
Lock and Code
159 episodes — Page 3 of 4

S3 Ep 13: Securing the software supply chain, with Kim Lewandowski
At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the "supply chain." Immediate stockpiling by an alarmed (and from a smaller share, opportunistic) public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face masks. In time, those items returned to stores. But then a big ship got stuck in the Suez, and once again, we learned even more about the vulnerability of supply chains. They can handle little stress. They can be derailed with one major accident. They spread farther than we know. While the calamity in the canal involved many lessons, there was another story in late 2020 that required careful study in cyberspace—an attack on the digital supply chain. That year, attackers breached a network management tool called Orion, which is developed by the Texas-based company SolarWinds. Months before the attack was caught, the attackers swapped malicious code into a legitimately produced security update from SolarWinds. This malicious code gave the attackers a backdoor into every Orion customer who both downloaded and deployed the update and who had their servers connected online. Though the initial number of customers who downloaded the update was about 18,000 companies, the number of customers infected with the attackers’ malware was far lower, somewhere around 100 companies and about a dozen government agencies. This attack, which did involve a breach of a company, had a broader focus—the many, many clients of that one company. This was an attack on the software supply chain, and since that major event, similar attacks have happened again and again. Today, on the Lock and Code podcast with host David Ruiz, we speak with Kim Lewandowski, founder and head of product at Chainguard, about the software supply chain, its vulnerabilities, and how we can fix it. 
Show notes, resources, and credits: Kubernetes diagram: https://user-images.githubusercontent.com/622577/170547400-ef9e2ef8-e35b-46df-adee-057cbce847d1.svg Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 4.0 License http://creativecommons.org/licenses/by/4.0/ Outro Music: “Good God” by Wowa (unminus.com)

S3 Ep 12: Tor’s (security) role in the future of the Internet, with Alec Muffett
Tor, which stands for "The Onion Router," has a storied reputation in the world of online privacy, but on today's episode of Lock and Code with host David Ruiz, we speak with security researcher Alec Muffett about the often-undiscussed security benefits of so-called "onion networking." The value proposition to organizations interested in using Tor goes beyond just anonymity, Muffett explains, and it's a value prop that has at least persuaded the engineers at Facebook, Twitter, The New York Times, Buzzfeed, The Intercept, and The Guardian to build onion versions of their sites. Tune in to hear about the security benefits of onion networking, why an organization would want to launch an onion site for its service, and whether every site in the future should utilize Tor. Show notes: Why and How you should start using Onion Networking: https://www.youtube.com/watch?v=pebRZyg_bh8 How WhatsApp uses metadata analysis for spam and abuse fighting: https://www.youtube.com/watch?v=LBTOKlrhKXk Alec Muffett's blog and about page: https://alecmuffett.com/about

S3 Ep 11: Hunting down your data with Whitney Merrill
Last year, Whitney Merrill wanted to know just how much information the company Clubhouse had on her, even though she wasn't a user. After many weeks of, at first, non-responses, she learned that her phone number had been shared with Clubhouse more than 80 times—the byproduct of her friends joining the platform. Today on Lock and Code with host David Ruiz, we speak with Merrill about why hunting down your data can be so difficult today, even though some regions have laws that specifically allow for this. We also talk about the future of data privacy and whether "data localization" will make things easier, or if it will add another layer of geopolitics to growing surveillance operations around the world.

S3 Ep 10: Recovering from romance scams with Cindy Liebes
Earlier this year, a flashy documentary premiered on Netflix that shed light on an often-ignored cybercrime—a romance scam. In this documentary, called The Tinder Swindler, the central scam artist relied on modern technologies, like Tinder, and he employed an entire team, which included actors posing as his bodyguard and potentially even his separated wife. After months of getting close to several women, the scam artist pounced, asking for money because he was supposedly in danger. The public response to the documentary was muddy. Some viewers felt for the victims featured by the filmmakers, but others blamed them. This tendency to blame the victims is nothing new, but according to our guest Cindy Liebes, Chief Cybersecurity Evangelist for Cybercrime Support Network, it's all wrong. That's because, as we discuss in today's episode on Lock and Code with host David Ruiz, these scam artists are professional criminals. Today, we speak with Liebes to understand how romance scams work, who the victims are, who the criminals are, what the financial and emotional damages are, and how people can find help.

S3 Ep 9: Why software has so many vulnerabilities, with Tanya Janca
Every few months, a basic but damaging flaw is revealed in a common piece of software, or a common tool used in many types of programs, and the public will be left asking: What is going on with how our applications are developed? Today on the Lock and Code podcast with host David Ruiz, we speak to returning guest Tanya Janca to understand the many stages of software development and how security trainers can better work with developers to build safe, secure products.

S3 Ep 8: Why data protection and privacy are not the same, and why that matters
Data protection, believe it or not, is not synonymous with privacy, or even data privacy. But around the world, countless members of the public often innocently misconstrue these three topics with one another, swapping the terms and the concepts behind them. Typically, that wouldn't be a problem—not every person needs to know the minute details of every data-related concept, law, and practice. But when the public is unaware of its rights under data protection, it might be unaware of how to assert those rights. Today, on the Lock and Code podcast with host David Ruiz, we speak with Gabriela Zanfir-Fortuna, the vice president for global privacy at Future of Privacy Forum, to finally clear up the air on these related topics, and to understand how US law differs from EU law, even though the US helped lead the way on data protection proposals all the way back in 1973.

S3 Ep 7: Telling important stories securely, with Runa Sandvik
In 2017, a former NSA contractor was arrested for allegedly leaking an internal report to the online news outlet The Intercept. To verify the report itself, a journalist for The Intercept sent an image of the report to the NSA, but upon further inspection, it was revealed that the image was actually a scan of a physical document. This difference—between an entirely digital, perhaps only-emailed document, and a physical piece of paper—spurred several suspicions that the news outlet had played an unintended role in identifying the NSA contractor to her employer, because the NSA did not have to find people who merely accessed the report, but only people who had printed it. This is what journalism can look like in the modern age. There are countless digital traces left behind that can puncture the safety and security of both journalists and their sources. Today, on the Lock and Code podcast with host David Ruiz, we speak with security researcher Runa Sandvik about how she helps reporters tell important stories securely and privately amongst many digital threats.

S3 Ep 6: De-Googling Carey Parker’s (and your) life
Three years ago, a journalist for Gizmodo removed five of the biggest tech companies from her life—restricting her from using services and hardware developed or owned by Google, Apple, Amazon, Facebook, and Microsoft. The experiment, according to the reporter, was "hell." But in 2022, cybersecurity evangelist Carey Parker, who also hosts the podcast Firewalls Don't Stop Dragons, wanted to do something similar, just on a smaller scale, and with a focus on privacy. Today, on Lock and Code with host David Ruiz, we speak with Parker about lessening his own interactions with one of the biggest tech companies around: Google. Tune in to hear about privacy-preserving alternatives and unforeseen obstacles in Parker's current de-Googlization effort.

S3 Ep 5: How Crisis Text Line crossed the line in the public’s mind
How would you feel if the words you wrote to someone while in a crisis—maybe you were suicidal, maybe you were newly homeless, maybe you were suffering from emotional abuse at home—were later used to train a customer support tool? Those emotions you might be having right now were directed last month at Crisis Text Line, after the news outlet Politico reported that the nonprofit organization had been sharing anonymized conversational data with a for-profit venture that Crisis Text Line had itself spun off at an earlier date, in an attempt to one day boost the nonprofit's own funding. Today, on Lock and Code with host David Ruiz, we’re speaking with Courtney Brown, the former director of a suicide hotline network that was part of the broader National Suicide Prevention Lifeline, to help us understand data privacy principles for crisis support services and whether sharing this type of data is ever okay.

S3 Ep 4: The world’s most coveted spyware, Pegasus
Two years ago, the FBI reportedly purchased a copy of the world's most coveted spyware, a tool that can remotely and silently crack into Androids and iPhones without leaving a trace, spilling device contents onto a console possibly thousands of miles away, with little more effort than entering a phone number. This tool is Pegasus, and, though the FBI claimed it never used the spyware in investigations, the use of Pegasus abroad has led to surveillance abuses the world over. On Lock and Code today, host David Ruiz provides an in-depth look at Pegasus: Who makes it, how much information it can steal from mobile devices, how does it get onto those devices, and who has been provably harmed by its surveillance capabilities?

S3 Ep 3: How a few PhD students revealed that phishing trainings might just not work
You've likely fallen for it before—a simulated test sent by your own company to determine whether its employees are vulnerable to one of the most pernicious online threats today: Phishing. Those simulated phishing tests often come with a voluntary or mandatory training afterwards, with questions and lessons about what mistakes you made, right after you made them. But this extremely popular phishing defense practice might not work. In fact, it might make you worse at recognizing phishing attempts in the future. That's what Daniele Lain and his fellow PhD candidates at the ETH Zurich university in Switzerland revealed in a recent 15-month study, which we discuss today on Lock and Code, with host David Ruiz.

S3 Ep 2: Why we don’t patch, with Jess Dodson
In 2017, the largest ransomware attack ever recorded hit the world, infecting more than 230,000 computers across more than 150 countries in just 24 hours. And it could have been solved with a patch that was released nearly two months prior. This was the WannaCry ransomware attack, and its final, economic impact—in ransoms paid but also in downtime and recovery efforts—has been estimated at about $4 billion. All of it could have been avoided if every organization running a vulnerable version of Windows 7 had patched that vulnerability, as Microsoft recommended. But that obviously didn't happen. Why is that? In today's episode of Lock and Code with host David Ruiz, we speak with cybersecurity professional Jess Dodson about why patching is so hard to get right for so many organizations, and what we could all do to better improve our patching duties.

S3 Ep 1: What angered us most about cybersecurity in 2021
We are only days into 2022, which means what better time for a 2021 retrospective? But rather than looking at the biggest cyberattacks of last year—which we already did—or the most surprising—like we did a couple of years ago—we wanted to offer something different for readers and listeners. On today's episode of Lock and Code, with host David Ruiz, we spoke with Malwarebytes Labs' editor-in-chief Anna Brading and Labs' writer Mark Stockley about what upset them the most about cybersecurity in 2021.

S2 Ep 24: Everything you always wanted to know about NFTs (but were too afraid to ask)
In August, the NFT for a cartoon rock sold for $1.3 million, and ever since then, much of the world has been asking: What the heck is going on? On today's episode of Lock and Code, with host David Ruiz, we speak with Malwarebytes' Mark Stockley, TechCrunch's Lucas Matney, and Pilot 44's Mike Maizels about the basics of NFTs and the cryptocurrency-related technology behind them, the implied value of NFTs and why people are paying so much money for them, and the future of NFTs both within the art world and beyond it.

S2 Ep 23: Why Macs are the best, according to Mac expert Thomas Reed
In 2021, the war for computer superiority has a clear winner, and it is the Macintosh, by Apple. The company's Pro laptops are finally, belatedly equipped with ports that have been standard in other computers for years. The company's beleaguered "butterfly" keyboard has seemingly been erased from history. And the base model of the company's powerhouse desktop tower could set you back a hefty $6,000. What's not to love? On Lock and Code this week, we talk to Mac security expert Thomas Reed about why Macs are clearly the best... or are they?

S2 Ep 22: The Internet is not safe enough for women, and Sue Krautbauer has some ideas about why
Cyberstalking. Harassment. Stalkerware. Nonconsensual pornography, real and digitally altered. The Internet can be a particularly ugly place for women. On Lock and Code this week, we ask why. Join a conversation with Digitunity's Sue Krautbauer about what has gone wrong with the Internet, and what we can do to fix it.

S2 Ep 21: Why we fail at getting the cybersecurity basics right, with Jess Dodson
The cybersecurity basics should be just that—basic. Easy to do, agreed-upon, and adopted at a near 100 percent rate by companies and organizations everywhere, right? You'd hope. But the reality is that basic cybersecurity blunders have led to easy-to-discover vulnerabilities in companies including John Deere, Clubhouse, and Kaseya VSA (which we've all talked about on this show), and at least for Kaseya VSA, those vulnerabilities led to one of the worst ransomware attacks in recent history. Today, on the Lock and Code podcast with host David Ruiz, we speak with security professional and recovering Windows systems administrator Jess Dodson about why we seem to keep getting the cybersecurity basics so wrong, and why getting up to speed—which can take a company more than a year—is so necessary.

S2 Ep 20: Beyond the VPN: Ultimate online privacy, with The Tor Project’s Isabela Bagueros
What does online privacy mean to you? Maybe it's securing your online messages away from prying eyes. Maybe it's keeping your browsing behavior hidden from advertisers. Or maybe it's, like for many people today, using a VPN to hide your activity from your Internet Service Provider. But because online privacy can mean so many things, that also means it includes so much more than just using a VPN. Today, we speak to The Tor Project Executive Director Isabela Bagueros about what other types of online tracking users are vulnerable to, even if they're using a VPN, how else users can stay private online without becoming overwhelmed, and why users should be careful about trusting any one, single VPN.

S2 Ep 19: ExpressVPN made a choice, and so have I
On September 14, the US Department of Justice announced that it had resolved an earlier investigation into an international cyber hacking campaign coming from the United Arab Emirates, called Project Raven, that has reportedly impacted hundreds of journalists, activists, and human rights defenders in Yemen, Iran, Turkey, and Qatar. But in a bizarre twist, this tale of surveillance abroad tapered inwards into a tale of privacy at home, as one of the three men named by the DOJ is Daniel Gericke, the chief information officer at ExpressVPN. Which, as it just so happens, is the preferred VPN vendor of our host David Ruiz, who, as it just so happens, has spent much of his career explicitly fighting against government surveillance. And he has some thoughts on the whole thing.

S2 Ep 18: Teaching cybersecurity skills to special needs children with Alana Robinson
Internet safety for kids is hard enough as it is, but what about Internet safety for children with special needs? How do you teach strong password creation for children with learning disabilities? How do you teach children how to separate fact from fiction when they have a different grasp of social cues? And how do you make sure these lessons are not only remembered for years to come, but also rewarding for the children themselves? Today on Lock and Code, we speak with Alana Robinson, a special education technology and computer science teacher for K – 8, about cybersecurity trainings for children with special needs, and about how, for some lessons, her students are better at remembering the rules of online safety than some adults.

S2 Ep 17: Backups are not a simple ransomware defense, with Matt Crape
A recent spate of ransomware attacks has derailed major corporations, spurring a fuel shortage on the US East Coast, shuttering grocery stores in Sweden, and sending students home from grade schools. The solution, so many cybersecurity experts say, is to implement backups. But if backups are so useful, why aren't they visibly working? Companies with backups have found them misconfigured, or they've ended up paying a ransom anyways. On Lock and Code this week, we speak with VMware technical account manager Matt Crape about backups, a complex defense to ransomware.

S2 Ep 16: Hackers, tractors, and a few delayed actors. How hacker Sick Codes learned too much about John Deere
No one ever wants a group of hackers to say about their company: “We had the keys to the kingdom.” But that’s exactly what the hacker Sick Codes said on this week’s episode of Lock and Code, with host David Ruiz, when talking about his and fellow hackers’ efforts to peer into John Deere’s data operations center, where the company receives a near-endless stream of data from its Internet-connected tractors, combines, and other smart farming equipment.

S2 Ep 15: Katie Moussouris hacked Clubhouse. Her emails went unanswered for weeks
When Luta Security CEO and founder Katie Moussouris analyzed the popular social "listening" app Clubhouse, she found a way to eavesdrop on conversations without notifying other users. This was, Moussouris said, a serious and basic flaw, so, using her years of expertise, she documented the vulnerability and emailed some information to the company. Her emails went unanswered for weeks. Today, on Lock and Code with host David Ruiz, we speak to Moussouris about Clubhouse, vulnerability disclosure, and the imperfect implementations of "bug bounty" programs.

S2 Ep 14: Disaster planning with Lesley Carhart, and the slim chance of a critical infrastructure “big one”
The 2021 attacks on two water treatment facilities in the US—combined with ransomware attacks on an oil and gas supplier and a meat and poultry distributor—could lead most people to believe that a critical infrastructure “big one” is coming. But, as Lesley Carhart, principal threat hunter with Dragos, tells us, the chances of such an event are remarkably slim. In fact, critical infrastructure’s regular disaster planning often leads to practices that can detect, limit, or prevent any wide-reaching cyberattack.

S2 Ep 13: “Seven or eight” zero-days: The failed race to fix Kaseya VSA, with Victor Gevers
On April 1, a volunteer researcher for the Dutch Institute for Vulnerability Disclosure (DIVD) began poking around into Kaseya VSA, a popular software tool used to remotely manage and monitor computers. Within minutes, he found a zero-day vulnerability that allowed remote code execution—a serious flaw. Within weeks, his team had found seven or eight more. In today's episode, DIVD Chair Victor Gevers describes the race to prevent one of the most devastating ransomware attacks in recent history. It's a race that Gevers and his team almost won. Almost.

S2 Ep 12: Racing against a real-life ransomware attack, with Ski Kacoroski
At 11:37 pm on the night of September 20, 2019, cybercriminals launched a ransomware attack against Northshore School District in Washington state. Early the next morning, Northshore systems administrator Ski Kacoroski arrived on scene. As Kacoroski soon found out, he and his team were in a race against time—the ransomware actively spreading across servers holding data necessary for day-to-day operations. And importantly, in just four days, the school district needed—by law—to pay its staff. That was now at risk. Today, we speak to Kacoroski about the immediate reaction, the planned response, and the eventual recovery from a ransomware attack. Tune in to hear Kacoroski's story—and any lessons learned—on the latest episode of Lock and Code, with host David Ruiz.

S2 Ep 11: Want to stop ransomware attacks? Send the cybercriminals to jail, says Brian Honan
Ransomware attacks are on a different scale this year, with major attacks not just dismantling the business and management of Colonial Pipeline in the US, the Health Service Executive in Ireland, and the meatpacker JBS in Australia, but also disrupting people's access to gasoline, healthcare, COVID-19 vaccinations, and more. So, what is it going to take to stop these attacks? Brian Honan, CEO of BH Consulting, said that the process will be long and complex, but the end goal in sight should be simple: Put the cybercriminals responsible for these attacks behind bars. Tune in to learn about how ransomware can dismantle a business, what governments are doing to fight back, and why we need better cooperation within private industry, on the latest episode of Lock and Code, with host David Ruiz.

S2 Ep 10: Can two VPN "wrongs" make a right?
In 2016, a mid-20s man began an intense, prolonged harassment campaign against his new roommate. He emailed her from spoofed email accounts. He texted her and referenced sensitive information that was only stored in a private, online journal. He created new Instagram accounts, he repeatedly made friend requests through Facebook to her friends and family, he even started making bomb threats. And though he tried to sometimes mask his online activity, two of the VPNs he used while registering a fake account eventually gave his information to the FBI. This record-keeping practice, known as VPN logging, is frowned upon in the industry. And yet, it helped lead to the capture of a dangerous criminal. Can two VPN "wrongs" make a right? Find out today on Lock and Code, with host David Ruiz.

S2 Ep 9: Shining a light on dark patterns with Carey Parker
This week on Lock and Code, we speak to cybersecurity advocate and author Carey Parker about "dark patterns," which are subtle tricks online to get you to make choices that might actually harm you. Maybe you'll be bilked out of a couple dollars, maybe you'll find it nearly impossible to unsubscribe from that newsletter, or maybe you'll see yourself signing away some of your data privacy controls just so a company can keep making more money off you. Tune in to learn about dark patterns—how to spot them, what any future fixes might look like, and what one company is doing to support you—on the latest episode of Lock and Code, with host David Ruiz.

S2 Ep 8: Alleviating ransomware's legal headaches with Jake Bernstein
This week on Lock and Code, we speak to cybersecurity and privacy attorney Jake Bernstein about ransomware attacks that don't just derail a company's reputation and productivity, but also throw them into potential legal peril. These are "double extortion" attacks, in which ransomware operators can hit the same target two times over—encrypting a victim's files and also threatening to publish sensitive data that was stolen in the attack. And in the US, whenever data is stolen and released, there are about 50 state laws that might dictate what a victim does next, and how quickly they do it. Tune in to learn about these ransomware attacks, what state laws get triggered, how new privacy laws affect legal compliance, and why Bernstein does not expect any federal legislation to standardize this process, on the latest episode of Lock and Code, with host David Ruiz.

S2 Ep 7: Breaking free from the VirusTotal silo
This week on Lock and Code, we speak to Malwarebytes Chief Information Security Officer John Donovan about the flaws in using VirusTotal as the one source of truth when evaluating whether or not a cybersecurity tool actually works. It's a practice that is surprisingly common among small- to medium-sized businesses (SMBs). Tune in to learn about the smartest ways to test and implement endpoint protection into your SMB, and how to finally break free from the VirusTotal silo, on the latest episode of Lock and Code, with host David Ruiz.

S2 Ep 6: Beating security fatigue with Troy Hunt, Chloé Messdaghi, and Tanya Janca
This week on Lock and Code, we speak to Point3 Security chief strategist Chloé Messdaghi, HaveIBeenPwned founder Troy Hunt, and We Hack Purple founder and CEO Tanya Janca about security fatigue. Security fatigue is exactly what it sounds like. It's the limit we all reach when security best practices become overbearing. It's what prevents us from making a strong password for a new online account. It’s why we may not update our software despite repeated notifications. And, importantly, it probably isn’t your fault. Tune in to learn about security fatigue from the experts—how does it manifest in their professions, what have they seen, and what are the unforeseen outcomes to it—on the latest episode of Lock and Code, with host David Ruiz.

S2 Ep 5: Why you need to trust your VPN, with JP Taggart
This week on Lock and Code, we speak to Malwarebytes senior security researcher JP Taggart about the importance of trusting your VPN. You've likely heard the benefits of using a VPN: You can watch TV shows restricted to certain countries, you can encrypt your web traffic on public WiFi networks, and, importantly, you can obscure your Internet activity from your Internet Service Provider, which may use that activity for advertising. But obscuring your Internet activity—including the websites you visit, the searches you make, the files you download—doesn’t mean that a VPN magically disappears those things. It just means that the VPN itself gets to see that information instead. Tune in to hear about what your VPN can see, why it is important for that information to be secured, and how you can safely transfer your trust to a VPN, on the latest episode of Lock and Code, with host David Ruiz.

S2 Ep 4: The Malwarebytes 2021 State of Malware report
This week on Lock and Code, we tune in to a special presentation from Adam Kujawa about the 2021 State of Malware report, which analyzed the top cybercrime goals of 2020 amidst the global pandemic. If you just pay attention to the numbers from last year, you might get the wrong idea. After all, malware detections for both consumers and businesses decreased in 2020 compared to 2019. That sounds like good news, but it wasn't. Behind those lowered numbers were more skillful, more precise attacks that derailed major corporations, hospitals, and schools with record-setting ransom demands. You can read the full 2021 State of Malware report here, and you can follow along with everyday cybersecurity coverage from Malwarebytes Labs here.

S2 Ep 3: Defending online anonymity and speech with Eva Galperin
Every few years, after the public learns about an ugly, online harassment campaign, a familiar response shoots forth: Change the way we talk to one another online, either by changing the law, or changing the rules for how we identify ourselves online. But these "solutions" could actually bring more problems, particularly for vulnerable communities. Today, we speak to Electronic Frontier Foundation's Director of Cybersecurity Eva Galperin about how removing online anonymity could harm the safety of domestic abuse survivors, and why one decades-old law protects everyone online, and not just Big Tech.

S2 Ep 2: Talking Emotet's takedown with Adam Kujawa
On today's show, we discuss cybersecurity's public enemy number one: Emotet. This piece of malware started in 2014 as a simple banking Trojan, but it later evolved into a fully functional malware business, as its operators sold access to other threat actors and helped load separate malware for a price. The danger was real, but on January 27, Europol announced they'd taken Emotet down. Today, we talk to Malwarebytes security evangelist Adam Kujawa about Emotet's past, its takedown, and the power vacuum it leaves behind.

S2 Ep 1: Celebrating Data Privacy Day with Mozilla, DuckDuckGo, and EFF
For Data Privacy Day this year, Lock and Code returns with a special episode featuring guests from Mozilla, DuckDuckGo, and EFF in a discussion on how to protect your online privacy.

S1 Ep 21: Lesson planning your school's cybersecurity with Doug Levin
Education faced a crisis in the US this year, as the coronavirus forced schools across the country to develop new strategies for teaching. At Malwarebytes, we wanted to discover how these shifts impacted education cybersecurity. Today on Lock and Code, we discuss the latest findings from our report, "Lessons in cybersecurity: How education coped in the shift to distance learning," and we speak with Doug Levin, founder of K12 cybersecurity resource center and advisor to K12 Security Information Exchange, about how schools can plan for a cybersecure 2021.

S1 Ep 20: Tracking the charities that track you online with Chris Boyd
Today we look at two topics that, maybe surprisingly, intersect: charity organizations and online ad tracking. Ad tracking isn't new—luxury brands used to place their advertisements specifically in newspapers that delivered to high-income zip codes. But today's ad tracking supercharges that match-making game with a complex, opaque machinery that can track what you do online, what websites you visit, what browser you use, and even your gender, religion, and political bias. To help us better understand how charity organizations utilize ad tracking tools—and why that could concern some users—we’re speaking with Chris Boyd, lead malware intelligence analyst for Malwarebytes.

S1 Ep 19: Forecasting IoT cybersecurity with John Donovan and Adam Kujawa
Today, we’re offering Lock and Code listeners something different. We’re giving you a backstage pass to a training we held for employees during Cybersecurity Awareness Month. The topic? The future of cybersecurity for the Internet of Things. Will we ever run antivirus software on IoT devices? What predictions can we make for how the cybersecurity industry will respond to the next, possible big IoT attack? And what can we do today to stay safe? This episode was recorded live in front of our fellow Malwarebytes employees. It also includes a Q&A with our employees at the end.

S1 Ep 18: Finding consumer value in Cybersecurity Awareness Month with Jamie Court
Cybersecurity Awareness Month is upon us, and while the value of the once-a-year awareness campaign may be obvious to the countless employees now enrolled in cybersecurity trainings, phishing quizzes, and multi-factor authentication webinars—likely mandated by their employers—the value of this awareness campaign may be a little less obvious to the everyday consumer. To help us better understand the value of Cybersecurity Awareness Month for the consumer, we’re talking today with Jamie Court, president of the non-profit advocacy group Consumer Watchdog.

S1 Ep 17: Discussing journalism's role in cybersecurity with Seth Rosenblatt and Alfred Ng
We often learn about cybersecurity issues because of reporting. And as the years have progressed, the stories have only become more intertwined with our everyday lives. Tune in to hear about the role of journalism in cybersecurity—like what makes a vulnerability newsworthy and what coverage helps readers most—on the latest episode of Lock and Code, with guests Seth Rosenblatt of The Parallax and Alfred Ng of CNET.

S1 Ep 16: Investigating digital vulnerabilities in our physical world with Samy Kamkar
A recent history of hacking shows the importance of experimentation. In 2015, security researchers hacked a Jeep Cherokee and took over its steering, transmission, and brakes. In 2019, researchers accessed medical scanning equipment to alter X-ray images, inserting fraudulent, visual signs of cancer in a hypothetical patient. Today, we're discussing one such experiment—a garage door opener called “Open Sesame.” Join us for a discussion with "Open Sesame"'s developer, who is also the chief security officer and co-founder of Open Path, Samy Kamkar, to hear about how his tool works, and who holds responsibility for protecting against modern attacks.

S1 Ep 15: Safely using Google Chrome Extensions with Pieter Arntz
The world of Google Chrome extensions—the sometimes helpful tools that can work directly with the Google Chrome browser to provide a variety of features—is enormous. So, with a marketplace of more than 200,000 items, quality control gets tricky. On today's episode, we speak with Pieter Arntz, malware intelligence researcher for Malwarebytes, about safely downloading Google Chrome extensions and how to avoid some of the more malicious extensions that are meant to hijack searches or sneakily deliver money for their developers.

S1 Ep 14: Uncovering security hubris with Adam Kujawa
Ask yourself, right now, on a scale from one to ten, how cybersecure are you? Are you maybe inflating that answer? Our main story today concerns “security hubris,” the simple, yet difficult-to-measure phenomenon in which businesses, and the people inside them, are less secure than they actually believe. To better understand security hubris—how businesses can identify it and what they can do to protect against it—we’re talking today to Adam Kujawa, security evangelist and director for Malwarebytes Labs.

S1 Ep 13: Monitoring the safety of parental monitoring apps with Emory Roane
Parental monitoring apps give parents the capabilities to spot where their kids go, read what their kids read, and prevent them from, for instance, visiting websites deemed inappropriate. But where these apps begin to cause concern is just how powerful they can be. To help us better understand parental monitoring apps, their capabilities, and how parents can choose to safely use these with their children, we’re talking today with Emory Roane, policy counsel at Privacy Rights Clearinghouse.

S1 Ep 12: Pinpointing identity and access management's future with Chuck Brooks
Identity and access management, or IAM, is the name we use for the set of technologies and policies that control who accesses what resources inside a system—from company files being locked away for only some employees, to even your online banking account being accessible only to you. With more individuals using more accounts to access more resources than ever before, threats have similarly emerged. To better understand identity and access management, its impacts on the digital and physical world today, and who holds the responsibility to manage it, we’re talking today to Chuck Brooks, cybersecurity evangelist and adjunct professor for Georgetown University’s Applied Intelligence Program and graduate Cybersecurity Programs.

S1 Ep 11: Locating concerns of Bluetooth and beacon technology with Chris Boyd
Last month, cybersecurity experts warned the public about the data collection embedded in the Donald Trump 2020 re-election campaign’s mobile app. Once downloaded, the app requests broad access to user information, including device contacts, rough location, device storage, ID, call information, Bluetooth pairing, and more. On today’s episode, we’re looking at just one of the app’s requested permissions—Bluetooth. To help us better understand Bluetooth and beacon technology, how they are applied to online advertising, and whether apps that request access to Bluetooth functionality are a big concern, we’re talking today with Chris Boyd, lead malware intelligence analyst for Malwarebytes.

S1 Ep 10: Pulling apart the Internet of Things with JP Taggart
For years, Internet capabilities have crept into modern consumer products, providing sometimes convenient, sometimes extraneous Internet connectivity. This increase in IoT devices has an obvious outcome—a broader attack surface for threat actors. Not only that, but with more devices connecting to the Internet, there are also more devices collecting your data and analyzing it to send you more ads, more frequently, for more products. To help us better understand the Internet of Things—including the cybersecurity and data privacy concerns of IoT devices, and what you can do to stay safe—we’re talking today to JP Taggart, senior security researcher with Malwarebytes.

S1 Ep 9: Strengthening and forgetting passwords with Matt Davey and Kyle Swank
We may know it’s important to have a strong, non-guessable, lengthy password, and yet we still probably all know someone who writes their password on a post-it, which is then affixed literally onto their machine. To help us better understand the future of passwords, and any potential pitfalls for the burgeoning alternatives, we’re talking today to Matt Davey, Chief Operations Optimist at 1Password, and Kyle Swank, a member of 1Password's security team.