Lock and Code

A digital form of protest could become the go-to response for the world’s largest porn website as it faces increased regulations: Not letting people access the site.In March, PornHub blocked access to visitors connecting to its website from Texas. It marked the second time in the past 12 months that the porn giant shut off its website to protest new requirements in online age verification.The Texas law, which was signed in June 2023, requires several types of adult websites to verify the age of their visitors by either collecting visitors’ information from a government ID or relying on a third party to verify age through the collection of multiple streams of data, such as education and employment status.PornHub has long argued that these age verification methods do not keep minors safer and that they place undue onus on websites to collect and secure sensitive information.The fact remains, however, that these types of laws are growing in popularity.Today, Lock and Code revisits a prior episode from 2023 with guest Alec Muffett, discussing online age verification proposals, how they could weaken security and privacy on the internet, and whether these efforts are oafishly trying to solve a societal problem with a technological solution.“The battle cry of these people have has always been—either directly or mocked as being—’Could somebody think of the children?’” Muffett said. “And I’m thinking about the children because I want my daughter to grow up with an untracked, secure private internet when she’s an adult. I want her to be able to have a private conversation. I want her to be able to browse sites without giving over any information or linking it to her identity.”Muffett continued:“I’m trying to protect that for her. I’d like to see more people grasping for that.”Alec MuffettTune in today.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)Listen up—Malwarebytes doesn't just talk cybersecurity, we provide it.Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Expert in home network security, Carey Parker, discusses the importance of securing home networks, including the necessity of accurate enumeration, upgrading to modern routers, securing IoT devices, and monitoring outbound traffic for enhanced security measures.

A disappointing meal at a restaurant. An ugly breakup between two partners. A popular TV show that kills off a beloved, main character.In a perfect world, these are irritations and moments of vulnerability. But online today, these same events can sometimes be the catalyst for hate. That disappointing meal can produce a frighteningly invasive Yelp review that exposes a restaurant owner’s home address for all to see. That ugly breakup can lead to an abusive ex posting a video of revenge porn. And even a movie or videogame can enrage some individuals into such a fury that they begin sending death threats to the actors and cast mates involved.Online hate and harassment campaigns are well-known and widely studied. Sadly, they’re also becoming more frequent.In 2023, the Anti-Defamation League revealed that 52% of American adults reported being harassed online at least some time in their life—the highest rate ever recorded by the organization and a dramatic climb from the 40% who responded similarly just one year earlier. When asking teens about recent harm, 51% said they’d suffered from online harassment in strictly the 12 months prior to taking the survey itself—a radical 15% increase from what teens said the year prior.The proposed solutions, so far, have been difficult to implement.Social media platforms often deflect blame—and are frequently shielded from legal liability—and many efforts to moderate and remove hateful content have either been slow or entirely absent in the past. Popular accounts with millions of followers will, without explicitly inciting violence, sometimes draw undue attention to everyday people. And the increasing need to have an online presence for teens—even classwork is done online now—makes it near impossible to simply “log off.”Today, on the Lock and Code podcast with host David Ruiz, we speak with Tall Poppy CEO and co-founder Leigh Honeywell, about the evolution of online hate, personal defense strategies that mirror many of the best practices in cybersecurity, and the modern risks of accidentally becoming viral in a world with little privacy.“It's not just that your content can go viral, it's that when your content goes viral, five people might be motivated enough to call in a fake bomb threat at your house.”Leigh Honeywell, CEO and co-founder of Tall PoppyTune in today. You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)Listen up—Malwarebytes doesn't just talk cybersecurity, we provide it.Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

For decades, fake IDs had roughly three purposes: Buying booze before legally allowed, getting into age-restricted clubs, and, we can only assume, completing nation-state spycraft for embedded informants and double agents.In 2024, that’s changed, as the uses for fake IDs have become enmeshed with the internet.Want to sign up for a cryptocurrency exchange where you’ll use traditional funds to purchase and exchange digital currency? You’ll likely need to submit a photo of your real ID so that the cryptocurrency platform can ensure you’re a real user. What about if you want to watch porn online in the US state of Louisiana? It’s a niche example, but because of a law passed in 2022, you will likely need to submit, again, a photo of your state driver’s license to a separate ID verification mobile app that then connects with porn sites to authorize your request.The discrepancies in these end-uses are stark; cryptocurrency and porn don’t have too much in common with Red Bull vodkas and, to pick just one example, a Guatemalan coup. But there’s something else happening here that reveals the subtle differences between yesteryear’s fake IDs and today’s, which is that modern ID verification doesn’t need a physical ID card or passport to work—it can sometimes function only with an image.Last month, the technology reporting outfit 404 Media investigated an online service called OnlyFake that claimed to use artificial intelligence to pump out images of fake IDs. By filling out some bogus personal information, like a made-up birthdate, height, and weight, OnlyFake would provide convincing images of real forms of ID, be they driver’s licenses in California or passports from the US, the UK, Mexico, Canada, Japan, and more. Those images, in turn, could then be used to fraudulently pass identification checks on certain websites.When 404 Media co-founder and reporter Joseph Cox learned about OnlyFake, he tested whether an image of a fake passport he generated could be used to authenticate his identity with an online cryptocurrency exchange.In short, it did.By creating a fraudulent British passport through OnlyFake, Joseph Cox—or as his fake ID said, “David Creeks”—managed to verify his false identity when creating an account with the cryptocurrency market OKX.Today, on the Lock and Code podcast with host David Ruiz, we speak with Cox about the believability of his fake IDs, the capabilities and limitations of OnlyFake, what’s in store for the future of the site— which went dark after Cox’s report—and what other types of fraud are now dangerously within reach for countless threat actors.Making fake IDs, even photos of fake IDs, is a very particular skill set—it’s like a trade in the criminal underground. You don’t need that anymore.Joseph Cox, 404 Media co-founderTune in today.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)Listen up—Malwarebytes doesn't just talk cybersecurity, we provide it.Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

If your IT and security teams think malware is bad, wait until they learn about everything else.In 2024, the modern cyberattack is a segmented, prolonged, and professional effort, in which specialists create strictly financial alliances to plant malware on unsuspecting employees, steal corporate credentials, slip into business networks, and, for a period of days if not weeks, simply sit and watch and test and prod, escalating their privileges while refraining from installing any noisy hacking tools that could be flagged by detection-based antivirus scans. In fact, some attacks have gone so "quiet" that they involve no malware at all. Last year, some ransomware gangs refrained from deploying ransomware in their own attacks, opting to steal sensitive data and then threaten to publish it online if their victims refused to pay up—a method of extracting a ransom that is entirely without ransomware. Understandably, security teams are outflanked. Defending against sophisticated, multifaceted attacks takes resources, technologies, and human expertise. But not every organization has that at hand. What, then, are IT-constrained businesses to do? Today, on the Lock and Code podcast with host David Ruiz, we speak with Jason Haddix, the former Chief Information Security Officer at the videogame developer Ubisoft, about how he and his colleagues from other companies faced off against modern adversaries who, during a prolonged crime spree, plundered employee credentials from the dark web, subverted corporate 2FA protections, and leaned heavily on internal web access to steal sensitive documentation. Haddix, who launched his own cybersecurity training and consulting firm Arcanum Information Security this year, said he learned so much during his time at Ubisoft that he and his peers in the industry coined a new, humorous term for attacks that abuse internet-connected platforms: "A browser and a dream." "When you first hear that, you're like, 'Okay, what could a browser give you inside of an organization?'" But Haddix made it clear: "On the internal LAN, you have knowledge bases like SharePoint, Confluence, MediaWiki. You have dev and project management sites like Trello, local Jira, local Redmine. You have source code managers, which are managed via websites—Git, GitHub, GitLab, Bitbucket, Subversion. You have repo management, build servers, dev platforms, configuration, management platforms, operations, front ends. These are all websites."Tune in today. You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)LLM Prompt Injection Game: https://gandalf.lakera.ai/Overwhelmed by modern cyberthreats? ThreatDown can help.The 2024 ThreatDown State of Malware report is a comprehensive analysis of six pressing cyberthreats this year—including Big Game ransomware, Living Off The Land (LOTL) attacks, and malvertising—with strategies on how IT and security teams can protect against them.Read the report here.

If the internet helped create the era of mass surveillance, then artificial intelligence will bring about an era of mass spying.That’s the latest prediction from noted cryptographer and computer security professional Bruce Schneier, who, in December, shared a vision of the near future where artificial intelligence—AI—will be able to comb through reams of surveillance data to answer the types of questions that, previously, only humans could.  “Spying is limited by the need for human labor,” Schneier wrote. “AI is about to change that.”As theorized by Schneier, if fed enough conversations, AI tools could spot who first started a rumor online, identify who is planning to attend a political protest (or unionize a workforce), and even who is plotting a crime.But “there’s so much more,” Schneier said.“To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.”Today, on the Lock and Code podcast with host David Ruiz, we speak with Bruce Schneier about artificial intelligence, Soviet era government surveillance, personal spyware, and why companies will likely leap at the opportunity to use AI on their customers.“Surveillance-based manipulation is the business model [of the internet] and anything that gives a company an advantage, they’re going to do.”Tune in today to listen to the full conversation.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)Listen up—Malwarebytes doesn't just talk cybersecurity, we provide it.Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

On Thursday, December 28, at 8:30 pm in the Utah town of Riverdale, the city police began investigating what they believed was a kidnapping.17-year-old foreign exchange student Kai Zhuang was missing, and according to Riverdale Police Chief Casey Warren, Zhuang was believed to be “forcefully taken” from his home, and “being held against his will.”The evidence leaned in police’s favor. That night, Zhuang’s parents in China reportedly received a photo of Zhuang in distress. They’d also received a ransom demand.But as police in Riverdale and across the state of Utah would soon learn, the alleged kidnapping had a few wrinkles.For starters, there was no sign that Zhuang had been forcefully removed from his home in Riverdale, where he’d been living with his host family. In fact, Zhuang’s disappearance was so quiet that his host family was entirely unaware that he’d been missing until police came and questioned them. Additionally, investigators learned that Zhuang had experienced a recent run-in with police officers nearly 75 miles away in the city of Provo. Just eight days before his disappearance in Riverdale, Zhuang caught the attention of Provo residents because of what they deemed strange behavior for a teenager: Buying camping gear in the middle of a freezing winter season. Police officers who intervened at the residents’ requests asked Zhuang if he was okay, he assured them he was, and a ride was arranged for the teenager back home.But what Zhuang didn’t tell Provo police at the time was that, already, he was being targeted in an extortion scam. But when Zhuang started to push back against his scammers, it was his parents who became the next target.Zhuang—and his family—had become victims of what is known as “virtual kidnapping.”For years, virtual kidnapping scams happened most frequently in Mexico and the Southwestern United States, in cities like Los Angeles and Houston. But in 2015, the scams began reaching farther into the US.The scams themselves are simple yet cruel attempts at extortion. Virtual kidnappers will call phone numbers belonging to affluent neighborhoods in the US and make bogus threats about a holding a family member hostage.As explained by the FBI in 2017, virtual kidnappers do not often know the person they are calling, their name, their occupation, or even the name of the family member they have pretended to abduct:“When an unsuspecting person answered the phone, they would hear a female screaming, ‘Help me!’ The screamer’s voice was likely a recording. Instinctively, the victim might blurt out his or her child’s name: ‘Mary, are you okay?’ And then a man’s voice would say something like, ‘We have Mary. She’s in a truck. We are holding her hostage. You need to pay a ransom and you need to do it now or we are going to cut off her fingers.’”Today, on the Lock and Code podcast with host David Ruiz, we are presenting a short, true story from December about virtual kidnapping. Today’s episode cites reporting and public statements from the Associated Press, the FBI, ABC4.com, Fox 6 Milwaukee, and the Riverdale Police Department.Tune in todayYou can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)

Hackers want to know everything about you: Your credit card number, your ID and passport info, and now, your DNA.On October 1 2023, on a hacking website called BreachForums, a group of cybercriminals claimed that they had stolen—and would soon sell—individual profiles for users of the genetic testing company 23andMe.23andMe offers direct-to-consumer genetic testing kits that provide customers with different types of information, including potential indicators of health risks along with reports that detail a person’s heritage, their DNA’s geographical footprint, and, if they opt in, a service to connect with relatives who have also used 23andMe’s DNA testing service.The data that 23andMe and similar companies collect is often seen as some of the most sensitive, personal information that exists about people today, as it can expose health risks, family connections, and medical diagnoses. This type of data has also been used to exonerate the wrongfully accused and to finally apprehend long-hidden fugitives.In 2018, deputies from the Sacramento County Sherriff’s department arrested a serial killer known as the Golden State Killer, after investigators took DNA left at decades-old crime scenes and compared it to a then-growing database of genetic information, finding the Golden State Killer’s relatives, and then zeroing in from there.And while the story of the Golden State Killer involves the use of genetic data to solve a crime, what happens when genetic data is part of a crime? What law enforcement agency, if any, gets involved? What rights do consumers have? And how likely is it that consumer complaints will get heard?For customers of 23andMe, those are particularly relevant questions. After an internal investigation from the genetic testing company, it was revealed that 6.9 million customers were impacted by the October breach.What do they do?Today on the Lock and Code podcast with host David Ruiz, we speak with Suzanne Bernstein, a law fellow at Electronic Privacy Information Center (EPIC) to understand the value of genetic data, the risks of its exposure, and the unfortunate reality that consumers face in having to protect themselves while also trusting private corporations to secure their most sensitive data.“We live our lives online and there's certain risks that are unavoidable or that are manageable relative to the benefit that a consumer might get from it,” Bernstein said.“Ultimately, while it's not the consumer's responsibility, an informed consumer can make the best choices about what kind of risks to take online.”Tune in today.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)

It talks, it squawks, it even blocks! The stocking-stuffer on every hobby hacker’s wish list this year is the Flipper Zero.“Talk” across low-frequency radio to surreptitiously change TV channels, emulate garage door openers, or even pop open your friend’s Tesla charging port without their knowing! “Squawk” with the Flipper Zero’s mascot and user-interface tour guide, a “cyber-dolphin” who can “read” the minds of office key fobs and insecure hotel entry cards. And, introducing in 2023, block iPhones running iOS 17!No, really, for a couple of months near the end of 2023, this consumer-friendly device could crash iPhones (a vulnerability that Apple fixed in a software update in mid-December), and in the United States, it is entirely legal to own.The Flipper Zero is advertised as a “multi-tool device for geeks.” It’s an open-source tool that can be used to hack into radio protocols, access control systems, hardware, and more. It can emulate keycards, serve as a universal remote for TVs, and make attempts to brute force garage door openers.But for security researcher Jeroen van der Ham, the Flipper Zero also served as a real pain in the butt one day in October, when, aboard a train in the Netherlands, he got a popup on his iPhone about a supposed Bluetooth pairing request with a nearby Apple TV. Strange as that may be on a train, van der Ham soon got another request. And then another, and another, and another.In explaining the problem to the outlet Ars Technica, van der Ham wrote:“My phone was getting these popups every few minutes and then my phone would reboot. I tried putting it in lock down mode, but it didn’t help.”Later that same day, on his way back home, once again aboard the train, van der Ham noticed something odd: the iPhone popups came back, and this time, he noticed that his fellow passengers were also getting hit.What van der Ham soon learned is that he—and the other passengers on the train—were being subjected to a Denial-of-Service attack, which weaponized the way that iPhones receive Bluetooth pairing requests. A Denial-of-Service attack is simple. Essentially, a hacker, or more commonly, an army of bots, will flood a device or a website with requests. The target in these attacks cannot keep up with the requests, so it often locks up and becomes inaccessible. That can be a major issue for a company that is suffering from having its website attacked, but it’s also dangerous for everyday people who may need to use their phones to, say, document something important, or reach out to someone when in need.In van der Ham’s case, the Denial-of-Service attack was likely coming from one passenger on the train, who was aided by the small, handheld device, the Flipper Zero.Today, on the Lock and Code podcast, with host David Ruiz, we speak with Cooper Quintin, senior public interest technologist with Electronic Frontier Foundation—and Flipper Zero owner—about what the Flipper Zero can do, what it can’t do, and whether governments should get involved in the regulation of the device (that’s a hard “No,” Quintin said).“Governments should be welcoming this device,” Quintin said. “Every government right now is saying, ‘We need more cyber security capacity. We need more cyber security researchers. We got cyber wars to fight, blah, blah, blah,’ right?”Quintin continued:“Then, when you make this amazing tool that is, I think, a really great way for people to start interacting with cybersecurity and getting really interested in it—then you ban that?”Tune in today.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)

Like the grade-school dweeb who reminds their teacher to assign tonight’s homework, or the power-tripping homeowner who threatens every neighbor with an HOA citation, the ransomware group ALPHV can now add itself to a shameful roster of pathetic, little tattle-tales.In November, the ransomware gang ALPHV, which also goes by the name Black Cat, notified the US Securities and Exchange Commission about the Costa Mesa-based software company MeridianLink, alleging that the company had failed to notify the government about a data breach. Under newly announced rules by the US Securities and Exchange Commission (SEC), public companies will be expected to notify the government agency about “material cybersecurity incidents” within four days of determining whether such an incident could have impacted the company’s stock prices or any investment decisions from the public.According to ALPHV, MeridianLink had violated that rule. But how did ALPHV know about this alleged breach?Simple. They claimed to have done it.“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” wrote ALPHV in a complaint that the group claimed to have filed with the US government.The victim, MeridianLink, refuted the claims. According to a MeridianLink spokesperson, while the company confirmed a cybersecurity incident, it denied the severity of the incident.“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” a MeridianLink spokesperson said at the time. “If we determine that any consumer personal information was involved in this incident, we will provide notifications as required by law.”This week on the Lock and Code podcast with host David Ruiz, we speak to Recorded Future intelligence analyst Allan Liska about what ALPHV could hope to accomplish with its SEC complaint, whether similar threats have been made in the past under other regulatory regime, and what organizations everywhere should know about ransomware attacks going into the new year. One big takeaway, Liska said, is that attacks are getting bigger, bolder, and brasher.“There are no protections anymore,” Liska said. “For a while, some ransomware actors were like, ‘No, we won’t go after hospitals, or we won’t do this, or we won’t do that.’ Those protections all seem to have flown out the window, and they’ll go after anything and anyone that will make them money. It doesn’t matter how small they are or how big they are.”Liska continued:“We’ve seen ransomware actors go after food banks. You’re not going to get a ransom from a food bank. Don’t do that.”Tune in today to listen to the full conversation.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)