Episodes
Monday Aug 16, 2021
Katie Moussouris hacked Clubhouse. Her emails went unanswered for weeks
When Luta Security CEO and founder Katie Moussouris analyzed the popular social "listening" app Clubhouse, she found a way to eavesdrop on conversations without notifying other users. This was, Moussouris said, a serious and basic flaw, so, using her years of expertise, she documented the vulnerability and emailed some information to the company.
Her emails went unanswered for weeks.
Today, on Lock and Code with host David Ruiz, we speak to Moussouris about Clubhouse, vulnerability disclosure, and the imperfect implementations of "bug bounty" programs.
Sunday Aug 01, 2021
The 2021 attacks on two water treatment facilities in the US—combined with ransomware attacks on an oil and gas supplier and a meat and poultry distributor—could lead most people to believe that a critical infrastructure “big one” is coming.
But, as Lesley Carhart, principal threat hunter with Dragos, tells us, the chances of such an event are remarkably slim. In fact, critical infrastructure’s regular disaster planning often leads to practices that can detect, limit, or prevent any wide-reaching cyberattack.
Sunday Jul 18, 2021
On April 1, a volunteer researcher for the Dutch Institute for Vulnerability Disclosure (DIVD) began poking around into Kaseya VSA, a popular software tool used to remotely manage and monitor computers. Within minutes, he found a zero-day vulnerability that allowed remote code execution—a serious flaw. Within weeks, his team had found seven or eight more.
In today's episode, DIVD Chair Victor Gevers describes the race to prevent one of the most devastating ransomware attacks in recent history. It's a race that Gevers and his team almost won. Almost.
Tuesday Jul 06, 2021
Racing against a real-life ransomware attack, with Ski Kacoroski
At 11:37 pm on the night of September 20, 2019, cybercriminals launched a ransomware attack against Northshore School District in Washington state. Early the next morning, Northshore systems administrator Ski Kacoroski arrived on scene. As Kacoroski soon found out, he and his team were in a race against time—the ransomware was actively spreading across servers holding data necessary for day-to-day operations. And importantly, in just four days, the school district needed—by law—to pay its staff. That was now at risk.
Today, we speak to Kacoroski about the immediate reaction, the planned response, and the eventual recovery from a ransomware attack. Tune in to hear Kacoroski's story—and any lessons learned—on the latest episode of Lock and Code, with host David Ruiz.
Sunday Jun 20, 2021
Ransomware attacks are on a different scale this year, with major attacks not just dismantling the business and management of Colonial Pipeline in the US, the Health Service Executive in Ireland, and the meatpacker JBS in Australia, but also disrupting people's access to gasoline, healthcare, COVID-19 vaccinations, and more.
So, what is it going to take to stop these attacks? Brian Honan, CEO of BH Consulting, said that the process will be long and complex, but the end goal in sight should be simple: Put the cybercriminals responsible for these attacks behind bars.
Tune in to learn about how ransomware can dismantle a business, what governments are doing to fight back, and why we need better cooperation within private industry, on the latest episode of Lock and Code, with host David Ruiz.
Monday Jun 07, 2021
Can two VPN "wrongs" make a right?
In 2016, a mid-20s man began an intense, prolonged harassment campaign against his new roommate. He emailed her from spoofed email accounts. He texted her and referenced sensitive information that was only stored in a private, online journal. He created new Instagram accounts, he repeatedly made friend requests through Facebook to her friends and family, he even started making bomb threats. And though he tried to sometimes mask his online activity, two of the VPNs he used while registering a fake account eventually gave his information to the FBI.
This record-keeping practice, known as VPN logging, is frowned upon in the industry. And yet, it helped lead to the capture of a dangerous criminal.
Can two VPN "wrongs" make a right? Find out today on Lock and Code, with host David Ruiz.
Sunday May 23, 2021
Shining a light on dark patterns with Carey Parker
This week on Lock and Code, we speak to cybersecurity advocate and author Carey Parker about "dark patterns," which are subtle tricks online to get you to make choices that might actually harm you. Maybe you'll be bilked out of a couple dollars, maybe you'll find it nearly impossible to unsubscribe from that newsletter, or maybe you'll see yourself signing away some of your data privacy controls just so a company can keep making more money off you.
Tune in to learn about dark patterns—how to spot them, what any future fixes might look like, and what one company is doing to support you—on the latest episode of Lock and Code, with host David Ruiz.
Monday May 10, 2021
Alleviating ransomware's legal headaches with Jake Bernstein
This week on Lock and Code, we speak to cybersecurity and privacy attorney Jake Bernstein about ransomware attacks that don't just derail a company's reputation and productivity, but also throw them into potential legal peril.
These are "double extortion" attacks, in which ransomware operators can hit the same target two times over—encrypting a victim's files and also threatening to publish sensitive data that was stolen in the attack. And in the US, whenever data is stolen and released, there are about 50 state laws that might dictate what a victim does next, and how quickly they do it.
Tune in to learn about these ransomware attacks, what state laws get triggered, how new privacy laws affect legal compliance, and why Bernstein does not expect any federal legislation to standardize this process, on the latest episode of Lock and Code, with host David Ruiz.
Monday Apr 26, 2021
Breaking free from the VirusTotal silo
This week on Lock and Code, we speak to Malwarebytes Chief Information Security Officer John Donovan about the flaws in using VirusTotal as the one source of truth when evaluating whether or not a cybersecurity tool actually works. It's a practice that is surprisingly common among small- to medium-sized businesses (SMBs).
Tune in to learn about the smartest ways to test and implement endpoint protection into your SMB, and how to finally break free from the VirusTotal silo, on the latest episode of Lock and Code, with host David Ruiz.
Sunday Apr 11, 2021
Beating security fatigue with Troy Hunt, Chloé Messdaghi, and Tanya Janca
Security fatigue is exactly what it sounds like. It's the limit we all reach when security best practices become overbearing. It's what prevents us from making a strong password for a new online account. It’s why we may not update our software despite repeated notifications.
And, importantly, it probably isn’t your fault.
Tune in to learn about security fatigue from the experts—how does it manifest in their professions, what have they seen, and what are the unforeseen outcomes to it—on the latest episode of Lock and Code, with host David Ruiz.