workplaces and public domains. This attack mirrored its predecessor named Petya (a type of ransomware), except this new incarnation used “EternalBlue to target Windows systems—the same exploit behind the infamous WannaCry attack.” It also differed from other popular ransomware attacks by denying user access and attacking low-level structures on the disk. This Petya-based attack targeted employees at one of the world’s largest advertising agencies, as well as oil companies, shipping companies and banks. A new ransomware attack that emerged this week named Bad Rabbit also appears to be linked to the NotPetya attack.

As advanced threats such as ransomware continue to evolve in sophistication, they present a more imminent threat to the systems and services we rely on for public safety. Cyberattacks targeting our critical infrastructure reveal our shared responsibility in securing the networks we depend on each and every day in our connected world. 

Get tips on becoming a more proactive and prepared citizen with our “One Wrong Click” infographic.

Raising Cyber Savvy Kids

Reading Time: ~2 min.

Over the last year, a handful of cyberattacks have made news headlines and affected families. High-tech toy maker Spiral Toys was the victim of a particularly cunning hacking scheme. The maker of CloudPets stuffed animals reportedly exposed more than two million private voice recordings and the login credentials of 800,000 accounts. While these “smart toys” are part of a wave of internet-connected devices providing fun and memorable experiences, they are also exposing millions of users to cyber threats. These toys may appear harmless on the surface, but their vulnerability to attack should be kept top-of-mind by any parent.

Educate your family

One of the best ways to ensure your children maintain a safe online presence is to start the conversation around the potential risks they face in our increasingly connected world early on.

When it comes to online safety, the U.S. Department of Homeland Security recommends looking for “teachable moments” that arise naturally during day-to-day computer use. For example, if you get a phishing message, show it to your kids so they can identify similar messages in the future and recognize they are not always what they seem.

BBC reported that “children aged five to 16 spend an average of six and a half hours a day in front of a screen compared with around three hours in 1995, according to market research firm Childwise.” With the amount of time kids and teens spend in front of a computer screen daily, and with hacking and cybercriminals becoming more advanced and sophisticated, it’s more important than ever to teach kids how to be cyber savvy.

One of the best ways to ensure your children maintain a safe online presence is to start the conversation around the potential risks they face in our increasingly connected world early on.

Tips for your cyber savvy kids

In addition to using tools like Webroot’s Parental Controls, CISO Gary Hayslip summarizes a few safety tips:

  • Don’t give out financial account numbers, Social Security numbers, or other personal identity information unless you know exactly who’s receiving it.
  • Remember to also protect other people’s information as you would your own.
  • Never send personal or confidential information via email or instant messages as these can be easily intercepted.

Find more tips to keep your family safe online, wherever they connect.

Why You Should Protect Your Mac from Viruses

Reading Time: ~2 min.

“I use a Mac, so I don’t need to worry about malware, phishing, or viruses.” Many Mac users turn a blind eye to cybersecurity threats, often noting that most scams and attacks occur on PCs.

However, within the last few years, there has been a noted uptick in spyware (a type of software that gathers information about a person or organization without their knowledge), adware (software that automatically displays or downloads advertising material), and potentially unwanted applications (PUAs) on Macs and iOS devices.

While Macs are known to have strong security features, they are by no means bullet proof. In a recent interview with CSO Magazine, Webroot Vice President of Engineering David Dufour noted, “Many of these incidents are occurring through exploits in third-party solutions from Adobe, Oracle’s Java and others, providing a mechanism for delivering malicious software and malware.” Even the most internet-savvy users should be sure to install antivirus software on their Mac products.

Security tips for safe browsing on a Mac

Traditionally, because the Windows operating system is more widely used around the world, it is also more highly targeted by cybercriminals. However, Apple devices running macOS are still vulnerable to security threats, and protecting them should be a priority for anyone who owns them. Check out the following security recommendations to help ensure safety wherever you connect with your Mac, in addition to having an up-to-date antivirus installed:

  1. Try using a VPN
    VPN stands for “virtual private network” and is a technology that adds an extra level of privacy and security while online, particularly when using public WiFi networks, which are often less secure. This recent Refinery29 article illustrates the benefits of VPNs for your work and personal life.
  2. Secure your browser
    You may be tempted to ignore messages about updating your browsers, but the minute an update is available, you should download and install it. This is good advice for all software being run on any devices—desktop, laptop, or mobile.
  3. Secure backup
    Be sure to regularly backup your computer and iOS devices so you can easily retrieve your data in case you get locked out of your device.
  4. Use a strong login password
    Use a unique combination of numbers and letters to password-protect your Mac. This is good advice in general for all of the passwords you create. For an added security step, check out the Webroot Password Manager tool to make it easier to manage and organize your passwords.

Phishing: don’t take the bait

Reading Time: ~3 min.

Another day, another phishing attack. From businesses to consumers, phishing attacks are becoming a more widespread and dangerous online threat every year. One wrong click could quickly turn into a nightmare if you aren’t aware of the current techniques cyber scammers are using to get access to your valuable personal information.

A phishing attack is a tactic cybercriminals use to bait victims with fake emails that appear to come from reputable sources. The attackers’ goal is to lure the user into opening an attachment, clicking on a malicious link, or responding with private information. These phony emails have become alarmingly realistic and sophisticated. A scam may come in the form of a banking inquiry, an email from a seemingly official government agency, or even a well-known brand with whom you’ve done business—maybe you even pay them a monthly subscription fee.

If you do take the bait, you’ll likely be directed to a malicious website, where you’ll be prompted to enter your account login details, a credit card number, or worse yet, your social security number. The end goal of these phishing attacks is solely to steal your private information.

According to the Webroot Quarterly Threat Trends Report, the first half of 2017 saw an average of more  46,000 new phishing sites being launched every single day, making it the number-one cause of cybersecurity breaches. As hackers devise new phishing tactics, traditional methods of detecting them quickly become outdated.

One of the most popular tricks criminals use to avoid detection is the short-lived attack. The Quarterly Threat Trends Report also revealed that these attacks, where a phishing site is live on the internet for as short as 4 to 8 hours, are seeing a continued rise. Short-lived attacks are so hard to catch because traditional anti-phishing techniques like black-lists are often 3-5 days behind, meaning the sites have already been taken down by the time they appear on the list.

Five ways free antivirus could cost you

You’re probably already aware of the primary phishing-avoidance tip: do not click on suspicious links or unknown emails. But, as the state of phishing becomes even more advanced, how can you best spot and avoid an attack?

Lesser-known phishing giveaways

Webroot recommends keeping an eye out for the following:

  1. Requests for confidential information via email or instant message
  2. Emails using scare tactics or urgent requests to respond.
  3. Lack of a personal message or greeting. Legitimate emails from banks and credit card companies will often include a personalized greeting or even a partial account number, user name, or password.
  4. Misspelled words or grammatical mistakes. Call the company if you have suspicions about an email you’ve received.
  5. Directions to visit websites with misspelled URLs, or use of , which precede the normal domain (something like phishingsite.webroot.com).

Stay ahead of cybercriminals

If an email in your inbox does seem suspicious, here are a few things you can do:

  1. Contact the service or brand directly via another communication channel (i.e., look up their customer support phone number or email address), and ask them to verify whether the content of the email is legitimate.
  2. Avoid providing any personally identifiable information (PII) electronically, unless you are extremely confident the email is from the stated source.
  3. If you do click a link from an email, verify the site’s security before submitting any information. Make sure the site’s URL begins with “https” and that there’s a closed lock icon near the address bar. Also, be sure to check for the site’s security certificate.

Ransomware Spares No One: How to Avoid the Next Big Attack

Reading Time: ~3 min.

With global ransomware attacks, such as WannaCry and not-Petya, making big headlines this year, it seems the unwelcomed scourge of ransomware isn’t going away any time soon. While large-scale attacks like these are most known for their ability to devastate companies and even whole countries, the often under-reported victim is the average home user.

We sat down with Tyler Moffit, senior threat research analyst at Webroot, to talk ransomware in plain terms to help you better understand how to stop modern cybercriminals from hijacking your most valuable data.

Webroot: For starters, how do you describe ransomware? What exactly is being ransomed?

Tyler Moffit: To put it simply, your files are stolen. Basically, any files that you would need on the computer, whether those are pictures, office documents, movies, even save files for video games, will be encrypted with a password that you need to get them back. If you pay the ransom, you get the password (at least, in theory. There’s no guarantee.)

How does the average home user get infected with ransomware?

Malspam” campaigns are definitely the most popular. You get an email that looks like it’s from the local post office, saying you missed a package and need to open the attachment for tracking. This attachment contains malware that delivers the ransomware, infecting your computer. It is also possible to become infected with ransomware without clicking anything when you visit malicious websites. Advertisements on legitimate websites are the biggest target. Remote desktop protocol (RDP) is another huge attack vector that is gaining traction as well. While controlling desktops remotely is very convenient, it’s important to make sure your passwords are secure.

How is the data ? Is the ransomed data actually taken or transmitted?

When you mistakenly download and execute the ransomware, it encrypts your files with a password, then sends that password securely back to the attacker’s server. You will then receive a ransom demand telling you how to pay to get the password to unlock your files. This is a really efficient way to prevent you from accessing your files without having to send gigabytes of information back to their servers. In very simple terms, the files are scrambled using a complex algorithm so that they are unreadable by any human or computer unless the encryption key is provided.

 

What types of files do ransomware attacks usually target?

Most ransomware is specifically engineered to go after any type of file that is valuable or useful to people. Around 200 file extensions have been known to be targeted. Essentially, any file that you’ve saved or open regularly would be at risk.

How does the attacker release the encrypted files?

The attacker provides a decryption utility via the webpage where you make the payment. Once you receive the decryption key, all you have to do is input that key into the tool and it will decrypt and release the files allowing you to access them again. Keep in mind, however, that the criminal who encrypted your files is under no obligation to give them back to you. Even if you pay up, you may not get your files back.

Tips for protecting your devices:

  • Use reliable antivirus software.
  • Keep all your computers up-to-date. Having antivirus on your computer is a great step towards staying safe online; however, it doesn’t stop there. Keeping your Windows PCs and/or Mac operating systems up-to-date is equally important.
  • Backup your data. Being proactive with your backup can help save your favorite vacation photos, videos of your kid’s first piano recital, not to mention sensitive information that could cost you thousands by itself.

Remember, being an informed and aware internet user is one of the best defenses against cyberattacks. Stay tuned in to the Webroot blog and follow us on your favorite social media sites to stay in-the-know on all things cybersecurity.

Fending Off Privacy Invasion

Reading Time: ~3 min.

Internet users in the U.S. have seen internet privacy protections diminish significantly in the post-9/11 era. In just March of this year, Congress swiftly (and quietly) did away with federal privacy regulations that prevented internet service providers from selling their customers’ browsing histories without consent.

In recent years, products intended to deliver conveniences directly to our doorsteps have begun to present tacit privacy intrusions into the modern home. Always-on smart speakers from online retailers make it easier than ever to order products, but they also enable those companies to listen to our every word. Those same companies are monitoring our behaviors across the web.

“Google knows quite a lot about all of us,” said cybersecurity expert Bruce Schneier in a recent interview with the Harvard Gazette. “No one ever lies to a search engine. I used to say that Google knows more about me than my wife does, but that doesn’t go far enough. Google knows me even better, because Google has perfect memory in a way that people don’t.”

Giant corporations aren’t the only ones intruding into our daily lives to collect our personal data for financial gain—cybercriminals are intent on doing the same. Crimes such as identity theft and extortion can be carried out with stealthy malware, such as remote access tools (RATs) used to spy on users via laptop webcams.

We asked people in downtown Denver, CO what they are doing to protect their privacy. Their answers were rather bleak:

 

While public awareness of this ominous trend has mounted somewhat since 2013, when revelations of America’s government surveillance surfaced via the Snowden leaks, virtually nothing has been done to reverse it. Faced with this constant barrage of privacy invasion, pulling the plugs and disconnecting entirely may seem like the only way out—but rejecting “the way things are” is a pill most people are unlikely to swallow.

Until there’s a major shift in our society’s attitudes (and public policies) toward internet privacy, the duty falls on individual users to safeguard their own private data, identities, and other sensitive information. Follow and share the tips below to take back control over your privacy.

Tips for protecting your online privacy

  • Configure your web browser to delete cookies after closing. You can also take control of other advanced privacy features in your web browser to have greater control of what you’re sharing with websites you visit.
  • Cover your webcam with tape, a sticker, or something else that can block the camera lens and also be easily removed when you need to use it. (Webroot SecureAnywhere® solutions protect against webcam spying and other potentially unwanted applications.)
  • Don’t share sensitive information on social media. Check your privacy settings on sites like Facebook and Twitter and make sure only your trusted followers can see your complete profile. For instance, do your Facebook friends really need to know your real birthday? Deliberately sharing a fake birthday on social media can be a crafty way to enhance your privacy.
  • Lock your screens. All of them. Losing a device like your laptop or smartphone could spell disaster if they were to end up in the wrong hands. Strong, uncommon PINs and passwords can lock down your devices from would-be thieves.
  • Use fake answers for password security questions. Honest answers to security questions can often be found with just a little online digging. Why can’t your mother’s maiden name be “7O7F1@!3kgBj”? This brings us to our next tip…
  • Use a password manager app to generate and store strong, unique passwords for all of your accounts. (A password manager can also safely store those fake security answers mentioned above.)
  • Use security software to monitor and protect your digital devices from threats like malware, spyware, and phishing attacks, which can steal your private data.

For more videos related to cybersecurity and staying safe online, subscribe to our YouTube channel.

Why You Should be Using a Password Manager

Reading Time: ~2 min.

From streaming entertainment to social media to our online bank accounts and software, we are inundated every day with the need to create and remember new passwords. In fact, one study revealed that Americans have an average of 130 online accounts registered to a single email address. And what are the chances that those 130 passwords are each unique and difficult to crack? Slim to none.

You’ve probably heard about the infamous Yahoo breach that came to light last year, in which hackers stole the credentials and other sensitive information of more than 1 billion users. For people who used their Yahoo password for other sites, those accounts were also compromised.

Unfortunately, many people admit their passwords are less secure than they should be. See for yourself:

 

So how, exactly, can we all be expected to create and remember an average of 130 unique passwords?

The best solution available today, offering both convenience and security, is a password manager.

What exactly is a password manager?

It is a type of application that can address all the above issues. Password managers come in the form of lightweight plugins for web browsers such as Google Chrome or Mozilla Firefox and can automatically fill in your credentials after saving them in an encrypted database.

The major benefit of using a password manager is that you only need to remember a single master password. This allows you to easily use unique, strong passwords chosen for each of your online accounts. Just remember one strong password and the manager will take care of the rest.

Avoid these common password security risks:

  • Typing passwords to login each time can be dangerous in itself. Malicious keyloggers designed to secretly monitor keystrokes can record your passwords as you type them. (You can eliminate these with good antivirus software.)
  • Remembering multiple passwords, especially if you have carefully picked a password that is complicated. Most people tend to use the same or similar passwords for different accounts, which means that if one password is exposed, criminals can log into all those accounts.
  • Storing passwords in a document or writing them down, which creates a very high risk of being affected by a breach or simply losing the information.

For more videos related to cybersecurity and staying safe online, subscribe to our YouTube channel.

Your Identity Is Yours. Here’s How To Keep It That Way.

Reading Time: ~2 min.

Have you ever been out with friends, had a little too much to drink, and left your credit card in a bar? Or maybe you thought you’d stowed your child’s social security card safely away in your desk drawer, but now you can’t find it. It may seem like losing these items is just an inconvenience, but the reality is that simple slip-ups like these can spell disaster for you and your family.

According to NBC News, more than 15 million Americans were victims of identity theft last year alone, up 16 percent from 2015. And stolen credit or social security cards are just a couple of the ways identity thieves can invade your personal life, dealing major blows to your finances and even your reputation.

Unfortunately, the culprits behind identity theft can be anyone from family, friends, and neighbors to sophisticated cybercriminals.

“Most cybercriminals use automated tools to steal thousands, if not millions, of IDs at a time. Ensuring you have unique passwords for financial sites, avoiding public Wi-Fi in hotels and airports, and keeping backups of all your data are all important steps toward protecting yourself from identity theft. Finally, having a current, layered antivirus solution that not only protects against malicious files like ransomware, but also prevents phishing attacks and protects online browsing can close the loop on cybercriminals trying to do your and your family harm.”

-David Dufour, Senior Director of Engineering, Webroot

We recently took to the streets of Denver to get a feel for how average Americans are staying safe from identity theft. Their responses were not so surprising.

How to protect yourself from identity theft

With these types of malicious acts making the news more frequently than ever, why are people not taking more precautions with their identity? That’s not something we can answer, but we can give you a few tips on how to be safer with your identity:

  • Don’t send or receive private data over unsecured Wi-Fi networks or in public spaces.
  • Keep personal data encrypted when stored on devices.
  • Safely store (or destroy) physical documents that contain your private information, from credit cards to mail.
  • Freeze your credit. It sounds scary, but it isn’t. Freezing your score makes it harder for a criminal to open a new credit card account or take out a loan in your name. The FCC provides details on their website.
  • Know your credit score. There are many free services that help you keep track of your credit score, and make sure nothing phishy is going on.
  • Make sure all your devices are installed with up-to-date cybersecurity that protects you from all knows threats in real-time.

If you’re looking for more ways to protect yourself from identity theft, the federal government has a few more tips.

What if I’ve been a victim of identity theft?

The Federal Trade Commission has a useful one-stop-shop to help you repair the damage and recover from identity theft. The task may seem daunting, but at the end of the day, your identity is yours—and it should stay yours.

Creating Strong Passwords on World Password Day

Reading Time: ~2 min.

Update: World Password Day will officially be observed on May 3, 2018. While the the rules for creating tough-to-crack passwords remain true, additional layers of password security such as two-factor authentication and password manager tools are giving users even stronger security for their online accounts. Follow the advice below and have some fun crafting strong passwords to keep you safe online in 2018.

We’ve heard the same advice over and over when it comes to passwords—make it strong. But how many of us actually follow this advice? Would you believe that some of the most popular passwords are still “password”, “123456”, “qwerty”, and “abc123”? For World Password Day, we’ve want to offer a few tips to make sure your passwords are up to snuff.

Tips for securing passwords
  1. Create a strong password that uses numbers, caps, and special characters
  2. Use unique passwords for each account
  3. Enable two-factor authentication
  4. Set up a secure password manager

You’re probably thinking “it’s hard to remember multiple strong passwords.” To help you out, here’s how you can choose something easy to remember, but hard to crack.

  1. Start with your favorite song, movie, or book. Use the first letter of each word. So, if your jam is “Guardians of the Galaxy Vol. 2”, that would make it “Gotgv2”.
  2. You could then increase the complexity by changing out any vowels with numbers. That makes it “G0tgv2”.
  3. Now add a special character, such as “!” or “$”. Your password would now be “G0tgv2!”.
  4. Turn it into a passphrase for good measure. Something like  “G0t7gv2! is my jam!”.
  5. Make sure it’s at least 16 letters long. This one is, but you may need to add another number or symbol to make the password long enough.

If this is still too much to remember, you can use the first letter of one of your favorite phrases from a song, movie, or book until you reach 12 or so characters, mix up capitalization, then add in a few special characters.

Otherwise, go with option 4 from my original list: get yourself a password manager. There are a number of free and low-cost password manager applications out there, which will generate and store secure passwords for all of your accounts. Many Webroot subscribers already have one, depending on their Webroot subscription type.

Note: If you do use this option, you will still need a strong password for the password management program itself.

Mobile reminder

If you don’t have a password on your mobile phone or tablet, you should reread part about following security advice. Most smartphones offer the option of a 4-digit PIN or a pattern. When creating your PIN, be sure to use a unique string of numbers, and one that isn’t easy to guess (e.g. don’t use your birthday.)

Join Webroot and hundreds of other organizations worldwide on May 4th to take the pledge to build stronger password habits.

7 dangerous subject lines

Reading Time: ~3 min.

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. But you can avoid such attacks by being patient, checking email addresses, and being cautious of sketchy-sounding subject lines.

Cybersmart - dangerous subject lines

7 dangerous subject lines to avoid

Cybercriminals initiate their attacks through hyperlinks or attachments within emails. Most of these attacks use urgency or take advantage of user trust and curiosity to entice victims to click. Here are examples of subject lines to be cautious of.

  1. Remember me? It’s Tim Timmerson from Sunnytown High! Criminals use social engineering tactics to find out the names of the people close to you. They may also hack a friend or relative’s email account and use their contact lists as ammo. Next, they research and impersonate someone you know, or used to know, through chats and emails. Not quite sure about a message you received? Hover your mouse over the sender address (without clicking) to see who the real sender is.
  2. Online Banking Alert: Your Account will be Deactivated. Imagine the sense of urgency this type of subject line might create. In your panicked rush to find out what’s going on with your account, you might not look too closely at the sender and the URL they want you to visit. At the end of March, a Bank of America email scam just like this was successfully making the rounds. Initially, the email looked completely legitimate and explained politely that a routine server upgrade had locked the recipient out of their account. At this point, when clicking the link to update their account details, an unsuspecting victim would be handing their login credentials and banking information over to cybercriminals.
  3. USPS: Failed Package Delivery. Be wary of emails saying you missed a package, especially if they have Microsoft Word documents attached. These attacks use the attachments to execute ransomware payloads through macros. Senior Threat Research Analyst Tyler Moffitt walks us through what it’s like to get hit with a ransomware payload from a USPS phishing email.
  4. United States District Court: Subpoena in a civil case. Another common phishing attack imitates government entities and may try to tell you that you’re being subpoenaed. The details and court date are, of course, in the attachment, which will deliver malware.
  5. CAMPUS SECURITY NOTIFICATION: Phishing attacks have been targeting college students and imitating official university emails. Last month, officials at The University of North Carolina learned of an attack on their students that included a notification email stating there was a security situation. The emails were coming from a non-uncg.edu address and instructed users to “follow protocols outlined in the hyperlink”. Afterward, the attacker would ask victims to reset their password and collect their sensitive information.
  6. Ready for your beach vacay? Vacation scams offer great deals or even free airfare if you book RIGHT NOW. These scams are usually accompanied by overpriced hotel fees, hidden costs, timeshare pitches that usually don’t pan out, and even the theft of your credit card information. Check the legitimacy of offers by hovering over links to see the full domain, copy and pasting links into a notepad to take a closer look, and by researching the organization.
  7. Update your direct deposit to receive your tax refund. The IRS warns of last minute email phishing scams that take advantage of everyone’s desire for hard-earned refunds and no doubt, their banking credentials.

Read between the lines

Help us create awareness in the community around scams and phishing attacks with dangerous subject lines. From here on, education should be top of mind as our community begins to adopt safer online habits. Share this blog with your friends and family or get in on the #CyberSmart conversation by sharing a Tweet.

Celebrate World Backup Day the Smarter Way

Reading Time: ~2 min.

Don’t wait for a system failure, ransomware attack, or for your laptop to be stolen before you start thinking about backing up your data.

Why back up?

According to a 2016 study by Acronis, 1 in 3 people have suffered data loss and are willing to pay up to $500 or more to recover lost files. Your data and important files are undoubtedly worth a lot to you, but—realistically speaking—just how much are you willing (or even able) to shell out?

With the increase in ransomware and sophisticated attacks, you can’t afford NOT to back up your files and sensitive data. Being proactive with your backup can help save your favorite vacation photos, videos of your kid’s first piano recital, not to mention sensitive information that could cost you thousands by itself.

In an effort to help the community be more cyber aware, WorldBackupDay.com celebrates on March 31st not only as a day for backing up your personal data, but a day for preserving our increasingly digital heritage for future generations.

World Backup Day

How to effectively back files up to prevent data loss:

  • Choose a secure backup solution. Whether it’s a cloud-based service or an external hard drive, do your research and choose what’s right for you.
  • Implement a backup schedule that covers your preferred data through your cloud solution or external drive.
  • Set reminders to ensure that your backups are running regularly and that they haven’t encountered any errors.

I’ve backed up my data. Now what? How do I avoid a ransomware attack?

“Throughout 2016 and likely into 2017, the Office document macro infection into encrypting ransomware was quite common. By disabling macros completely in the trust center (free and easy to do) you will completely remove this attack vector from posing a threat to you or your organization.” –Tyler Moffitt, Senior Threat Research Analyst

Take the Pledge

Hop on the World Backup Day bandwagon. Share a Tweet to help keep yourself, your friends, and your family protected from ransomware attacks, stolen devices, and system failure.

It’s easy. Repeat after me.

“I solemnly swear to backup my important documents and precious memories on March 31st.”

Page 3 of 812345...Last »