Joaquín Ruiz Security Vulnerabilities

Fighting online censorship, or, encryption's latest surprise use-case, with Mallory Knodel: Lock and Code S04E05

Government threats to end-to-end encryption--the technology that secures your messages and shared photos and videos--have been around for decades, but the most recent threats to this technology are unique in how they intersect with a broader, sometimes-global effort to control information on the...

What is AI good at (and what the heck is it, actually), with Josh Saxe: Lock and Code S04E04

In November of last year, the AI research and development lab OpenAI revealed its latest, most advanced language project: A tool called ChatGPT. ChatGPT is so much more than "just" a chatbot. As users have shown with repeated testing and prodding, ChatGPT seems to "understand" things. It can give.....

A private moment, caught by a Roomba, ended up on Facebook. Eileen Guo explains how: Lock and Code S04E03

In 2020, a photo of a woman sitting on a toilet--her shorts pulled half-way down her thighs--was shared on Facebook, and it was shared by someone whose job it was to look at that photo and, by labeling the objects in it, help train an artificial intelligence system for a vacuum. Bizarre? Yes....

Fighting technology's gender gap with TracketPacer: Lock and Code S04E02

Last month, the TikTok user TracketPacer posted a video online called "Network Engineering Facts to Impress No One at Zero Parties." TracketPacer regularly posts fun, educational content about how the Internet operates. The account is run by a network engineer named Lexie Cooper, who has worked...

Why does technology no longer excite us? Lock and Code S04E01

When did technology last excite you? If Douglas Adams, author of The Hitchhiker's Guide to the Galaxy, is to be believed, your own excitement ended, simply had to end, after turning 35 years old. Decades ago, at first writing privately and later having those private writings published after his...

Chasing cryptocurrency through cyberspace, with Brian Carter: Lock and Code S03E26

On June 7, 2021, the US Department of Justice announced a breakthrough: Less than one month after the oil and gas pipeline company Colonial Pipeline had paid its ransomware attackers roughly $4.4 million in bitcoin in exchange for a decryption key that would help the company get its systems back...

Security advisories are falling short. Here's why, with Dustin Childs: Lock and Code S03E25

Decades ago, patching was, to lean into a corny joke, a bit patchy. In the late 90s, the Microsoft operating system (OS) Windows 98 had a supportive piece of software that would find security patches for the OS so that users could then download those patches and deploy them to their computers....

A gym heist in London goes cyber

A thief has been stalking London. This past summer, multiple women reported similar crimes to the police: While working out at their local gyms, someone snuck into the locker rooms, busted open their locks, stole their rucksacks and gym bags, and then, within hours, purchased thousands of pounds...

Teen talk: What it's like to grow up online, and the role of parents: Lock and Code S03E21

Growing up is different for teens today. Issues with identity, self-expression, bullying, fitting in, and trusting your friends and family--while all those certainly existed decades ago, they were never magnified in quite the same way that they are today, and that's largely because of one...

Calling in the ransomware negotiator, with Kurtis Minder: Lock and Code S03E20

Ransomware can send any company into crisis. Immediately following an attack, the notoriously disruptive malware can spread across networks and machines, locking up important files and rendering vital data almost useless for all employees. As we learned in a previous episode of Lock and Code, a...

The MSP playbook on deciphering tech promises and shaping security culture

The in-person cybersecurity conference has returned. More than two years after Covid-19 pushed nearly every in-person event online, cybersecurity has returned to the exhibition hall. In San Francisco earlier this year, thousands of cybersecurity professionals walked the halls of Moscone Center at.....

Playing Doom on a John Deere tractor with Sick Codes: Lock and Code S03E18

In 1993, the video game developers at id Software released Doom, a first-person shooter that placed a nameless protagonist into the fiery depths of hell, equipped with an arsenal of weapons to mow down imps, demons, lost souls, and the intimidating "Barons of Hell." In 2022, the hacker Sick Codes.....

10-Strike Network Inventory Explorer 9.3 Buffer Overflow

...

10-Strike Network Inventory Explorer 9.3 Buffer Overflow Vulnerability

10-Strike Network Inventory Explorer versions 9.3 and below are vulnerable to a SEH based buffer overflow which leads to code execution or local privilege escalation. The vulnerable part of the program is the functionality to add computers from a text...

Donut breach: Lessons from pen-tester Mike Miller: Lock and Code S03E17

When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly into a side-door of his...

Have we lost the fight for data privacy? Lock and Code S03E16

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we're bringing those same guests back to discuss the other, biggest topic in this space....

Have we lost the fight for data privacy? Lock and Code S03E16

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we're bringing those same guests back to discuss the other, biggest topic in this space....

In post-Roe US, experts share how to keep your data private

In the weeks since the Supreme Court of the United States removed a nationwide right to choose to have an abortion, millions of Americans have been forced to relearn what is and isn’t safe to do online, as their actions, words, and choices—many of which are tracked digitally—could potentially be...

Roe v. Wade: How the cops can use your data: Lock and Code S03E15

On the evening of June 23, in the United States, millions of women went to bed with a Constitutional right to choose to have an abortion, and they went to bed with the many assurances that are tied to that right—to speak about getting an abortion, to organize and provide support to those seeking...

Report: Brazil must do more to encrypt, back up data

Federal government organisations in Brazil may need to reassess their approach to cyberthreats, according to a new report by the country's Federal Audit Court. It outlines multiple key areas of concern across 29 key areas of risk. One of the biggest problems in the cybercrime section of the report....

When good-faith hacking gets people arrested, with Harley Geiger: Lock and Code S03E14

When Lock and Code host David Ruiz talks to hackers—especially good-faith hackers who want to dutifully report any vulnerabilities they uncover in their day-to-day work—he often hears about one specific law in hushed tones of fear: the Computer Fraud and Abuse Act. The Computer Fraud and Abuse...

5 pro-freedom technologies that could change the Internet

In the digital era, freedom is inextricably linked to privacy. After a good start, the Internet-enabled, technological revolution we are living through has hit some bumps in the road. We have already lost a lot of control over who and what has access to our data, and there are further threats to...

My Body, My Data Act would lock down reproductive and sexual health data

A new bill entered into both the House of Representatives and the Senate proposes the strongest Federal data privacy protections yet for an increasingly scrutinized form of data in the United States—reproductive and sexual health data. The “My Body, My Data Act of 2022” was announced in early June....

Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13

At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the "supply chain." Immediate stockpiling by an alarmed (and from a smaller share, opportunistic) public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face...

Ransomware Task Force priorities see progress in first year

This blog is part of our live coverage from RSA Conference 2022: US President Joseph R. Biden Jr., The White House, and law enforcement agencies across the world paid close attention last year when a group of more than 60 cybersecurity experts launched the Ransomware Task Force, heeding the...

Prometheus ransomware’s flaws inspired researchers to try to build a near-universal decryption tool

This blog is part of our live coverage from RSA Conference 2022: Prometheus—a ransomware build based on Thanos that locked up victims’ computers in the summer of 2021—included a major “vulnerability” that led security researchers at IBM to try and build a one-size-fits-all ransomware decryptor...

Tor’s (security) role in the future of the Internet, with Alec Muffett

Tor has a storied reputation in the world of online privacy. The open-source project lets people browse the Internet more anonymously by routing their traffic across different nodes before making a final connection between their device and a desired website. It's something we've discussed...

Internet Safety Month: Avoiding the consequences of unsafe Internet practices

Welcome to Internet Safety Month, a once-a-year event in which you, the public, are told that anywhere between three and 30 different best practices will simplify your approach to staying safe online. Unfortunately, much of the well-intentioned advice surrounding Internet Safety Month ignores one.....

Hunting down your data with Whitney Merrill: Lock and Code S03E11

Depending on where you live, you can ask a company to hand over all the data it has collected about you and, in a matter of weeks as mandated by law, that company has to fork that information over. Whether the company will abide on time, however, is a different story. In the European Union, the...

Recovering from romance scams with Cindy Liebes: Lock and Code S03E10

Earlier this year, many members of the public were introduced to the facets of a long-ignored crime in cyberspace: The romance scam. A flashy documentary called The Tinder Swindler had premiered on Netflix, and in it, filmmakers documented the efforts of one man to manipulate several women into...

How to remove Google from your life

Swearing off a company used to be easier. Rude customer service, an unfortunate bout of food poisoning, even standing up for workers’ rights against the alleged involvement of a private company to order a country’s military to brutally quash a strike—almost every facet of an individual boycott...

FBI warns food and agriculture to brace for seasonal ransomware attacks

The Federal Bureau of Investigation (FBI) recently released a Private Industry Notification warning agriculture cooperatives (also known as "farmers' co-ops") of the looming danger of well-timed ransomware attacks. The agency warns that during the critical planting and harvesting seasons, attacks.....

Why software has so many vulnerabilities, with Tanya Janca: Lock and Code S03E09

Less than one year ago, the worst ransomware attack in history struck dozens of organizations. Threat actors had exploited a serious flaw in the remote monitoring and management tool Kaseya VSA that, when discussed on the Lock and Code podcast, was revealed to be "not advanced at all." This was...

Pegasus spyware found on UK government office phone

“When we found the No. 10 case, my jaw dropped." John Scott-Railton recalled after finding out on July 7, 2020 that Pegasus, the highly sophisticated flagship spyware of Israel's NSO Group, was used to infect a phone linked to the network at 10 Downing Street, the UK Prime Minister's home and...

US warns of APT groups that can “gain full system access” to some industrial control systems

An "exceptionally rare and dangerous" advanced persistent threat (APT) malware kit, containing custom-made tools designed to target some of North America’s industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices, appears to have been caught before it could be.....

Stalkerware-type detections hit record high in 2021, but fell in second half

After having tracked stalkerware for years, Malwarebytes can reveal that in 2021, detections for apps that can non-consensually monitor another person's activity reached their highest peak ever, but that, amidst the record-setting numbers, the volume of detections actually began to significantly...

Why data protection and privacy are not the same, and why that matters: Lock and Code S03E09

There's a mistake commonly made in the United States that a law that was passed to help people move their healthcare information to a new doctor or provider was actually passed to originally implement universal, wide-ranging privacy controls on that same type of information. This is the mixup with....

Telling stories securely, with Runa Sandvik: Lock and Code S03E07

In 2017, a former NSA contractor named Reality Winner was arrested for allegedly leaking an internal report to the online news outlet The Intercept. To verify the report itself, a journalist for The Intercept sent an image of the report to the NSA, but upon further inspection, it was revealed that....

De-Googling Carey Parker’s (and your) life: Lock and Code S03E06

Three years ago, a journalist for Gizmodo named Kashmir Hill wanted to understand what life was like without "Big Tech." Far from a "digital detox" retreat—the kind of which were popular with exceedingly plugged-in, very online types of mid-20s and early-30s folks—Hill's experiment with technology....

Four key cybersecurity practices during geopolitical upheaval

Russia’s continued invasion of Ukraine has altered the landscape of cybersecurity threats facing organizations both near and far from the physical threat of war. Disinformation is spreading and being actively fought. The old hacker group Anonymous promised “cyber war” against Russia. One...

Potential cybersecurity impacts of Russia’s invasion of Ukraine

On Thursday night, Russia launched a military invasion of its neighbor and former Soviet Union member Ukraine, drawing a broad rebuke from international leaders, along with significant protest from the Russian public. The toll of human life from this war is unknown, and, like the many...

“Ethnicity recognition” tool listed on surveillance camera app store built by fridge-maker’s video analytics startup

The bizarre promotional video promises “Face analysis based on best of breed Artificial Intelligence algorithms for Business Intelligence and Digital Signage applications.” What follows is footage of a woman pushing her hair behind her ears, a man grimacing and baring his teeth, and an actor in a.....

Ransomware gang hits 49ers’ network before Super Bowl kick off

The San Francisco 49ers has confirmed that it has been hit by a ransomware attack. The announcement came just hours before the biggest football game of the year, Sunday's Super Bowl between the Cincinnati Bengals and the Los Angeles Rams. In a boilerplate statement to BleepingComputer, the 49ers...

The world’s most coveted spyware, Pegasus: Lock and Code S03E04

Two years ago, the FBI reportedly purchased a copy of the world's most coveted spyware, a tool that can remotely and silently crack into Androids and iPhones without leaving a trace, spilling device contents onto a console possibly thousands of miles away, with little more effort than entering a...

How a few PhD students revealed that phishing trainings might just not work: Lock and Code S03E03

You've likely fallen for it before—a simulated test sent by your own company to determine whether or not its employees are vulnerable to one of the most pernicious online threats today: Phishing. Phishing has evolved in recent history, and as scammers have rolled out increasingly clever—and...

Data Privacy Day: Know your rights, and the right tools to stay private

Not all data privacy rights are the same. There’s the flimsy, the firm, the enforceable, and the antiquated, and, unfortunately, much of what determines the quality of your own data privacy rights is little more than your home address. Those in Chile, for example, enjoy a globally rare...

Why we don’t patch, with Jess Dodson: Lock and Code S03E02

In 2017, the largest ransomware attack ever recorded hit the world, infecting more than 230,000 computers across more than 150 countries in just 24 hours. And it could have been solved with a patch that was released nearly two months prior. This was the WannaCry ransomware attack, and its final,...

Google and Facebook fined $240 million for making cookies hard to refuse

French privacy watchdog, the Commission Nationale de l'Informatique et des Libertés (CNIL), has hit Google with a 150 million euro fine and Facebook with a 60 million euro fine, because their websites—google.fr, youtube.com, and facebook.com—don't make refusing cookies as easy as accepting them....

What angered us most about cybersecurity in 2021: Lock and Code S03E01

We are just three days into 2022, which means what better time for a 2021 retrospective? But rather than looking at the biggest cyberattacks of last year—which we already did—or the most surprising—like we did a couple of years ago—we wanted to offer something different for readers and listeners. ....

The three most significant cyberattacks of 2021

People that predict tomorrow’s weather by looking at today’s are often right. Cloudy today? It'll probably be cloudy tomorrow. The same is often true for cybersecurity threats. Looking back at 2021 it looks a lot like 2020: A lot of ransomware attacks. So, when I was asked to write about the...