Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of SpinRite and ShieldsUP, discusses the hot topics in security today with Leo Laporte. Records live every Tuesday at 4:30pm Eastern / 1:30pm Pacific / 21:30 UTC.

SN 958: A Week of News and Listener Views - HHS Breach, CISA's Policing Results

January 23, 2024 | Duration 2:14:58 | 64.95 MB

- Microsoft's Top Execs' Emails Breached in Sophisticated Russia-Linked APT Attack
- US Health and Human Services Breached
- Firefox vs. "The Competition"
- Brave reduces its anti-fingerprinting protections
- CISA's proactive policing results one year later
- Longer Life For Samsung Updates
- Google Incognito Mode "Misunderstanding"
- Show doc not showing images on iOS Safari
- AI-Generated Media Authentication
- Which computer languages to learn?
- Flashlight app subscription
- Google's Privacy Sandbox system
- Malware and IoT devices
- Protected Audience API vs. Malvertising
- Defensive computing
- Why ISPs don't do anything about DDoS attacks
- SpinRite Update
Show Notes - https://www.grc.com/sn/SN-958-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.
Sponsors: paloaltonetworks.com/ot-security-tco, bitwarden.com/twit, drata.com/twit, kolide.com/securitynow

SN 957: The Protected Audience API - Hacked Washing Machine, Quantum Crypto Troubles

January 16, 2024 | Duration 1:45:16 | 50.7 MB

- What would an IoT device look like that HAD been taken over?
- And speaking of DDoS attacks
- Trouble in the Quantum Crypto world
- The Browser Monoculture
- Question about the Apple backdoor
- Getting into infosec
- Proton Drive vs. Sync
- SpinRite update
- The Protected Audience API
Show Notes - https://www.grc.com/sn/SN-957-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: meraki.cisco.com/twit, kolide.com/securitynow, lookout.com, bitwarden.com/twit, joindeleteme.com/twit (promo code TWIT)

SN 956: The Inside Tracks - 23andMe Mess, Ukraine Telecom Hack, LastPass

January 09, 2024 | Duration 1:53:33 | 54.68 MB

- More on Apple's hardware backdoor
- Russian hacking of Ukrainian cameras
- Russian hackers were inside Ukraine telecoms giant for months
- Things are still a mess at 23andMe
- CoinsPaid was the victim of another cyberattack
- Crypto Hacking in 2023
- Mandiant Twitter scam
- Defining "cyber warfare"
- LastPass is making some changes
- Windows Watch
- Google settles $5 billion lawsuit
- Return Oriented Programming
- Shutting Down Edge
- Root Certificates
- Credit freezing
- SpinRite Update
Show Notes - https://www.grc.com/sn/SN-956-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: lookout.com, paloaltonetworks.com/ot-security-tco, kolide.com/securitynow, bitwarden.com/twit

SN 955: The Mystery of CVE-2023-38606 - SpinRite Update, Nebula Mesh, Apple's Backdoor

January 02, 2024 | Duration 1:52:54 | 54.39 MB

- SpinRite 6.1 update
- Pruning Root Certificates
- A solution to Schrödinger's Bowl
- DNS Benchmark and anti-virus tools
- Nebula Mesh
- SpinRite 7 is coming
- The Mystery of CVE-2023-38606
Show Notes - https://www.grc.com/sn/SN-955-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: bitwarden.com/twit, kolide.com/securitynow, Melissa.com/twit, drata.com/twit

SN 954: Best of 2023 - Security Now's Best Moments of 2023

December 26, 2023 | Duration 1:37:24 | 47.06 MB

Leo looks back at the year's top security stories of 2023.
- Steve's Next Password Manager After the LastPass Hack
- CHESS is Safe
- Here Come the Fake AI-generated "News" Sites
- How Bad Guys Use Satellites
- Microsoft's "Culture of Toxic Obfuscation"
- Steve announces his commitment to SN
- Apple Says No
- NSA's Decade of Huawei Hacking
- ValiDrive announcement
Host: Leo Laporte

SN 953: Active Listening - KOSA, Cloudflare's Numbers, SpinRite Update

December 19, 2023 | Duration 2:00:16 | 57.9 MB

- Child protection legislation in the US
- Meta pushes back on the $200 billion FTC fine for COPPA violation
- Age verification on the internet
- Google moving from third-party cookies to Topics
- A look at Cloudflare's metrics
- SpinRite update
- Cox Media admits that it spies on you
Show Notes - https://www.grc.com/sn/SN-953-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: securemyemail.com/twit (use code TWIT), drata.com/twit, GO.ACILEARNING.COM/TWIT

SN 952: Quantum Computing Breakthrough - The Clear/Deep/Dark Web, Quad9 Victory, Telegram Flaw

December 12, 2023 | Duration 2:04:35 | 60.06 MB

- The government collection of push notification metadata
- Facebook Messenger sets end-to-end encryption as the default
- Iran's Cyber Av3ngers
- Cisco Talos's top 10 cyber security exploits this year
- Over 30% of apps are still using a vulnerable version of the Log4j library
- Quad9 speaks on their legal victory against Sony
- What are the "Clear Web", "Dark Web", and "Deep Web"?
- A Flaw in Telegram
- Xfinity Mobile wants you to accept a root CA, DO NOT
- Hardware VPN alternative
- A breakthrough in quantum computing
Show Notes - https://www.grc.com/sn/SN-952-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: GO.ACILEARNING.COM/TWIT, lookout.com, bitwarden.com/twit

SN 951: Revisiting Browser Trust - ICANN RDRS, Beeper Mini, TikTok ban, .meme TLD

December 05, 2023 | Duration 2:10:58 | 63.03 MB

- How masked domain owners can be unmasked through ICANN's new Registration Data Request Service (RDRS)
- WhatsApp's addition of Secret Code for extra privacy protection in Chat Lock
- Iranian hackers exploited default passwords in programmable logic controllers at US water facilities
- Montana's attempt to ban TikTok statewide was stalled by a federal judge's ruling
- Over 1 billion Android devices now have RCS messaging enabled
- The EU Cyber Resilience Act will improve the security of Internet of Things devices sold in the EU
- The Black Basta ransomware group has netted over $107 million since early 2022
- Google's new .meme top-level domain for meme-related web properties
- CISA's Secure by Design initiative echoes security best practices frequently recommended on the podcast
- France plans to ban use of "foreign" end-to-end encrypted messaging apps like Telegram and require use of the French app Olvid instead
- Concerns raised by industry experts Ivan Ristic and Ryan Hurst about the EU's eIDAS 2.0 legislation undermining certificate authority trust
Show Notes - https://www.grc.com/sn/SN-951-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: canary.tools/twit (use code TWIT), vanta.com/SECURITYNOW

SN 950: Leo Turns 67 - Fingerprint Security, Do-Not-Track

November 28, 2023 | Duration 2:12:07 | 63.65 MB

- Adobe Flash Player Updater is (still) desperately trying to update
- VeraCrypt password security
- Firefox moves to 120 with a bunch of very nice new features
- Do-Not-Track is back on track
- "ownCloud" -or- "PwnCloud"?
- CrushFTP Critical Vulnerability
- Bypassing fingerprint authentication
- Apache ActiveMQ
- TransUnion & Experian both hacked
Show Notes - https://www.grc.com/sn/SN-950-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: paloaltonetworks.com/ot-security-tco, Melissa.com/twit, GO.ACILEARNING.COM/TWIT

SN 949: Ethernet Turned 50 - Signal funding, X (Twitter) ad fallout, RCS for iPhone, TETRA review

November 21, 2023 | Duration 2:12:54 | 64.0 MB

- Privacy and Funding Challenges Facing Signal Messaging App
- Loss of Advertisers for Twitter After Controversial Tweet by Elon Musk
- Ransomware Group Files SEC Complaint Against Breached Company
- Europe Opening Up Radio Encryption Standard TETRA for Public Review
- Apple Announcing Adoption of RCS Messaging for iPhones
- Steve's Progress on Dynamic Code Signing for SpinRite Releases
- Removing Suction Cup Barnacles from Windshields
- Recommendations for Benchmarking USB Drive Read/Write Speeds
- Concerns Over EU's Proposed eIDAS 2.0 QWACs Legislation
- Why Protectli Routers Are Preferred for pfSense Setups
- Credit Card Security Precautions for Ex-LastPass Users
- Origins and Evolution of Ethernet Networking Over 50 Years
Show Notes - https://www.grc.com/sn/SN-949-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: vanta.com/SECURITYNOW, kolide.com/securitynow, securemyemail.com/twit (use code TWIT)

SN 948: What if a Bit Flipped? - Privacy Badger, Downfall, OpenVPN, Windshield Barnacle, Article 45

November 14, 2023 | Duration 2:12:10 | 63.72 MB

- Privacy Badger blocks trackers on news sites and prevents browser exposure to unwanted domains like TikTok and Datadog.
- No major updates on the EU's controversial Article 45 in eIDAS 2.0. Industry pushback continues, as implementation would threaten encryption.
- Cryptocurrency exchange Poloniex lost $130M in a hot wallet hack, the 14th largest crypto theft.
- Decentralized finance platform Raft lost $3.3M due to an exploit.
- A crook operated the website iotaseed.io to generate wallet seed phrases, then recorded and stole them.
- New Intel processor vulnerability called Downfall leaks encryption keys and sensitive data between users on shared systems.
- Russia moves to formally ban all VPN use in the country.
- Two new flaws found in OpenVPN software, one allowing memory access.
- SpinRite development paused as the DOS and Windows versions are complete.
- Understanding assembly language helps malware analysis and exploit development, but high-level decompilers are also useful.
- The quantum threat to symmetric cryptography is limited compared with the threat to asymmetric crypto.
- The EU's Article 45 allows transparent decryption and traffic interception, supposedly for security purposes.
- "Windshield Barnacle" parking enforcement device uses suction cups and 1000 lbs of force to immobilize vehicles until parking tickets are paid.
- Sci-fi book series Aeon 14 by M.D. Cooper offers fun military space opera adventure.
- A 27-year-old theoretical crypto attack has now been shown to be practical: passive network observers can recover SSH RSA private keys if a faulty signature is generated, allowing impersonation.
Show Notes - https://www.grc.com/sn/SN-948-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: kolide.com/securitynow, bitwarden.com/twit, GO.ACILEARNING.COM/TWIT
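The last item in the SN 948 list refers to the classic RSA-CRT fault attack (Lenstra, 1996; Boneh, DeMillo and Lipton, 1997): an RSA signer using the Chinese Remainder Theorem computes the signature separately mod p and mod q, and if exactly one half is computed wrongly, a single faulty signature s on a known message m gives gcd(s^e - m, n) = p. In SSH the signed exchange hash is computable from the handshake a passive observer sees, which is why no active interaction is needed. The Python block below is an added example, not code from the podcast or from the paper it discusses. It generates a small seeded RSA key, injects a fault into the mod-q half of a CRT signature, recovers a prime factor and the private exponent from that one faulty signature, and shows the standard countermeasure (verify the signature before releasing it). The key size, the fault location, the message and every name in the block are constructed for the demo; the lattice techniques the 2023 paper adds for the case where parts of the signed data are unknown are not shown.

```python
"""
RSA-CRT fault attack demo (Lenstra / Boneh-DeMillo-Lipton style).

Added, self-contained example. A small RSA key is generated from a seeded
RNG, a CRT signature is produced with one half corrupted, and the "observer"
recovers a prime factor of n from that single faulty signature plus the
known signed message. Key size is deliberately small (512-bit n) for speed;
the arithmetic is identical for 2048-bit keys.
"""
import hashlib
import math
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (demo quality, not constant-time)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Random odd prime of exactly `bits` bits."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def rsa_keygen(bits: int = 512, seed: int = 1) -> dict:
    """Deterministic (seeded) RSA key with CRT parameters, e = 65537."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = gen_prime(bits // 2, rng)
        q = gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def sign_crt(key: dict, m: int, fault: bool = False) -> int:
    """RSA-CRT signature with Garner recombination.
    fault=True flips one bit of the mod-q half, simulating a hardware or
    software error in a single CRT branch (the mod-p half stays correct)."""
    sp = pow(m, key["dp"], key["p"])
    sq = pow(m, key["dq"], key["q"])
    if fault:
        sq ^= 1 << 7  # constructed fault location
    h = (key["qinv"] * (sp - sq)) % key["p"]
    return sq + h * key["q"]


def sign_crt_checked(key: dict, m: int, fault: bool = False):
    """Countermeasure: verify before release. Returns None instead of ever
    emitting a signature that fails s^e == m (mod n)."""
    s = sign_crt(key, m, fault)
    return s if pow(s, key["e"], key["n"]) == m % key["n"] else None


def recover_factor(n: int, e: int, m: int, s: int):
    """Observer's step: gcd(s^e - m, n). Correct mod p but wrong mod q means
    s^e - m is a multiple of p but not of q, so the gcd is exactly p.
    Returns a non-trivial factor, or None for a valid signature."""
    diff = (pow(s, e, n) - m) % n
    if diff == 0:
        return None  # valid signature: nothing leaks
    g = math.gcd(diff, n)
    return g if 1 < g < n else None


def private_key_from_factor(n: int, e: int, p: int) -> int:
    """Rebuild d once one prime factor is known."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def demo(seed: int = 1) -> dict:
    key = rsa_keygen(512, seed)
    # Constructed stand-in for the SSH exchange hash an observer can compute.
    m = int.from_bytes(hashlib.sha256(b"constructed exchange hash").digest(), "big")
    good = sign_crt(key, m)
    bad = sign_crt(key, m, fault=True)
    leaked = recover_factor(key["n"], key["e"], m, bad)
    return {
        "valid_sig_leaks": recover_factor(key["n"], key["e"], m, good),
        "faulty_sig_leaks_factor": leaked in (key["p"], key["q"]),
        "recovered_d_matches": leaked is not None
        and private_key_from_factor(key["n"], key["e"], leaked) == key["d"],
        "checked_signer_blocks_fault": sign_crt_checked(key, m, fault=True) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The two things worth taking from the block: a correct signature yields gcd(0, n) and leaks nothing, so only a faulty one is dangerous; and the fix is cheap, since one public-key operation (s^e mod n) after signing catches the fault before the signature ever leaves the host.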

SN 947: Article 45 - Citrix Bleed update, Ace Hardware cyberattack, Bitwarden gets Passkeys

November 07, 2023 | Duration 2:13:25 | 64.26 MB

- Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key
- A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix
- Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable
- Update on the Citrix Bleed vulnerability, with evidence of hackers gaining access and post-exploitation activity
- CVSS version 4 released, with new metrics for better granularity and clarity of vulnerability scores
- Ace Hardware suffered a cyberattack impacting servers and systems
- Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions
- Analysis of "BadCandy" malware infecting vulnerable Cisco routers
- Bitwarden password manager adds support for FIDO2 passkeys in its browser extension
- Rescuing a severely degraded SSD and bringing it back to life with SpinRite
- Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more
- The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic
Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: lookout.com, canary.tools/twit (use code TWIT), Melissa.com/twit

SN 946: CitrixBleed - iMessage Contact Key Verification, HackerOne bug bounty news, CISA's Logging Made Easy

October 31, 2023 | Duration 2:01:35 | 58.64 MB

- What caused last week's connection interruption? The router was rebooting intermittently, but why?
- David Redekop of AdamNetworks explained that their enterprise network security solution aims to allow only known-safe connections, blocking everything else.
- iMessage gets Contact Key Verification to confirm that new devices added to an account belong to the contact.
- Public Interest Research Group asks Microsoft to extend Windows 10 support beyond 2025.
- HackerOne bug bounties surpass $300M in total payouts.
- CISA releases free Logging Made Easy toolkit to enhance Windows logging capabilities.
- SpinRite 6.1 pre-release 2 published, likely the final pre-release with some testing remaining before full launch.
- Moving the Internet fully to IPv6 likely won't happen until IPv4 addresses are fully consumed.
- Open source projects struggle with costly code signing certificates.
- Deep dive into the CitrixBleed vulnerability allowing authentication bypass.
Show Notes - https://www.grc.com/sn/SN-946-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: cs.co/twit, bitwarden.com/twit, vanta.com/SECURITYNOW

SN 945: The Power of Privilege - New cURL vulnerabilities, CVSS 10.0 Cisco Nightmare, So long VBScript!

October 24, 2023 | Duration 2:10:01 | 62.6 MB

- How fake drives continue to be sold on Amazon despite negative reviews
- Microsoft is discontinuing support for the VBScript language
- The 30-year-old NTLM authentication protocol will eventually be removed from Windows
- Two new vulnerabilities found in cURL
- A new Cisco router vulnerability rated CVSS 10.0 was used to hack over 40,000 devices
- Debate over whether "lib" should rhyme with "vibe" or "air"
- Instructions for accessing the SpinRite 6.1 pre-release version
- Feedback on passkey exportability and server IP address encryption
- A listener asks if ransomware can encrypt already-encrypted files
- How Privacy Badger un-rewrites Google's search result links
- The NSA and CISA warn about the power of privilege and the dangers of account misconfigurations like privilege creep, elevated service account permissions, and non-essential use of elevated accounts
Show Notes - https://www.grc.com/sn/SN-945-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: drata.com/twit, joindeleteme.com/twit (promo code TWIT), canary.tools/twit (use code TWIT)

SN 944: Abusing HTTP/2 Rapid Reset - Passkeys, ValiDrive follow-up, 2FA apps, pre-release SpinRite

October 17, 2023 | Duration 2:25:57 | 70.27 MB

- ValiDrive release follow-up
- Passkeys exportability and phishing risk
- Passkeys for device verification like SSH keys
- Possibility of hobby browsers vs. production browsers
- Availability of SpinRite 6.1 pre-release
- Filling drives with crypto noise using VeraCrypt
- Steve and Leo's favorite OTP apps
- Google Docs link rewriting could be to prevent referrer leakage
- Abusing HTTP/2 Rapid Reset
Show Notes - https://www.grc.com/sn/SN-944-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Sponsors: Melissa.com/twit, cs.co/twit, bitwarden.com/twit