Lock and Code Malwarebytes

When you think of the modern tools that most invade your privacy, what do you picture?
There's the obvious answers, like social media platforms including Facebook and Instagram. There's email and "everything" platforms like Google that can track your locations, your contacts, and, of course, your search history. There's even the modern web itself, rife with third-party cookies that track your browsing activity across websites so your information can be bundled together into an ad-friendly profile. 
But here's a surprise answer with just as much validity: Cars. 
A team of researchers at Mozilla which has reviewed the privacy and data collection policies of various product categories for several years now, named "Privacy Not Included," recently turned their attention to modern-day vehicles, and what they found shocked them. Cars are, to put it shortly, a privacy nightmare. 
According to the team's research, Nissan says it can collect “sexual activity” information about consumers. Kia says it can collect information about a consumer's “sex life.” Subaru passengers allegedly consent to the collection of their data by simply being in the vehicle. Volkswagen says it collects data like a person's age and gender and whether they're using your seatbelt, and it can use that information for targeted marketing purposes. 
But those are just some of the highlights from the Privacy Not Included team. Explains Zoë MacDonald, content creator for the research team: 
"We were pretty surprised by the data points that the car companies say they can collect... including social security number, information about your religion, your marital status, genetic information, disability status... immigration status, race. And of course, as you said.. one of the most surprising ones for a lot of people who read our research is the sexual activity data."
Today on the Lock and Code podcast with host David Ruiz, we speak with MacDonald and Jen Caltrider, Privacy Not Included team lead, about the data that cars can collect, how that data can be shared, how it can be used, and whether consumers have any choice in the matter.
We also explore the booming revenue stream that car manufacturers are tapping into by not only collecting people's data, but also packaging it together for targeted advertising. With so many data pipelines being threaded together, Caltrider says the auto manufacturers can even make "inferences" about you.  
"What really creeps me out [is] they go on to say that they can take all the information they collect about you from the cars, the apps, the connected services, and everything they can gather about you from these third party sources," Caltrider said, "and they can combine it into these things they call 'inferences' about you about things like your intelligence, your abilities, your predispositions, your characteristics." 
Caltrider continued:
"And that's where it gets really creepy because I just imagine a car company knowing so much about me that they've determined how smart I am."Tune in today. 

In 2022, Malwarebytes investigated the blurry, shifting idea of “identity” on the internet, and how online identities are not only shaped by the people behind them, but also inherited by the internet’s youngest users, children. Children have always inherited some of their identities from their parents—consider that two of the largest indicators for political and religious affiliation in the US are, no surprise, the political and religious affiliations of someone’s parents—but the transfer of online identity poses unique risks. 
When parents create email accounts for their kids, do they also teach their children about strong passwords? When parents post photos of their children online, do they also teach their children about the safest ways to post photos of themselves and others? When parents create a Netflix viewing profile on a child's iPad, are they prepared for what else a child might see online? Are parents certain that a kid is ready to watch before they can walk?
Those types of questions drove a joint report that Malwarebytes published last year, based on a survey of 2,000 people in North America. That research showed that, broadly, not enough children and teenagers trust their parents to support them online, and not enough parents know exactly how to give the support their children need.
But stats and figures can only tell so much of the story, which is why last year, Lock and Code host David Ruiz spoke with a Bay Area high school graduate about her own thoughts on the difficulties of growing up online. Lock and Code is re-airing that episode this week because, in less than one month, Malwarebytes is releasing a follow-on report about behaviors, beliefs, and blunders in online privacy and cybersecurity. And as part of that report, Lock and Code is bringing back the same guest as last year, Nitya Sharma. 
Before then, we are sharing with listeners our prior episode that aired in 2022 about the difficulties that an everyday teenager faces online, including managing her time online, trying to meet friends and complete homework, the traps of trading online interaction with in-person socializing, and what she would do differently with her children, if she ever started a family, in preparing them for the Internet.
Tune in today. 
You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.
For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Becky Holmes is a big deal online. 
Hugh Jackman has invited her to dinner. Prince William has told her she has "such a beautiful name." Once, Ricky Gervais simply needed her photos ("I want you to take a snap of yourself and then send it to me on here...Send it to me on here!" he messaged on Twitter), and even Tom Cruise slipped into her DMs (though he was a tad boring, twice asking about her health and more often showing a core misunderstanding of grammar). 
Becky has played it cool, mostly, but there's no denying the "One That Got Away"—Official Keanu Reeves. 
After repeatedly speaking to Becky online, convincing her to download the Cash app, and even promising to send her $20,000 (which Becky said she could use for a new tea towel), Official Keanu Reeves had a change of heart earlier this year: "I hate you," he said. "We are not in any damn relationship." 
Official Keanu Reeves, of course, is not Keanu Reeves. And hughjackman373—as he labeled himself on Twitter—is not really Hugh Jackman. Neither is "Prince William," or "Ricky Gervais," or "Tom Cruise." All of these "celebrities" online are fake, and that isn't commentary on celebrity culture. It's simply a fact, because all of the personas online who have reached out to Becky Holmes are romance scammers. 
Romance scams are serious crimes that follow similar plots. 
Online, an attractive stranger or celebrity—coupled with an appealing profile picture—will send a message to a complete stranger, often on Twitter, Instagram, Facebook, or LinkedIn. They will flood the stranger with affectionate messages and promises of a perfect life together, sometimes building trust and emotional connection for weeks or even months. As time continues, they will also try to remove the conversation away from the social media platform where it started, instead moving it to WhatsApp, Telegram, Messages, or simple text. 
Here, the scam has already started. Away from the major social media and networking platforms, the scammers persistent messages cannot be flagged for abuse or harassment, and the scammer is free to press on. Once an emotional connection is built, the scammer will suddenly be in trouble, and the best way out, is money—the victim’s money.
These crimes target vulnerable people, like recently divorced individuals, widows, and the elderly. But when these same scammers reach out to Becky Holmes, Becky Holmes turns the tables.
Becky once tricked a scammer into thinking she was visiting him in the far-off Antarctic. She has led one to believe that she had accidentally murdered someone and she needed help hiding the body. She has given fake, lewd addresses, wasted their time, and even shut them down when she can by coordinating with local law enforcement.
And today on the Lock and Code podcast with host David Ruiz, Becky Holmes returns to talk about romance scammer "education" and the potential involvement in pyramid schemes, a disappointing lack of government response to protect victims, and the threat of Twitter removing its block function, along with some of the most recent romance scams that Becky has encountered online.
“There’s suddenly been this kind of influx of Elons. Absolutely tons of those have come about… I think I get probably at least one, maybe two a day.”Tune in today.
You can also find us on Apple Podcasts, a...

"Freedom" is a big word, and for many parents today, it's a word that includes location tracking. 
Across America, parents are snapping up Apple AirTags, the inexpensive location tracking devices that can help owners find lost luggage, misplaced keys, and—increasingly so—roving toddlers setting out on mini-adventures. 
The parental fear right now, according to The Washington Post technology reporter Heather Kelly, is that "anybody who can walk, therefore can walk away." 
Parents wanting to know what their children are up to is nothing new. Before the advent of the Internet—and before the creation of search history—parents read through diaries. Before GPS location tracking, parents called the houses that their children were allegedly staying at. And before nearly every child had a smart phone that they could receive calls on, parents relied on a much simpler set of tools for coordination: Going to the mall, giving them a watch, and saying "Be at the food court at noon." 
But, as so much parental monitoring has moved to the digital sphere, there's a new problem: Children become physically mobile far faster than they become responsible enough to own a mobile. Enter the AirTag: a small, convenient device for parents to affix to toddlers' wrists, place into their backpacks, even sew into their clothes, as Kelly reported in her piece for The Washington Post. 
In speaking with parents, families, and childcare experts, Kelly also uncovered an interesting dynamic. Parents, she reported, have started relying on Apple AirTags as a means to provide freedom, not restrictions, to their children. 
Today, on the Lock and Code podcast with host David Ruiz, we speak with Kelly about why parents are using AirTags, how childcare experts are reacting to the recent trend, and whether the devices can actually provide a balm to increasingly stressed parents who may need a moment to sit back and relax. Or, as Kelly said:
"In the end, parents need to chill—and if this lets them chill, and if it doesn't impact the kids too much, and it lets them go do silly things like jumping in some puddles with their friends or light, really inconsequential shoplifting, good for them."Tune in today. 
You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.
For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Earlier this month, a group of hackers was spotted using a set of malicious tools—that originally gained popularity with online video game cheaters—to hide their Windows-based malware from being detected.
Sounds unique, right? 
Frustratingly, it isn't, as the specific security loophole that was abused by the hackers has been around for years, and Microsoft's response, or lack thereof, is actually a telling illustration of the competing security environments within Windows and macOS. Even more perplexing is the fact that Apple dealt with a similar issue nearly 10 years ago, locking down the way that certain external tools are given permission to run alongside the operating system's critical, core internals. 
Today, on the Lock and Code podcast with host David Ruiz, we speak with Malwarebytes' own Director of Core Tech Thomas Reed about everyone's favorite topic: Windows vs. Mac. But this isn't a conversation about the original iPod vs. Microsoft's Zune (we're sure you can find countless, 4-hour diatribes on YouTube for that), but instead about how the companies behind these operating systems can respond to security issues in their own products. Because it isn't fair to say that Apple or Microsoft are wholesale "better" or "worse" about security. Instead, they're hampered by their users and their core market segments—Apple excels in the consumer market, whereas Microsoft excels with enterprises. And when your customers include hospitals, government agencies, and pretty much any business over a certain headcount, well, it comes with complications in deciding how to address security problems that won't leave those same customers behind. 
Still, there's little excuse in leaving open the type of loophole that Windows has, said Reed:
"Apple has done something that was pretty inconvenient for developers, but it really secured their customers because it basically meant we saw a complete stop in all kernel-level malware. It just shows you [that] it can be done. You're gonna break some eggs in the process, and Microsoft has not done that yet... They're gonna have to."Tune in today.
You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.
For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

The language of a data breach, no matter what company gets hit, is largely the same. There's the stolen data—be it email addresses, credit card numbers, or even medical records. There are the users—unsuspecting, everyday people who, through no fault of their own, mistakenly put their trust into a company, platform, or service to keep their information safe. And there are, of course, the criminals. Some operate in groups. Some act alone. Some steal data as a means of extortion. Others steal it as a point of pride. All of them, it appears, take something that isn't theirs. 
But what happens if a cybercriminal takes something that may have already been stolen? 
In late June, a mobile app that can, without consent, pry into text messages, monitor call logs, and track GPS location history, warned its users that its services had been hacked. Email addresses, telephone numbers, and the content of messages were swiped, but how they were originally collected requires scrutiny. That's because the app itself, called LetMeSpy, is advertised as a parental and employer monitoring app, to be installed on the devices of other people that LetMeSpy users want to track. 
Want to read your child's text messages? LetMeSpy says it can help. Want to see where they are? LetMeSpy says it can do that, too. What about employers who are interested in the vague idea of "control and safety" of their business? Look no further than LetMeSpy, of course.  
While LetMeSpy's website tells users that "phone control without your knowledge and consent may be illegal in your country," (it is in the US and many, many others) the app also claims that it can hide itself from view from the person being tracked. And that feature, in particular, is one of the more tell-tale signs of "stalkerware." 
Stalkerware is a term used by the cybersecurity industry to describe mobile apps, primarily on Android, that can access a device's text messages, photos, videos, call records, and GPS locations without the device owner knowing about said surveillance. These types of apps can also automatically record every phone call made and received by a device, turn off a device's WiFi, and take control of the device's camera and microphone to snap photos or record audio—all without the victim knowing that their phone has been compromised. 
Stalkerware poses a serious threat—particularly to survivors of domestic abuse—and Malwarebytes has defended users against these types of apps for years. But the hacking of an app with similar functionality raises questions. 
Today, on the Lock and Code podcast with host David Ruiz, we speak with the hacktivist and security blogger maia arson crimew about the data that was revealed in LetMeSpy's hack, the almost-clumsy efforts by developers to make and market these apps online, and whether this hack—and others in the past—are "good." 
"I'm the person on the podcast who can say 'We should hack things,' because I don't work for Malwarebytes. But the thing is, I don't think there really is any other way to get info in this industry."Tune in today. 
You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.
For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.
Show notes and...