We live in a digital age where internet-connected devices are the norm. Our phones, our televisions, even our light bulbs are tied together in today’s tech ecosystem. For high school and college students, this degree of digital connection is the standard, and when school is in session, tech accessories are a popular way to customize the various connected devices that are now an essential part of students’ lives.
With their focus on specialized accessories, it’s easy for students to overlook the importance of securing their connected devices. What’s the point of an expensive phone case or the perfect PopSocket if you’re leaving yourself, and your data, vulnerable? Hacks, security breaches, and stolen identities are often seen as things that don’t happen to digital natives. But security breaches can happen to anyone—no matter how sophisticated a user may be—and are almost always preventable by practicing safe cyber habits and having the right security is in place. But where do you start?
Back to basics
For students at any level, these best practices may seem eye-rollingly intuitive, but they are the basic tools for staying safe and secure online. Flaws with basic cybersecurity often prove to be the catalyst for a chain reaction of breaches, so by making sure these essential fail-safes are in place, you go a long way toward protecting yourself from cybercrime.
Being aware of your surroundings and the connectivity of your devices is the first step towards a digitally secure life. But what does awareness mean from a cybersecurity standpoint? It means turning airdrop, file sharing, and open Bluetooth connectivity off, before you use your device in a public area. It means not leaving your laptop unattended, even if you’re just running to the bathroom at the coffee shop. It means using a free tool, such as haveibeenpwned.com, to see if your data has been breached in the past and taking corrective measures if it has been. Most importantly, it means treating public networks like they are public, and not accessing sensitive information through them unless you take the proper precautions (more on that below).
Two-factor authentication, where a validation message is sent upon login, is a security feature that verifies that you are the one who is actually attempting to access your account, particularly if the access request is coming from an unrecognized device or location. Two-factor authentication is the best way to stop unauthorized users from logging into your accounts. Most social media services offer two-factor authentication, but if you don’t trust them to be up to the task, use a third party service such as Authy or Google Authenticator. SMS and email two-factor authentication measures are demonstrably weaker than other available two-factor measures, and should be avoided if possible (although it’s better than using only a password alone).
No one likes to remember multiple passwords, let alone multiple secure passwords. But never reusing passwords is the best way to prevent third-party breaches from affecting multiple accounts. A good tip for varied passwords you can remember? Choose a phrase (or favorite song lyric) and break it down into sections. For example, the quick brown fox jumps over the lazy dog, becomes three separate passphrases.
- the quick brown
- fox jumps over
- the lazy dog
This is a handy trick to wean yourself off the same two passwords you’ve been using since middle school, and is better than password redundancy. Make sure you include spaces in your passphrases. In the rare case spaces are not allowed, then a phrase without spaces will suffice.
If the tips above are the metaphorical security sign in the window of your digital life, the measures outlined below are the actual security system. A small amount of additional effort on your part will help keep you safe during your educational career.
Making sure you have trusted antivirus software running on all devices is one of the most effective ways to stay safe from online threats. A cross-device service, such as Webroot SecureAnywhere® solutions, will keep you safe from potentially malicious emails, files, or apps. An important step to never skip? Keeping your antivirus software up to date. This will help prevent newly surfaced viruses and malware from penetrating your systems. Or, chose cloud-based antivirus solutions, like Webroot’s, that do not require updates.
Don’t want to bother with remembering passwords at all? Password managers with secure encryption make generating and storing passwords safe and easy. Many password managers are compatible with common browsers such as Chrome and Firefox, making it easy to securely auto-fill passwords and other forms online.
Encryption services use ciphers to convert messages into random symbols, which are only able to be converted back when accessed by the intended recipient, with a special key. Common encryption options are Apple Messages and Signal, as well as WhatsApp, which is owned by Facebook. If you prefer an encryption option that isn’t owned by a large corporation, Signal is a part of Open Whisper Systems.
Virtual private networks
If you must access sensitive information through a public network, setting up a virtual private network (VPN) will block and redirect your IP address, preventing outside parties from tracking and storing your information. Your VPN setup will largely depend on both your specific devices and price point, but with a little research and energy you can prevent anyone and anything from accessing your digital vault.
Vigilance is key
These tools are the true must-have tech accessories to support young people today and their digitally enhanced life. It’s easy to be overwhelmed as a student with school, work, and social life, but don’t let your cybersecurity defenses lag. Stay informed and stay updated.
SMBs are overconfident about their cybersecurity posture.
A survey of SMBs conducted by 451 Research found that in the preceding 24 months, 71% of respondents experienced a breach or attack that resulted in operational disruption, reputational damage, significant financial losses or regulatory penalties. At the same time, 49% of the SMBs surveyed said that cybersecurity is a low priority for their business, and 90% believe they have the appropriate security technologies in place. Clearly, SMBs are not correctly evaluating cybersecurity risk.
Many of us can relate – each day we ignore obvious signs that point to a reality that is in direct contrast to our beliefs. For example, as each year passes, most of us get a little slower, muscles ache that never ached before, we get a bit softer around the middle, and we hold our reading material farther away. Yet, we are convinced we could take on an NBA player in a game of one-on-one or complete the American Ninja Warrior obstacle course on the first try.
While it’s unlikely that most of us can make the improvements needed to compete with elite athletes, the same can’t be said for enterprise cybersecurity. The journey is not an easy one given the security talent vacuum, a lack of domain understanding at the executive level, and the complexity of implementing a long-term, metric-based strategy. But, if you are an SMB struggling to run up and down the proverbial court, here are five things you should consider when building a better security practice:
1. Experienced staff are valuable, but expensive, assets.
Although enterprise cybersecurity is a 24/7/365 effort requiring a full roster of experienced professionals, many SMB cybersecurity teams are underequipped to handle the constant deluge of alert notifications, let alone the investigation or remediation processes. In fact, only 23% of survey respondents plan to add staff to their security teams in the coming year. For many SMBs, the security staffing struggles may get worse as 87% reported difficulties in retaining existing security professionals. To fill this gap, SMBs are increasingly turning to MSPs and MSSPs to provide the expertise and resources needed to protect their organizations around the clock.
2. Executives understand what is at stake, but not what action to take.
As the threat landscape becomes more treacherous, regulatory requirements multiply, and security incidents become more common, executives at SMBs have become more acutely aware of the business impact of security incidents – most are feeling an urgency to strengthen organizational cybersecurity. However, acknowledging the problem is only the first step of the process. Executives need to interface with their internal security teams, industry experts and MSPs in order to fully understand their organization’s risk portfolio and design a long-term cybersecurity strategy that integrates with business objectives.
3. Security awareness training (SAT) is low-hanging fruit (if done right).
According to the 451 Research Voice of the Enterprise: Information Security: Workloads and Key Projects survey, 62% of SMBs said they have a SAT program in place, but 50% are delivering SAT on their own using ‘homegrown’ methods and materials. It should be no surprise that many SMBs described their SAT efforts as ineffective. MSPs are increasingly offering high-quality, comprehensive SAT for a variety of compliance and regulatory frameworks such as PCI-DSS, HIPAA, SOX, ISO, GDPR and GLBA. SMBs looking to strengthen their security posture should look to partner with these MSPs for security awareness training.
4. Securing now means securing for the future.
The future of IT architecture will span both private and public clouds. This hybrid- and multi-cloud infrastructure represents a significant challenge for SMBs that require a cybersecurity posture that is both layered and scalable. SMBs need to understand and consider long-term trends when evaluating their current cybersecurity strategy. With this aim in mind, SMBs can turn to MSPs and MSSPs with the experience and toolsets necessary for securing these types of complex environments.
5. A metrics-based security approach is needed for true accountability.
In a rush to shore up organizational security, SMBs might make the all-too-common mistake of equating money spent with security gained. To be clear: spending not backed by strategy and measurement only enhances security posture on the margins, if at all. To get the most bang for each buck, SMBs need to build an accountable security system predicated on quantifiable metrics.Again, this is an area where SMBs can partner with MSPs and MSSPs. This serves as an opportunity to develop cybersecurity strategy with measurable KPIs to ensure security gains are maintained over time. MSPs can help SMBs define the most applicable variables for their IT architectures, whether it be incident response rate, time-to-response or other relevant metrics.
The strategic reevaluation of organizational security is a daunting task for any organization, but given the risks SMBs face and their tendency to be underprepared, it is a necessary challenge. These key points of consideration for SMBs embarking on this critical journey underscore the importance of building an accountable and forward-looking security system and highlight the ways in which SMBs can work alongside MSP or MSSP partners to implement the right cybersecurity system for their organizations. I hope this will be the wake-up call all SMBs need to unleash their inner cybersecurity all-star.
If you’re interested in learning more about how other SMBs are approaching cybersecurity, read my report Security Services Fueling Growth for MSPs.
American Newspapers Shutdown After Ransomware Attack
Nearly all news publications owned by Tribune Publishing suffered disruptions in printing or distribution after the publisher was hit by a ransomware attack. Many of the papers across the country were delivered incomplete or hours or days late. Even some papers that had been sold off to other publishers in previous years were affected. Fortunately, digital and mobile versions of the newspapers were untouched by the attack, allowing users to view local news as normal online.
‘PewDiePie’ Hacker Turns Focus to Smart Devices
The hacker previously responsible for hacking thousands of printers and directing them to print ads in support of PewDiePie, the world’s largest YouTuber, has now started using unsecured smart devices to continue the campaign. In addition to requesting the “victim” subscribe to PewDiePie, the hacker’s main message is to bring light to the extreme lack of security many of us live with daily. By using the standard ports used by smart TVs to connect to streaming devices, the hacker has even created scripts that will search for these insecure ports and begin connecting to them.
California Alcohol Retailer Faces Data Breach
One of the largest alcohol retailers in California, BevMo, recently announced they’ve fallen victim to a credit card breach on their online store. The breach lasted for nearly two months, during which time customer payment card data for nearly 14,000 customers was illegitimately accessed. While officials are still unclear as to who was behind the breach, it is likely related to the MageCart attacks that appeared across the globe during the latter half of 2018.
Blur Password Manager Leaves Passwords Exposed
An independent security researcher recently discovered a server that was allowing unauthenticated access to sensitive documents for well over two million users. The exposed information included names, email addresses, IP addresses from prior logins, and even their account password, though the company has remained firm that the passwords contained within their accounts are still secure. Since the reveal, Blur’s parent company, Abine, has prompted users to change their main passwords and enable two-factor authentication, if they had not already done so.
Bitcoin Wallets: Still Major Target for Hackers
Nearly $750,000 worth of Bitcoin was stolen from Electrum wallets in an attack that began only a few days before Christmas. By exploiting a previously documented vulnerability, the hackers were able to inject their own server list into the connections made by the Electrum wallet and successfully rerout their victims to another server, where they were then presented with a fake update screen. By moving forward with the “update,” malware was promptly downloaded to the device and users could then enter their wallet credentials, only for them to be stolen and their accounts drained.
Amazon User Receives Thousands of Alexa-Recorded Messages
Upon requesting all his user data from Amazon, one user promptly received over 1,700 recorded messages from an Alexa device. Unfortunately, the individual didn’t own such a device. The messages were from a device belonging to complete stranger, and some of them could have easily been used to find the identity of the recorded person. While Amazon did offer the victim a free Prime membership, it’s cold comfort, as these devices are constantly recording and uploading everyday details about millions of users.
San Diego School District Hacked
In a recent phishing scheme, hackers successfully gained the trust of a San Diego Unified School Districtemployee and obtained credentials to a system that contained student, parent, and staff data from the past decade. The database mostly consisted of personal data for over half a million individuals, but also included student course schedules and even payroll information for the District’s staff.
Data Breach Affects Hundreds of Coffee Shops
Attackers were able to access payment data for 265 Caribou Coffee shopsacross the United States. The breach could affect any customers who made purchases between the end of August 2018 and the first week of December. The company recommends that any customers who may have visited any of their locations across 11 states engage a credit monitoring service to help avoid possible fraud.
FBI Shuts Down DDoS-for-Hire Sites
At least 15 DDoS-for-Hire siteshave been taken down in a recent sweep by the U.S. Justice Department, and three site operators are currently awaiting charges. Some of the sites had been operating for more than 4 years and were responsible for over 200,000 DDoS attacks across the globe. This is the second in a series of government-led cyberattack shutdowns over the last year.
Email Scam Offers Brand New BMW for Personal Info
A new email scam is informing victims that they’ve just won a 2018 BMW M240iand over $1 million dollars, which they can easily claim if they provide their name and contact information. Victims who provide their contact details are then contacted directly and asked to give additional information, such as their social security number and credit or bank card details. If you receive this email or one like it, we recommend you delete it immediately, without opening it.
The cybersecurity landscape is in constant flux, keeping our team busy researching the newest threats to keep our customers safe. As the new year approaches, we asked our cybersecurity experts to predict which security trends will have the most impact in 2019 and what consumers should prepare for.
Continued Growth of Cryptojacking
“Cryptojacking will continue to dominate the landscape. Arguably more than a third of all attacks in 2019 will be based off of leveraging hardware in your devices to mine cryptocurrency.” – Tyler Moffitt, Senior Threat Research Analyst
The largest cyber threat of 2018 will continue its unprecedented growth in 2019. Cryptojacking—a type of hack that targets almost any device with computing power, including mobile devices, company servers, and even cable routers to mine for cryptocurrencies—grew by more than 1,000% in the first half of 2018. Compared to ransomware attacks, cryptojacking is incredibly stealthy, with many systems losing processing power while sitting idle anyway. We are now seeing cryptojacking in more significant systems, as was the case when Nova Scotia’s St. Francis Xavier University struggled for weeks to recover after cryptojacking software led to the school to disable its entire digital infrastructure in order to purge the network. For home internet users, cryptojacking can put undue stress on your computer’s processor, slowing down performance and increasing your electric bill.
But, as with any cybersecurity threat, it’s a constant cat-and-mouse game between criminals and the security industry. As cryptojacking continues to grow, so does criminals’ ability to successfully implement the attack. At the same time, so does our knowledge and ability to defend against it. This type of attack can impact your devices in multiple ways, whether via a file on your computer or a website you visit. We recommend a layered solution that can protect against these different attack vectors, like Webroot SecureAnywhere® solutions.
General Data Protection Regulation (GDPR) Influence
“We are going to see a lot more legislation proposed within the US that will be very similar to GDPR, much like California already has. These types of laws will inspire the idea that companies don’t own data that identifies people, and we need to be better stewards of that data. Data, by all accounts, is a commodity. It’s necessary for innovation and to stay competitive, but the data must be good to be of any use.” – Briana Butler, Engineering Data Analyst
The General Data Protection Regulation (GDPR) is a set of regulations put in place in 2018 that standardize data protection measures within the European Union, marking the beginning of a new era of international data protection. In the United States, California has been on the frontlines of data protection law since 2003 when bill SB1386 was passed, pioneering mandatory data-breach notifications nationwide. California continues to innovate in data privacy law with the recently passed California Consumer Privacy Act of 2018 (CCPA), possibly the toughest data privacy law in the country. Although clearly influenced by GDPR, it differs in many ways—enough that companies who are compliant with GDPR may need to take additional steps to also be compliant under the CCPA. But it’s not just lawmakers who are pushing for data protection regulation, influential tech industry leaders like Tim Cook are also calling for stronger consumer protections on data collection nationwide.
What does this mean for you? Expect another wave of “Privacy Update” emails and cookie collection pop-up notices while browsing, as well as expanded protections regarding the collection and storage of your personal data. Given the rising regularity of third party data breaches—like the one that recently left 500 million Marriott guests exposed—stronger data protection laws can only mean good things for consumers.
Biometrics on the Rise
“We will see continued growth in biometric services. Devices with usernames and passwords will become the legacy choice for authentication.” – Paul Barnes, Sr. Director of Product Strategy
Largely associated with facial and fingerprint recognition, biometrics have been on the rise since at least 2013, when the launch of TouchID placed the technology in every iPhone user’s hands. But the adoption of biometric technologies—particularly facial recognition biometrics—was dampened by cultural and ethical concerns, with some fearing the establishment of a national biometric database. But today we are beginning to see the normalization of facial recognition biometrics, like those utilized by Snapchat and Instagram. Biometrics are also now widely seen used in critical infrastructure applications. Airports use biometrics to facilitate a faster boarding process, and hospitals are adopting biometrics for both patient care and as a HIPAA security precaution.
We predict this regular exposure to biometrics will lead to a larger cultural acceptance and adoption of biometrics as a trusted security standard, leading to the eventual death of usernames and passwords. Why bother with a login when your computer knows the minute details of your iris? But convenience may come as a cost. Corresponding with rising use, biometric data will continue to become a more valuable commodity for cybercriminals to steal.
The Beginning of the End for SSNs
“There will be significant discussion around replacing Social Security numbers for a more secure, universal personal identity option.” – Kristin Miller, Director of Communications
In 2017 the Equifax breach compromised 145.5 million Social Security numbers, forcing us to face an uncomfortable truth: SSNs are a legacy system. First available in 1935 from the newly minted Social Security Administration, they were created to track accounts using Social Security programs. They were never intended to act as the secure database key we expect them to be today.
The conversation has already begun on the federal level. “I think it’s really clear there needs to be a change,” White House Cybersecurity Coordinator Rob Joyce said at the 2017 Cambridge Cyber Summit. “It’s a flawed system. If you think about it, every time we use the Social Security number you put it at risk.”
Although it will be some time until we fully replace Social Security numbers, what should you expect from a replacement? When it comes to personal identifiers that are both unique and secure, the conversations tend to center around two technologies: biometrics and blockchains. Biometrics—particularly behavioral biometrics, which derive their logic from individual’s behavioral patterns, such as the syncopation of types or taps on a screen, or even your unique heart beat—are proving to be an especially intuitive solution.
Certification for the Internet of Things
“We will finally see a consumer IoT/connected goods certification body, similar to the Consumer Electrical Safety Certifications today. This will enforce the notion of Security by Design for a smart goods manufacturer.” – Paul Barnes, Sr. Director of Product Strategy
We love the Internet of Things (IoT). It powers our smart homes, our fitness trackers, and our voice assistants. But IoT devices are notoriously insecure, oftentimes featuring overlooked flaws that can lead to exploitation in unexpected places. A recent Pew Research Center survey looked at how growing security concerns are influencing the spread of IoT connectivity reported only 15% of participants saying security concerns would cause significant numbers of people to disconnect from IoT devices. Alternatively, 85% believe most people will move more deeply into an interconnected life due to the convenience of IoT products. Recently published documents may signal that the time of putting convenience ahead of security is quickly coming to an end.
The United Kingdom’s department for Digital, Culture, Media, and Sport (DCMS) published the “Code of Practice for Consumer IoT Security.” The code outlines thirteen steps for organizations to follow for the implementation of appropriate security measures in IoT offerings. It also emphasizes the need for a secure-by-design philosophy, a belief that security measures need to be designed into products, not bolted on afterwards. This type of regulatory influence on the industry is sure to make waves across the pond, and we are already seeing this play out with California’s new IoT security law.
Keep these predictions in mind as you make your way through 2019. Staying informed is the best way to keep you and your family safe, so check back here for more cybersecurity trend updates in the future!
Facebook API Bug Reveals Photos from 6.8 Million Users
Facebook announced this week that an API bug had been found that allowed third-party apps to access all user photos, rather than only those posted to their timeline. The vulnerability was only available for 12 days in mid-September, but could still impact up to 6.8 million users who had granted apps access to their photos in that time.
Children’s Charity Falls Victim to Email Scam
Over $1 million was recently diverted from a children’s charity organization after hackers were able to gain access to an internal email account and begin creating false documents and invoices. Due to a lack of additional authentication measures, the funds were promptly transferred to a Japanese bank account, though insurance was able to compensate for most of the loss after the scam was finally discovered.
Email Extortion Scams Now Include Hitmen
The latest in a series of email extortion campaigns promises its victims will be executed by a hitman if a Bitcoin ransom of $4,000 isn’t paid within 38 hours. Given such poorly executed scare tactics, it comes as no surprise that the payment account has still not received any funds after several days. Hopefully, as the threats of violence leads to victims contacting law enforcement rather than paying the scammers, these types of scams will become more rare.
Hackers Force Printers to Spam PewDiePie Message
Nearly 50,000 printers around the world have been spamming out a message suggesting subscribing to PewDiePie on YouTube and recommending the recipient improve their printer security. The group behind the spam has stated they want to raise awareness of the real threat of unsecured devices connected to the internet and how they can be used maliciously. In addition to sending print-outs, attackers could also steal data being printed or modify documents while they are being printed.
Cybersecurity Audit Shows Major Vulnerabilities in U.S. Missile Systems
A recent report showed that U.S. ballistic missile defense systems have consistently failed security audits for the past five years. Some of the major flaws included a lack of encryption for data stored on removable devices, patches reported in previous years that remained untouched, and the regular use of single-factor authentication for entire facilities. Physical security issues that could leave highly-sensitive data exposed to anyone willing to simply try to access it were also detailed in the report.
Clemson Supercomputer Susceptible to Cryptojacking
IT staff at Clemson University have been working to remove the recent introduction of a cryptominer on its supercomputer, known as Palmetto. As they compromised the system for the mining of Monero, the attackers’ ploy was only spotted due to spikes in computing power and rising operating costs for the supercomputer, since manually monitoring the entire system is nearly impossible. It’s still unknown who was responsible for the mining, but Clemson staff have already begun increasing security measures to discourage copy-cat crimes.
Cyberattack Strikes Italian Oil Company
Italian oil and gas company Saipemfell victim to a cyber-attack earlier this week that knocked several critical servers offline. The attack appears to have focused specifically on servers located in Middle Eastern countries in which the company operates. It’s presently believed the attackers were also involved in prior cyberattacks on Saudi Aramco, for whom Saipem is a supplier.
Data Breach Affects Topeka Residents
A data breach that could expose the personal details of nearly 10,000 residents of Topeka, Kansas was recently discovered. The breach could affect anyone who made online payments to the Topeka Utilities Department between October 31 and December 7. Officials are still working to determine the cause of the breach. The city’s utility department is in the process of contacting all 10,000 potential victims.
Google+ Reaches End of Life Sooner than Expected
While the consumer version of Google+was destined to be shut down in mid-2019, a new bug will hasten its end to April. This final vulnerability had the potential to expose entire user profiles to any applications searching for data, even if the account was set to private. This vulnerability left over 52 million accounts accessible to any number of app developers during the six days it was left exposed.
Android-based Trojan Steals Credentials
A new Trojan has been spotted on the Android OS that uses screen overlays for popular applications to trick users into entering credentials for apps like PayPal, Google Play, and even several banking apps. By displaying the overlay in the lock foreground screen, users are unable to close the pop-ups with normal methods, and can only do so by completing a form requesting login information. Additionally, the malware can identify if a legitimate app is currently installed and prompt the user to open it and log in, thereby removing a step in gaining access to the victim’s funds.
Virtual Private Networks (VPNs) are quickly becoming a fundamental necessity for staying safe online. From large corporations to family households, people are turning to VPNs to ensure their data is encrypted end to end. But as with any emerging technology, it’s easy to become overwhelmed with new and untested VPN options. So, how does Webroot® WiFi Security distinguish itself from other VPNs?
Whether or not you can trust your VPN provider should be the first thing to consider when selecting a VPN. A recent analysis of nearly 300 mobile VPN services on the Google Play store found that, unlike Webroot WiFi Security, almost one in five didn’t encrypt data as it was transmitted through their private network, a core tenant of VPN protection. At Webroot we have decades of cybersecurity experience. We’ve built confidence with every customer, from the world’s leading IT security vendors to families just like yours. Security and privacy are what we do best, and Webroot WiFi Security was purpose-built to always encrypt your data without screening, storing, or selling your private information.
“New products from unknown companies can be risky—what data are they capturing, what are they doing with the data, and how are they protecting that information?” notes Andy Mallinger, Webroot director of product. “Webroot has been in the security business for more than 20 years, and has built machine learning-based security systems for more than a decade. We designed our products to evolve with the ever-changing threat landscape. Adding VPN protection with Webroot WiFi Security, is a perfect next step in our continued evolution.”
Webroot WiFi Security was built to provide best-in-class security, while still being easy to use. A one-click setup automatically enables security features without any confusion or missed steps. For extra security, Android®, Mac®, and Windows® users can enable Webroot WiFi Security’s unique “killswitch” feature. If your VPN connection is lost, the kill switch prevents the transmission of your data over an unsecure network until you are reconnected to the VPN.
“Webroot WiFi Security also helps protect your privacy by obscuring your location,” says Randy Abrams, senior security analyst at Webroot. “Websites are able to precisely pinpoint your location and use that information to track your browsing habits. With Webroot WiFi Security, you can be in Broomfield, Colorado, but your VPN IP address can make it look like you are in any one of the more than 30 countries where our VPN servers are located.”
Privacy plus security
Webroot WiFi Security also offers Web Filtering powered by BrightCloud® Threat Intelligence*. This feature provides an extra layer of protection that keeps your financial information, passwords, and personal files from being exploited. Webroot goes a step above other VPNs by safeguarding users from visiting malicious or risky websites known to be associated with malware, phishing, key logging spyware, and botnets. Web Filtering is a feature that the user can choose to enable or disable.
The combination of consumer trust and the power of best-in-class threat intelligence makes Webroot WiFi Security one of the most unique and secure VPN offerings on the market. Webroot has a deep history of protecting its customers’ privacy, and we are excited to showcase this dedication in the VPN market.
Ready to make the switch to Webroot WiFi Security? Learn more after the jump.
*The BrightCloud Web Filtering feature is only available on Windows®, Mac®, and Android® systems.
Touch ID Used to Scam Apple Users
Two apps were recently removed from the Apple App Store after several users reported being charged large sums of money after installing the app and scanning their fingerprint. Both apps were fitness-related and had users scan their fingerprint immediately so they could monitor calories or track fitness progress. But the apps launched a payment confirmation pop-up with the user’s finger still on the device to charge any card on file for the account. Luckily, the apps were only available for a brief period before being removed and refunds issued.
Signet Jewelers Expose Customer Order Data
Signet Jewelers, the parent company for Kay and Jared jewelers, was informed last month by an independent researcher of a critical flaw in their online sites. By simply altering the hyperlink for an order confirmation email, the researcher was able to view another individual’s order, including personal payment and shipping information. While Signet resolved the issue for future orders, it took additional weeks to remedy the flaw for past orders.
WeChat Ransomware Hits over 100k Chinese Computers
In the five days since December began, a new ransomware variant dubbed WeChat Ransom has been spreading quickly across China. With over 100,000 computers currently infected and thousands more succumbing each day, WeChat has made a significant mark. Though it demands a ransom of only roughly $16 USD, the variant quickly begins encrypting the local environment and attempts to steal login credentials for several China-based online services. Fortunately, Tencent banned the QR code being used to send ransom payments and disabled the account tied to it.
Nearly 100 Million Users Compromised in Quora Breach
Servers containing sensitive information for nearly 100 million Quora.comusers were recently compromised by unknown hackers. In addition to personal information about users, any posts or messages sent over the service were also breached. While informing affected users of the leak, Quora stated that all password data they store was fully encrypted using bcrypt, which makes it considerably more expensive and time-consuming for the hackers to break the algorithms and obtain the data.
Marriott Hotels Breach Leaves Half a Billion Users Vulnerable
In one of the largest data breaches to date, Marriott International is under fire for exposing the personal data of nearly 500 million individuals. A class-action lawsuit has been filed against the hotel chain. For many victims, their names, home addresses, and even passport information was available on an unsecured server for nearly four years after the company merged with Starwood, whose reservation systems were already compromised.
Reading Time: ~2 min.
USPS Website Leaves Personal Data Available to Anyone
Within the last week, The U.S. Postal Service (USPS) has been working to resolve a vulnerability that allowed any authenticated user to view and modify the personal information for any of the other 60 million users. Fortunately, USPS was quick to fix the vulnerability before any detectable alterations were made, which could have included changes to social security numbers, addresses, and even live tracking information on deliveries.
Amazon Exposes Customer Data
Many Amazon shoppers recently received an email informing them that their personal information was released, though the announcement was light on details. To make matters worse, Amazon’s only response was that the issue has been fixed. It did not mention what the actual issue was or what may have caused it. Official Amazon forums have been bombarded with concerned customers in advance of the approaching holiday season.
IRS Audit Reveals Fraud Protection Failure
It was revealed during a recent audit of the IRS that victims of at least 89 unique data breaches received no fraud protection for their tax filings. The number of affected victims is just over 11,000, some of whom have already fallen victim to tax filing fraud for either their 2016 or 2017 tax return. IRS staff have made promises to include the missing breaches in their tracking systems as quickly as possible and to begin assisting the victims of these incidents.
Atrium Health Breach Involves 2.65 Million Patients
The names and other sensitive personal information have been compromised for over 2.65 million patients of Atrium Health after a third-party provider experienced a data breach. Over the course of a week in late September, several servers belonging to AccuDoc were illegitimately accessed, though none of the data was downloaded. Fortunately, the servers didn’t contain payment or personal medical records and Atrium Health was informed just 2 days after the incident was discovered.
New Jersey Police Computers Hit with Ransomware
Since Thanksgiving Day, the computer systems for one New Jersey police force have been taken completely offline after experiencing a ransomware attack. Computer and email systems normally used by office administrators were also shutdown as a precaution. It’s possible that the attack originated from one of the two official devices that have been missing for several months following the previous mayor’s abrupt passing.
Reading Time: ~5 min.At Webroot, we stay ahead of cybersecurity trends in order to keep our customers up-to-date and secure. As the end of the year approaches, our team of experts has gathered their top cybersecurity predictions for 2019. What threats and changes should you brace for?
General Data Protection Regulation Penalties
“A large US-based tech company will get hammered by the new GDPR fines.” – Megan Shields, Webroot Associate General Counsel
When the General Data Protection Regulation (GDPR) became law in the EU last May, many businesses scrambled to implement the required privacy protections. In anticipation of this challenge for businesses, it seemed as though the Data Protection Authorities (the governing organizations overseeing GDPR compliance) were giving them time to adjust to the new regulations. However, it appears that time has passed. European Data Protection Supervisor Giovanni Buttarelli spoke with Reuters in October and said the time for issuing penalizations is near. With GDPR privacy protection responsibilities now incumbent upon large tech companies with millions—if not billions—of users, as well as small to medium-sized businesses, noncompliance could mean huge penalties.
GDPR fines will depend on the specifics of each infringement, but companies could face damages of up to 4% of their worldwide annual turnover, or up to 20 million Euros, whichever is greater. For example, if the GDPR had been in place during the 2013 Yahoo breach affecting 3 billion users, Yahoo could have faced anywhere from $80 million to $160 million in fines. It’s also important to note that Buttarelli specifically mentions the potential for bans on processing personal data, at Data Protection Authorities’ discretion, which would effectively suspend a company’s data flows inside the EU.
“Further adoption of AI leading to automation of professions involving low social intelligence and creativity. It will also give birth to more advanced social engineering attacks.” – Paul Barnes, Webroot Sr. Director of Product Strategy
The Fouth Industrial Revolution is here and the markets are beginning to feel it. Machine learning algorithms and applied artificial intelligence programs are already infiltrating and disrupting top industries. Several of the largest financial institutions in the world have integrated artificial intelligence into aspects of their businesses. Often these programs use natural language processing—giving them the ability to handle customer-facing roles more easily—to boost productivity.
From a risk perspective, new voice manipulation techniques and face mapping technologies, in conjunction with other AI disciplines, will usher in a new dawn of social engineering that could be used in advanced spear-phishing attacks to influence political campaigns or even policy makers directly.
AI Will Be Crucial to the Survival of Small Businesses
“AI and machine learning will continue to be the best way to respond to velocity and volume of malware attacks aimed at SMBs and MSP partners.” – George Anderson, Product Marketing Director
Our threat researchers don’t anticipate a decline in threat volume for small businesses in the coming year. Precise attacks, like those targeting RDP tools, have been on the rise and show no signs of tapering. Beyond that, the sheer volume of data handled by businesses of all types of small businesses raises the probability and likely severity of a breach.
If small and medium-sized businesses want to keep their IT teams from being inundated and overrun with alerts, false positives, and remediation requests, they’ll be forced to work AI and machine learning into their security solutions. Only machine learning can automate security intelligence accurately and effectively enough to enable categorization and proactive threat detection in near real time. By taking advantage of cloud computing platforms like Amazon Web Services, machine learning has the capability to scale with the increasing volume and complexity modern attacks, while remaining within reach in terms of price.
Ransomware is Out, Cryptojacking is In
“We’ll see a continued decline in commodity ransomware prevalence. While ransomware won’t disappear, endpoint solutions are better geared to defend against suspicious ransom-esque actions and, as such, malware authors will turn to either more targeted attacks or more subtle cryptocurrency mining alternatives.” – Eric Klonowski, Webroot Principal Threat Research Analyst
Although we’re unlikely to see the true death of ransomware, it does seem to be in decline. This is due in large part to the success of cryptocurrency and the overwhelming demand for the large amounts of computing power required for cryptomining. Hackers have seized upon this as a less risky alternative to ransomware, leading to the emergence of cryptojacking.
Cryptojacking is the now too-common practice of injecting software into an unsuspecting system and using its latent processing power to mine for cryptocurrencies. This resource theft drags systems down, but is often stealthy enough to go undetected. We are beginning to feel the pinch of cryptojacking in critical systems, with a cryptomining operation recently being discovered on the network of a water utility system in Europe. This trend is on track to continue into the New Year, with detected attacks increasing by 141% in the first half of 2018 alone.
“Attacks will become more targeted. In 2018, ransomware took a back seat to cryptominers and banking Trojans to an extent, and we will continue see more targeted and calculated extortion of victims, as seen with the Dridex group. The balance between cryptominers and ransomware is dependent upon the price of cryptocurrency (most notably Bitcoin), but the money-making model of cryptominers favors its continued use.” – Jason Davison, Webroot Advanced Threat Research Analyst
The prominence of cryptojacking in cybercrime circles means that, when ransomware appears in the headlines, it will be for calculated, highly-targeted attacks. Cybercriminas are now researching systems ahead of time, often through backdoor access, enabling them to encrypt their ransomware against the specific antivirus applications put in place to detect it.
Government bodies and healthcare systems are prime candidates for targeted attacks, since they handle sensitive data from large swaths of the population. These attacks often have costs far beyond the ransom itself. The City of Atlanta is currently dealing with $17 million in post-breach costs. (Their perpetrators asked for $51,000 in Bitcoin, which the city refused to pay.)
The private sector won’t be spared from targeting, either. A recent Dharma Bip ransomware attack on a brewery involved attackers posting the brewery’s job listing on an international hiring website and submitting a resume attachment with a powerful ransomware payload.
Zero Day Vulnerabilities
“Because the cost of exploitation has risen so dramatically over the course of the last decade, we’ll continue to see a drop in the use of zero days in the wild (as well as associated private exploit leaks). Without a doubt, state actors will continue to hoard these for use on the highest-value targets, but expect to see a stop in Shadowbrokers-esqueoccurrences. Leaks probably served as a powerful wake-up call internally with regards to access to these utilities (or perhaps where they’re left behind). – Eric Klonowski, Webroot Principal Threat Research Analyst
Though the cost of effective, zero-day exploits is rising and demand for these exploits has never been higher, we predict a decrease in high-profile breaches. Invariably, as large software systems become more adept at preventing exploitation, the amount of expertise required to identify valuable software vulnerabilities increases with it. Between organizations like the Zero Day Initiative working to keep these flaws out of the hands of hackers and governmental bodies and intelligence agencies stockpiling security flaws for cyber warfare purposes, we are likely to see fewer zero day exploits in the coming year.
However, with the average time between the initial private discovery and the public disclosure of a zero day vulnerability being about 6.9 years, we may just need to wait before we hear about it.
The take-home? Pay attention, stay focused, and keep an eye on this space for up-to-the-minute information about cybersecurity issues as they arise.
Reading Time: ~5 min.‘Tis the season of giving, which means scammers may try to take advantage of your good will. A surprising fact about American donation habits is that everyday folks like yourself are the single largest driver of charitable donations in the United States. Giving USA’s Annual Report on Philanthropy found that individuals gave $286.65 billion in 2017, accounting for 70 percent of all donations in the country.
Last year, Giving Tuesday donations alone grew by 22 percent, with an average household donation of $111. With the seventh annual Giving Tuesday on November 27 fast approaching and technology that makes it increasingly easier to support your favorite causes, it’s more important than ever to keep your guard up before you click the “donate” button.
Unsolicited donation requests are fairly normal during the holiday season —especially since non-profits depend on year-end giving for the success of their organizations—but look out for a few behaviors as red flags. Overly aggressive pitches including multiple phone calls and emails, or high-pressure tactics that require your immediate donation, should always be avoided. Be on high alert for “phishy” emails and links; make sure to check the sender’s email address and hover over links to reveal their true destination before clicking on them. Even if a website looks legitimate, it may be a spoofed. Check that the domain matches the company you intended to visit. This can be trickier than it sounds. For instance, stjudehospital.com may appear to be genuine, but an easy Google search of “St. Jude Hospital” reveals their actual site to be stjude.org.
If you’re donating to a charity you’ve never worked with before, do a little research before committing your funds. Charity Navigator is a particularly useful resource; just type in the organization’s name and check out their rating. If they are not listed on Charity Navigator, it’s probably best to err on the side of caution and donate your hard-earned dollars elsewhere. Also, be sure to only enter sensitive or personal information into websites that have an SSL certificate; you’ll be able to tell if a page is secure if the link begins with “https”. (This is a great tip for shopping online this holiday season too.) Finally, before making any online donations, make sure you have a strong antivirus program installed that can detect phishing sites and that it’s up-to-date on all your devices.
If you are contacted by a charitable organization by telephone and want to make a donation, don’t give them your credit details over the phone. Have them mail you a donation form for you to evaluate and mail back. Remember: no legitimate charity will ask you to wire them money or pay them in gift cards. If you encounter a charity that is urging you to do so, cut all contact and block them on all platforms.
Bear in mind that not all charity scams are out for money, either—some are hoping to skim personal information. There is absolutely no reason to provide a charitable organization with information like your Social Security Number or driver’s license number—these are major red flags. Also, be especially cautious of requests to send an SMS code to donate via text message.
Social Media Scams
Social media is an easy and typically secure way to donate to legitimate charitable organizations, but scammers know how to use these platforms as well. Social media scams are on the rise, but a little bit of common sense goes a long way with donations on social channels. If you’re looking to donate to someone through a crowdfunding site, be sure the campaign fully answers these questions:
- Can you verify if the organizer of the campaign has an existing relationship with the intended donation recipient?
- Is there a plan for how the funds be used to aid the intended recipient?
- Are verifiable friends and family of the intended recipient making donations and leaving supportive comments?
- How will the intended recipient access the funds?
If you cannot easily find the answers to these questions, we recommend you avoid donating to that campaign.
Another pervasive social media scam is celebrity imposters who pretend to raise funds for charities or disaster relief. These imposters use the familiar faces of some of our favorite media personalities to gain our trust and access our wallets. If you have been solicited by a celebrity for donations, stop and take moment before you give. Make sure it’s their official social media page, which can be often verified on Twitter and Facebook by a small blue checkmark next to their name. You may also Google the celebrity’s name and “scam” to see if others have already reported a trap.
Source: @PatrickDempsey on Twitter
Attacks Targeting Seniors
While scams that target our aging loved ones are a problem year-round, the Consumer Financial Protection Bureau says scammers tend to ramp up their efforts during the holidays to take advantage of seasonal generosity. Most charity scams that target seniors are similar to the ones we all face, including phishing emails, phishing sites, and false charities. However, “Grandkid Scams” are a unique variety.
For this type of fraud, an older adult is contacted by a someone pretending to be a family member in desperate need of money or assistance, often impersonating a grandchild. Speak with the older adults in your life about the common signs of scams, like misspelled emails and requests for wire transfers, and teach them how to hover over a link to check its destination. Remind them to verify whether a family member is reaching out for money, and check in with them more often leading up to the holidays to catch any potential security issues early.
Stop Attacks Early
Vigilance is key in stopping a potential security breach in its tracks. If you believe you may have unwittingly sent money to a scam charity, reach out to the organization you used to send the money, such as your bank or credit card company. Tell them the transaction was fraudulent and ask them to cancel it, if possible. If you believe your personal information was exposed, you can freeze your credit to prevent any long-term damage. Also, if you think you may have encountered a charity scam of any type, be sure to report it to the FTC to help keep others safe.
Even if you don’t think you have suffered a breach, keep an eye on your credit score and monitor your banking and credit accounts closely this holiday season. Paying a little extra attention will help you act quickly if your information has been compromised, potentially saving you and your family major holiday heartache. For an added layer of protection, secure all of your family’s devices behind a trusted VPN, which will keep your private data encrypted and safe should anyone try to intercept information you send over WiFi.
Do you know of a common scam we missed? Have some advice you think we should have included? Let us know in the comments!