Lock and Code

The podcast discusses the cyber attack on MGM Resorts, including disrupted reservations and non-functional gambling machines. They explore the implications of cyber attacks on businesses and the importance of quick recovery. The need for planning and road mapping in cybersecurity is highlighted. Challenges in implementing cybersecurity changes in reactive industries are discussed. The targeting of law firms by cyber criminals is examined. The future of cybersecurity and potential catalysts for prioritizing it are explored.

What are you most worried about online? And what are you doing to stay safe? Depending on who you are, those could be very different answers, but for teenagers and members of Generation Z, the internet isn't so scary because of traditional threats like malware and viruses. Instead, the internet is scary because of what it can expose. To Gen Z, a feared internet is one that is vindictive and cruel—an internet that reveals private information that Gen Z fears could harm their relationships with family and friends, damage their reputations, and even lead to their being bullied and physically harmed. Those are some of the findings from Malwarebytes' latest research into the cybersecurity and online privacy beliefs and behaviors of people across the United States and Canada this year.Titled "Everyone's afraid of the internet and no one's sure what to do about it," Malwarebytes' new report shows that 81 percent of Gen Z worries about having personal, private information exposed—like their sexual orientations, personal struggles, medical history, and relationship issues (compared to 75 percent of non-Gen Zers). And 61 percent of Gen Zers worry about having embarrassing or compromising photos or videos shared online (compared to 55% of non Gen Zers). Not only that, 36 percent worry about being bullied because of that info being exposed, while 34 percent worry about being physically harmed. For those outside of Gen Z, those numbers are a lot lower—only 22 percent worry about bullying, and 27 percent worry about being physically harmed.Does this mean Gen Z is uniquely careful to prevent just that type of information from being exposed online? Not exactly. They talk more frequently to strangers online, they more frequently share personal information on social media, and they share photos and videos on public forums more than anyone—all things that leave a trail of information that could be gathered against them.Today, on the Lock and Code podcast with host David Ruiz, we drill down into what, specifically, a Bay Area teenager is afraid of when using the internet, and what she does to stay safe. Visiting the Lock and Code podcast for the second year in the row is Nitya Sharma, discussing AI "sneak attacks," political disinformation campaigns, the unannounced location tracking of Snapchat, and why she simply cannot be bothered about malware. "I know that there's a threat of sharing information with bad people and then abusing it, but I just don't know what you would do with it. Show up to my house and try to kill me?" Tune in today for the full conversation.You can read our full report here: "Everyone's afraid of the internet and no one's sure what to do about it."You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)

When you think of the modern tools that most invade your privacy, what do you picture?There's the obvious answers, like social media platforms including Facebook and Instagram. There's email and "everything" platforms like Google that can track your locations, your contacts, and, of course, your search history. There's even the modern web itself, rife with third-party cookies that track your browsing activity across websites so your information can be bundled together into an ad-friendly profile. But here's a surprise answer with just as much validity: Cars. A team of researchers at Mozilla which has reviewed the privacy and data collection policies of various product categories for several years now, named "Privacy Not Included," recently turned their attention to modern-day vehicles, and what they found shocked them. Cars are, to put it shortly, a privacy nightmare. According to the team's research, Nissan says it can collect “sexual activity” information about consumers. Kia says it can collect information about a consumer's “sex life.” Subaru passengers allegedly consent to the collection of their data by simply being in the vehicle. Volkswagen says it collects data like a person's age and gender and whether they're using your seatbelt, and it can use that information for targeted marketing purposes. But those are just some of the highlights from the Privacy Not Included team. Explains Zoë MacDonald, content creator for the research team: "We were pretty surprised by the data points that the car companies say they can collect... including social security number, information about your religion, your marital status, genetic information, disability status... immigration status, race. And of course, as you said.. one of the most surprising ones for a lot of people who read our research is the sexual activity data."Today on the Lock and Code podcast with host David Ruiz, we speak with MacDonald and Jen Caltrider, Privacy Not Included team lead, about the data that cars can collect, how that data can be shared, how it can be used, and whether consumers have any choice in the matter.We also explore the booming revenue stream that car manufacturers are tapping into by not only collecting people's data, but also packaging it together for targeted advertising. With so many data pipelines being threaded together, Caltrider says the auto manufacturers can even make "inferences" about you.  "What really creeps me out [is] they go on to say that they can take all the information they collect about you from the cars, the apps, the connected services, and everything they can gather about you from these third party sources," Caltrider said, "and they can combine it into these things they call 'inferences' about you about things like your intelligence, your abilities, your predispositions, your characteristics." Caltrider continued:"And that's where it gets really creepy because I just imagine a car company knowing so much about me that they've determined how smart I am."Tune in today. 

In 2022, Malwarebytes investigated the blurry, shifting idea of “identity” on the internet, and how online identities are not only shaped by the people behind them, but also inherited by the internet’s youngest users, children. Children have always inherited some of their identities from their parents—consider that two of the largest indicators for political and religious affiliation in the US are, no surprise, the political and religious affiliations of someone’s parents—but the transfer of online identity poses unique risks. When parents create email accounts for their kids, do they also teach their children about strong passwords? When parents post photos of their children online, do they also teach their children about the safest ways to post photos of themselves and others? When parents create a Netflix viewing profile on a child's iPad, are they prepared for what else a child might see online? Are parents certain that a kid is ready to watch before they can walk?Those types of questions drove a joint report that Malwarebytes published last year, based on a survey of 2,000 people in North America. That research showed that, broadly, not enough children and teenagers trust their parents to support them online, and not enough parents know exactly how to give the support their children need.But stats and figures can only tell so much of the story, which is why last year, Lock and Code host David Ruiz spoke with a Bay Area high school graduate about her own thoughts on the difficulties of growing up online. Lock and Code is re-airing that episode this week because, in less than one month, Malwarebytes is releasing a follow-on report about behaviors, beliefs, and blunders in online privacy and cybersecurity. And as part of that report, Lock and Code is bringing back the same guest as last year, Nitya Sharma. Before then, we are sharing with listeners our prior episode that aired in 2022 about the difficulties that an everyday teenager faces online, including managing her time online, trying to meet friends and complete homework, the traps of trading online interaction with in-person socializing, and what she would do differently with her children, if she ever started a family, in preparing them for the Internet.Tune in today. You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)

Becky Holmes is a big deal online. Hugh Jackman has invited her to dinner. Prince William has told her she has "such a beautiful name." Once, Ricky Gervais simply needed her photos ("I want you to take a snap of yourself and then send it to me on here...Send it to me on here!" he messaged on Twitter), and even Tom Cruise slipped into her DMs (though he was a tad boring, twice asking about her health and more often showing a core misunderstanding of grammar). Becky has played it cool, mostly, but there's no denying the "One That Got Away"—Official Keanu Reeves. After repeatedly speaking to Becky online, convincing her to download the Cash app, and even promising to send her $20,000 (which Becky said she could use for a new tea towel), Official Keanu Reeves had a change of heart earlier this year: "I hate you," he said. "We are not in any damn relationship." Official Keanu Reeves, of course, is not Keanu Reeves. And hughjackman373—as he labeled himself on Twitter—is not really Hugh Jackman. Neither is "Prince William," or "Ricky Gervais," or "Tom Cruise." All of these "celebrities" online are fake, and that isn't commentary on celebrity culture. It's simply a fact, because all of the personas online who have reached out to Becky Holmes are romance scammers. Romance scams are serious crimes that follow similar plots. Online, an attractive stranger or celebrity—coupled with an appealing profile picture—will send a message to a complete stranger, often on Twitter, Instagram, Facebook, or LinkedIn. They will flood the stranger with affectionate messages and promises of a perfect life together, sometimes building trust and emotional connection for weeks or even months. As time continues, they will also try to remove the conversation away from the social media platform where it started, instead moving it to WhatsApp, Telegram, Messages, or simple text. Here, the scam has already started. Away from the major social media and networking platforms, the scammers persistent messages cannot be flagged for abuse or harassment, and the scammer is free to press on. Once an emotional connection is built, the scammer will suddenly be in trouble, and the best way out, is money—the victim’s money.These crimes target vulnerable people, like recently divorced individuals, widows, and the elderly. But when these same scammers reach out to Becky Holmes, Becky Holmes turns the tables.Becky once tricked a scammer into thinking she was visiting him in the far-off Antarctic. She has led one to believe that she had accidentally murdered someone and she needed help hiding the body. She has given fake, lewd addresses, wasted their time, and even shut them down when she can by coordinating with local law enforcement.And today on the Lock and Code podcast with host David Ruiz, Becky Holmes returns to talk about romance scammer "education" and the potential involvement in pyramid schemes, a disappointing lack of government response to protect victims, and the threat of Twitter removing its block function, along with some of the most recent romance scams that Becky has encountered online.“There’s suddenly been this kind of influx of Elons. Absolutely tons of those have come about… I think I get probably at least one, maybe two a day.”Tune in today.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)

"Freedom" is a big word, and for many parents today, it's a word that includes location tracking. Across America, parents are snapping up Apple AirTags, the inexpensive location tracking devices that can help owners find lost luggage, misplaced keys, and—increasingly so—roving toddlers setting out on mini-adventures. The parental fear right now, according to The Washington Post technology reporter Heather Kelly, is that "anybody who can walk, therefore can walk away." Parents wanting to know what their children are up to is nothing new. Before the advent of the Internet—and before the creation of search history—parents read through diaries. Before GPS location tracking, parents called the houses that their children were allegedly staying at. And before nearly every child had a smart phone that they could receive calls on, parents relied on a much simpler set of tools for coordination: Going to the mall, giving them a watch, and saying "Be at the food court at noon." But, as so much parental monitoring has moved to the digital sphere, there's a new problem: Children become physically mobile far faster than they become responsible enough to own a mobile. Enter the AirTag: a small, convenient device for parents to affix to toddlers' wrists, place into their backpacks, even sew into their clothes, as Kelly reported in her piece for The Washington Post. In speaking with parents, families, and childcare experts, Kelly also uncovered an interesting dynamic. Parents, she reported, have started relying on Apple AirTags as a means to provide freedom, not restrictions, to their children. Today, on the Lock and Code podcast with host David Ruiz, we speak with Kelly about why parents are using AirTags, how childcare experts are reacting to the recent trend, and whether the devices can actually provide a balm to increasingly stressed parents who may need a moment to sit back and relax. Or, as Kelly said:"In the end, parents need to chill—and if this lets them chill, and if it doesn't impact the kids too much, and it lets them go do silly things like jumping in some puddles with their friends or light, really inconsequential shoplifting, good for them."Tune in today. You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)

Earlier this month, a group of hackers was spotted using a set of malicious tools—that originally gained popularity with online video game cheaters—to hide their Windows-based malware from being detected.Sounds unique, right? Frustratingly, it isn't, as the specific security loophole that was abused by the hackers has been around for years, and Microsoft's response, or lack thereof, is actually a telling illustration of the competing security environments within Windows and macOS. Even more perplexing is the fact that Apple dealt with a similar issue nearly 10 years ago, locking down the way that certain external tools are given permission to run alongside the operating system's critical, core internals. Today, on the Lock and Code podcast with host David Ruiz, we speak with Malwarebytes' own Director of Core Tech Thomas Reed about everyone's favorite topic: Windows vs. Mac. But this isn't a conversation about the original iPod vs. Microsoft's Zune (we're sure you can find countless, 4-hour diatribes on YouTube for that), but instead about how the companies behind these operating systems can respond to security issues in their own products. Because it isn't fair to say that Apple or Microsoft are wholesale "better" or "worse" about security. Instead, they're hampered by their users and their core market segments—Apple excels in the consumer market, whereas Microsoft excels with enterprises. And when your customers include hospitals, government agencies, and pretty much any business over a certain headcount, well, it comes with complications in deciding how to address security problems that won't leave those same customers behind. Still, there's little excuse in leaving open the type of loophole that Windows has, said Reed:"Apple has done something that was pretty inconvenient for developers, but it really secured their customers because it basically meant we saw a complete stop in all kernel-level malware. It just shows you [that] it can be done. You're gonna break some eggs in the process, and Microsoft has not done that yet... They're gonna have to."Tune in today.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)

The language of a data breach, no matter what company gets hit, is largely the same. There's the stolen data—be it email addresses, credit card numbers, or even medical records. There are the users—unsuspecting, everyday people who, through no fault of their own, mistakenly put their trust into a company, platform, or service to keep their information safe. And there are, of course, the criminals. Some operate in groups. Some act alone. Some steal data as a means of extortion. Others steal it as a point of pride. All of them, it appears, take something that isn't theirs. But what happens if a cybercriminal takes something that may have already been stolen? In late June, a mobile app that can, without consent, pry into text messages, monitor call logs, and track GPS location history, warned its users that its services had been hacked. Email addresses, telephone numbers, and the content of messages were swiped, but how they were originally collected requires scrutiny. That's because the app itself, called LetMeSpy, is advertised as a parental and employer monitoring app, to be installed on the devices of other people that LetMeSpy users want to track. Want to read your child's text messages? LetMeSpy says it can help. Want to see where they are? LetMeSpy says it can do that, too. What about employers who are interested in the vague idea of "control and safety" of their business? Look no further than LetMeSpy, of course.  While LetMeSpy's website tells users that "phone control without your knowledge and consent may be illegal in your country," (it is in the US and many, many others) the app also claims that it can hide itself from view from the person being tracked. And that feature, in particular, is one of the more tell-tale signs of "stalkerware." Stalkerware is a term used by the cybersecurity industry to describe mobile apps, primarily on Android, that can access a device's text messages, photos, videos, call records, and GPS locations without the device owner knowing about said surveillance. These types of apps can also automatically record every phone call made and received by a device, turn off a device's WiFi, and take control of the device's camera and microphone to snap photos or record audio—all without the victim knowing that their phone has been compromised. Stalkerware poses a serious threat—particularly to survivors of domestic abuse—and Malwarebytes has defended users against these types of apps for years. But the hacking of an app with similar functionality raises questions. Today, on the Lock and Code podcast with host David Ruiz, we speak with the hacktivist and security blogger maia arson crimew about the data that was revealed in LetMeSpy's hack, the almost-clumsy efforts by developers to make and market these apps online, and whether this hack—and others in the past—are "good." "I'm the person on the podcast who can say 'We should hack things,' because I don't work for Malwarebytes. But the thing is, I don't think there really is any other way to get info in this industry."Tune in today. You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)

In the United States, when the police want to conduct a search on a suspected criminal, they must first obtain a search warrant. It is one of the foundational rights given to US persons under the Constitution, and a concept that has helped create the very idea of a right to privacy at home and online. But sometimes, individualized warrants are never issued, never asked for, never really needed, depending on which government agency is conducting the surveillance, and for what reason. Every year, countless emails, social media DMs, and likely mobile messages are swept up by the US National Security Agency—even if those communications involve a US person—without any significant warrant requirement. Those digital communications can be searched by the FBI. The information the FBI gleans from those searches can be used can be used to prosecute Americans for crimes. And when the NSA or FBI make mistakes—which they do—there is little oversight. This is surveillance under a law and authority called Section 702 of the FISA Amendments Act. The law and the regime it has enabled are opaque. There are definitions for "collection" of digital communications, for "queries" and "batch queries," rules for which government agency can ask for what type of intelligence, references to types of searches that were allegedly ended several years ago, "programs" that determine how the NSA grabs digital communications—by requesting them from companies or by directly tapping into the very cables that carry the Internet across the globe—and an entire, secret court that, only has rarely released its opinions to the public. Today, on the Lock and Code podcast, with host David Ruiz, we speak with Electronic Frontier Foundation Senior Policy Analyst Matthew Guariglia about what the NSA can grab online, whether its agents can read that information and who they can share it with, and how a database that was ostensibly created to monitor foreign intelligence operations became a tool for investigating Americans at home. As Guariglia explains:"In the United States, if you collect any amount of data, eventually law enforcement will come for it, and this includes data that is collected by intelligence communities."Tune in today.You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)

When you think about the word "cyberthreat," what first comes to mind? Is it ransomware? Is it spyware? Maybe it's any collection of the infamous viruses, worms, Trojans, and botnets that have crippled countless companies throughout modern history. In the future, though, what many businesses might first think of is something new: Disinformation. Back in 2021, in speaking about threats to businesses, the former director of the US Cybersecurity and Infrastructure Security Agency, Chris Krebs, told news outlet Axios: “You’ve either been the target of a disinformation attack or you are about to be.”That same year, the consulting and professional services firm Price Waterhouse Coopers released a report on disinformation attacks against companies and organizations, and it found that these types of attacks were far more common than most of the public realized. From the report: “In one notable instance of disinformation, a forged US Department of Defense memo stated that a semiconductor giant’s planned acquisition of another tech company had prompted national security concerns, causing the stocks of both companies to fall. In other incidents, widely publicized unfounded attacks on a businessman caused him to lose a bidding war, a false news story reported that a bottled water company’s products had been contaminated, and a foreign state’s TV network falsely linked 5G to adverse health effects in America, giving the adversary’s companies more time to develop their own 5G network to compete with US businesses.”Disinformation is here, and as much of it happens online—through coordinated social media posts and fast-made websites—it can truly be considered a "cyberthreat." But what does that mean for businesses? Today, on the Lock and Code podcast with host David Ruiz, we speak with Lisa Kaplan, founder and CEO of Alethea, about how organizations can prepare for a disinformation attack, and what they should be thinking about in the intersection between disinformation, malware, and cybersecurity. Kaplan said:"When you think about disinformation in its purest form, what we're really talking about is people telling lies and hiding who they are in order to achieve objectives and doing so in a deliberate and malicious life. I think that this is more insidious than malware. I think it's more pervasive than traditional cyber attacks, but I don't think that you can separate disinformation from cybersecurity."Tune in today. You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.Show notes and credits:Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: “Good God” by Wowa (unminus.com)