Reading Time: ~ 1 min.

Shoring Up Your Network and Security Policies: Least Privilege Models

Why do so many businesses allow unfettered access to their networks? You’d be shocked by how often it happens. The truth is: your employees don’t need unrestricted access to all parts of our business. This is why the Principle of Least Privilege (POLP) is one of the...

Online Gaming Risks and Kids: What to Know and How to Protect Them

Online games aren’t new. Consumers have been playing them since as early as 1960. However, the market is evolving—games that used to require the computing power of dedicated desktops can now be powered by smartphones, and online gaming participation has skyrocketed....

Thoughtful Design in the Age of Cybersecurity AI

AI and machine learning offer tremendous promise for humanity in terms of helping us make sense of Big Data. But, while the processing power of these tools is integral for understanding trends and predicting threats, it’s not sufficient on its own. Thoughtful design...

A Cybersecurity Guide for Digital Nomads

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means...

What Defines a Machine Learning-Based Threat Intelligence Platform?

Reading Time: ~ 4 min.

As technology continues to evolve, several trends are staying consistent. First, the volume of data is growing exponentially. Second, human analysts can’t hope to keep up—there just aren’t enough of them and they can’t work fast enough. Third, adversarial attacks that target data are also on the rise.

Given these trends, it’s not surprising that an increasing number of tech companies are building or implementing tools that promise automation and tout machine learning and/or artificial intelligence, particularly in the realm of cybersecurity. In this day and age, stopping threats effectively is nearly impossible without some next-generation method of harnessing processing power to bear the burden of analysis. That’s where the concept of a cybersecurity platform built on threat intelligence comes in.

What is a platform?

When you bring together a number of elements in a way that makes the whole greater or more powerful than the sum of its parts, you have the beginnings of a platform. Think of it as an architectural basis for building something greater on top. If built properly, a good platform can support new elements that were never part of the original plan.

With so many layers continually building on top of and alongside one another, you can imagine that a platform needs to be incredibly solid and strong. It has to be able to sustain and reinforce itself so it can support each new piece that is built onto or out of it. Let’s go over some of the traits that a well-architected threat intelligence platform needs.

Scale and scalability

A strong platform needs to be able to scale to meet demand for future growth of users, products, functionality. Its size and processing power need to be proportional to the usage needs. If a platform starts out too big too soon, then it’s too expensive to maintain. But if it’s not big enough, then it won’t be able to handle the burden its users impose. That, in turn, will affect the speed, performance, service availability, and overall user experience relating to the platform.

You also need to consider that usage fluctuates, not just over the years, but over different times of day. The platform needs to be robust enough to load balance accordingly, as users come online, go offline, increase and decrease demand, etc.

Modularity can’t be forgotten, either. When you encounter a new type of threat, or just want to add new functionality, you need to be able to plug that new capability into the platform without disrupting existing services. You don’t want to have to worry about rebuilding the whole thing each time you want to add or change a feature. The platform has to be structured in such a way that it will be able to support functionality you haven’t even thought of yet.

Sensing and connection

A threat intelligence platform is really only as good as its data sources. To accurately detect and even predict new security threats, a platform should be able to take data from a variety of sensors and products, then process it through machine learning analysis and threat intelligence engines.

Some of the more traditional sensors are passive, or “honeypots” (i.e. devices that appear to look open to attack, which collect and return threat telemetry when compromised.) Unfortunately, attack methods are now so sophisticated that some can detect the difference between a honeypot and a real-world endpoint, and can adjust their behavior accordingly so as not to expose their methods to threat researchers. For accurate, actionable threat intelligence, the platform needs to gather real-world data from real-world endpoints in the wild.

One of the ways we, in particular, ensure the quality of the data in the Webroot® Platform, is by using each deployment of a Webroot product or service—across our home user, business, and security and network vendor bases—to feed threat telemetry back into the platform for analysis. That means each time a Webroot application is installed on some type of endpoint, or a threat intelligence partner integrates one of our services into a network or security solution, our platform gets stronger and smarter.

Context and analysis

One of the most important features a threat intelligence platform needs is largely invisible to end users: contextual analysis. A strong platform should have the capacity to analyze the relationships between numerous types of internet objects, such as files, apps, URLs, IPs, etc., and determine the level of risk they pose.

It’s no longer enough to determine if a given file is malicious or not. A sort of binary good/bad determination really only gives us a linear view. For example, if a bad file came from an otherwise benign domain that was hijacked temporarily, should we now consider that domain bad? What about all the URLs associated with it, and all the files they host?

For a more accurate picture, we need nuance. We must consider where the bad file came from, which websites or domains it’s associated with and for how long, which other files or applications it might be connected to, etc. It’s these connections that give us a three-dimensional picture of the threat landscape, and that’s what begins to enable predictive protection.

The Bottom Line

When faced with today’s cyberattacks, consumers and organizations alike need cybersecurity solutions that leverage accurate threat telemetry and real-time data from real endpoints and sensors. They need threat intelligence that is continually re-analyzed for the greatest accuracy, by machine learning models that are trained and retrained, which can process data millions of times faster than human analysts, and with the scalability to handle new threats as they emerge. The only way to achieve that is with a comprehensive, integrated machine-learning based platform.

Global Privacy Concerns: The World’s Top Five Cities Using Invasive Technology

Reading Time: ~ 4 min.

Cities are expanding their technological reach. Many of their efforts work to increase public protections, such as using GPS tracking to help first responders quickly locate the site of a car accident. But, in the rush for a more secure and technologically advanced city, privacy can fall by the wayside. We’ve reviewed the top cities around the world that are using technologies that may invade citizens’ privacy, so you know what to expect and what you can do. 

Big brother in Beijing, China 

China is infamous for its mass surveillance, with Beijing often serving as a testing ground for new surveillance software. The Chinese government uses internet monitoring, GPS tracking, and the “world’s biggest camera surveillance system”, with more than 170 million CCTV cameras to monitor the country’s populace. These CCTV cameras are backed by powerful facial recognition algorithms, which can track an individual down in just seven minutes. It is safe to say that you are probably being monitored anywhere you travel while in China, but a general rule is that, the higher the population, the more surveillance there is.  

The town of Yizhuang has more than 2,243 high definition security cameras, 277 vehicle recognition cameras, and 267 facial recognition cameras. It also features six patrol vehicles with mobile cameras, and enforcement officers equipped with video capture equipment. Each of these cameras is sending live video streams to a main control center 24/7—all to monitor a single 11-square-mile suburb of Beijing. 

Beijing is also preparing to roll out a social credit system in 2020. This system will award personal trustworthiness points to citizens and businesses based on their financial credit scores, as well as their personal and professional behavior. In the meantime, how the Chinese government plans to use this system to reward or punish its citizens remains a mystery. 

Always watching in Moscow, Russia 

Not one to be outdone, Russia has also embraced mass CCTV surveillance. Moscow alone has more than 170,000 cameras, making it the most surveilled city in Russia. Facial recognition software is paired with this massive network of cameras to track down persons of interest, though exactly what defines a “person of interest” is somewhat nebulous. In fact, Moscow officials recently admitted that they “can now trace the debtors’ movements,” thanks to this massive network of CCTV cameras. He declined to comment on the number of debtors who have been traced using this technology, nor the severity of their debts. 

Mass monitoring in Darwin, Australia 

Darwin, Australia is piloting a surveillance system similar to the technologies used in China, with some warning that it could evolve into a social credit system. Darwin has installed poles throughout the city outfitted with speakers, cameras, and WiFi. These monitoring stations track people and their movements all around the city, and are aided by facial recognition software. They can even respond to triggers, such as when a specific individual breaches a “virtual fence.” 

“We’ll be getting sent an alarm saying, ‘There’s a person in this area that you’ve put a virtual fence around.’ … Boom, an alert goes out to whatever authority, whether it’s us or police to say ‘Look at camera five,’” said Josh Sattler, the Darwin Council’s General Manager for Innovation, Growth, and Development services in an article with NT News.  

This system also tracks mobile phone use, web traffic, and mobile app usage—but only to help local businesses, of course. 

“[It will tell us] where people are using WiFi, what they’re using WiFi for, are they watching YouTube, etc., all these bits of information we can share with businesses… we can let businesses know ‘Hey, 80 percent of people actually use Instagram within this area of the city, between these hours,’” said Sattler. 

‘I spy’ in New York City, USA 

In an effort to assist its police force, NYC has turned to the world’s largest surveillance technology company—the Chinese state-owned Hikvision—to install the same surveillance tools being used in China. Thousands of surveillance cameras have been operating in New York City since 2014, using the same facial recognition software that enables law enforcement in Beijing to locate and track individuals within the city. These cameras are equipped with infrared sensors that help capture high resolution images even in very low light. The NYPD has direct access to this surveillance network, and monitors the footage remotely to avoid showing an obvious police presence. The full extent of the surveillance in New York is unknown, but reports indicate the NYPD is using these products on a “large scale.” 

Small-town surveillance in Hillsboro, USA 

Hillsboro, Oregon is the smallest city on this list, with a population of just over 100,000. So why is such a small town on the same list as places like Beijing, Moscow, and New York? The Washington County Sheriff’s Office, which presides over Hillsboro, recently became the first law enforcement agency in the United States to use Amazon’s AI-powered facial recognition tool, Rekognition. As this is the first real-world test of this technology, its accuracy is hotly debated. Many experts argue that this technology will likely lead to the wrongful arrest of innocent people whose only crime is bearing a resemblance to the accused. 

More than 300,000 mug shots taken at the Washington County jail have been uploaded into the Rekognition system. These pictures can be cross-referenced with images from a security camera, social media accounts, or even a deputy’s mobile device—without requiring a warrant. More than 1,000 facial recognition searches were logged into the Rekognition system by the Washington County Sheriff’s Office, but public records requests show that only nine official case reports mention the use of the tool. Washington County deputies are under no imperative to note when facial recognition software assisted with an arrest, so we have no way to judge how accurate the system is. 

Your Privacy is Your Concern 

While the only way to avoid detection through the facial recognition algorithms is to hide or alter your face, there are some precautions you can take to protect your privacy when visiting these cities. As an example, you can easily obscure your digital traffic, which can help prevent the kind of tracking reported in Darwin. Strong encryption is your best protection against privacy invasive cities. Research a reliable VOIP and text messaging encryption service, and invest in a trusted VPN to shield your web and mobile traffic. Encryption may not stop state actors from intercepting your data, but it will make it nearly impossible for them to interpret it. 

Have other tips for protecting your privacy while traveling? Let us know in the comments. 

A Chat with Kelvin Murray: Senior Threat Research Analyst

Reading Time: ~ 3 min.

In a constantly evolving cyber landscape, it’s no simple task to keep up with every new threat that could potentially harm customers. Webroot Senior Threat Research Analyst Kelvin Murray highlighted the volume of threats he and his peers are faced with in our latest conversation. From finding new threats to answering questions from the press, Kelvin has become a trusted voice in the cybersecurity industry.

What is your favorite part of working as a Senior Threat Research Analyst? 

My favorite part about being a threat researcher is both the thrill of learning about new threats and the satisfaction of knowing that our work directly protects our customers. 

What does a week as a Senior Threat Research Analyst look like? 

My week is all about looking at threat information. Combing through this information helps us find meaningful patterns to make informed analysis and predictions, and to initiate customer protections. It roughly breaks down into three categories. The first would be “top down” customer data like metadata. The data we glean from our customers is very important and a big part of what we do. The interlinking of all our data and the assistance of powerful machine learning is a great benefit to us.  

Next would be “whole file” information, or static file analysis and file testing. This is a slow process but there are times when the absolute certainty and granular detail that this kind of file analysis provides is essential. This isn’t usually part of my week, but I work with some great specialists in this regard.  

Last would be news and reports on the threat landscape in general. Risks anywhere are risks everywhere. Keeping up to date with the latest threats is a big part of what I do. I work with a variety of internal teams and try to advise stakeholders, and sometimes media, on current threats and how Webroot fits in. Twitter is a great tool for staying in the know, but without making a list to filter out the useful bits from the other stuff I follow, I wouldn’t get any work done! 

What skills have you built in this role? 

Customer support taught me a lot in terms of the client, company culture, and dealing with customer requests. By the time I was in business support I was learning the newer console system and more corporate terms. Training on the job was very useful for my move to threat, where I also picked up advanced malware removal (AMR), which is the most hands on you can get with malware and the pain it causes customers. All of that knowledge is now useful to me in my public facing role where I prepare webinars, presentations, interviews, blogs, and press answers about threats in general. 

What is your greatest accomplishment in your career at Webroot so far? 

Learning the no-hands trick on the scooter we have in the office. And of course my promotion to Senior Threat Research Analyst. I have had a lot of different roles in my time here, but I’m glad I went down the path I did in terms of employment. There’s never a dull moment when you are researching criminal news and trends, and surprises are always guaranteed. 

What brought you to Webroot? 

I like to say divine providence. But really I had been travelling around Asia for a few months prior to this job. When I got back home I was totally broke and needed a job. A headhunter called me up out of the blue, and the rest is history.   

Are you involved in anything at Webroot outside of your day to day work? 

Listening, singing and (badly) dancing to music. Dublin is a fantastic place for bands and artists to visit given its proximity to the UK and Europe and the general enthusiasm of concert goers. I do worry that a lot of venues, especially nightclubs, are getting shut down and turned into hotels though. I sing in a choir based out of Trinity College.  

Favorite memory on the job? 

Heading to (the now closed) Mabos social events with my team. The Mabos collective ran workshops and social and cultural events in a run-down warehouse that they lovingly (and voluntarily) converted down in Dublin’s docklands. Funnily enough, that building is now Airbnb’s European headquarters. 

What is your favorite thing about working at Webroot? 

The people that I get to work with. I have made many great friendships in the office and still see previous colleagues socially, even those from five or six years ago.  

What is the hardest thing about being a Senior Threat Research Analyst? 

Prioritizing my time. I can try my hand at a few different areas at work, but if I don’t focus enough on any one thing then nothing gets done. I find everything interesting and that curiosity can get in the way sometimes! 

What is your favorite thing to do in Dublin?  

Trying new restaurants and heading out to gigs. I’d be a millionaire if I didn’t eat out at lunchtime so much. Dublin is full of great places. I like all kinds of gigs from dance to soul to traditional. The Button Factory is one of the coolest venues we have. 

How did you get into the technology field? 

I first become interested in technology through messing with my aunt’s Mac back in the early 90s. There were a lot of cool games on her black and white laptop she brought home from a compucentre she worked in, but the one that sticks in my memory was Shufflepuck Café. My dad always had some crazy pre-Windows machines lying around. Things with cartridges or orange text screens running Norton commander. 

 To learn more about life at Webroot, visit https://www.webroot.com/blog/category/life-at-webroot/

Cyber News Rundown: Banking Trojan Closes Ohio Schools

Reading Time: ~ 2 min.

Banking Trojan Shuts Down Ohio School District

After the discovery of the banking Trojan known as Trickbot, an Ohio school district was forced to cancel school since they were unable to fully disinfect the networks before classes resumed the following Monday. Preliminary reports have concluded that no students were responsible for the attack, as it appears to have started its data-gathering on a computer belonging to the district treasurer’s office. In order for classes to resume normally, the IT staff for the district had to re-format nearly 1,000 affected computers. 

GetCrypt Spreading Through RIG Exploit Kits

Another ransomware variant, GetCrypt, has been spotted in the wild that spreads itself across systems by redirecting visitors to a compromised website to a separate page hosting an exploit kit. After checking for several Eastern European languages, the ransomware begins encrypting all files on the system and displays a standard ransom note. In addition to removing all available shadow copies from the computer, GetCrypt also appends all encrypted files with a randomized, four-character string based on the CPUID of the device itself.

Google Assistant Logs All Online Purchases

It was recently discovered that Google’s Assistant, released last year, keeps a log of all online purchases for which a receipt was sent to the user’s Gmail account. The “Payments” page on a user’s Google account shows transactions, flight and hotel reservations, and other purchases made up to several years prior, even showing the cost, date, and time of the purchase.

Forbes Joins List of Magecart Victims

It was revealed late last week that Forbes had fallen victim to a Magecart attack possibly affecting anyone who made a purchase on the site during that time. Fortunately, the researcher who discovered the attack quickly notified both Forbes and the domain owner, resulting in a swift removal of the malicious payment card skimmer from the highly-trafficked site. It’s likely that Forbes became a victim after another vendor in their supply chain was compromised.

Australian IT Contractor Arrested for Cryptomining

An IT contractor working in Australia was arrested after being caught running cryptomining software on government-owned computers, which netted him over $9,000 in cryptocurrency. The charges encompass misuse of government systems by making modifications to critical functions and security measures for personal gain while in a position of trust. By making these changes, this contractor could have exposed a much larger portion of the network to malicious actors who take advantage of misconfigured settings to access company data.

A Cybersecurity Guide for Digital Nomads

Reading Time: ~ 3 min.

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means their favorite coffee shop or co-working space. For others, it means an idyllic beach in Bali or countryside public house. One thing remains true wherever a digital nomad may choose to lay down their temporary roots: They are at a higher cybersecurity risk than a traditional worker. So what risks should they look out for? 

Public Wifi

Without a doubt, public WiFi is one of the main cybersecurity hazards many digital nomads face. The massive and unresolved flaw in the WPA2 encryption standard used by modern WiFi networks means that anyone connecting to a public network is putting themselves at risk. All public WiFi options—including WiFi provided by hotels, cafes, and airports—poses the risk of not being secure. How can a digital nomad be digital if their main source of internet connectivity is a cybersecurity minefield?  

When connecting to public WiFi as a digital nomad, it is crucial to keep your web traffic hidden behind a virtual private network (VPN). A quality VPN app is simple to set up on your mobile devices—including laptops and smart phones—and uses a strong encryption protocol to prevent hackers and other snoops from stealing important personal information such as account passwords, banking information, and private messages. VPNs will keep your data encrypted and secure from prying eyes, regardless of locale.

Device Theft

Physical device theft is a very real risk for digital nomads, but one that can largely be avoided. The first and most obvious step to doing so is to never leave your devices unattended, even if your seatmate at the coffee shop seems trustworthy. Always be mindful of your device visibility; keeping your unattended devices and laptop bags locked away or out of sight in your hotel room is often all it takes to prevent theft. Purchasing a carrying case with a secure access passcode or keyed entry can also act as an additional deterrent against thieves looking for an easy mark. 

If your device is stolen, how can you prevent the damage from spiraling? Taking a few defensive measures can save digital nomads major headaches. Keep a device tracker enabled on all of your devices—smartphones, tablets, and laptops. Both Apple and Android have default services that will help you locate your missing device.  

But this will only help you find your property; it won’t prevent anyone from accessing the valuable data within. That’s why all of your devices should have a lock screen enabled, secured with either a pin or a biometric ID, such as your fingerprint. If you believe these efforts have failed and your device is compromised, enabling multi-factor authentication on your most sensitive accounts should help reduce the effect of the breach.  

However, if you cannot recover your device, remotely wiping it will prevent any additional data from being accessed. If you have a device tracker enabled, you will be able to remotely wipe your sensitive data with that software. If you’re using a data backup solution, any lost files will be recoverable once the status of your devices is secure 

Lower Your Risk

Being a digital nomad means that you’re at a higher risk for a breach, but that doesn’t mean you can’t take steps to lower that risk. These best practices could drastically reduce the risk incurred by leading a digitally nomadic lifestyle. 

  • Toggle off. Remember to always turn off WiFi and Bluetooth connectivity after a session. This will prevent accidental or nefarious connections that could compromise your security. 
  • Mindfulness. Be aware of your surroundings and of your devices. Forgetting a device might be an acceptable slip up for most, but for a digital nomad it can bring your lifestyle to a grinding halt. 
  • Be prepared. Secure your devices behind a trusted VPN before beginning any remote adventures. This will encrypt all of your web traffic, regardless of where you connect.  
  • Stop the spread. In case of a device or account breach, strong passwords and multi-factor authentication will help minimize the damage. 

A staggering 4.8 million Americans describe themselves as digital nomads, a number that won’t be going down anytime soon. With remote work becoming the new norm, it’s more important than ever that we take these cybersecurity measures seriously—to protect not just ourselves, but also our businesses and clients. Are you a digital nomad making your way through the remote-work landscape? Let us know your top tips in the comments below! 

Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware

Reading Time: ~ 2 min.

WhatsApp Exploited to Install Spyware through Calls

A serious flaw has been discovered in the messaging app WhatsApp that would allow an attacker to install spyware on a victim’s device by manipulating the packets being sent during the call. Further disguising the attack, the malicious software could be installed without the victim answering the call, and with access to the device the attacker could also delete the call log. Fortunately, the Facebook-owned app was quick to respond and quickly released an update for affected versions. 

SIM Swapping Group Officially Charged

Nine men in their teens and 20s have been arrested and charged for a SIM-swapping operation that netted the group over $2 million in stolen cryptocurrency. The group operated by illicitly gaining access to phone accounts by having the phone swapped to a SIM card in their control. The group would then fraudulently access cryptocurrency accounts by bypassing 2-factor authentication, since login codes were sent to devices under their control. Three of the group were former telecom employees with access to the systems needed to execute the scam.

Web Trust Seal Injected with Keylogger

A recent announcement revealed that scripts for the “Trust Seals” provided by Best of the Web to highly-rated websites were compromised and redesigned to capture keystrokes from site visitors. While Best of the Web was quick to resolve the issue, at least 100 sites are still linking customers to the compromised seals. This type of supply chain attack has risen in popularity recently. Hackers have been seen injecting payment stealing malware into several large online retailer’s websites since the beginning of the year.

Fast Retailing Data Breach

The online vendor Fast Retailing is currently investigating a data breach that gave attackers full access to nearly half a million customer accounts for two of the brand’s online stores. The attack took place within the last three weeks and targeted payment information with names and addresses for customers of UNIQLO Japan and GU Japan. Fast Retailing has since forced a password reset for all online customers and delivered emails with further information for those affected by the attack.

Data Leak in Linksys Routers

Last week researchers discovered a flaw in over 25,000 Linksys routers that could give attackers access to not only the device’s MAC address, but also device names and other critical settings that could compromise the security of anyone using the router. Additionally, by identifying the device’s IP address, attackers could even use geolocation to gauge the approximate location of the exploited device, all without authentication.

Cloud Services in the Crosshairs of Cybercrime

Reading Time: ~ 3 min.

It’s a familiar story in tech: new technologies and shifting preferences raise new security challenges. One of the most pressing challenges today involves monitoring and securing all of the applications and data currently undergoing a mass migration to public and private cloud platforms.

Malicious actors are motivated to compromise and control cloud-hosted resources because they can gain access to significant computing power through this attack vector. These resources can then be exploited for a number of criminal money-making schemes, including cryptomining, DDoS extortion, ransomware and phishing campaigns, spam relay, and for issuing botnet command-and-control instructions. For these reasons—and because so much critical and sensitive data is migrating to cloud platforms—it’s essential that talented and well-resourced security teams focus their efforts on cloud security.

The cybersecurity risks associated with cloud infrastructure generally mirror the risks that have been facing businesses online for years: malware, phishing, etc. A common misconception is that compromised cloud services have a less severe impact than more traditional, on-premise compromises. That misunderstanding leads some administrators and operations teams to cut corners when it comes to the security of their cloud infrastructure. In other cases, there is a naïve belief that cloud hosting providers will provide the necessary security for their cloud-hosted services.

Although many of the leading cloud service providers are beginning to build more comprehensive and advanced security offerings into their platforms (often as extra-cost options), cloud-hosted services still require the same level of risk management, ongoing monitoring, upgrades, backups, and maintenance as traditional infrastructure. For example, in a cloud environment, egress filtering is often neglected. But, when egress filtering is invested in, it can foil a number of attacks on its own, particularly when combined with a proven web classification and reputation service. The same is true of management access controls, two-factor authentication, patch management, backups, and SOC monitoring. Web application firewalls, backed by commercial-grade IP reputation services, are another often overlooked layer of protection for cloud services.

Many midsize and large enterprises are starting to look to the cloud for new wide-area network (WAN) options. Again, here lies a great opportunity to enhance the security of your WAN, whilst also achieving the scalability, flexibility, and cost-saving outcomes that are often the primary goals of such projects.  When selecting these types of solutions, it’s important to look at the integrated security options offered by vendors.

Haste makes waste

Another danger of the cloud is the ease and speed of deployment. This can lead to rapidly prototyped solutions being brought into service without adequate oversight from security teams. It can also lead to complacency, as the knowledge that a compromised host can be replaced in seconds may lead some to invest less in upfront protection. But it’s critical that all infrastructure components are properly protected and maintained because attacks are now so highly automated that significant damage can be done in a very short period of time. This applies both to the target of the attack itself and in the form of collateral damage, as the compromised servers are used to stage further attacks.

Finally, the utilitarian value of the cloud is also what leads to its higher risk exposure, since users are focused on a particular outcome (e.g. storage) and processing of large volumes of data at high speeds. Their solutions-based focus may not accommodate a comprehensive end-to-end security strategy well. The dynamic pressures of business must be supported by newer and more dynamic approaches to security that ensure the speed of deployment for applications can be matched by automated SecOps deployments and engagements.

Time for action

If you haven’t recently had a review of how you are securing your resources in the cloud, perhaps now is a good time. Consider what’s allowed in and out of all your infrastructure and how you retake control. Ensure that the solutions you are considering have integrated, actionable threat intelligence for another layer of defense in this dynamic threat environment.

Have a question about the next steps for securing your cloud infrastructure? Drop a comment below or reach out to me on Twitter at @zerobiscuit.

Cyber News Rundown: Dharma Diversion

Reading Time: ~ 2 min.

Dharma Ransomware Employs Diversion Tactics

Researchers recently discovered a new ransomware variant that displays an ESET AV removal screen once launched in order to divert the a victim’s attention from the silent encryption taking place. Initially dropped by an email spam campaign, the payload comes as a password protected zip archive, with the password made available in the body of the email to entice curious readers. In addition to the ESET removal instructions, the archive also contains a traditional ransom demand with instructions for purchasing and transferring Bitcoin.

Binance Crypto-Exchange Hacked

At least 7,000 Bitcoin were illicitly removed from the hot wallet of Binance, an international cryptocurrency exchange, in a single transaction. By compromising the personal API keys and bypassing two-factor authentication, the hackers were able to access the wallet and steal roughly $41 million worth of Bitcoin. The complete details of the breach are still unknown.

Global Malvertiser Sentenced in US

A man operating several fake companies distributing hundreds of millions of malicious ads across the globe has been arrested and is facing charges after his extradition to the U.S. For nearly five years, Mr. Ivanov and his co-conspirators created dozens of malvertising campaigns, usually starting a new one immediately after the previous one was flagged by a legitimate ad network. While this is not the only case of malvertising campaigns causing chaos on the web, it is one of the first to see actual indictments.

Robbinhood Ransomware Shuts Down Two US Cities

Both Baltimore City Hall and the city of Amarillo, Texas, were victims of a variant of Robbinhood ransomware this week. Following the attack, citizens of both cities will be seeing online bill payment options temporarily offline as they work to restore networks that were damaged or disconnected to stop the spread of the infection. This is the second cyber attack to hit both cities within the past year, with Potter County, Texas recovering from a similar attack just a couple weeks ago. Neither city has released more information on the ransom amount or when the attack began.

Freedom Mobile Exposes Payment Credentials

An unencrypted database containing millions of customer records for Freedom Mobile, a Canadian telecom provider, was discovered to be left freely available to the public. While the database was secured in less than a week, the time it was left accessible to criminals is cause for concern. The data contained full payment card information, including essentially everything a criminal would need to commit identity fraud against millions of people. Though Freedom Mobile claims the 15,000 were affected, it calls into question the practices used to store their sensitive data.

Webroot Spotlight: Michael Balloni, Senior Manager of Software Development

Reading Time: ~ 3 min.

No one can say that Senior Software Manager Michael Balloni isn’t a team player. Because Michael is constantly tasked with tackling multiple advanced technical projects at once, he relies on his top-notch engineering team to prioritize and keep projects moving while he orchestrates the collective.  

Loyal to the end, Michael Balloni has seen a promising career as a software developer under the tutelage of Webroot CTO, Hal Lonas. This is the second company he’s worked at with Hal, and he’s found the Webroot culture of innovation and teamwork unparalleled.

What are some projects you are currently working on and how do you prioritize them?

I’m on the DNS team and we’re currently improving the security and scalability of the product. The team strives to provide DNS protection in all networking situations: in the office, home, coffee shop, airport, you name it. With any project, prioritization is key. You have to pick your battles, and work with the product manager to stay informed of business trends and needs. We also have bi-weekly “sprint planning” where our team goes over what we had set out to do in the previous two weeks and decides what to finish it in the next two weeks, and what new work to take on.

How do you promote technical leadership?

Technical leadership involves staying up to date on our industry and technical craft, then sharing that information with the broader team. It also involves staying current on the development of the products and steering in that direction as needed. Most of the time, there’s no need to change direction but sometimes there is, and can be tough to identify. I’ve learned that getting clarification and input should happen before prescribing a fix to what may not be a problem at all.

What is your greatest accomplishment in your career at Webroot so far?

There was a misunderstanding between a development team and their management. Management did not think the development team had a plan to move forward with a pressing need in an area, and created their own plan for getting it across the goal line. Unaware of this, development went ahead and made their own plan for solving the problem. I put together a meeting for development and later met with the product manager from the team’s management. We took everyone’s perspective into account, and both teams proceeded informed and respected from there. It helped me hone my cross-team management skills a lot.

What brought you to Webroot after your last job?

I had fun working with Webroot’s CTO Hal Lonas in the 2000s at a previous company. He’s such a clear-headed individual. He really listens to your ideas and excels at communication. He was able to teach me about prioritizing pretty early on. He taught me to identify if something isn’t going to work early and to know where to focus. We luckily haven’t had many projects where that has happened here, but it’s a good skill to have. There’s a reason he’s a CTO—he’s technical, but also a people person for sure.

How did you get into the technology field?

When I was a little kid I used to work on these electronic kits that would come with wires and springs. It was a circuit board with different electronic pieces like restrictors and capacitors. I would wire them together to make circuits that all did different things. In high school, I would build loudspeakers and amplifiers, I was always attracted to tech in that way.

What is your favorite thing about working at Webroot?

Everybody says it, but it’s the people. Everyone is sharp, hardworking, and friendly. We have a good thing here. It’s an environment of good intentions and backing each other up. Simply put, this is a great place to work!

Check out career opportunities at Webroot here: www.webroot.com/careers

Why Simplified Security Awareness Training Matters for MSPs and SMBs

Reading Time: ~ 3 min.

In a recent report by the firm 451 Research, 62 percent of SMBs reported having a security awareness training program in place for their employees, with half being “homegrown” training courses. The report also found that most complained their programs were difficult to implement, track, and manage.

Like those weights in the garage you’ve been meaning to lift or the foreign language textbook you’ve been meaning to study, even our most well-intentioned efforts flounder if we’re not willing to put to use the tools that can help us achieve our goals.

So it goes with cybersecurity training. If it’s cumbersome to deploy and manage, or isn’t able to clearly display its benefits, it will be cast aside like so many barbells and Spanish-language dictionaries. But unfortunately, until now, centralized management and streamlined workflows across client sites have eluded the security awareness training industry.

The Importance of Effective Security Awareness Training

The effectiveness of end user cybersecurity training in preventing data breaches and downtime has been demonstrated repeatedly. Webroot’s own research found security awareness training cut clicks on phishing links by 70 percent, when delivered with regularity. And according to the 2018 Data Breach Investigation Report by Verizon, 93 percent of all breaches were the result of social engineering attacks like phishing.

With the average cost of a breach at around $3.62 million, low-overhead and effective solutions should be in high demand. But while 76 percent of MSPs reported using some type of security awareness tool, many still rely on in-house solutions that are siloed from the rest of their cybersecurity monitoring and reporting.

“MSPs should consider security awareness training from vendors with cybersecurity focus and expertise, and who have deep visibility and insights into the changing threat landscape,” says 451 Research Senior Analyst Aaron Sherrill.

“Ideally, training should be integrated into the overall security services delivery platform to provide a unified and cohesive approach for greater efficacy.”

Simple Security Training is Effective Security Training

Security awareness training that integrates with other cybersecurity solutions—like DNS and endpoint protection—is a good first step in making sure the material isn’t brushed aside like other implements of our best intentions.

Global management of security awareness training—the ability to initiate, monitor, and report on the effectiveness of these programs from a single pane of glass across all of your customers —is the next.

When MSPs can save time by say, rolling out a simulated phishing campaign or training course to one, many or allclient’s sites across the globe with only a few clicks, they both save time and money in management overhead, and are more likely to offer it as a service to their clients. Everyone wins.

With a console that delivers intuitive monitoring of click-through rates for phishing campaigns or completion rates for courses like compliance training, across all client sites, management is simplified. And easily exportable phishing and campaign reports help drive home a client’s progress.

“Automation and orchestration are the force multipliers MSPs need to keep up with today’s threats and provide the best service possible to their clients,” says Webroot SVP of Product Strategy and Technology Alliances Chad Bacher.”

So as a growing number of MSPs begin to offer security awareness training as a part of their bundled services, and more small and medium-sized businesses are convinced of its necessity, choosing a product that’s easy to implement and manage becomes key.

Otherwise, the tool that could save a business from a breach becomes just another cob-webbed weight bench waiting for its day.

To learn about security training that’s effective, efficient, and easy to use, read about our new Webroot® Security Awareness Training release.

A False Sense of Cybersecurity: The Riskiest States in America

Reading Time: ~ 5 min.

Like many Americans, you might think your online habits are safe enough—or, at least, not so risky as to put you in danger for cybercrime. As it happens, most of us in the U.S. are nowhere near as secure as we think we are.

As part of our recent survey to better understand people’s attitudes, perspectives, and behaviors relating to online cyber-safety (or “cyber-hygiene”), we calculated each state’s cyber-hygiene score, which you can think of like a test score on people’s understanding and practice of good online habits. I’ve repaired computers and worked in the cybersecurity business for almost 15 years now, and I was shocked by some of the results.

Cut to the chase: just how bad were the results?

Bad. The average across all 50 states was only 60% (that’s a D in letter grades) on our scale. In fact, only 10% of Americans got a 90% or higher (i.e. an A). The riskiest states—Mississippi, Louisiana, California, Alaska, and Connecticut— combined for an average score of 56%. So what made their scores so low?

  • In Mississippi, almost 1 in 4 people don’t use any kind of antivirus and don’t know if they’ve ever been infected by malware.
  • Only 44% of Louisiana residents take any precautions before clicking links in emails leaving themselves vulnerable. (This is a great way to get scammed by a phishing email and end up with a nasty infection on your computer.)
  • Over 43% of Californians and Alaskans share their passwords with friends or family.

What does people’s perception vs. reality look like?

Americans in every state were overconfident. An astounding 88% feel they take the right steps to protect themselves. But remember, only 10% of people scored an A on our test, and the highest scoring state (New Hampshire) still only got an average of 65% (that’s still only a D).

While the average American has a surface level understanding of common cyber threats, there’s a lot of room for education. Many of those interviewed have heard of malware (79%), phishing (70%), and ransomware (49%), but few could explain them. Defending against the most common online threats in today’s landscape requires a basic understanding of how they work. After all, the more cyber aware you are of an attack such as phishing, the greater chance you have to spot and avoid it.

Along with understanding common cyberattacks, it’s also important to recognize threats to your online privacy. An alarming amount of Americans don’t keep their social media accounts private (64%) and reuse their passwords across multiple accounts (63%).

Given the number of news reports involving major companies getting breached, huge worldwide ransomware attacks, etc., we were pretty surprised by these numbers. As you’re reading these, you might be checking off a mental list of all the things you do and don’t know, the actions you do and don’t take when it comes to cybersecurity. What’s important here is that this report should act as a reminder that understanding what kinds of threats are out there will help you take the proper precautions. And, following a few simple steps can make a huge difference in your online safety.

How about some good news?

There is good news. There are some who scored a 90% or above on our test. We call them Cyber-Hygiene Superstars, because they not only take all the basic steps to protect themselves and their data online, but they go above and beyond. Cyber-Hygiene Superstars are evenly spread across the entirety of the U.S., and they help demonstrate to the rest of us that it’s easy to raise our own cyber-hygiene scores.  

Some of the standout behavior of superstars included regularly backing up their data in multiple ways, always using antivirus, and using a VPN when connecting to public WiFi hotspots.

Superstars can also explain common attacks and are less likely to fall victim of phishing attacks and identity theft. They frequently monitor their bank and credit card statements and regularly check their credit scores.

What can you do to improve your cyber-hygiene score?

All in all, it’d be pretty easy for the average American to take their score from a D to at least a B, if not higher. You won’t have to do anything drastic. But just making a few small tweaks to your regular online behavior could work wonders to keep you and your family safe from cybercrime.

  1. Use antivirus/antimalware software.
    There are a lot of free solutions out there. While you typically get what you pay for in terms of internet security, even a free solution is better than no protection at all.
  2. Keep all your software and your operating system up to date.
    This one’s super easy. Most applications and operating systems will tell you when they need an update. All you have to do is click OK instead of delaying the update to a later date.
  3. Don’t share or reuse passwords, and make sure to use strong ones.
    You might think password sharing is no big deal, especially when it comes to streaming or gaming sites, but the more you share, the more likely it is that your passwords could end up being misused. And if the password to just one of your accounts is compromised, then any of your other accounts that use that password could also become compromised. If you’re concerned about having to create and remember a lot of unique passwords, use a secure password manager.
  4. Lock down your social media profiles.
    Making your posts and personal details public and searchable means scammers can find your details and increase their chances of successfully stealing your identity or tricking you into handing over money or sensitive personal information.
  5. If you connect to public WiFi, use a VPN.
    Antivirus software protects the device, but a VPN protects your actual connection to the internet, so what you do and information you send online stays private.
  6. Back up your data.
    Cloud storage is a great solution. But it’s a good idea to do a regular physical backup to an external drive, too, particularly for important files like tax documents.
  7. Don’t enable macros in Microsoft® Office documents.
    If you’re ever trying to open a document and it tells you to enable macros, don’t do it. This is a common tactic for infections.
  8. Use caution when opening email attachments.
    Only open attachments from people you know and trust, and, even then, be extra careful. If you’re really not sure, call the person and confirm that they really sent the file.

Want to see where your state ranks? See the full list or read more about our study and findings here.

Test your knowledge and see where the Webroot Community stacks up against the rest of America: Join our daily contest for a chance to win prizes! Contest ends at 4:00pm MT on May 21, 2019.

Methodology
Webroot partnered with Wakefield Research to survey 10,000 Americans, ages 18 and up, with 200 interviews in each of the 50 states. This survey was conducted between February 11 and February 25, 2019, using an email invitation and an online survey instrument. The margin of error is +/- 0.98 percentage points for the total audience of this study and +/- 6.9 percentage points for each state at the 95% confidence level.

Cyber News Rundown: FBI Phishing Scam

Reading Time: ~ 2 min.

“FBI Director” Phishing Campaign

A new email phishing campaign has been making its way around the web that claims to be from “FBI Director Christopher Wray,” who would love to assist with a massive wire transfer to the victim’s bank account. Unfortunately for anyone hoping for a quick payday, the $10 million check from Bank of America won’t be arriving anytime soon, unless they are willing to enter more personal information and send it to a Special FBI agent using a Yahoo email address. While most phishing campaigns use scare tactics to scam victims, taking the opposite approach of offering a large payout seems less likely to get results.

Magecart Skimming Script Works on Dozens of Sites

Following the many Magecart attacks of recent years, a new payment skimming script has been found that allows attackers to compromise almost any online checkout page without the need to customize it for the specific site. The script currently works on 57 unique payment card gateways from around the world and begins injecting both the loader and the exfiltration script when the keyword “checkout” is searched for in the address bar.

Scammers Target Google Search Ads

Scammers are now turning towards Google Ads to post fake phone numbers posing to be customer support for popular websites such as eBay and Amazon. These phone scammers will often tell those who call that there is something wrong with their account and ask for a Google Play gift card code before they can help. The ads will look as if they are legitimate which causes confusion to those who call the phony numbers listed.  

Citycomp Data Dumped After Blackmail Attempt

Shortly after discovering that their systems had been breached, Citycomp announced they would not be paying a ransom for a large chunk of stolen client data. Unfortunately for Citycomp, the hackers decided to make the data publicly available after not receiving their requested $5,000. Amongst the stolen data is financial and personal information for dozens of companies for which Citycomp provides infrastructure services, though it may only be an initial dump and not the entire collection.

Email Scam Robs Catholic Church of Over $1.7 Million

The Saint Ambrose Catholic Parish in Ohio recently fell victim to email scammers who took nearly $2 million from the church currently undergoing a major renovation. The scammers targeted monthly transactions made between the church and the construction company by providing “updated” bank information for the payments and sending appropriate confirmations for each transfer. The church was only made aware of the breach after the construction company called to inquire about two months of missing payments.