Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of SpinRite and ShieldsUP, discusses the hot topics in security today with Leo Laporte. Records live every Tuesday at 4:30pm Eastern / 1:30pm Pacific / 21:30 UTC.
Similar Podcasts
FLOSS Weekly (Audio)
We're not talking dentistry here; FLOSS all about Free Libre Open Source Software. Join host Doc Searls and his rotating panel of co-hosts every Wednesday as they talk with the most interesting and important people in the Open Source and Free Software community.
Records live every Wednesday at 12:30pm Eastern / 9:30am Pacific / 17:30 UTC.
Open Source Security Podcast
A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
no dogma podcast
discussions on software development
SN 946: CitrixBleed - iMessage Cotact Key Verification, HackerOne bug bounty news, CISA's Logging Made Easy
What caused last week's connection interruption? Router was rebooting intermittently, but why?David Redekop of AdamNetworks explained their enterprise network security solution aims to only allow known safe connections, blocking everything else.iMessage gets Contact Key Verification to confirm new devices added to an account belong to the contact.Public Interest Research Group asks Microsoft to extend Windows 10 support beyond 2025.HackerOne breach bounties surpass $300M total payout.CISA releases free Logging Made Easy toolkit to enhance Windows logging capabilities.SpinRite 6.1 pre-release 2 published, likely final pre-release with some testing remaining before full launch.Moving the Internet fully to IPv6 likely won't happen until IPv4 addresses are fully consumed.Open source projects struggle with costly code signing certificates.Deep dive into CitrixBleed vulnerability allowing authentication bypass.Show Notes - https://www.grc.com/sn/SN-946-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: cs.co/twit bitwarden.com/twit vanta.com/SECURITYNOW
SN 945: The Power of Privilege - New cURL vulnerabilities, CVSS 10.0 Cisco Nightmare, So long VBScript!
How fake drives continue to be sold on Amazon despite negative reviewsMicrosoft is discontinuing support for the VBScript languageThe 30-year old NTLM authentication protocol will eventually be removed from WindowsTwo new vulnerabilities found in cURLA new Cisco router vulnerability rated CVSS 10.0 was used to hack over 40,000 devicesDebate over whether "lib" should rhyme with "vibe" or "air"Instructions for accessing the SpinRite 6.1 pre-release versionFeedback on passkey exportability and server IP address encryptionA listener asks if ransomware can encrypt already encrypted filesHow Privacy Badger un-rewrites Google's search result linksThe NSA and CISA warn about the power of privilege and the dangers of account misconfigurations like privilege creep, elevated service account permissions, and non-essential use of elevated accountsShow Notes - https://www.grc.com/sn/SN-945-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: drata.com/twit joindeleteme.com/twit promo code TWIT canary.tools/twit - use code: TWIT
SN 944: Abusing HTTP/2 Rapid Reset - Passkeys, ValiDrive follow-up, 2FA apps, pre-release Spinrite
ValiDrive release follow-upPasskeys exportability and phishing riskPasskeys for device verification like SSH keysPossibility of hobby browsers vs. production browsersAvailability of SpinRite 6.1 pre-releaseFilling drives with crypto noise using VeraCryptSteve and Leo's favorite OTP appsGoogle Docs link rewriting could be to prevent referrer leakageAbusing HTTP/2 Rapid ResetShow notes: https://www.grc.com/sn/SN-944-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: Melissa.com/twit cs.co/twit bitwarden.com/twit
SN 943: The Top 10 Cybersecurity Misconfigurations - MACE Act Passed, Brave Layoffs, 23andMe Breached
Steve announces the release of his new freeware utility ValiDrive for detecting fake drive capacities.23andMe claims a recent data breach exposed customer info due to credential stuffing attacks.Key stats from Microsoft's 2023 Digital Defense Report on cyberattacks, including increased attacks on open source software, growth in business email compromise, and more password attacks.Brave lays off 9% of its staff amid the tough economic climate, despite its efforts to diversify revenue with new search features.Google Docs exports replace links with tracking redirects, enabling Google to monitor clicked links from exported documents.The MOVEit breach impacted Sony, exposing employee and family data.Firefox 118 now supports Encrypted ClientHello for hiding site requests from network surveillance.Google will provide 7 years of updates for its new Pixel phones, up from 5 years previously.The MACE Act passed overwhelmingly in Congress, allowing agencies more flexibility in cybersecurity hiring.Median dwell time for ransomware dropped to less than 1 day, with human-driven attacks deploying it faster.Steve digs into the top 10 cybersecurity misconfigurations outlined in the new NSA/CISA advisory.Show notes: https://www.grc.com/sn/SN-943-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: GO.ACILEARNING.COM/TWIT drata.com/twit lookout.com
SN 942: Encrypting ClientHello - EXIM eMail Servers Exposed, Windows 11 Passkeys, Bing Chat Malware Risk
Exim email server ignored ZDI's responsible disclosure of critical remote code execution flaws for over a year, putting millions of servers at risk.Malicious ads are appearing in Bing Chat responses, promoting fake sites distributing malware.Windows 11 now natively supports passkeys, though browser support may make this redundant.Researchers exploit WiFi beamforming side-channel to potentially reveal keystrokes, but practicality is limited.The ECH TLS extension encrypts the ClientHello packet to hide SNI data.Exim disclosure timeline and impact on millions of vulnerable servers.Bing chat ads mimic search result malvertising risks amplified by chatbot trust.Show notes: https://www.grc.com/sn/SN-942-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: canary.tools/twit - use code: TWIT expressvpn.com/securitynow kolide.com/securitynow
SN 941: We told you so! - NSA hacked Huawei? MS big AI data blunder, ValiDrive update
Apple has quietly removed support for Postscript in macOS Ventura over security concerns with the outdated interpreter language.China has formally accused the NSA of hacking and maintaining access to Huawei servers since 2009, based on documents from Edward Snowden.A misconfigured Azure Shared Access Signature token resulted in 38TB of sensitive internal Microsoft data being exposed, including employee backups with passwords.The Signal messaging platform has added a post-quantum encryption protocol called PQXDH, combining its existing X3DH with the believed quantum-resistant CRYSTALS-Kyber system.A zero-day iOS exploit chain was used to target Egyptian presidential candidate Ahmed Eltantawy, redirecting his traffic to install spyware after visiting a non-HTTPS site.Steve gave an update on the status of his forthcoming ValiDrive USB validation utility, explaining delays due to challenges working at the USB level under Windows.A blog post argued that the complexity of modern web browsers has made it impossible to create competitive new browsers from scratch.An emailer claimed to have a mathematical algorithm that can generate truly random numbers.Another emailer asked whether encrypting and deleting a hard drive could substitute for overwriting with random data.There was an explanation of how public key encryption can be used bidirectionally for both encryption and authentication.Listener questions whether all stolen LastPass vaults will eventually be decrypted.Show Notes - https://www.grc.com/sn/SN-941-Notes.pdfHosts: Steve Gibson and Ant PruittDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: joindeleteme.com/twit promo code TWIT GO.ACILEARNING.COM/TWIT Melissa.com/twit
SN 940: When Hashes Collide - Secure-wipe best practices, browser identity segregation, bye bye Twitter (X)
Last week's news about evidence of LastPass vault decryption targeting cryptocurrency keys, and the UK's backing down on its encryption monitoring legislation.How hardware security modules (HSMs) allow cryptographic operations like code signing without exposing private keys.Browser identity segregation using multiple profiles rather than separate browsers.Requirements and best practices for securely wiping data from modern solid state drives.A countdown clock for the 32-bit UNIX time rollover in the year 2038.Steve's plan to move off Twitter and onto email lists for Security Now communication.A deep dive into cryptographic hash collisions, using fewer hash bits, and balancing anonymity with statistical meaning.Show Notes - https://www.grc.com/sn/SN-940-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
SN 939: LastMess - Online Safety Bill, Microsoft Outlook breach details, auto brand data privacy
UK government appears to back down on demands to break encryption in Online Safety BillMicrosoft reveals how China-based hackers acquired secret key used to breach Outlook accountsMultiple flaws allowed key to improperly leave highly secure environmentMozilla research finds all major auto brands fail on privacy protectionEvidence suggests LastPass encrypted vault data is being decryptedResearchers tie $35M in crypto thefts to compromised LastPass accountsBrute force feasible on old low iteration count passwordsShow Notes - https://www.grc.com/sn/SN-939-Notes.pdfHosts: Steve Gibson and Jason HowellDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
SN 938: Apple Says No - Topics coming to Android, Apple security research, browser extension vulnerabilities
Steve provides an update on ValiDrive, his new freeware utility for testing USB drives. It identifies bogus mass storage drives and performance differences between drives.There has been another sighting of Google's Topics API, this time on Android phones. It allows apps to get information about users' interests based on recent app usage.Apple has opened up their iPhones to security researchers through their Security Research Device program since 2019. Researchers get access to customize kernels, entitlements, and other low-level features without compromising security.Research reveals vulnerabilities in browser extensions that allow them to steal plaintext passwords from a website's HTML source code. Even sites like Google, Facebook, Amazon, IRS, and Capital One are affected.Feedback from listeners on topics like Apple's stance on scanning iCloud data for CSAM, Microsoft's broken TLS timestamp implementation, using VirusTotal to check downloaded files, ReadSpeed limitations, and downloading malware for VirusTotal checks.Apple publicly shares a letter from a CSAM activist demanding they implement scanning to detect child abuse images in iCloud Photos. Apple responds clearly stating they will not compromise user privacy and security to do so.Show Notes - https://www.grc.com/sn/SN-938-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: drata.com/twit panoptica.app canary.tools/twit - use code: TWIT
SN 937: The Man in the Middle - WinRAR v6.23, fake flash drives, Voyager2 antenna, Google Topics
Picture of the Week: Steve shares a funny "what we say vs what we mean" image about tech support conversations.WinRAR v6.23 fixes: Steve explains that updating to the latest WinRAR is more important than initially thought, with two critical vulnerabilities being actively exploited by hackers since April to install malware.HTTPS for local networks: Responding to listener email, Steve agrees HTTP is fine for local network devices like routers but notes risks in larger corporate networks.Portable domains for email: Steve endorses a listener suggestion to purchase your own domain and use third-party services, retaining control if a provider shuts down.Google Topics and monopolies: Steve and Leo debate whether Topics favors large advertisers with greater reach to get user targeting data.Voyager 2 antenna analysis: A listener calculates the antenna beam width mathematically, showing 2 degrees off-axis may not be as remarkable as it sounded.Windows time settings: Steve clarifies the STS issue does not impact end users changing Windows clock settings, it's enterprise server-side.Unix time in TLS handshakes: The hosts discuss why Unix time stamps are sent but not required for TLS, tracing back to early nonce generation.Fake flash drives: Steve warns of a slew of fake high-capacity thumb drives flooding the market, explaining how SpinRite tests detected the flaw.Man-in-the-middle attacks: While agreeing HTTPS helps prevent malicious injection, Steve examines MITM attack practicality, arguing they are difficult for hackers to pull off.Show Notes - https://www.grc.com/sn/SN-937-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: kolide.com/securitynow canary.tools/twit - use code: TWIT Building Cyber Resilience Podcast
SN 936: When Heuristics Backfire - OpenSUSE, SanDisk and Western Digital, 8Base, TSSHOCK
OpenSUSE goes private.Android to get satellite comms.SanDisk and Western Digital in hot water.You're asking for it: YouTube children's privacy.Whoopsie! 8Base.Where the money is.The TSSHOCK vulnerability.BitForge.A Quantum resilient security key.Removed Chrome extensions notifications.HTTPS by default?WinRAR 6.23 final released.Closing the Loop.When Heuristics Backfire.Show Notes - https://www.grc.com/sn/SN-936-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: panoptica.app kolide.com/securitynow joindeleteme.com/twit promo code TWIT
SN 935: "Topics" Arrives - Firefox multi-account containers, DuckDuckGo email alias, satellite crowding
Picture of the Week.Security Now!'s 18th birthday!Closing the Loop.Firefox Multi-Account Containers.A question about Full Disk Encryption on SSD's.Should I run SpinRite before I back up my drives to a NAS?Overly complex password rules.DuckDuckGo's email alias.The new Russian Astra Linux based OS can not legally be possible.Regarding satellite crowding: The skies won't be darkening anytime soon.This is what came to mind on the Voyager 2 segment with the shout.Can you please share the name of the session manager that you use in Firefox?The numbers behind the Voyager recorrection."Topics" Arrives.How Topics Works.Show Notes: https://www.grc.com/sn/SN-935-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: cs.co/twit Building Cyber Resilience Podcast bitwarden.com/twit
SN 934: Revisiting Global Privacy Control - Voyager 2, MS Security, keyboard acoustic side-channel attacks
Picture of the Week.NASA "shouted" at Voyager.Another view of Microsoft.What about this Chinese attack?AI meets Keyboard Acoustic Side-Channel attacks.Closing the Loop.Revisiting Global Privacy Control.Show Notes: https://www.grc.com/sn/SN-934-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
SN 933: TETRA:BURST - Satellite Turla, Android tracker tech, VirusTotal 2023 report, open source in Russia
Picture of the Week.Satellite Turla: APT Command and Control in the Sky.OS 17 to further crack down on device fingerprinting.Android to start warning of "unknown trackers".The 7th branch of the US military.Russia criminalizes open source project contribution.VirusTotal's 2023 report.Closing the Loop.TETRA:BURST.Show Notes - https://www.grc.com/sn/SN-933-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now! at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: podtail.com/podcast/building-cyber-resilience bitwarden.com/twit drata.com/twit
SN 932: Satellite Insecurity, Part 2 - Apple vs EU, Cyber Resilience Act, Web Environment Integrity
Picture of the Week.R.I.P. Kevin Mitnick.Apple says: "Thanks, but we'd rather leave."Web Environment Integrity.Web Analytics under the spotlight.More progress on the IoT security front.The "Expeditionary cyber force".Ransomware payouts being made much less often.MOVEit Update.TikTok + Passkeys.Closing the Loop.SpinRite.Satellite Insecurity, Part 2.Show Notes: https://www.grc.com/sn/SN-932-Notes.pdfHosts: Steve Gibson and Leo LaporteDownload or subscribe to this show at https://twit.tv/shows/security-now.Get episodes ad-free with Club TWiT at https://twit.tv/clubtwitYou can submit a question to Security Now! at the GRC Feedback Page.For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: drata.com/twit GO.ACILEARNING.COM/TWIT bitwarden.com/twit