Daily Archives: December 13, 2019

Cybersecurity Tips for Online Holiday Shopping

Reading Time: ~ 4 min.

The holiday shopping season is prime time for digital purchases and cybercriminals are cashing in on the merriment. With online shopping officially becoming more popular than traditional in-store visits this year, all signs point to an increase in cyberattacks. It’s more important than ever to be mindful of potential dangers so you can avoid getting Scrooged when buying online. Follow these top tips for secure online shopping.

Want to give the gift of cybersecurity? Internet Security Complete includes Identity Shield, designed to protect your browsing, shopping, banking, and social media.

Only use credit cards. If your debit card gets compromised, it has the potential to cascade in catastrophic ways; automatic bill payments may bounce or overdraft protections may drain secondary accounts. Some banks also have strict rules about when you need to notify them of suspected fraud, or else you could be liable for the costs.

On the other hand, the Fair Credit Billing Act provides some protections for consumers from unauthorized charges on credit cards. Additionally, it’s much easier to have your credit card replaced with new, uncompromised numbers and details than it is with bank account info.

Be cautious of deal and discount emails. During the holidays, there’s always a spike in physical and electronic mailers about special deals. At this point, we’re all used to that. We might even wait to buy something we want, knowing that it’ll probably go on sale during holiday clearance. Unfortunately, criminals use this expectation against us by sending cleverly crafted phishing emails to trick us into compromising our data.

Always be cautious about emails from unknown senders or even trusted third-party vendors, especially around the holidays. Always navigate to the deal website separately from the email — don’t just click the link. If the deal link can only be accessed through the email, it’s best to pass up on those supposed savings. It is also prime time for emails offering “free giftcards” avoid those like the plague.

Never make purchases without HTTPS. Check the URL—if it doesn’t start with HTTPS, it doesn’t have SSL encryption. SSL (secure sockets layer) encryption is a security standard for sharing information between web servers and a browser. Without it, your private information, including your credit card number, can be more easily intercepted by cybercriminals.

Keep in mind: HTTPS only ensures that the data you send will be encrypted on the way, not that the destination is legit. Cybercriminals have started to use HTTPS to trick website users into a false sense of security. That means, while you should never send private or financial data through a site that doesn’t have HTTPS, you shouldn’t rely on the presence of HTTPS alone to guarantee the security of the page.

Don’t make purchases on devices you don’t personally own. If you’re using a borrowed or shared device, such as a computer at a library or a friend’s phone, don’t make any purchases. Even if it’s a seemingly safe device that belongs to a person you know and trust, you have no way of knowing how secure it really is. It’s pretty unlikely that you’ll encounter a lightning deal that’s worth the hassle of financial fraud or identity theft. So just wait on that purchase until you can make it on your own device.

Never use unsecured public WiFi for online purchases. Many public WiFi networks, like the ones at your local café, the gym, a hotel, etc., are completely unsecured and unencrypted. That means anyone with the know-how can easily track all of your online activities while you’re using that network, including any login or banking information. Even worse, hackers are capable of dropping viral payloads onto your device through public networks, which can then spread to your other devices at home.

Always use a VPN when you’re on public WiFi, if you have to use it at all. Otherwise, we suggest using a private mobile hotspot from your phone instead. (See our section on VPNs below.)

Use a password manager to create strong passwords. You can often stop a security breach from spreading out past the initial impact point just by using a trusted password manager, such as LastPass, which will help you create strong passwords. A password manager will create and store them for you, conveniently and securely, so you don’t have to remember them or write them down somewhere. Taking this step will help protect you from potential third-party breaches as well, like the one Amazon announced just before Black Friday in 2018.

Encrypt your traffic with a virtual private network (VPN). A VPN allows you browse privately and securely by shielding your data and location in a tunnel of encryption. So even if you are unwittingly using a compromised network, such as the unsecured public WiFi at your favorite morning coffee stop, your VPN will prevent your private data from being scooped up by cybercriminals. But be sure you’re using a trusted VPN—many free options secretly collect and sell your data to turn a profit.

Install antivirus software and keep it up to date. A VPN will protect your data from being tracked and stolen, but it can’t protect you if you click on a malicious link or download a virus. Make sure your antivirus software is from a reliable provider and that it’s not only installed, but up to date. Most antivirus products today will even update themselves automatically (as long as you don’t turn that feature off), so make sure you have such settings enabled. It may make all the difference when it comes to preventing a security breach.

Keep a close eye your bank and credit accounts for suspicious activity. The fact of the matter is that the holiday season causes a peak in malicious online activity. Be proactive and check all of your financial records regularly for suspicious charges. The faster you can alert your bank or credit provider to these transactions, the faster you can get a replacement card and be back on your merry way.

Don’t fall victim to cybercrime this holiday season. Be mindful of all the links you click and online purchases you make, and be sure to protect your devices (and your data and identity) with a VPN and strong antivirus software!

The post Cybersecurity Tips for Online Holiday Shopping appeared first on Webroot Blog.

How To Get The Most Out Of Industry Analyst Reports

Whether you’re trying to inform purchasing decisions or just want to better understand the cybersecurity market and its players, industry analyst reports can be very helpful. Following our recent accolades by Forrester and IDC in their respective cloud security reports, we want to help customers understand how to use this information.

Our VP of cybersecurity, Greg Young, taps into his past experience at Gartner to explain how to discern the most value from industry analyst reports.

The post How To Get The Most Out Of Industry Analyst Reports appeared first on .

Cyber News Rundown: Zeppelin Ransomware

Reading Time: ~ 2 min.

Zeppelin Ransomware Spreading

Over the last month, researchers have been monitoring the spread of a new ransomware variant, Zeppelin. This is the latest version of the ransomware-as-a-service that started life as VegaLocker/Buran and has differentiated itself by focusing on healthcare and IT organizations in both the U.S. and Europe. This variant is unique in that extensions are not appended, but rather a file marker called Zeppelin can be found when viewing encrypted files in a hex editor.

German ISP Faces Major GDPR Fine

The German internet service provider (ISP) 1&1 was recently fined for failing to protect the identity of customers who were reaching out to their call centers for support. While the incident took place in 2018, GDPR is clear about imposing fines for organizations that haven’t met security standards, even if retroactive changes were made. 1&1 is attempting to appeal the fines and has begun implementing a new authentication process for confirming customers’ identities over the phone.

Turkish Credit Card Dump

Nearly half a million payment cards belonging to Turkish residents were found in a data dump on a known illicit card selling site. The cards in question are both credit and debit cards and were issued by a variety of banking institutions across Turkey. This likely means that a mediating payment handler was the source of the leak, rather than a specific bank. Even more worrisome, the card dump contained full details on the cardholders, including expiration dates, CVVs, and names; everything a hacker would need to make fraudulent purchases or commit identify theft.

Pensacola Ransomware Attack

The city of Pensacola, Florida was a recent victim of a ransomware attack that stole, then encrypted their entire network before demanding $1 million ransom. In an unusual message, the authors of the Maze ransomware used explicitly stated that they had no connection to the recent shootings at the Pensacola Naval Base, nor were they targeting emergency services with their cyberattack.

Birth Certificate Data Leak

An unnamed organization that provides birth certificate services to U.S. citizens was contacted earlier this week in regard to a data leak of nearly 750,000 birth certificate applications. Within the applications was sensitive information for both the child applicant and their family members, which is highly sought after by scammers because it is relatively easy to open credit accounts for children with no prior credit history. Researchers are still waiting to hear back from the organization after finding this data dump in an unsecured Amazon Web Services bin.

The post Cyber News Rundown: Zeppelin Ransomware appeared first on Webroot Blog.

Weekly Update 169

Weekly Update 169

I recorded this right before heading out for my final conference talk of the year at YOW! Melbourne where I was due to do the closing keynote of the event. That's now done, questions answered and beers drunk and I left the event feeling great. One of the things I get the most pleasure out of at conferences is hanging around talking to people so a big thanks to everyone who made the time today to stay back on a Friday evening and cap a very busy year of conferences off in this fashion. I'm going to leave that intro here, push this week's update then do it all again (hopefully also on time!) a week from now.

Weekly Update 169
Weekly Update 169
Weekly Update 169
Weekly Update 169

References

  1. Why No HTTPS? is getting a complete update (new data, new ranking criteria, still not enough HTTPS!)
  2. Go home GoGetSSL, your ad is drunk! (this is just complete and utter rubbish)
  3. Oh look, a kid's tracking watch with serious security vulnerabilities! (this is such an alarmingly predictable trend now)
  4. Sponsored by: Whois XML API: The top domain WHOIS, DNS, IP and Threat Intelligence solution provider for MDR, SIEM, digital forensics, and threat hunting.