Lock and Code
Threat hunting: How MDR secures your business

November 20, 2022

A cyberattack is not the same thing as malware—in fact, malware itself is typically the last stage of an attack, the punctuation mark that closes out months of work from cybercriminals who have infiltrated a company, learned about its systems and controls, and slowly spread across its network through various tools, some of which are installed on a device entirely by default. 

The goal of cybersecurity, though, isn't to recover after an attack; it's to stop an attack before it happens.

On today's episode of Lock and Code with host David Ruiz, we speak to two experts at Malwarebytes about how they've personally discovered and stopped attacks in the past and why many small- and medium-sized businesses should rely on a newer service called Managed Detection and Response for protecting their own systems.

Many organizations today will already be familiar with Endpoint Detection and Response (EDR), the de facto cybersecurity tool that nearly every vendor makes, which lets security teams watch over their many endpoints and respond if the software detects a problem. But the mass availability of EDR does not mean that cybersecurity itself is always within arm's reach. Countless organizations today are so overwhelmed with day-to-day IT issues that monitoring cybersecurity can be difficult. The expertise can be lacking at a small company. The knowledge of how to configure an EDR tool to flag the right types of warning signs can be missing. And the time to adequately monitor an EDR tool can be in short supply.

This is where Managed Detection and Response—MDR—comes in. More a service than a specific tool, MDR is a way for companies to rely on a team of experienced analysts to find and protect against cyberattacks before they happen. The power behind MDR services is its threat hunters, people who have prevented ransomware from being triggered, who have investigated attackers' moves across a network, who have pulled the brakes on a botnet infection.

These threat hunters can pore over log files and uncover, for instance, a brute force attack against a remote desktop protocol port, or they can recognize a pattern of unfamiliar activity coming from a single account that has perhaps been compromised, or they can spot a ransomware attack in real time, before it has launched, even creating a new rule to block an entirely new ransomware variant before it has been spotted in the wild. Most importantly, these threat hunters can do what software cannot, explained Matt Sherman, senior manager of MDR delivery services. They can stop the people behind an attack, not just the malware those people are deploying. 

"Software stops software, people stop people."

Today, we speak with Sherman and MDR lead analyst AnnMarie Nayiga about how they find attacks, what attacks they've stopped in the past, why MDR offers so many benefits to SMBs, and what makes for a good threat hunter.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


How student surveillance fails everyone

November 6, 2022

Last month, when Malwarebytes published joint research with 1Password about the online habits of parents and teenagers today, we spoke with a Bay Area high school graduate on the Lock and Code podcast about how she spends her days online and what she thinks are the hardest parts about growing up with the Internet. And while we learned a lot in that episode—about time management, about comparing oneself to others, and about what gets lost when kids swap in-person time for online time—we didn't touch on an increasingly concerning issue affecting millions of children and teenagers today: Student surveillance.

Nailing down the numbers on the use of surveillance technologies in schools today is nearly impossible, as the types and the capabilities of student surveillance software are many. 

There’s the surveillance of students’ messages to one another in things like emails or chats. There’s the surveillance of their public posts, on platforms like Twitter or Instagram. There are even tools that claim they can integrate directly with Google products, like Google Docs, to try to scan for worrying language about self-harm, or harm towards others, or drug use. There's also surveillance that requires hardware. Facial recognition technology, paired with high-resolution cameras, is often sold with the promise that it can screen school staff and visitors when they approach a building. Some products even claim to detect emotion in a person’s face. Other software, when paired with microphones that are placed within classrooms, claims to detect “aggression.” A shout or a yelp or a belting of anger would, in theory, trigger a warning from these types of monitoring applications, maybe alerting a school administrator to a problem as it is happening.

All of these tools count when we talk about student surveillance, and, at least from what has been publicly reported, many forms are growing. 

In 2021, the Center for Democracy and Technology surveyed teachers in K through 12 schools and simply asked if their schools used monitoring software: 81 percent said yes. 

With numbers like that, it'd be normal to assume that these tools also work. But a wealth of investigative reporting—upon which today's episode is based—reveals that these tools often vastly over-promise their own results. If those promises only concerned, say, drug use, or bullying, or students ditching classes, these failures would already cause concern. But as we explore in today's episode, too many schools buy and use this software because they think it will help solve a uniquely American problem: School shootings.

Today’s episode does not contain any graphic depictions of school shootings, but it does discuss details and the topic itself.

Sources:

School Surveillance Zone, The Brennan Center for Justice at NYU
Student Activity Monitoring Software Research Insights and Recommendations, Center for Democracy and Technology
With Safety in Mind, Schools Turn to Facial Recognition Technology. But at What Cost?, EdSurge
RealNetworks Provides SAFR Facial Recognition Solution for Free to Every K-12 School in the U.S. and Canada, RealNetworks
Under digital surveillance: how American schools spy on millions of kids, The Guardian
Facial recognition in schools: Even supporters say it won't stop shootings, CNET
Aggression Detectors: The Unproven, Invasive Surveillance Technology Schools Are Using to Monitor Students, ProPublica
Why Expensive Social Media Monitoring Has Failed to Protect Schools, Slate
Tracked: How colleges use AI to monitor student protests, The Dallas Morning News
Demonstrations and Protests: Using Social Media to Gather Intelligence and Respond to Campus Crowds, Social Sentinel
New N.C. A&T committee will address sexual assault, Winston-Salem Journal
BYU students hold ‘I Can’t Breathe’ protest on campus, Daily Herald
Thrown bagels during MSU celebration lead to arrests, Detroit Free Press

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

A gym heist in London goes cyber

October 23, 2022

A thief has been stalking London. 

This past summer, multiple women reported similar crimes to the police: While working out at their local gyms, someone snuck into the locker rooms, busted open their locks, stole their rucksacks and gym bags, and then, within hours, purchased thousands of pounds' worth of goods. Apple, Selfridges, Balenciaga, Harrods—the thief has expensive taste.

At first blush, the crimes sound easy to explain: A thief stole credit cards and used them in person at various stores before they could be caught. 

But for at least one victim, the story is more complex.  

In August, Charlotte Morgan had her bag stolen during an evening workout at her local gym in Chiswick. The same pattern of high-price spending followed—the thief spent nearly £3,000 at an Apple store in West London, another £1,000 at a separate Apple store, and then almost £700 at Selfridges. But upon learning just how much the thief had spent, Morgan realized something was wrong: She didn't have that much money in her primary account. To access all of her funds, the thief would have needed to make a transfer out of her savings account, which would have required the use of her PIN. 

"[My PIN is] not something they could guess... So I thought 'That's impossible,'" Morgan told the Lock and Code podcast. But, after several calls with her bank and in discussions with some cybersecurity experts, she realized there could be a serious flaw with her online banking app. "But the bank... what they failed to mention is that every customer's PIN can actually be viewed on the banking app once you logged in."

Today on the Lock and Code podcast with host David Ruiz, we speak with Charlotte Morgan about what happened this past summer in London, what she did as she learned about the increasing theft of her funds, and how one person could so easily abuse her information. 

Tune in today to also learn about what you can do to help protect yourself from this type of crime. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Teen talk: What it’s like to grow up online, and the role of parents

October 10, 2022

Growing up is different for teens today. 

Issues with identity, self-expression, bullying, fitting in, and trusting your friends and family—while all those certainly existed decades ago, they were never magnified in quite the same way that they are today, and that's largely because of one enormous difference: The Internet. 

On the Internet, the lines of friendship are reinforced and blurred by comments or likes on photos and videos. Bullying can reach outside of schools, in harmful texts or messages posted online. Entirely normal feelings of isolation can be preyed upon in online forums where users almost radicalize one another by sharing anti-social theories and beliefs. And the opportunity to compare oneself against another—another who is taller, or thinner, or a different color, or who lives somewhere else or has more friends—never goes away.

The Internet is forever present for our youngest generation, and, from what we know, it’s hurting a lot of them. 

In 2021, the US Centers for Disease Control and Prevention surveyed nearly 8,000 high school students in the country and found that children today were sadder, more hopeless, and more likely to have contemplated suicide than just 12 years prior.

Despite the concerns, we still thrust children into the Internet today, either to complete a homework assignment, or to create an email account to register for other online accounts, or to simply talk with their friends. We also repeatedly post photos of them online, often without discussing whether they want that. 

In today's episode of Lock and Code with host David Ruiz, we speak to two guests so that we can better understand what it is like to grow up online today and what the challenges are of raising children in this same environment now. 

Our first guest, Nitya Sharma, is a Bay Area teenager who speaks with us about the difficulties of managing her time online and in trying to meet friends and complete homework, the traps of trading online interaction with in-person socializing, and what she would do differently with her children, if she ever started a family, in preparing them for the Internet.

"I think the things that kids find on the Internet, they're going to find anyways. I probably found some stuff too young and it was bad... I think it's more of, I don't want them to become dependent on it."

But our episode doesn't end there, as we also bring in 1Password co-founder Sara Teare to discuss how parents can help their kids navigate the Internet today and in the future. Teare is keenly attuned to this subject, not only because she is a parent, but also because her company has partnered with Malwarebytes to release new research this week—available October 13—on growing up and raising kids online.

Tune in today to hear both Nitya's stories and Sara's advice on growing up and raising children online. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Calling in the ransomware negotiator, with Kurtis Minder

September 25, 2022

Ransomware can send any company into crisis. 

Immediately following an attack, the notoriously disruptive malware can spread across networks and machines, locking up important files and rendering vital data almost useless for all employees. As we learned in a previous episode of Lock and Code, a ransomware attack not only threatens an organization's clients and external customers, but all the internal teams who are just trying to do their jobs. When Northshore School District was hit several years ago by ransomware, teacher and staff pay were threatened, and children's school lunches needed to be reworked because the payment system had been wiped out.

These threats are not new. If anything, the potential damage and fallout of a ransomware attack are more publicly known than ever before, which might explain why a new form of ransomware response has emerged in the past year—the ransomware negotiator.

Increasingly, companies are seeking the help of ransomware negotiators to handle their response to a ransomware attack. The negotiator, or negotiators, can work closely with a company's executives, security staff, legal department, and press handlers to accurately and firmly represent the company's needs during a ransomware attack. Does the company refuse to pay the ransom because of policy? The ransomware negotiator can help communicate that. Is the company open to paying, but not the full amount demanded? The negotiator can help there, too. What if the company wants to delay the attackers, hoping to gain some much-needed time to rebuild systems? The negotiator will help there, too. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kurtis Minder, CEO of the cyber reconnaissance company GroupSense, about the intricate work of ransomware negotiation. Minder himself has helped clients with ransomware negotiation, and his company has worked to formalize ransomware negotiation training. In his experience, Minder has also learned that the current debate over whether companies should pay the ransom has too few options. For a lot of small and medium-sized businesses, the question isn't an ideological one, but an existential one: Pay the ransom or go out of business.

"What you don't hear about is the thousands and thousands of small businesses in middle America, main street America—they get hit... they're either going to pay a ransom or they're going to go out of business."

Tune in today to listen to Minder discuss how a company decides to engage a ransomware negotiator, what a ransomware negotiator's experience and background consist of, and what the actual work of ransomware negotiation involves.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

The MSP playbook on deciphering tech promises and shaping security culture

September 11, 2022

The in-person cybersecurity conference has returned.

More than two years after Covid-19 pushed nearly every in-person event online, cybersecurity has returned to the exhibition hall. In San Francisco earlier this year, thousands of cybersecurity professionals walked the halls of Moscone Center at RSA 2022. In Las Vegas just last month, even more hackers, security experts, and tech enthusiasts flooded the Mandalay Bay hotel, attending the conferences Black Hat and DEFCON. 

And at nearly all of these conferences—and many more to come—cybersecurity vendors are setting up shop to show off their latest, greatest, you-won't-believe-we've-made-this product. 

The dizzying array of product names, features, and promises can overwhelm even the most veteran security professional, but for one specific group of attendees, sorting the value from the verve is all part of the job description.

We're talking today about managed service providers, or MSPs. 

MSPs are the tech support and cybersecurity backbone for so many small businesses. Dentists, mom-and-pop restaurants, bakeries, small markets, local newspapers, clothing stores, bed and breakfasts off the side of the road—all of these businesses need tech support because nearly everything they do today, from processing credit card fees to storing patient information to managing room reservations, has a technical component.

These businesses, unlike major corporations, rarely have the budget to hire a full-time staff member to provide tech support, so, instead, they rely on a managed service provider to be that support when needed. And so much of tech support today isn't just setting up new employee devices or solving a website issue. Instead, it's increasingly about providing cybersecurity. 

What that means, then, is that wading through an onslaught of marketing speak at the latest cybersecurity conference is actually the responsibility of some MSPs. They have to decipher which tech tools will work not just for their own employees, but for the dozens if not hundreds of clients they support.

Today, on the Lock and Code podcast with host David Ruiz, we speak with two experts at Malwarebytes about how MSPs can go about staying up to date on the latest technology while also vetting the vendors behind it. As our guests Eddie Phillips, strategic account manager, and Nadia Karatsoreos, senior MSP growth strategist, explain, the work of an MSP isn't just to select the right tools, but to review whether the makers behind those tools are the right partners both for the MSP and its clients. 

Playing Doom on a John Deere tractor with Sick Codes

August 28, 2022

In 1993, the video game developers at id Software released Doom, a first-person shooter that placed a nameless protagonist into the fiery depths of hell, equipped with an arsenal of weapons to mow down imps, demons, lost souls, and the intimidating "Barons of Hell." 

In 2022, the hacker Sick Codes installed a modified version of Doom on the smart control panel of a John Deere tractor, with the video game's nameless protagonist this time mowing down something entirely more apt for the situation: Corn.

At DEFCON 30, Sick Codes presented his work to an audience of onlookers at the conference's main stage. His efforts to run the modified version of Doom, which are discussed in today's episode of Lock and Code with host David Ruiz, are not just good for a laugh, though. For one specific community, the work represents a possible, important step forward in their own fight—the fight for the "right to repair." 

"Right to Repair" enthusiasts want to be able to easily repair the things they own. It sounds like a simple ask, but when’s the last time you repaired your own iPhone? When’s the last time you were even able to replace the battery yourself on your smartphone?

The right to repair your equipment, without intervention from an authorized dealer, is hugely important to some farmers. If their tractor breaks down because of a software issue, they don’t want to wait around for someone to have to physically visit their site to fix it. They want to be able to fix it then and there and get on with their work.

So, when a hacker shows off that he was able to do something that wasn’t thought possible on a device that can be notoriously difficult to self-repair, it garners attention.  

Today, we speak with Sick Codes about his most recent work on a John Deere tractor, and how his work represents a follow-up to what he and a group of researchers showed last year, when he revealed how he was able to glean an enormous amount of information about John Deere smart tractor owners from John Deere's data operations center. This time around, as Sick Codes explained, the work was less about tinkering around on a laptop and more about getting physical with a few control panels that he found online.

“It’s kind of like surgery but for metallic objects, if that makes sense. Non-organic material.”

Tune in today to listen to Sick Codes discuss his work, why he did what he did, and how John Deere has reacted to his research. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Donut breach: Lessons from pen-tester Mike Miller

August 14, 2022

When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly through a side door of his client's offices, tailing another employee and asking them to hold the door open. Once inside, he cheerfully asked where the break room was located, dropped off the donuts, and made small talk.

Then he went to work.

Miller hard-wired his laptop into the company's network; his machine received an IP address and, immediately after, he was online. Once connected, Miller ran a few scanners that helped him take a rough inventory of the company's networked devices. He could see the systems, ports, and services running on the network, and gained visibility into the servers, the workstations, even the printers. Miller also ran a vulnerability scanner to see what vulnerabilities the network contained, and, after a little probing, he learned of an easy way to access the physical printers, even peering into print histories.

Miller's work as a penetration tester means he is routinely hired by clients to do this exact type of work: to test the security of their own systems, from their physical offices to their online networks. And while his covert work doesn't always go like this, he said that it isn't uncommon for companies to leave basic flaws in place. When he shared his story on LinkedIn, several people doubted it.

"It’s crazy because so many people say ‘Well, there’s no way you could’ve just plugged in.’ Well, you’re right, I should not have been able to do that,” Miller said.

Today, on Lock and Code with host David Ruiz, we speak with Miller about common problems he's seen in his work as a pen-tester, how companies can empower their employees to provide better security, and what the relationship is between physical security and cybersecurity. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Have we lost the fight for data privacy?

July 31, 2022

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we’re bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court’s decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless individuals to worry about whether their data could be handed over to law enforcement for investigations into alleged criminal activity. Just months prior, we also learned about a mental health nonprofit that had taken the chat messages of at-times suicidal teenagers and then fed those messages to a separate customer support tool that was being sold to corporate customers to raise money for the nonprofit itself. And we learned about how difficult it can be to separate yourself from Google’s all-encompassing, data-tracking empire.

None of this is to mention more recent, separate developments: Facebook finding a way to re-introduce URL tracking, facial recognition cameras being installed in grocery stores, and Google delaying its scheduled plan to remove cookie tracking from Chrome.

Today, on Lock and Code with host David Ruiz, we speak with Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to answer one, big question: Have we lost the fight to meaningfully preserve data privacy?

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Roe v. Wade: How the cops can use your data

July 17, 2022

On June 24, the Constitutional right to choose to have an abortion was removed by the Supreme Court, and immediately this legal story became one of data privacy. Today, countless individuals ask themselves: What surrounding activity is allowed?

Should Google be used to find abortion providers out of state? Can people write on Facebook or Instagram that they will pay for people to travel to their own states, where abortion is protected? Should people continue texting friends about their thoughts on abortion? Should they continue to use a period-tracking app? Should they switch to a different app that is now promising to technologically protect their data from legal requests? Should they clamp down on all their data? What should they do?

On this episode of the Lock and Code podcast with host David Ruiz, we speak with two experts on this intersection of data privacy and legal turmoil—Electronic Frontier Foundation staff attorney Saira Hussain and senior staff technologist Cooper Quintin.

As Quintin explains in the podcast, while much of the focus has recently been on the use of period-tracking apps, there are so many other forms of data out there that people should protect:

"Period-tracking apps aren’t the only apps that are problematic. The fact is that the majority of apps are harvesting data about you. Location data, data that you put into the apps, personal data. And that data is being fed to data brokers, to people who sell location data, to advertisers, to analytics companies, and we’re building these giant warehouses of data that could eventually be trawled through by law enforcement for dragnet searches."

By spotlighting how benign data points—including shopping habits and locations—have already been used to reveal pregnancies and miscarriages and to potentially identify abortion-seekers, our guests explain what data could now be of interest to law enforcement, and how people at home can keep their decisions private and secure.

Show notes and credits:

Intro Music: “SCP-x5x (Outer Thoughts)” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
