Home + Mobile

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Smart Wearables: Convenience vs. Security

Fitness trackers and other digital wearables have unlocked a new era of convenience and engagement in consumer health. Beyond general fitness trackers, you can find wearables for a variety of purposes; some help diabetics, some monitor for seizure activity, and some can aid in senior citizens’ health and quality of life. But the convenience of an interconnected lifestyle may be a double-edged sword. Fitness trackers and wearables are notoriously unsecured. Wearables record and store some of our most sensitive health data—which is often 10x more valuable than a stolen credit card— making them a particularly attractive target for hackers.

So what types of data does your fitness tracker store? For a start, it holds the identifying information required to set up your account, such as your email, username, and password. But other fitness tracking specifics can make a user easier to identify, including as gender, birthdate, geographical location, height, and weight. Health and activity data provides an in-depth look at the user’s daily habits through the power of GPS monitoring. If your device is paired inside of a network, other personal device information will also be stored, such as your Unique Device IDs or MAC addresses. Depending on the device, your wearables may also store your credit card information or bank account information.

New vulnerabilities

Because of their versatility, wearables and fitness trackers leave us vulnerable in many ways. In last year’s MyFitnessPal hack, which affected 150 million users, attackers hoped to access credit card information but came away with only usernames and passwords. But what about the information that is more specific to wearables, like GPS tracking? After the fitness tracker Strava revealed hidden army bases through heatmap tracking, the Pentagon began to restrict the use of wearables by military personnel due to the potential security threat. And the recently uncovered MiSafe vulnerability left thousands of children unsecured, allowing hackers to track their movements, listen in on conversations, and actually call children on their smart watches. 

Even with these concerns, the wearables market continues to grow, with the prevalence of such devices predicted to double by 2021. Large healthcare organizations and insurance carriers are also starting to use insights from fitness trackers to influence both patient care and insurance rates. We’re even beginning to see the introduction of wearables for employee tracking, although this has met with mixed response. With this increased exposure to potentially insecure technologies, you’ll need to take extra steps to ensure your family’s security.

Where to start

Always research any fitness trackers or wearable devices before you commit, and be sure to avoid devices with any known security flaws. Notable examples to avoid are Medion’s Life S2000 Activity Tracker and Moov’s Now tracker. The Life S2000 requires no authentication and sends data unencrypted, and the Now tracker can leave users vulnerable to attack via Bluetooth connectivity. Even larger brands like Lenovo struggle to maintain an adequate level of security in their fitness trackers; the Lenovo HW01 smart band sends both registration and login data to its servers unencrypted.

Although it’s tedious, we recommend you always read the privacy policy of any wearable device or fitness tracking app before you use it. If the data storage and security measures outlined in the policy aren’t up to snuff, request a refund and let the manufacturer know why. Periodically reviewing your app’s privacy settings on your phone is also a good practice—just to make sure you’re comfortable with the app’s level of access. Take common-sense cybersecurity measures to help keep your wearables as secure as possible. Never reuse passwords or use third party login services like Facebook Login, and consider using a password manager like LastPass® instead.

Wearables and fitness trackers are here to stay, and the Internet of Things (IOT) is only going to keep growing. We have to work together to protect ourselves as we integrate these technologies into our daily lives. After all, the price of convenience cannot match the value of our personal security.

As always, be sure to check back here to stay updated on the newest cybersecurity trends.

The Must-Have Tech Accessory for Students

We live in a digital age where internet-connected devices are the norm. Our phones, our televisions, even our light bulbs are tied together in today’s tech ecosystem. For high school and college students, this degree of digital connection is the standard, and when school is in session, tech accessories are a popular way to customize the various connected devices that are now an essential part of students’ lives.

With their focus on specialized accessories, it’s easy for students to overlook the importance of securing their connected devices. What’s the point of an expensive phone case or the perfect PopSocket if you’re leaving yourself, and your data, vulnerable? Hacks, security breaches, and stolen identities are often seen as things that don’t happen to digital natives. But security breaches can happen to anyone—no matter how sophisticated a user may be—and are almost always preventable by practicing safe cyber habits and having the right security is in place. But where do you start?

Back to basics

For students at any level, these best practices may seem eye-rollingly intuitive, but they are the basic tools for staying safe and secure online. Flaws with basic cybersecurity often prove to be the catalyst for a chain reaction of breaches, so by making sure these essential fail-safes are in place, you go a long way toward protecting yourself from cybercrime.

Awareness

Being aware of your surroundings and the connectivity of your devices is the first step towards a digitally secure life. But what does awareness mean from a cybersecurity standpoint? It means turning airdrop, file sharing, and open Bluetooth connectivity off, before you use your device in a public area. It means not leaving your laptop unattended, even if you’re just running to the bathroom at the coffee shop. It means using a free tool, such as haveibeenpwned.com, to see if your data has been breached in the past and taking corrective measures if it has been. Most importantly, it means treating public networks like they are public, and not accessing sensitive information through them unless you take the proper precautions (more on that below).

Two-Factor authentication

Two-factor authentication, where a validation message is sent upon login, is a security feature that verifies that you are the one who is actually attempting to access your account, particularly if the access request is coming from an unrecognized device or location. Two-factor authentication is the best way to stop unauthorized users from logging into your accounts. Most social media services offer two-factor authentication, but if you don’t trust them to be up to the task, use a third party service such as Authy or Google Authenticator. SMS and email two-factor authentication measures are demonstrably weaker than other available two-factor measures, and should be avoided if possible (although it’s better than using only a password alone).

Multiple passwords

No one likes to remember multiple passwords, let alone multiple secure passwords. But never reusing passwords is the best way to prevent third-party breaches from affecting multiple accounts. A good tip for varied passwords you can remember? Choose a phrase (or favorite song lyric) and break it down into sections. For example, the quick brown fox jumps over the lazy dog, becomes three separate passphrases.

  • the quick brown
  • fox jumps over
  • the lazy dog

This is a handy trick to wean yourself off the same two passwords you’ve been using since middle school, and is better than password redundancy. Make sure you include spaces in your passphrases. In the rare case spaces are not allowed, then a phrase without spaces will suffice.

Digging deeper

If the tips above are the metaphorical security sign in the window of your digital life, the measures outlined below are the actual security system. A small amount of additional effort on your part will help keep you safe during your educational career. 

Antivirus software

Making sure you have trusted antivirus software running on all devices is one of the most effective ways to stay safe from online threats. A cross-device service, such as Webroot SecureAnywhere® solutions, will keep you safe from potentially malicious emails, files, or apps. An important step to never skip? Keeping your antivirus software up to date. This will help prevent newly surfaced viruses and malware from penetrating your systems. Or, chose cloud-based antivirus solutions, like Webroot’s, that do not require updates.

Password managers

Don’t want to bother with remembering passwords at all? Password managers with secure encryption make generating and storing passwords safe and easy. Many password managers are compatible with common browsers such as Chrome and Firefox, making it easy to securely auto-fill passwords and other forms online.

Message encryption

Encryption services use ciphers to convert messages into random symbols, which are only able to be converted back when accessed by the intended recipient, with a special key. Common encryption options are Apple Messages and Signal, as well as WhatsApp, which is owned by Facebook. If you prefer an encryption option that isn’t owned by a large corporation, Signal is a part of Open Whisper Systems.

Virtual private networks

If you must access sensitive information through a public network, setting up a virtual private network (VPN) will block and redirect your IP address, preventing outside parties from tracking and storing your information. Your VPN setup will largely depend on both your specific devices and price point, but with a little research and energy you can prevent anyone and anything from accessing your digital vault.

Vigilance is key

These tools are the true must-have tech accessories to support young people today and their digitally enhanced life. It’s easy to be overwhelmed as a student with school, work, and social life, but don’t let your cybersecurity defenses lag. Stay informed and stay updated.

Cybersecurity Trends to Watch Out for in 2019

The cybersecurity landscape is in constant flux, keeping our team busy researching the newest threats to keep our customers safe. As the new year approaches, we asked our cybersecurity experts to predict which security trends will have the most impact in 2019 and what consumers should prepare for.

Continued Growth of Cryptojacking

“Cryptojacking will continue to dominate the landscape. Arguably more than a third of all attacks in 2019 will be based off of leveraging hardware in your devices to mine cryptocurrency.” – Tyler Moffitt, Senior Threat Research Analyst 

The largest cyber threat of 2018 will continue its unprecedented growth in 2019. Cryptojacking—a type of hack that targets almost any device with computing power, including mobile devices, company servers, and even cable routers to mine for cryptocurrencies—grew by more than 1,000% in the first half of 2018. Compared to ransomware attacks, cryptojacking is incredibly stealthy, with many systems losing processing power while sitting idle anyway. We are now seeing cryptojacking in more significant systems, as was the case when Nova Scotia’s St. Francis Xavier University struggled for weeks to recover after cryptojacking software led to the school to disable its entire digital infrastructure in order to purge the network. For home internet users, cryptojacking can put undue stress on your computer’s processor, slowing down performance and increasing your electric bill.

But, as with any cybersecurity threat, it’s a constant cat-and-mouse game between criminals and the security industry. As cryptojacking continues to grow, so does criminals’ ability to successfully implement the attack. At the same time, so does our knowledge and ability to defend against it. This type of attack can impact your devices in multiple ways, whether via a file on your computer or a website you visit. We recommend a layered solution that can protect against these different attack vectors, like Webroot SecureAnywhere® solutions.

General Data Protection Regulation (GDPR) Influence

“We are going to see a lot more legislation proposed within the US that will be very similar to GDPR, much like California already has. These types of laws will inspire the idea that companies don’t own data that identifies people, and we need to be better stewards of that data. Data, by all accounts, is a commodity. It’s necessary for innovation and to stay competitive, but the data must be good to be of any use.” – Briana Butler, Engineering Data Analyst

The General Data Protection Regulation (GDPR) is a set of regulations put in place in 2018 that standardize data protection measures within the European Union, marking the beginning of a new era of international data protection. In the United States, California has been on the frontlines of data protection law since 2003 when bill SB1386 was passed, pioneering mandatory data-breach notifications nationwide. California continues to innovate in data privacy law with the recently passed California Consumer Privacy Act of 2018 (CCPA), possibly the toughest data privacy law in the country. Although clearly influenced by GDPR, it differs in many ways—enough that companies who are compliant with GDPR may need to take additional steps to also be compliant under the CCPA. But it’s not just lawmakers who are pushing for data protection regulation, influential tech industry leaders like Tim Cook are also calling for stronger consumer protections on data collection nationwide.

What does this mean for you? Expect another wave of “Privacy Update” emails and cookie collection pop-up notices while browsing, as well as expanded protections regarding the collection and storage of your personal data. Given the rising regularity of third party data breaches—like the one that recently left 500 million Marriott guests exposed—stronger data protection laws can only mean good things for consumers.

Biometrics on the Rise

“We will see continued growth in biometric services. Devices with usernames and passwords will become the legacy choice for authentication.” – Paul Barnes, Sr. Director of Product Strategy

Largely associated with facial and fingerprint recognition, biometrics have been on the rise since at least 2013, when the launch of TouchID placed the technology in every iPhone user’s hands. But the adoption of biometric technologies—particularly facial recognition biometrics—was dampened by cultural and ethical concerns, with some fearing the establishment of a national biometric database. But today we are beginning to see the normalization of facial recognition biometrics, like those utilized by Snapchat and Instagram. Biometrics are also now widely seen used in critical infrastructure applications. Airports use biometrics to facilitate a faster boarding process, and hospitals are adopting biometrics for both patient care and as a HIPAA security precaution.

We predict this regular exposure to biometrics will lead to a larger cultural acceptance and adoption of biometrics as a trusted security standard, leading to the eventual death of usernames and passwords. Why bother with a login when your computer knows the minute details of your iris? But convenience may come as a cost. Corresponding with rising use, biometric data will continue to become a more valuable commodity for cybercriminals to steal.

The Beginning of the End for SSNs

“There will be significant discussion around replacing Social Security numbers for a more secure, universal personal identity option.” – Kristin Miller, Director of Communications

In 2017 the Equifax breach compromised 145.5 million Social Security numbers, forcing us to face an uncomfortable truth: SSNs are a legacy system. First available in 1935 from the newly minted Social Security Administration, they were created to track accounts using Social Security programs. They were never intended to act as the secure database key we expect them to be today.

The conversation has already begun on the federal level. “I think it’s really clear there needs to be a change,” White House Cybersecurity Coordinator Rob Joyce said at the 2017 Cambridge Cyber Summit. “It’s a flawed system. If you think about it, every time we use the Social Security number you put it at risk.”

Although it will be some time until we fully replace Social Security numbers, what should you expect from a replacement? When it comes to personal identifiers that are both unique and secure, the conversations tend to center around two technologies: biometrics and blockchains. Biometrics—particularly behavioral biometrics, which derive their logic from individual’s behavioral patterns, such as the syncopation of types or taps on a screen, or even your unique heart beat—are proving to be an especially intuitive solution.

Certification for the Internet of Things

“We will finally see a consumer IoT/connected goods certification body, similar to the Consumer Electrical Safety Certifications today. This will enforce the notion of Security by Design for a smart goods manufacturer.” – Paul Barnes, Sr. Director of Product Strategy

We love the Internet of Things (IoT). It powers our smart homes, our fitness trackers, and our voice assistants. But IoT devices are notoriously insecure, oftentimes featuring overlooked flaws that can lead to exploitation in unexpected places. A recent Pew Research Center survey looked at how growing security concerns are influencing the spread of IoT connectivity reported only 15% of participants saying security concerns would cause significant numbers of people to disconnect from IoT devices. Alternatively, 85% believe most people will move more deeply into an interconnected life due to the convenience of IoT products. Recently published documents may signal that the time of putting convenience ahead of security is quickly coming to an end.

The United Kingdom’s department for Digital, Culture, Media, and Sport (DCMS) published the “Code of Practice for Consumer IoT Security.” The code outlines thirteen steps for organizations to follow for the implementation of appropriate security measures in IoT offerings. It also emphasizes the need for a secure-by-design philosophy, a belief that security measures need to be designed into products, not bolted on afterwards. This type of regulatory influence on the industry is sure to make waves across the pond, and we are already seeing this play out with California’s new IoT security law.

Keep these predictions in mind as you make your way through 2019. Staying informed is the best way to keep you and your family safe, so check back here for more cybersecurity trend updates in the future!

What Separates Webroot WiFi Security from Other VPNs?

Virtual Private Networks (VPNs) are quickly becoming a fundamental necessity for staying safe online. From large corporations to family households, people are turning to VPNs to ensure their data is encrypted end to end. But as with any emerging technology, it’s easy to become overwhelmed with new and untested VPN options. So, how does Webroot® WiFi Security distinguish itself from other VPNs?

Whether or not you can trust your VPN provider should be the first thing to consider when selecting a VPN. A recent analysis of nearly 300 mobile VPN services on the Google Play store found that, unlike Webroot WiFi Security, almost one in five didn’t encrypt data as it was transmitted through their private network, a core tenant of VPN protection. At Webroot we have decades of cybersecurity experience. We’ve built confidence with every customer, from the world’s leading IT security vendors to families just like yours. Security and privacy are what we do best, and Webroot WiFi Security was purpose-built to always encrypt your data without screening, storing, or selling your private information.

“New products from unknown companies can be risky—what data are they capturing, what are they doing with the data, and how are they protecting that information?” notes Andy Mallinger, Webroot director of product. “Webroot has been in the security business for more than 20 years, and has built machine learning-based security systems for more than a decade. We designed our products to evolve with the ever-changing threat landscape. Adding VPN protection with Webroot WiFi Security, is a perfect next step in our continued evolution.”

Best-in-class security

Webroot WiFi Security was built to provide best-in-class security, while still being easy to use. A one-click setup automatically enables security features without any confusion or missed steps. For extra security, Android®, Mac®, and Windows® users can enable Webroot WiFi Security’s unique “killswitch” feature. If your VPN connection is lost, the kill switch prevents the transmission of your data over an unsecure network until you are reconnected to the VPN.

“Webroot WiFi Security also helps protect your privacy by obscuring your location,” says Randy Abrams, senior security analyst at Webroot. “Websites are able to precisely pinpoint your location and use that information to track your browsing habits. With Webroot WiFi Security, you can be in Broomfield, Colorado, but your VPN IP address can make it look like you are in any one of the more than 30 countries where our VPN servers are located.”

Privacy plus security

Webroot WiFi Security also offers Web Filtering powered by BrightCloud® Threat Intelligence*. This feature provides an extra layer of protection that keeps your financial information, passwords, and personal files from being exploited. Webroot goes a step above other VPNs by safeguarding users from visiting malicious or risky websites known to be associated with malware, phishing, key logging spyware, and botnets. Web Filtering is a feature that the user can choose to enable or disable.

The combination of consumer trust and the power of best-in-class threat intelligence makes Webroot WiFi Security one of the most unique and secure VPN offerings on the market. Webroot has a deep history of protecting its customers’ privacy, and we are excited to showcase this dedication in the VPN market.

Ready to make the switch to Webroot WiFi Security? Learn more after the jump.

*The BrightCloud Web Filtering feature is only available on Windows®, Mac®, and Android® systems.

Charity Scams to Watch Out for During the Holidays

‘Tis the season of giving, which means scammers may try to take advantage of your good will. A surprising fact about American donation habits is that everyday folks like yourself are the single largest driver of charitable donations in the United States. Giving USA’s Annual Report on Philanthropy found that individuals gave $286.65 billion in 2017, accounting for 70 percent of all donations in the country.

Last year, Giving Tuesday donations alone grew by 22 percent, with an average household donation of $111. With the seventh annual Giving Tuesday on November 27 fast approaching and technology that makes it increasingly easier to support your favorite causes, it’s more important than ever to keep your guard up before you click the “donate” button.

Charity Scams

Unsolicited donation requests are fairly normal during the holiday season —especially since non-profits depend on year-end giving for the success of their organizations—but look out for a few behaviors as red flags. Overly aggressive pitches including multiple phone calls and emails, or high-pressure tactics that require your immediate donation, should always be avoided. Be on high alert for “phishy” emails and links; make sure to check the sender’s email address and hover over links to reveal their true destination before clicking on them. Even if a website looks legitimate, it may be a spoofed. Check that the domain matches the company you intended to visit. This can be trickier than it sounds. For instance, stjudehospital.com may appear to be genuine, but an easy Google search of “St. Jude Hospital” reveals their actual site to be stjude.org.

If you’re donating to a charity you’ve never worked with before, do a little research before committing your funds. Charity Navigator is a particularly useful resource; just type in the organization’s name and check out their rating. If they are not listed on Charity Navigator, it’s probably best to err on the side of caution and donate your hard-earned dollars elsewhere. Also, be sure to only enter sensitive or personal information into websites that have an SSL certificate; you’ll be able to tell if a page is secure if the link begins with “https”. (This is a great tip for shopping online this holiday season too.) Finally, before making any online donations, make sure you have a strong antivirus program installed that can detect phishing sites and that it’s up-to-date on all your devices.

If you are contacted by a charitable organization by telephone and want to make a donation, don’t give them your credit details over the phone. Have them mail you a donation form for you to evaluate and mail back. Remember: no legitimate charity will ask you to wire them money or pay them in gift cards. If you encounter a charity that is urging you to do so, cut all contact and block them on all platforms.

Bear in mind that not all charity scams are out for money, either—some are hoping to skim personal information. There is absolutely no reason to provide a charitable organization with information like your Social Security Number or driver’s license number—these are major red flags. Also, be especially cautious of requests to send an SMS code to donate via text message.

Social Media Scams

Social media is an easy and typically secure way to donate to legitimate charitable organizations, but scammers know how to use these platforms as well. Social media scams are on the rise, but a little bit of common sense goes a long way with donations on social channels. If you’re looking to donate to someone through a crowdfunding site, be sure the campaign fully answers these questions:

  • Can you verify if the organizer of the campaign has an existing relationship with the intended donation recipient?
  • Is there a plan for how the funds be used to aid the intended recipient?
  • Are verifiable friends and family of the intended recipient making donations and leaving supportive comments?
  • How will the intended recipient access the funds?

If you cannot easily find the answers to these questions, we recommend you avoid donating to that campaign.

Another pervasive social media scam is celebrity imposters who pretend to raise funds for charities or disaster relief. These imposters use the familiar faces of some of our favorite media personalities to gain our trust and access our wallets. If you have been solicited by a celebrity for donations, stop and take moment before you give. Make sure it’s their official social media page, which can be often verified on Twitter and Facebook by a small blue checkmark next to their name. You may also Google the celebrity’s name and “scam” to see if others have already reported a trap.

Source: @PatrickDempsey on Twitter

Attacks Targeting Seniors

While scams that target our aging loved ones are a problem year-round, the Consumer Financial Protection Bureau says scammers tend to ramp up their efforts during the holidays to take advantage of seasonal generosity. Most charity scams that target seniors are similar to the ones we all face, including phishing emails, phishing sites, and false charities. However, “Grandkid Scams” are a unique variety.

For this type of fraud, an older adult is contacted by a someone pretending to be a family member in desperate need of money or assistance, often impersonating a grandchild. Speak with the older adults in your life about the common signs of scams, like misspelled emails and requests for wire transfers, and teach them how to hover over a link to check its destination. Remind them to verify whether a family member is reaching out for money, and check in with them more often leading up to the holidays to catch any potential security issues early.

Stop Attacks Early

Vigilance is key in stopping a potential security breach in its tracks. If you believe you may have unwittingly sent money to a scam charity, reach out to the organization you used to send the money, such as your bank or credit card company. Tell them the transaction was fraudulent and ask them to cancel it, if possible. If you believe your personal information was exposed, you can freeze your credit to prevent any long-term damage. Also, if you think you may have encountered a charity scam of any type, be sure to report it to the FTC to help keep others safe.

Even if you don’t think you have suffered a breach, keep an eye on your credit score and monitor your banking and credit accounts closely this holiday season. Paying a little extra attention will help you act quickly if your information has been compromised, potentially saving you and your family major holiday heartache. For an added layer of protection, secure all of your family’s devices behind a trusted VPN, which will keep your private data encrypted and safe should anyone try to intercept information you send over WiFi.

Do you know of a common scam we missed? Have some advice you think we should have included? Let us know in the comments!

How to Keep Your Kids Safe Online

As digital natives become more immersed in and dependent upon technology, they are likely to experience “cyber fatigue,” which can be thought of cybersecurity complacency. Paired with the invincible feeling that often accompanies being young, this can be a dangerous combination. It’s easy to mistakenly believe that hacked devices and identity theft are things that only happen to adults. Kids and teenagers, however, are just as high-risk and the impacts of cybersecurity breaches could potentially affect them for years into their future. So how can we protect our kids’ digital lives in the same way we protect their offline lives?

Frank Conversations

The internet may seem like a playground of endless entertainment, but we need to educate our children about the dangers that exist there as well. Have you had a friend or family member who’s been hacked or somehow had important information compromised? Talk to your kids about it, how it happened, why it happened, and the work needed to fix it. These real-life examples may be one of your most powerful education tools, as they help children more concretely understand the concept of cybersecurity threats. Demonstrating that these things can happen to anyone, including them, is the quickest way to get their cybersecurity guard up. Looking for fresh ideas on how to talk to your kids about cybersecurity? Check out the Webroot Community for advice and tips.

Common Scams

Teach your children about the most common cybersecurity threats, especially ones that are particularly pervasive on social media, including phishing, identity theft, and malicious websites. They should never accept private messages from people they don’t know, or click on links from friends or family that seem out of character or suspect. If they aren’t sure a message from a friend is actually from that individual, they should not hesitate to verify their identity by calling them, or by asking specific questions only that individual would know. The comments sections of websites like YouTube are also potential flashpoints. Clever comments can entice users into clicking on a risky link that navigates them to a malicious site.

Illegal Downloads

The temptation to download an illegal copy of a favorite movie, game, or album can be strong, but ethical and legal implications aside, it remains one of the most risky online behaviors. In fact, a recent study found that there was a 20% increase in malware infection rates associated with visits to infringing sites. Make sure your kids know the impact illegal downloads have on their security, and inform them of alternative streaming and download options. If you’re able, give your child an allowance for services like Steam for video games, or Amazon Video for films and shows. Providing them with alternative options is the best way to keep your child from giving into the temptation of illegally torrenting content.

Mobile Safety

A recent study found that people aged 15 to 24 spend about four hours a day on their phones. This works out to roughly 1,456 hours of mobile engagement a year, making mobile devices one of the most vulnerable entry points for cybersecurity breaches. Make sure your child’s phone is protected with a pin number, password, or biometrics on the lock screen, and that they know to leave Bluetooth turned off when not in use. Connecting to public WiFi networks could also leave your child vulnerable, but you can protect their devices from open networks by securing them with a VPN.

Digital Footprint

Many young people today use anonymous or “private” messaging services, like Whisper, Sarahah, or Snapchat, believing that they are protected by the apparent anonymity. However, cybersecurity experts have long been critical of these services, as nothing online is 100% anonymous.

“There is no single app that is capable of providing complete anonymity,” says Randy Abrams, Sr. Security Analyst at Webroot. “Even though someone may think they are anonymous, our online behavior allows people to track and identify us. Apps that claim to provide anonymity often collect and sell personally identifying data left behind from internet searches.”

“Some apps may offer much higher degrees of anonymity, but it takes a tremendous amount of knowledge and discipline to be anonymous,” he adds. “If an app requires access to your contacts, pictures, storage, location or the ability to make and receive phone calls or SMS messages, anonymity quickly starts to disappear.”

Free applications have to make a profit somewhere, which often means that they are storing, tracking and selling user data. This is particularly dangerous as users are lulled into a false sense of security, which can quickly be shattered when these services are affected by a cybersecurity breach. Make sure your kids know nothing they say online is truly private, and that a negative digital footprint can drastically alter the course of their lives.

Shared Responsibility

We believe cybersecurity is a shared responsibility, and that it is not just up to parents to educate digital natives. This is why we’ve developed a cybersecurity awareness initiative with the Aurora Public School System in Colorado. In addition to providing students with online safety tips, we’ve given them insights on potential career paths, and connected them with our engineers to solve problems using skills like math and coding that could benefit them later in their careers.

We encourage parents to explore and advocate for cybersecurity and STEM education opportunities for children in their local communities. For more educational content to help keep your family safe from cyber threats, visit the Home + Mobile section of our blog.

5 Tips for Optimizing Your VPN Experience

By now, you likely know that a Virtual Private Network (VPN) is essential to remaining safe when working remotely. But, once set up, how can you optimize your VPN to work well with your devices and meet your security needs? Here are our top five tips for maximizing your VPN experience.

Pair it with an Antivirus

One of the biggest misconceptions about VPNs is that they protect your device from malicious programs. While a VPN will encrypt your network traffic, preventing others from viewing intercepted data, most do not warn you when you visit dangerous sites. If your VPN provides advanced web filtering for risky sites, that can be an additional defense against cyber threats such as malware and phishing.  Alternatively, while strong antivirus software actively monitors for viruses and malware within files and applications, it does not encrypt your data or prevent it from being monitored. Both are equally important for protecting your devices, and are ideally used together. Combining the two services provides additional security.

Enable a Kill Switch

Setting up a VPN to keep your data safe is an important first step, but what happens if your VPN server goes down or disconnects while you are entering sensitive data and you don’t notice the connection was lost? Without the protection of a VPN kill switch, your devices will often automatically reconnect to the network without alerting you, this time without the protection of your VPN. A kill switch feature blocks sending and receiving data until the VPN connection is re-established.. For maximum protection, select a VPN with a kill switch feature and ensure it has been enabled.

Understand the Impact of Setting Up a VPN on Your Router

Having a VPN on your home router may seem like a helpful boost to your cybersecurity, but it’s actually the opposite. Most routers lack the processing power of a modern CPU, meaning that even older personal devices (phones, tablets, computers) will have a much easier time handling the task of encrypting/decrypting data than your router will. Instead, set up a VPN for each personal device to prevent a bottleneck of data to your router while simultaneously securing it at all access points. Selecting an easy-to-use VPN solution with cross-device functionality will make this task much easier on the end user, while providing maximum security.

Protect All of Your Smart Devices

When it comes to cybersecurity, we tend to imagine a nefarious hacker out to steal and sell your data. But not all data collection is illegal. Your Internet Service Provider (ISP) has a vested interest in tracking your streaming habits, and they may even throttle your network depending on your usage. Our phones, computers, and tablets are each a potential interception point for our private data. Securing each of your smart devices with a VPN, even those that stay in your home, is the best way to prevent your data from potentially being monitored by third parties. 

Encrypt Your LTE Connection

While your cellular network is more secure than public WiFi options, it remains vulnerable to an attack. LTE user data can be exploited by what is known as an “aLTEr attack”. This attack redirects domain name system (DNS) requests, performing a DNS spoofing attack that can fool your device into using a malicious DNS server. This spoofed DNS server will deliver you to websites as normal until you request a high-value website the attack is targeting, like your banking or email provider. Oftentimes this fake website will scrape your data before you realize what has happened. You give yourself an extra layer of security by wrapping your LTE connection in a VPN, allowing you to access your most sensitive data confidently.

When it comes to getting the most out of your VPN, this list is just the beginning. Our privacy concerns and security needs will continue to change as our connected devices mature and we recommend keeping an eye on your VPN provider for any potential updates to their services.

Ready to take back control of your privacy? Learn how our Webroot WiFi Security VPN protects what matters most wherever you connect.

Webroot WiFi Security: Expanding Our Commitment to Security & Privacy

For the past 20 years, Webroot’s technology has been driven by our dedication to protecting users from malware, viruses, and other online threats. The release of Webroot® WiFi Security—a new virtual private network (VPN) app for phones, computers, and tablets—is the next step in fulfilling our commitment to protect everyone’s right to be secure in a connected world.

“Launching Webroot WiFi Security is a valuable and exciting progression in our mission,” said Webroot Director of Consumer Product Andy Mallinger. “Antivirus solutions protect your devices from malware and other cyber threats, and a VPN protects your data as it’s sent and received over networks—especially public networks. This combination allows us to extend our protection of personal data beyond the device to the network.”

Shifting tides

Webroot WiFi Security arrives at a time when the fragile state of our online privacy is becoming more apparent and better understood by internet users around the world. Recent revelations of government surveillance via the Snowden leaks, social media data collection like that in the Facebook/Cambridge Analytica scandal, and data breaches including the Equifax hack have fueled a palpable rise in data privacy concerns.

Over half of internet users from around the world say they are “more concerned about their online privacy than they were a year ago,” according to a 2018 CIGI-Ipsos Global Survey on Internet Security and Trust.

Another key factor with grave implications for data privacy in the United States specifically was the 2017 repeal of privacy regulations for Internet Service Providers (ISPs), which aimed to ensure broadband customers had choice, greater transparency, and strong security protections for their personal info collected by ISPs.

“ISPs are facing less regulation today, and so can continue to share, sell, and profit by passing on user information to third parties— browser history, location, communications content, financial details, etc.—without the user’s knowledge or consent,” said Webroot Sr. VP of Product Strategy & Technology Alliances Chad Bacher.

Taking control of privacy

Now more than ever, individual users must take steps to regain control over their online privacy and security. Along with keeping trusted antivirus software installed on mobile and home devices, users should actively protect their data in transit over networks with a VPN.

But it’s important to note that all VPN applications are not created equal. Many users looking for a privacy solution find themselves wondering if they can trust that their VPN provider has their interests at heart. Consumer wariness concerning the privacy of VPN products is justified—some VPN apps, especially free ones, are guilty of sharing or selling their user data to third parties, limiting bandwidth, or serving ads. Facebook’s VPN app was recently removed from the Apple App Store® following concerns over the app’s misuse of user data.

Webroot WiFi Security provides one of the most powerful forms of encryption available, AES 256-bit encryption, and protects user data from cybercriminals and ISPs alike. Webroot WiFi Security does not collect your browsing activity, the sites you visit, downloaded data (or shared or viewed), DNS queries, or IP addresses. The full Webroot WiFi Security Privacy Statement can be found here.

Privacy plus the protection of Web Filtering

In addition to the privacy safeguards of Webroot WiFi Security that protect users while they work, share, bank, and browse online, users also benefit from the integration of Webroot BrightCloud® Threat Intelligence.* The app’s Web Filtering feature provides an extra layer of protection to keep your financial information, passwords, and personal files from being exploited. Webroot WiFi Security is powered by the same threat intelligence platform the world’s leading IT security vendors trust.

“Not only is Webroot protecting user privacy, it’s also shielding users from phishing sites and websites associated with malware,” said Malinger.

Webroot WiFi Security is compatible with devices running iOS®, Android, macOS® and Windows® operating systems, and is now available to download on the Apple App Store, Google Play store, and Webroot.com.

*Only available on Windows, Mac and Android systems

Social Media Malware is Deviant, Destructive

We’ve seen some tricky techniques used by cybercriminals to distribute malware through social media. One common threat begins with a previously compromised Facebook account sending deceptive messages that contain SVG image attachments via Facebook Messenger. (The SVG extention is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation.)

Cybercriminals prefer this XML-based image as it allows dynamic content. This enables the criminals to add malicious JavaScript code right inside the photo itself—in this case, linking to an external site. Users who click on the image find themselves on a website posing as YouTube that pushes a popup to install a browser extension or add-on or to view a video. There are plenty of red flags here like the URL clearly not being YouTube.com, as well as the fact that YouTube does not require any extensions to view videos.

Facebook messenger spreading an SVG image containing a harmful script

An example of a fake YouTube page with malicious browser extension popup

Worm-like propagation

If a you were to install this extension, it will take advantage of your browser access to your Facebook account to secretly mass-message your friends with the same SVG image file—like a worm, this is how it spreads. Victims don’t need to have very many friends for this tactic to be successful at propagating. For instance, if you have over 100 friends, then you only need less than 1% of your friends to fall for this for the scam for it to continue to propagate.

To make matters worse, the extension also downloads Nemucod, a generic malware downloader generally used to download and install a variety of other threats. Usually the go-to threat is ransomware given it’s proven business model for criminals.

Social media managers at risk

Those who manage social media accounts on behalf of businesses are particularly at risk of advanced malware and other cyberattacks. Earlier this spring, a new Windows trojan dubbed Stresspaint was found hidden inside a fake stress-relief app and likely spread through email and Facebook spam campaigns to infect 35,000 users, according to researchers at Radware who discovered the malware.

Stresspaint was rather deviant in the way it stole Facebook account credentials and logged into accounts looking specifically for data such as “each user’s number of friends, whether the account manages a Facebook Page or not, and if the account has a payment method saved in its settings,” according to Bleeping Computer.

Allowing cybercriminals to gain control of brand social media accounts can carry grave consequences such as reputation damage, loss of confidential information, and deeper access into an organization’s network. Last year, HBO was humiliated on their social profiles when the notorious hacker group OurMine breached several the network’s accounts and posted messages before the company finally regained control of their logins.

Source: u/marialfc on Reddit.

Crypto users targeted

Following the recent trend in malware, sophisticated variants of existing strains are now aimed at cryptocurrency users. A malicious Google Chrome extension called FacexWorm, which spreads through Facebook Messenger, was found to have morphed with a new ability to hijack cryptocurrency transactions made on a host of popular online exchanges, according to Coindesk. This further underlines the importance of exercising caution with the information you share on social media to avoid being a target, particularly if you are a user of cryptocurrency.

Cryptocurrency scams are another common threat that spreads throughout social media. Twitter is particularly notorious an outbreak of crypto scam bots that pose as high-profile tech leaders and industry influencers. Learn more about this type scam in my previous post.

Don’t let your guard down

Given the nature of social networks, many are likely to consider themselves to be in the company of friends on sites like Facebook, Instagram and Twitter. However, this assumption can be dangerous when you begin to trust links on social sites more than you would in your email inbox or other websites. For instance, a simple bot-spam message on Twitter was able to grant a hacker access to a Pentagon official’s computer, according to a New York Times report published last year.

It’s wise to be wary of clicking on all links, even those sent by friends, family or professional connections, as compromised social media accounts are often used to spread scams, phishing, and other types of cyberattacks. After all, just one wrong click can lead to an avalanche of cyber woes, such as identity theft, data loss, and damaged devices.

Have you encountered malware or other threats on social media? Share your story or ask a question in the comments below!

American Cybercrime: The Riskiest States in 2018

Nearly 50 percent of Americans don’t use antivirus software

That’s right; something as basic as installing internet security software (which we all know we’re supposed to use) is completely ignored by about half the US. You’d be amazed how common this and other risky online behaviors are. We did a survey of people’s internet habits across the United States, and the numbers aren’t pretty.

For reference, some very common (and very risky) online behaviors include:

  • Not using antivirus software
  • Sharing your account passwords
  • Using too-simple passwords, or reusing the same password for multiple accounts
  • Not using an ad or pop-up blocker
  • Opening emails, clicking links, and downloading files from unknown sources
  • Not installing security on mobile devices

State-by-state Breakdown of the Riskiest Cyber Behaviors

We analyzed all 50 states and Washington, D.C., to rank them on their cyber hygiene habits. This ranking system uses positive and negative survey questions weighted by the relative importance of each question. These questions address several topics, including infection incidents, identity theft, password habits, computer sharing, software update habits, antivirus/internet security usage, backup habits, understanding of phishing, etc.

*Read the full report here.

Florida wins the dubious distinction of riskiest state with the worst cyber hygiene. But before anyone pokes fun, we’d like to point out that the average resident of any state in the nation has pretty poor cyber hygiene. Only 6 states in the nation had good cyber hygiene scores.

Impacts of Risky Behavior

When you engage practice poor cyber hygiene, you’re not just running the risk of getting infected or losing a few files.

In our research, we asked respondents who had suffered identity theft, “what were the main consequences of the identity theft incident?” Some of the self-reported fall-out was both surprising and tragic, including responses like divorced spouse, bankruptcy, failed to obtain mortgage, had to get second job, had to sell house, increased alcohol consumption, delayed retirement, and diminished physical health.

When we consider that identity theft can mean such devastating consequences as divorce, bankruptcy, and even damage to our health, it becomes clear just how important good cyber hygiene really is.

What the Riskiest States are Doing Wrong

Stats from the 5 riskiest states (Florida, Wyoming, Montana, New Mexico, and Illinois):

  • Identity theft had little to no impact on their cyber hygiene habits. That means even after learning the consequences first hand, very few people changed their habits.
  • These states had the highest per-person average (28 percent) of having experienced 10+ malware infections in a single year.
  • 50 percent+ of respondents in Florida, Illinois, Montana, and 45 percent of respondents from New Mexico and Wyoming said they don’t use any kind of antivirus or internet security.
  • 47 percent of respondents never back up their data.
  • An average of 72 percent share their passwords.

What the Safest States are Doing Right

The 5 safest states had many behaviors in common that kept them ahead of the malware curve.

  • Following cases of identity theft, nearly 80 percent of respondents from the 5 safest states reported that they had altered their online habits, and almost 60 percent changed their passwords.
  • Only 14.4 percent of respondents the safe states experienced 10 or more infections a year.
  • The safest states typically reported running paid-for antivirus/security solutions, rather than freeware, unlike their risky counterparts.
  • Finally, nearly half (43 percent) of the 5 safest states automatically update their operating systems, and 35 percent of respondents regularly back up their data, either on a daily or continuous basis.
  • And of the top 4, password sharing was hardly an issue (88 percent of respondents from those states reported they don’t share passwords at all.)

The Role of Demographics and additional findings

Given Florida’s reputation as a retirement hotspot, we wanted to point out that 50 percent of Florida’s respondents in our study were age 30 or below, and the national average of respondents aged 30 or below was 47 percent. This means age demographics in our survey were consistent throughout all 50 states and D.C. and our responses actually skew younger rather than older.

How to Increase Your Personal Cyber Hygiene Score (It’s not too late!)

Here’s a quick to-do list that will help keep you safe from malware, identity theft, and other online risks. It’s not as hard as you might think.

  1. Use antivirus software. And keep in mind, while there are plenty of free tools out there that are better than nothing, you get what you pay for. Your online security, and that of your family, is worth a little investment.
  2. Create strong passwords for each account, change them often, make sure each one is unique, and, if possible, add spaces for increased security. If you’re worried about keeping track of them all, use a password manager.
  3. Stop sharing your login credentials with friends, family, and coworkers. We mean it.
  4. Closely monitor your financial accounts for any fraudulent activity, and consider using a credit monitoring or identity protection service.
  5. Regularly update your operating system and software applications. Lots of infections start by exploiting out-of-date systems.
  6. Don’t open emails from people you don’t know, and don’t download anything from an email unless you’re certain it’s legitimate. And if you get a message that appears to be from an official or financial institution asking you to take an action, don’t click any links. Go straight to the institution’s official website, or call them to confirm whether the message you received was real.
  7. Back up your files and important data regularly to a secure cloud or physical drive.

There are a lot of risks out there, and as an internet user, you have a responsibility to use good judgement when you work, bank, shop, browse, and take other actions online. But by following these easy tips, you can dramatically change your cyber hygiene score, and reduce your risk of falling victim to cybercrime.

Update 8/15/18: The cyber hygiene survey previously embedded in this blog is now closed.

Bad Apps: Protect Your Smartphone from Mobile Malware

Smartphone apps make life easier, more productive, and more entertaining. But can you trust every app you come across? Malicious mobile apps create easy access to your devices for Android and iOS malware to wreak havoc. And there are many untrusted and potentially dangerous apps lurking around in app stores determined to outsmart your smartphone. With the average user having 35 apps installed on their phone, according to Google, it’s easy to see why smartphones can be such a easy target.

But my iPhone is safe, right?

Both Apple iOS and Android devices are targeted by hackers, and while the latter is a more popular target,  both platforms are both susceptible to various types of cyberattacks. After all, Apple’s latest version of iOS 11 was cracked just one day after its release via vulnerabilities in the Safari web browser, according to ZDNet.

Protect yourself from bad apps:

All of this means that unprotected smartphones are soft targets for cybercriminals, with weaknesses that hackers can ultimately exploit to generate revenue. The first defense is knowing that you can’t trust all apps. These tips will also help you stay protected as you search for the good ones:

  1. Download apps from reputable stores. The major, reliable providers are Galaxy Apps (Samsung), the App Store (iOS), Amazon App Store, and Google Play (Android).
    Google Play, for example, scans 50 billion apps daily to detect malware before publishing new ones.
  2. Disable “Unknown Sources” for Android devices, which prevents installing apps from sources other than the Google Play Store. So, if you use Amazon App Store, you’ll need to enable “Unknown Sources”. In that case, be mindful before allowing any other app or website to install something on your phone. It should also be noted that changes to this functionality are coming with the latest update to Android’s Oreo operating system.
  3. Keep Android USB debugging off. It can prevent outside malware from accessing your phone through corded connections, such as from a public charging station.
  4. Don’t jailbreak your iPhone. Allowing access and changes to your phone’s software can allows outsider apps that may not be trustworthy.
  5. Beware of any website, text, email, or anything asking you to install an app. Search for your own apps at the store and research all apps before installing.
  6. Beware of granting excessive permissions. Apps that perform basic functions, such as a flashlight, don’t need to access your personal information, for example.
  7. Read app reviews before installing, and review and report sinister apps. Users working together as a community can help alert unsuspecting victims to phony apps.
  8. Be cautious about providing your credit card or banking information. Avoid making transactions over apps that are not well known to you or the user community and be careful about hidden charges such as microtransactions.
  9. Install OS and other software updates. It always recommended to keep your OS and apps updated with the latest patches. It’s also smart to consider phones from vendors that release prompt security patches. Many software updates are designed to defend against malware and other emergent threats.
  10. Use trusted internet security software. No matter how careful you are, it is wise to employ a reputable layer of online security.

Prevention, prevention, prevention.

Sometimes free mobile apps, including free security software apps from unknown providers, are suspect. The convenience of a quick download and excessive trust are not worth saving a few seconds or cents. Do your research, follow these 10 tips, and protect your well-being on any mobile device.

 

Tech Support Scams: From Bad to Worse

Fake tech support scams aren’t going anywhere. In fact, recent data shows this type of social engineering attack is on the rise—with phony tech support calls, emails, and pop-ups peddling the digital equivalent of snake oil to unsuspecting internet users around the world.

While many people have grown wise enough to spot the warning signs of the typical tech support scam, a significant percentage fall victim, and exploiting their naivety can prove quite profitable for cybercriminals. A recent report from Microsoft describes a growing global problem: 153,000 reports were received from Microsoft customers involved in tech support scams in 2017, leading to a 24 percent rise in tech scams reported by Microsoft from the previous year. Those who lost money forked over an average of $200 and $400.

“It doesn’t require a great deal of technical knowledge to carry out a support scam, so it’s easy to see why criminals are choosing to jump into this field,” said Marcus Moreno, Supervisor of Threat Research at Webroot. “All that’s is needed is gaining the user’s trust and knowing more than they do about their computer. Whether criminals pay websites to host their fake support banners, or they proactively reach out to you, it doesn’t take much expertise.”

Due to the lucrative nature and relative success rate of these social engineering tactics, tech support fraud continues to propagate. The FBI’s Internet Crime Complaint Center (IC3) received around 11,000 cases of tech support scams in 2017, with victims claiming nearly $15 million in losses. That’s a shocking 86 percent increase from 2016!

The IC3 report also noted new variations of the typical tech support scam, with attackers resorting to posing as law enforcement to re-target previous victims by offering phony recovery assistance in exchange for a fee. Tech support scams are also turning to target cryptocurrency users, where the stakes can be higher, netting potentially thousands of dollars from a single victim.

Cold calls? Hold the phone!

The number one thing to keep in mind is that major tech companies—whether that’s Microsoft, your security software provider, or your device manufacturer—will never call you out of the blue. Beyond attempting to dupe a victim out of a fee for fake support services, cybercriminals can also try to gain remote access to your computer to steal personal information and install malware that can carry on the attack after the phone call has ended.

It’s also important to know that tech support scams also appear in the form of malvertising, such as pop-ups that can be found even on legitimate websites. These scam ads try to trick users with various fake system errors or malware infection warnings. Thousands of websites were recently discovered to be infected with malicious ads that lock users’ browsers and display a fake infection warning, according to SC Magazine. Web-based threats like this highlight the importance of keeping your devices updated and secure, as well as practicing safe browsing habits.

Visit our Cybersecurity Education Resources to understand more about common tech support scams and how to avoid falling victim. There you can also find blacklists of URLs and phone numbers known to impersonate Webroot and target our customers.