Cybercriminals have leaked records from National Public Data, a data scraping service that provides background checks.

Cybercriminals are offering a large database for sale that may include your data without you even being aware of its existence.

The stolen data comes from a data scraping service trading under the name “scraping” which was allegedly breached by a cybercriminal group by the name of USDoD.

In April, a member of this group posted the database, which contains the data of some 2.9 billion people, up for sale for $3.5 million. Then, earlier this week, the 277 GB of data was offered for download for free on the notorious BreachForums by another member of the USDoD group.

USDoD member posted links to database

The database contains records that, among others, contain the fields:

*   First name
*   Last name
*   Middle name
*   Date of Birth
*   Address
*   City
*   County
*   State
*   Zip code
*   Phone number
*   Social Security Number

The publication of the data came a few days after a complaint was filed in the US District Court for the Southern District of Florida. The complaint against Jerico Pictures Inc, trading as National Public Data, accuses the defendant of failure to properly secure and safeguard the personally identifiable information (PII) that it collected as part of its regular business practices.

Jerico Pictures is a background check company that allows its customers to instantly search their database containing billions of records. The data in these records is scraped from non-public sources without knowledge or consent. A major problem with this is that the company has no ties with the victims, so most of them will have no idea that their data has been made public.

The plaintiff filed the complaint after they found out about the breach when an identity theft protection service notified him in July that their personal information had been compromised and leaked on the dark web.

This, while apparently some of the victims have already noticed the misuse of their Social Security Numbers.

One of the requests of the plaintiff is for the court to require National Public Data to purge the personal information of all the individuals affected and to encrypt all data collected going forward.

We have voiced our objections against data brokers in the past. The same is true for data scrapers like National Public Data, because, as we have seen, breaches at these data brokers can be combined with others and result in a veritable treasure trove of personal data ending up in the hands of cybercriminals. This database by itself qualifies as such a treasure trove and it is now available to every cybercriminal out there.

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Stolen data from scraping service National Public Data leaked online 

Google has issued security updates for 46 vulnerabilities, including a patch for a remote code execution flaw which has been used in limited targeted attacks.

Google has released patches for 46 vulnerabilities in Android, including a remote code execution (RCE) vulnerability that it says has been used in limited, targeted attacks.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

If your Android phone is at patch level 2024-08-01 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L, 13, and 14. Android partners, such as Samsung, Sony, etc, are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors.

For most Android devices, you can check for new updates like this: Under **About phone** or **About device** you can tap on **Software updates**, although there may be slight differences based on the brand, type, and Android version.

**Technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited vulnerability is listed as:

CVE-2024-36971 is a use after free (UAF) vulnerability in the Linux kernel. The vulnerability could lead to remote code execution with System execution privileges needed.

This Linux kernel vulnerability affects the Android OS because the Android kernel is based on an upstream Linux Long Term Supported (LTS) kernel. This kernel is like the engine of the operating system, managing the hardware and basic functions.

The Android kernel is based on a version of the Linux kernel, which is a popular core for many operating systems. Specifically, Android uses a version of the Linux kernel that is designated as “Long Term Supported” (LTS). This means it’s a version that gets updates and fixes for a longer period than regular versions, ensuring it stays secure and stable over time.

UAF is a type of vulnerability that happens when a program incorrectly handles its memory. When a program frees up a piece of memory but still tries to use it afterward, an attacker can exploit this mistake. This can cause the program to crash, behave unpredictably, or even run harmful code. In this case it allows the attacker to remotely execute code on the device if they have enough privileges.

Attackers would need to gain the needed privileges to use this vulnerability by combining it with other vulnerabilities.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android vulnerability used in targeted attacks patched by Google 

Men face more pressure—and threats—from significant others to grant access to their personal devices, online accounts, and locations.

Men report facing more pressure than women—and more threats of retaliation—to grant access to their locations and online accounts when in a committed relationship, according to a new analysis of data released this summer by Malwarebytes.

The same analysis also revealed that, while men report more regret in sharing their locations, women report less awareness in how their locations can be accessed, particularly through food delivery apps, ride-hailing services, vacation rental platforms, and other location-based tools.

The data from Malwarebytes paints a nuanced portrait of the struggles that men and women face when deciding how much of their digital lives to share with spouses, boyfriends, girlfriends, and partners. Often, the struggles intersect with parts of modern dating that people have little control over, including how companies track, collect, and share their data, and how easy it is for other people to access that data.

In looking more closely at the research released earlier this year in the report, “What’s mine is yours: How couples share an all-access pass to their digital lives,” Malwarebytes hopes to once again spread awareness and education about secure dating practices in the internet age.

Access our full “Modern Love in the Digital Age” guidance hub below.

Men are going through a loneliness epidemic in America right now.

But even for men in romantic relationships, where companionship should be a salve, other problems emerge. In particular, as Malwarebytes found, these problems include disparate feelings of pressure and regret in sharing their devices, account passwords, and locations.

For example, of partners who shared their location with one another, 36% of men said they’d “felt pressure” to do so, compared with 20% of women who said the same. And a shocking 9% of men who share their account access clarified that such access may be imbalanced, as they agreed: “My partner has threatened me over sharing account access,” compared to 4% of women—a more than two-fold increase. The threats included things like being broken up with, being harmed physically or emotionally, or being shut out and ignored.  

Men were also more likely to report a one-sided consent model for how their partners accessed their devices, accounts, and locations (a model that we’re not entirely ready to call “sharing” because of the clearly communicated lack of consent).

When asked about the way in which they “shared” _any_ type of digital and device access, which included smartphones, tablets, computers, online accounts for multiple apps, and location data, 23% of men said “Yes \[my partner\] has access but I wish they didn’t.” That rate was 12% for women.

Similar disparities arose when men and women answered the same way regarding device access (14% of men compared to 7% of women), social media access (9% of men compared to 4% of women), and access to apps that can share your location (16% of men compared to 9% of women).

But not all location apps are the same, and when asked specifically about apps that are designed to share locations between individuals—such as FindMy on iOS, Find My Device for Google, or third-party tools like Life360—the data revealed the largest discrepancy.

A shocking 400% more men said they only share their locations through those apps “because my partner insists” (8% of men compared with 2% of women).

In the research, men openly shared their feelings on all this, as 14% (compared to 8% of women) agreed: “If I could do it all over again, I wouldn’t share as much personal account information with my partner.”  

In safe and consensual arrangements between couples, a shared location can show up as a little blue dot on a devoted smartphone app.

But for apps that rely on location data to function—like ride-hailing apps, food delivery services, and vacation rental platforms—location “sharing” can feel a lot more like location “leaking.” A shared Airbnb account, for example, could reveal a spouse’s active vacation rental address to another partner logged into the same account. A shared Uber account could reveal ride history, and potentially even a new address, to an ex-boyfriend who never logged out after a breakup. And DoorDash orders could expose when a domestic abuse survivor is at home, so long as their abuser is monitoring the app from the same account.

But these examples, research shows, are not common knowledge, with women showing less awareness than men for every type of account.

Women were less likely to be aware of how their locations could be exposed to another user logged into the same account for vacation rental platforms (68% of women were unaware compared to 49% of men), health and fitness tracking apps like FitBit and Strava (57% of women compared to 43% of men), ride-hailing apps (50% of women compared to 37% of men), and food and grocery delivery apps (49% of women compared to 39% of men).

Women were also more likely to say they were unaware of how the companion apps for many modern vehicles—which can be used to find a car in a large parking lot or to help locate a stolen sedan—can also reveal their location on a shared account (60% of women compared to 41% of men).

This relatively new location-tracking method has caused serious problems for spouses being followed by their exes, and the blame cannot fall on users who are tasked with, as usual, managing even more parts of their lives online.

****Shifting perspectives****

Data alone never presents a full story, and data that compares men and women can be vulnerable to misinterpretation.

The varying issues facing men and women should not be interpreted as problems of their own making—men cannot be said to regret sharing account access because they have “something to hide,” and women cannot be said to be poorer users of technology because of lower reported awareness in location sharing mechanisms.

If anything, the overlap in responses shows the work to be done.

When 68% of women _and_ 49% of men are unaware of how their locations can be accessed through shared accounts on vacation rental platforms, perhaps this isn’t a problem of user awareness. Perhaps it is a problem of unclear communication and lacking transparency from the largest and most popular apps today.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Men report more pressure and threats to share location and accounts with partners, research shows 

Home users are being targeted by a ransomware called Magniber which locks up files and demands money for the key.

If you’ve been following any news about ransomware, you may be under the impression that ransomware groups are only after organizations rather than individual people, and for the most part that’s true.

However, Magniber is one ransomware that does target home users. And it’s back, with full force, demanding four figure ransoms to unencrypt data.

BleepingComputer, which has a dedicated forum for ransomware victims, reports:

> “A massive Magniber ransomware campaign is underway, encrypting home users’ devices worldwide and demanding thousand-dollar ransoms to receive a decryptor.”

This surge was confirmed by ID-Ransomware, which helps users to identify the ransomware family that has infected their systems. ID-Ransomware has received well over 700 requests from visitors who had their files encrypted by Magniber since July 20, 2024. Malwarebytes’ telemetry also shows an uptick in Magniber detections in July.

Magniber first emerged in 2017 when it 2024 targeted South Korean systems. In 2018, it started infecting computers with a much more developed version which also targeted other Asian countries like Malaysia, Taiwan, and Hong Kong.

The new campaign does not limit itself to specific regions and uses tried and trusted methods to reach home users’ systems. The ransomware is often disguised in downloads for cracks or key generators of popular software, as well as fake updates for Windows or browsers. In some cases, the group takes advantage of unpatched Windows vulnerabilities.

When infected, victims are presented with this ransom notice:

> Your important files have been encrypted due to the suspicion of the illegal content download!
> 
> Your files are not damaged! Your files are modified only. This modification is reversible.
> 
> Any attempts to restore your files with the third party software will be fatal to your files!
> 
> To receive the private key and decryption program follow the instructions below:

The instructions will tell you to visit a website which can only be reached by using the Tor browser.

Once the ransomware has encrypted the targeted files, it will typically request a ransom in the region of $1,000 which is raised to around $5,000 if the victim does not pay within three days. Unfortunately, old decryptors that were available for free don’t work for this version.

**How home users can prevent ransomware**

There are some rules that can help you avoid falling victim to this type of ransomware:

*   Make sure your system and software are on the latest version. Criminals will exploit known holes that have been patched by the vendors but not updated everywhere.
*   Run a trusted anti-malware solution.
*   Never download illegal software, cracks, and key generators.
*   Use a malicious content blocker to stop your browser from visiting bad sites.
*   Don’t open unexpected email attachments.
*   Don’t click on links before checking where they will take you.

If you do accidentally get caught by ransomware, we recommend you don’t pay. There’s no guarantee you’ll get your files back, and you’ll be helping to line the pockets of criminals.

Malwarebytes Artificial Intelligence module blocks the latest Magniber versions as Malware.AI.{ID-nr}. Older versions will be detected as Ransom.Magniber or Ransom.Magniber.Generic.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Magniber ransomware targets home users 

A list of topics we covered in the week of July 29 to August 4 of 2024

August 2, 2024 - The FBI warns about scammers that impersonate employees of cryptocurrrency exchanges as a means to defraud victims

July 31, 2024 - Meta has settled a Texas lawsuit over gathering biometric data for Facebook's "Tag Suggestions" feature without informed consent.

July 31, 2024 - Apple has released security updates that patch vulnerabilities in Siri and VoiceOver that could be used to access sensitive user data.

July 30, 2024 - Only trust official sources they say, but what happens when a Google vetted ad is for a Google product?

July 29, 2024 - This week on the Lock and Code podcast, we speak with Jess Dodson about SIEM selection, management, and proper data collection.

 A week in security (July 29 &#8211; August 4) 

The FBI warns about scammers that impersonate employees of cryptocurrrency exchanges as a means to defraud victims

The Federal Bureau of Investigation (FBI) issued a public service announcement warning the public about scammers impersonating cryptocurrency exchange employees to steal funds.

There are many types of crypto related scams, but in this case, the FBI provided an advisory about scammers that contact the target and pretend to be employees of a cryptocurrency exchange.

As scammers almost always do, they try to impose a feeling of urgency on the target, making potential victims feel as though they must act quickly because of, say, an acute problem with their account. Such an account may be allegedly compromised, or scammers could trick a victim into thinking that a third party is trying to gain access and withdraw funds from the account.

The scammer then offers to help the target to secure their funds, but to do so, the scammer—posing as a legitimate employee of the cryptocurrency exchange—first needs the victim’s log in credentials. Sometimes, scammers also send a malicious link to the victim which takes the victim to a illegitimate site that can collect identification information.

Armed with the information the target provided, the scammer drains the account. In a sense, the false warning that first came from the scammer was true—someone was after their account, it’s just that this specific someone was the person talking to the victim themselves.

Very similar scams exist that involve bank accounts, but most people are aware of how they can check and verify that the person they are in contact with actually works for their bank. With cryptocurrency exchanges, this is often not true.

Also, we see a lot of scary stories in the news about exchanges getting robbed or even disappearing with their customer’s money. Some crypto-related scams often deploy imposter websites which are hard to discern from the real ones.

Recovery services are another successful avenue for scammers. In June, the FBI warned of fraudsters posing as lawyers representing fictitious law firms that contact scam victims and offer their services, claiming to have the authorization to investigate fund recovery cases.

These scammers are usually after more money or personal information that could lead to identity theft.

The California Department of Financial Protection & Innovation (DFPI) has a very useful crypto scam tracker that allows visitors to read and search through hundreds of different real-life scenarios of crypto-related scams.

The most important ground rule when it comes to cryptocurrency or financial scams of any kind is: if it sounds too good to be true, it likely is.

Besides that, there are a few other guidelines that can keep you out of trouble.

*   Don’t respond to messages, emails or other communications that arrive unexpectedly or from strange senders/phone numbers.
*   First verify that the person you are communicating with represents the company they claim to work for. Do this using another channel. A call to a number you know to be legitimate, for example.
*   Don’t let scammers rush you into decisions or actions. They try to make you feel a sense of urgency, so you don’t take the necessary time to think things through.
*   Always research whether the cryptowallet, cryptoexchange, or app they are sending you to is trustworthy before signing up for it or installing something.
*   Use multi-factor authentication (MFA) for existing accounts which makes it harder for anyone to take over your account.
*   Never give out more information than absolutely necessary. A legitimate company will not ask for more information.

The FBI requests victims report activity associated with this scam to the FBI IC3 at www.ic3.gov.

The FBI also requests victims provide any transaction information associated with the scam. For more information on what to provide the FBI, see prior IC3 PSA Alert Number I-082423-PSA.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Scammers are impersonating cryptocurrency exchanges, FBI warns 

Meta has settled a Texas lawsuit over gathering biometric data for Facebook's "Tag Suggestions" feature without informed consent.

Texas Attorney General Ken Paxton has announced a $1.4 billion settlement with Meta to “stop the company’s practice of capturing and using the personal biometric data of millions of Texans without the authorization required by law.”

The prime reason for the initial lawsuit that led to the settlement was Facebook’s “Tag Suggestions” feature that used facial recognition. This feature was rolled out in 2011 to “improve the user experience by making it easier for users to tag photographs with the names of people in the photo.”

However, Meta allegedly automatically turned this feature on for all Texans without explaining how the feature worked. This method made it possible to run facial recognition software on virtually every face contained in the photographs uploaded to Facebook, capturing records of the facial geometry of the people depicted, for a long time.

In 2019, Facebook said it had always given control to users about the use of face recognition technology to recognize users in photos, but it wasn’t until December 2017 that Facebook introduced settings that allowed users to manage whether Facebook used face recognition technology on their photos to suggest tags.

Texas’s “Capture or Use of Biometric Identifier” (CUBI) Act forbids companies from capturing biometric identifiers of Texans, including records of face geometry, unless the business first informs the person and receives their consent to capture the biometric identifier.

So, in February 2022, Attorney General Paxton sued Meta for unlawfully capturing the biometric data of millions of Texans without obtaining their informed consent as required by Texas law. Approximately two years after filing the petition, Texas reached a settlement agreement with Meta who will pay the state of Texas $1.4 billion over five years.

The face recognition setting is no longer available after Facebook reluctantly shut the Face Recognition system down by the end of 2021:

> “Making this change required careful consideration, because we have seen a number of places where face recognition can be highly valued by people using platforms.
> 
> We believe facial recognition can help for products like these with privacy, transparency and control in place, so you decide if and how your face is used. We will continue working on these technologies and engaging outside experts.”

Personally, I feel since biometrics are increasingly used for identification by more important services than social media, those platforms have no business gathering them. Therefore, we welcome Facebook’s move away from this kind of broad identification and will closely follow its planned future move toward narrower forms of personal authentication.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

 Meta to pay $1.4 billion over unauthorized facial recognition image capture 

Apple has released security updates that patch vulnerabilities in Siri and VoiceOver that could be used to access sensitive user data.

Apple has released security updates for many of its products in order to patch several vulnerabilities that could allow an attacker to steal sensitive information from a locked device.

Included in the patches for Apple Watch, iOS, and iPadOS are four vulnerabilities in Siri. While your device is locked there are several voice-commands your digital assistant can process.

Apple has restricted these options to stop an attacker with physical access from being able to access contacts from the lock screen and access other sensitive user data. Using Siri on a locked device has limitations to protect your privacy and security, and the digital assistant should only be able to perform tasks that do not require access to sensitive data locked behind the device’s security systems, such as Face ID or a passcode.

A similar vulnerability was also patched in the VoiceOver component in Apple Watch, iOS, iPadOS, and macOS Ventura. To check whether VoiceOver is on or off on your iPhone or iPad, you can check by looking at **Settings > Accessibility > VoiceOver**.

To check if you’re using the latest software version of iOS and iPadOS, go to **Settings** > **General** > **Software Update**. You want to be on iOS 17.6 or iPadOS 17.6, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

iPad Software update is available

Here’s an overview of the available updates for the various Apple products:

Name:

Available for:

Safari 17.6

macOS Monterey and macOS Ventura

iOS 17.6 and iPadOS 17.6

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.9 and iPadOS 16.7.9

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

macOS Sonoma 14.6

macOS Sonoma

macOS Ventura 13.6.8

macOS Ventura

macOS Monterey 12.7.6

macOS Monterey

watchOS 10.6

Apple Watch Series 4 and later

tvOS 17.6

Apple TV HD and Apple TV 4K (all models)

visionOS 1.3

Apple Vision Pro

iOS 15.8.3 and iPadOS 15.8.3

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Apple also patched the regreSSHion vulnerability that allows unauthenticated Remote Code Execution (RCE) in OpenSSH.

For beta testers Apple also released the first beta of iOS 18.1 to developers. This update is available for iPhone 15 Pro and iPhone 15 Pro Max and includes the first set of Apple Intelligence features, such as Writing Tools, new features for Mail and notifications, upgrades to Photos, and more.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple fixes Siri vulnerabilities that could have allowed sensitive data theft from locked device. Update now! 

Only trust official sources they say, but what happens when a Google vetted ad is for a Google product?

We have previously reported on the brand impersonation issue with Google ads: users who search for popular keywords are shown malicious ads that purport to be from an official vendor.

Not only does this trick innocent victims into downloading malware or losing their data to phishing sites, it also erodes trust in brands and by association in Google Search itself.

Today, we show yet another example of brand misuse, except that this one targets Google itself. If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer.

A similar distribution site and the same payload were previously reported by sandbox maker AnyRun. In this blog post, we will reveal the missing piece at the top of the killchain, namely the Google ad that was involved in tricking users into visiting a decoy website.

**Trust, but ‘verified’?**

The core issue with brand impersonation comes from ads that appear as if they were from official sources and advertisers’ identities verified by Google. This was the case here with this ad for Authenticator:

The truth is Larry Marr has nothing to do with Google, and is likely a fake account. We can follow what happens when you click on the ad by monitoring web traffic. We see a number of redirects via intermediary domains controlled by the attacker, before landing on a fake site for Authenticator.

**Fake site leads to signed payload hosted on Github**

The fraudulent site _chromeweb-authenticators\[.\]com_ was registered via NICENIC INTERNATIONAL GROUP CO., LIMITED on the same day as the ad was observed.

Looking at the site’s source code, we can see the code responsible for downloading _Authenticator.exe_ from GitHub. Note the comments from the author in Russian:

Hosting the file on GitHub allows the threat actor to use a trusted cloud resource, unlikely to be blocked via conventional means. While GitHub is the de facto software repository, not all applications or scripts hosted on it are legitimate. In fact, anyone can create an account and upload files, which is exactly what the threat actor did under the username _authe-gogle_, creating the _authgg_ repository that contains the malicious _Authenticator.exe_:

Looking at the file itself, we can see that it has been digitally signed by “_Songyuan Meiying Electronic Products Co., Ltd._” just one day before, and the signature is still valid at the time of writing:

The malware, DeerStealer, is a kind of stealer that will grab and exfitrate your personal data via an attacker-controlled website hosted at _vaniloin\[.\]fun_.

**Conclusion**

Threat actors have been abusing Google ads as a way to trick users into visiting phishing and malware sites. Since the whole premise of these attacks relies on social engineering, it is absolutely critical to properly distinguish real advertisers from fake ones.

As we saw in this case, some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well.

We should note that Google Authenticator is a well-known and trusted multi factor authentication tool, so there is some irony in potential victims getting compromised while trying to improve their security posture. We recommend avoiding clicking on ads to download any kind of software and instead visiting the official repositories directly.

Malwarebytes blocks access to the fake Authenticator website, and we detect the payload as Spyware.DeerStealer.

**Indicators of Compromise**

Malicious domains

vcczen\[.\]eu  
tmdr7\[.\]mom  
chromeweb-authenticators\[.\]com

Payload (stealer)

5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737

C2

vaniloin\[.\]fun

 Threat actor impersonates Google via fake ad for Authenticator 

This week on the Lock and Code podcast, we speak with Jess Dodson about SIEM selection, management, and proper data collection.

_This week on the Lock and Code podcast…_

In the world of business cybersecurity, the powerful technology known as “Security Information and Event Management” is sometimes thwarted by the most unexpected actors—the very people setting it up.

Security Information and Event Management—or SIEM—is a term used to describe data-collecting products that businesses rely on to make sense of everything going on inside their network, in the hopes of catching and stopping cyberattacks. SIEM systems can log events and information across an entire organization and its networks. When properly set up, SIEMs can collect activity data from work-issued devices, vital servers, and even the software that an organization rolls out to its workforce. The purpose of all this collection is to catch what might easily be missed.

For instance, SIEMs can collect information about repeated login attempts occurring at 2:00 am from a set of login credentials that belong to an employee who doesn’t typically start their day until 8:00 am. SIEMs can also collect whether the login credentials of an employee with typically low access privileges are being used to attempt to log into security systems far beyond their job scope. SIEMs must also take in the data from an Endpoint Detection and Response (EDR) tool, and they can hoover up nearly anything that a security team wants—from printer logs, to firewall logs, to individual uses of PowerShell.

But just because a SIEM _can_ collect something, doesn’t necessarily mean that it should.

Log activity for an organization of 1,000 employees is tremendous, and the collection of frequent activity could bog down a SIEM with noise, slow down a security team with useless data, and rack up serious expenses for a company.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Microsoft cloud solution architect Jess Dodson about how companies and organizations can set up, manage, and maintain their SIEMs, along with what advertising pitfalls to avoid when doing their shopping. Plus, Dodson warns about one of the simplest mistakes in trying to save budget—setting up arbitrary data caps on collection that could leave an organization blind.

“A small SMB organization … were trying to save costs, so they went and looked at what they were collecting and they found their biggest ingestion point,” Dodson said. “And what their biggest ingestion point was was their Windows security events, and then they looked further and looked for the event IDs that were costing them the most, and so they got rid of those.”

Dodson continued:

> “Problem was the ones they got rid of were their Log On/Log Off events, which I think most people would agree is kind of important from a security perspective.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Source

Malwarebytes