A recent spate of ransomware attacks have derailed major corporations, spurring a fuel shortage on the US East Coast, shuttering grocery stores in Sweden, and sending students home from grade schools. The solution, so many cybersecurity experts say, is to implement backups. But if backups are so useful, why aren't they visibly working? Companies with backups have found them misconfigured, or they've ended up paying a ransom anyways. On Lock and Code this week, we speak with VMware technical acco...
Sep 13, 2021•41 min•Season 2Ep. 17
No one ever wants a group of hackers to say about their company: “We had the keys to the kingdom.” But that’s exactly what the hacker Sick Codes said on this week’s episode of Lock and Code, with host David Ruiz, when talking about his and fellow hackers’ efforts to peer into John Deere’s data operations center, where the company receives a near-endless stream of data from its Internet-connected tractors, combines, and other smart farming equipment.
Aug 30, 2021•45 min•Season 2Ep. 16
When Luta Security CEO and founder Katie Moussouris analyzed the popular social "listening" app Clubhouse, she found a way to eavesdrop on conversations without notifying other users. This was, Moussouris said, a serious and basic flaw, so, using her years of expertise, she documented the vulnerability and emailed some information to the company. Her emails went unanswered for weeks. Today, on Lock and Code with host David Ruiz, we speak to Moussouris about Clubhouse, vulnerability disclosure, a...
Aug 16, 2021•46 min•Season 2Ep. 15
The 2021 attacks on two water treatment facilities in the US—combined with ransomware attacks on an oil and gas supplier and a meat and poultry distributor—could lead most people to believe that a critical infrastructure “big one” is coming. But, as Lesley Carhart, principal threat hunter with Dragos, tells us, the chances of such an event are remarkably slim. In fact, critical infrastructure’s regular disaster planning often leads to practices that can detect, limit, or prevent any wide-reachin...
Aug 02, 2021•41 min•Season 2Ep. 14
On April 1, a volunteer researcher for the Dutch Institute for Vulnerability Disclosure (DIVD) began poking around into Kaseya VSA, a popular software tool used to remotely manage and monitor computers. Within minutes, he found a zero-day vulnerability that allowed remote code execution—a serious flaw. Within weeks, his team had found seven or eight more. In today's episode, DIVD Chair Victor Gevers describes the race to prevent one of the most devastating ransomware attacks in recent history. I...
Jul 19, 2021•44 min•Season 2Ep. 13
At 11:37 pm on the night of September 20, 2019, cybercriminals launched a ransomware attack against Northshore School District in Washington state. Early the next morning, Northshore systems administrator Ski Kacoroski arrived on scene. As Kacoroski soon found out, he and his team were on a race against time—the ransomware actively spreading across servers holding data necessary for day-to-day operations. And importantly, in just four days, the school district needed—by law—to pay its staff. Tha...
Jul 06, 2021•42 min•Season 2Ep. 12
Ransomware attacks are on a different scale this year, with major attacks not just dismantling the business and management of Colonial Pipeline in the US, the Health Service Executive in Ireland , and the meatpacker JBS in Australia, but also disrupting people's access to gasoline, healthcare, COVID-19 vaccinations, and more. So, what is it going to take to stop these attacks? Brian Honan, CEO of BH Consulting, said that the process will be long and complex, but the end goal in sight should be s...
Jun 21, 2021•45 min•Season 2Ep. 11
In 2016, a mid-20s man began an intense, prolonged harassment campaign against his new roommate. He emailed her from spoofed email accounts. He texted her and referenced sensitive information that was only stored in a private, online journal. He created new Instagram accounts, he repeatedly made friend requests through Facebook to her friends and family, he even started making bomb threats. And though he tried to sometimes mask his online activity, two of the VPNs he used while registering a fak...
Jun 07, 2021•27 min•Season 2Ep. 10
This week on Lock and Code, we speak to cybersecurity advocate and author Carey Parker about "dark patterns," which are subtle tricks online to get you to make choices that might actually harm you. Maybe you'll be bilked out a couple dollars, maybe you'll find it nearly impossible to unsubscribe out of that newsletter, or maybe you'll see yourself signing away some of your data privacy controls just so a company can keep making more money off you. Tune in to learn about dark patterns—how to spot...
May 24, 2021•51 min•Season 2Ep. 9
This week on Lock and Code, we speak to cybersecurity and privacy attorney Jake Bernstein about ransomware attacks that don't just derail a company's reputation and productivity, but also throw them into potential legal peril. These are "double extortion" attacks, in which ransomware operators can hit the same target two times over—encrypting a victim's files and also threatening to publish sensitive data that was stolen in the attack. And in the US, whenever data is stolen and released, there a...
May 10, 2021•40 min•Season 2Ep. 8
This week on Lock and Code, we speak to Malwarebytes Chief Information Security Officer John Donovan about the flaws in using VirusTotal as the one source of truth when evaluating whether or not a cybersecurity tool actually works. It's a practice that is surprisingly common among small- to medium-sized businesses (SMBs). Tune in to learn about the smartest ways to test and implement endpoint protection into your SMB, and how to finally break free from the VirusTotal silo, on the latest episode ...
Apr 26, 2021•28 min•Season 2Ep. 7
This week on Lock and Code, we speak to Point3 Security chief strategist Chloé Messdaghi, HaveIBeenPwned founder Troy Hunt, and We Hack Purple founder and CEO Tanya Janca about security fatigue. Security fatigue is exactly what it sounds like. It's the limit we all reach when security best practices become overbearing. It's what prevents us from making a strong password for a new online account. It’s why we may not update our software despite repeated notifications. And, importantly, it probably...
Apr 12, 2021•1 hr 3 min•Season 2Ep. 6
This week on Lock and Code, we speak to Malwarebytes senior security researcher JP Taggart about the importance of trusting your VPN. You've likely heard the benefits of using a VPN: You can watch TV shows restricted to certain countries, you can encrypt your web traffic on public WiFi networks, and, importantly, you can obscure your Internet activity from your Internet Service Provider, which may use that activity for advertising. But obscuring your Internet activity—including the websites you ...
Mar 29, 2021•38 min•Season 2Ep. 5
This week on Lock and Code, we tune in to a special presentation from Adam Kujawa about the 2021 State of Malware report, which analyzed the top cybercrime goals of 2020 amidst the global pandemic. If you just pay attention to the numbers from last year, you might get the wrong idea. After all, malware detections for both consumers and businesses decreased in 2020 compared to 2019. That sounds like good news, but it wasn't. Behind those lowered numbers were more skillful, more precise attacks th...
Mar 15, 2021•37 min•Season 2Ep. 4
Every few years, after the public learns about an ugly, online harassment campaign, a familiar response shoots forth: Change the way we talk to one another online, either by changing the law, or changing the rules for how we identify ourselves online. But these "solutions" could actually bring more problems, particularly for vulnerable communities. Today, we speak to Electronic Frontier Foundation's Director of Cybersecurity Eva Galperin about how removing online anonymity could harm the safety ...
Mar 01, 2021•40 min•Season 2Ep. 3
On today's show, we discuss cybersecurity's public enemy number one: Emotet. This piece of malware started in 2014 as a simple banking Trojan, but it later evolved into a fully functional malware business, as its operators sold access to other threat actors and helped load separate malware for a price. The danger was real, but on January 27, Europol announced they'd taken Emotet down. Today, we talk to Malwarebytes security evangelist Adam Kujawa about Emotet's past, its takedown, and the power ...
Feb 15, 2021•44 min•Season 2Ep. 2
For Data Privacy Day this year, Lock and Code returns with a special episode featuring guests from Mozilla, DuckDuckGo, and EFF in a discussion on how to protect your online privacy.
Jan 28, 2021•45 min•Season 2Ep. 1
Education faced a crisis in the US this year, as the coronavirus forced schools across the country to develop new strategies for teaching. At Malwarebytes, we wanted to discover how these shifts impacted education cybersecurity. Today on Lock and Code, we discuss the latest findings from our report, "Lessons in cybersecurity: How education coped in the shift to distance learning," and we speak with Doug Levin, founder of K12 cybersecurity resource center and advisor to K12 Security Information E...
Dec 07, 2020•41 min•Season 1Ep. 21
Today we look at two topics that, maybe surprisingly, intersect: charity organizations and online ad tracking. Ad tracking isn't new—luxury brands used to place their advertisements specifically in newspapers that delivered to high-income zip codes. But today's ad tracking supercharges that match-making game with a complex, opaque machinery that can track what you do online, what websites you visit, what browser you use, and even your gender, religion, and political bias. To help us better under...
Nov 23, 2020•42 min•Season 1Ep. 20
Today, we’re offering Lock and Code listeners something different. We’re giving you a backstage pass to a training we held for employees during Cybersecurity Awareness Month. The topic? The future of cybersecurity for the Internet of Things. Will we ever run antivirus software on IoT devices? What predictions can we make for how the cybersecurity industry will respond to the next, possible big IoT attack? And what can we do today to stay safe? This episode was recorded live in front of our fello...
Nov 10, 2020•42 min•Season 1Ep. 19
Cybersecurity Awareness Month is upon us, and while the value of the once-a-year awareness campaign may be obvious to the countless employees now enrolled in cybersecurity trainings, phishing quizzes, and multi-factor authentication webinars—likely mandated by their employers—the value of this awareness campaign may be a little less obvious to the everyday consumer. To help us better understand the value of Cybersecurity Awareness Month for the consumer, we’re talking today with Jamie Court, pre...
Oct 26, 2020•31 min•Season 1Ep. 18
We often learn about cybersecurity issues because of reporting. And as the years have progressed, the stories have only become more intertwined into our everyday lives. Tune in to hear about the role of journalism in cybersecurity—like what makes a vulnerability newsworthy and what coverage helps readers most—on the latest episode of Lock and Code, with guests Seth Rosenblatt of The Parallax and Alfred Ng of CNET.
Oct 12, 2020•38 min•Season 1Ep. 17
A recent history of hacking shows the importance of experimentation. In 2015, security researchers hacked a Jeep Cherokee and took over its steering, transmission, and brakes. In 2019, researchers accessed medical scanning equipment to alter X-ray images, inserting fraudulent, visual signs of cancer in a hypothetical patient. Today, we're discussing one such experiment—a garage door opener called “Open Sesame.” Join us for a discussion with "Open Sesame"'s developer, who is also the chief securi...
Sep 28, 2020•32 min•Season 1Ep. 16
The world of Google Chrome extensions—the sometimes helpful tools that can work directly with the Google Chrome browser to provide a variety of features—is enormous. So, with a marketplace of more than 200,000 items, quality control gets tricky. On today's episode, we speak with Pieter Arntz, malware intelligence researcher for Malwarebytes, about safely downloading Google Chrome extensions and how to avoid some of the more malicious extensions that are meant to hijack searches or sneakily deliv...
Sep 14, 2020•29 min•Season 1Ep. 15
Ask yourself, right now, on a scale from one to ten, how cybersecure are you? Are you maybe inflating that answer? Our main story today concerns “security hubris,” the simple, yet difficult-to-measure phenomenon in which businesses, and the people inside them, are less secure than they actually believe. To better understand security hubris—how businesses can identify it and what they can do to protect against it—we’re talking today to Adam Kujawa, security evangelist and director for Malwarebyte...
Aug 31, 2020•35 min•Season 1Ep. 14
Parental monitoring apps give parents the capabilities to spot where their kids go, read what their kids read, and prevent them from, for instance, visiting websites deemed inappropriate. But where these apps begin to cause concern is just how powerful they can be. To help us better understand parental monitoring apps, their capabilities, and how parents can choose to safely use these with their children, we’re talking today with Emory Roane, policy counsel at Privacy Rights Clearinghouse
Aug 17, 2020•36 min•Season 1Ep. 13
Identity and access management, or IAM, is the name we use for the set of technologies and policies that control who accesses what resources inside a system—from company files being locked away for only some employees, to even your online banking account being accessible only to you. With more individuals using more accounts to access more resources than ever before, threats have similarly emerged. To better understand identity and access management, its impacts on the digital and physical world...
Aug 03, 2020•30 min•Season 1Ep. 12
Last month, cybersecurity experts warned the public about the data collection embedded in the Donald Trump 2020 re-election campaign’s mobile app. Once downloaded, the app requests broad access to user information, including device contacts, rough location, device storage, ID, call information, Bluetooth pairing, and more. On today’s episode, we’re looking at just one of the apps’ requested permissions—Bluetooth. To help us better understand Bluetooth and beacon technology, how they are applied ...
Jul 20, 2020•38 min•Season 1Ep. 11
For years, Internet capabilities have crept into modern consumer products, providing sometimes convenient, sometimes extraneous Internet connectivity. This increase in IoT devices has an obvious outcome—a broader attack surface for threat actors. Not only that, but with more devices connecting to the Internet, there are also more devices collecting your data and analyzing it to send you more ads, more frequently, for more products. To help us better understand the Internet of Things—including th...
Jul 07, 2020•40 min•Season 1Ep. 10
We may know it’s important to have a strong, non-guessable, lengthy password, and yet we still probably all know someone who writes their password on a post-it, which is then affixed literally onto their machine. To help us better understand the future of passwords, and any potential pitfalls for the burgeoning alternatives, we’re talking today to Matt Davey, Chief Operations Optimist at 1Password, and Kyle Swank, a member of 1Password's security team.
Jun 21, 2020•34 min•Season 1Ep. 9
