Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of Spinrite and ShieldsUP, discusses the hot topics in security today with Leo Laporte. Records live every Tuesday at 4:30pm Eastern / 1:30pm Pacific / 21:30 UTC.
SN 939: LastMess - Online Safety Bill, Microsoft Outlook breach details, auto brand data privacy
UK government appears to back down on demands to break encryption in Online Safety Bill
Microsoft reveals how China-based hackers acquired secret key used to breach Outlook accounts
Multiple flaws allowed key to improperly leave highly secure environment
Mozilla research finds all major auto brands fail on privacy protection
Evidence suggests LastPass encrypted vault data is being decrypted
Researchers tie $35M in crypto thefts to compromised LastPass accounts
Brute force feasible on old low iteration count passwords
Show Notes - https://www.grc.com/sn/SN-939-Notes.pdf
Hosts: Steve Gibson and Jason Howell
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
1/1/1 • 2 hours, 35 seconds
SN 940: When Hashes Collide - Secure-wipe best practices, browser identity segregation, bye bye Twitter (X)
Last week's news about evidence of LastPass vault decryption targeting cryptocurrency keys, and the UK's backing down on its encryption monitoring legislation.
How hardware security modules (HSMs) allow cryptographic operations like code signing without exposing private keys.
Browser identity segregation using multiple profiles rather than separate browsers.
Requirements and best practices for securely wiping data from modern solid state drives.
A countdown clock for the 32-bit UNIX time rollover in the year 2038.
Steve's plan to move off Twitter and onto email lists for Security Now communication.
A deep dive into cryptographic hash collisions, using fewer hash bits, and balancing anonymity with statistical meaning.
Show Notes - https://www.grc.com/sn/SN-940-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
1/1/1 • 2 hours, 6 minutes
SN 941: We told you so! - NSA hacked Huawei? MS big AI data blunder, ValiDrive update
Apple has quietly removed support for Postscript in macOS Ventura over security concerns with the outdated interpreter language.
China has formally accused the NSA of hacking and maintaining access to Huawei servers since 2009, based on documents from Edward Snowden.
A misconfigured Azure Shared Access Signature token resulted in 38TB of sensitive internal Microsoft data being exposed, including employee backups with passwords.
The Signal messaging platform has added a post-quantum encryption protocol called PQXDH, combining its existing X3DH with the believed quantum-resistant CRYSTALS-Kyber system.
A zero-day iOS exploit chain was used to target Egyptian presidential candidate Ahmed Eltantawy, redirecting his traffic to install spyware after visiting a non-HTTPS site.
Steve gave an update on the status of his forthcoming ValiDrive USB validation utility, explaining delays due to challenges working at the USB level under Windows.
A blog post argued that the complexity of modern web browsers has made it impossible to create competitive new browsers from scratch.
An emailer claimed to have a mathematical algorithm that can generate truly random numbers.
Another emailer asked whether encrypting and deleting a hard drive could substitute for overwriting with random data.
There was an explanation of how public key encryption can be used bidirectionally for both encryption and authentication.
Listener questions whether all stolen LastPass vaults will eventually be decrypted.
Show Notes - https://www.grc.com/sn/SN-941-Notes.pdf
Hosts: Steve Gibson and Ant Pruitt
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
joindeleteme.com/twit promo code TWIT
GO.ACILEARNING.COM/TWIT
Melissa.com/twit
1/1/1 • 2 hours, 25 minutes, 54 seconds
SN 942: Encrypting ClientHello - EXIM eMail Servers Exposed, Windows 11 Passkeys, Bing Chat Malware Risk
Exim email server ignored ZDI's responsible disclosure of critical remote code execution flaws for over a year, putting millions of servers at risk.
Malicious ads are appearing in Bing Chat responses, promoting fake sites distributing malware.
Windows 11 now natively supports passkeys, though browser support may make this redundant.
Researchers exploit WiFi beamforming side-channel to potentially reveal keystrokes, but practicality is limited.
The ECH TLS extension encrypts the ClientHello packet to hide SNI data.
Exim disclosure timeline and impact on millions of vulnerable servers.
Bing chat ads mimic search result malvertising risks amplified by chatbot trust.
Show notes: https://www.grc.com/sn/SN-942-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
canary.tools/twit - use code: TWIT
expressvpn.com/securitynow
kolide.com/securitynow
1/1/1 • 2 hours, 6 minutes, 4 seconds
SN 943: The Top 10 Cybersecurity Misconfigurations - MACE Act Passed, Brave Layoffs, 23andMe Breached
Steve announces the release of his new freeware utility ValiDrive for detecting fake drive capacities.
23andMe claims a recent data breach exposed customer info due to credential stuffing attacks.
Key stats from Microsoft's 2023 Digital Defense Report on cyberattacks, including increased attacks on open source software, growth in business email compromise, and more password attacks.
Brave lays off 9% of its staff amid the tough economic climate, despite its efforts to diversify revenue with new search features.
Google Docs exports replace links with tracking redirects, enabling Google to monitor clicked links from exported documents.
The MOVEit breach impacted Sony, exposing employee and family data.
Firefox 118 now supports Encrypted ClientHello for hiding site requests from network surveillance.
Google will provide 7 years of updates for its new Pixel phones, up from 5 years previously.
The MACE Act passed overwhelmingly in Congress, allowing agencies more flexibility in cybersecurity hiring.
Median dwell time for ransomware dropped to less than 1 day, with human-driven attacks deploying it faster.
Steve digs into the top 10 cybersecurity misconfigurations outlined in the new NSA/CISA advisory.
Show notes: https://www.grc.com/sn/SN-943-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
GO.ACILEARNING.COM/TWIT
drata.com/twit
lookout.com
ValiDrive release follow-up
Passkeys exportability and phishing risk
Passkeys for device verification like SSH keys
Possibility of hobby browsers vs. production browsers
Availability of SpinRite 6.1 pre-release
Filling drives with crypto noise using VeraCrypt
Steve and Leo's favorite OTP apps
Google Docs link rewriting could be to prevent referrer leakage
Abusing HTTP/2 Rapid Reset
Show notes: https://www.grc.com/sn/SN-944-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
Melissa.com/twit
cs.co/twit
bitwarden.com/twit
1/1/1 • 2 hours, 25 minutes, 57 seconds
SN 945: The Power of Privilege - New cURL vulnerabilities, CVSS 10.0 Cisco Nightmare, So long VBScript!
How fake drives continue to be sold on Amazon despite negative reviews
Microsoft is discontinuing support for the VBScript language
The 30-year old NTLM authentication protocol will eventually be removed from Windows
Two new vulnerabilities found in cURL
A new Cisco router vulnerability rated CVSS 10.0 was used to hack over 40,000 devices
Debate over whether "lib" should rhyme with "vibe" or "air"
Instructions for accessing the SpinRite 6.1 pre-release version
Feedback on passkey exportability and server IP address encryption
A listener asks if ransomware can encrypt already encrypted files
How Privacy Badger un-rewrites Google's search result links
The NSA and CISA warn about the power of privilege and the dangers of account misconfigurations like privilege creep, elevated service account permissions, and non-essential use of elevated accounts
Show Notes - https://www.grc.com/sn/SN-945-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
drata.com/twit
joindeleteme.com/twit promo code TWIT
canary.tools/twit - use code: TWIT
1/1/1 • 2 hours, 10 minutes, 1 second
SN 946: CitrixBleed - iMessage Cotact Key Verification, HackerOne bug bounty news, CISA's Logging Made Easy
What caused last week's connection interruption? Router was rebooting intermittently, but why?
David Redekop of AdamNetworks explained their enterprise network security solution aims to only allow known safe connections, blocking everything else.
iMessage gets Contact Key Verification to confirm new devices added to an account belong to the contact.
Public Interest Research Group asks Microsoft to extend Windows 10 support beyond 2025.
HackerOne breach bounties surpass $300M total payout.
CISA releases free Logging Made Easy toolkit to enhance Windows logging capabilities.
SpinRite 6.1 pre-release 2 published, likely final pre-release with some testing remaining before full launch.
Moving the Internet fully to IPv6 likely won't happen until IPv4 addresses are fully consumed.
Open source projects struggle with costly code signing certificates.
Deep dive into CitrixBleed vulnerability allowing authentication bypass.
Show Notes - https://www.grc.com/sn/SN-946-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
cs.co/twit
bitwarden.com/twit
vanta.com/SECURITYNOW
1/1/1 • 2 hours, 1 minute, 35 seconds
SN 947: Article 45 - Citrix Bleed update, Ace Hardware cyberattack, Bitwarden get Passkeys
Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key
A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix
Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable
Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity
CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores
Ace Hardware suffered a cyberattack impacting servers and systems
Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions
Analysis of "BadCandy" malware infecting vulnerable Cisco routers
Bitwarden password manager adds support for FIDO2 passkeys in browser extension
Rescuing a severely degraded SSD and bringing it back to life with SpinRite
Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more
The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic
Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
lookout.com
canary.tools/twit - use code: TWIT
Melissa.com/twit
1/1/1 • 2 hours, 13 minutes, 25 seconds
SN 948: What if a Bit Flipped? - Privacy Badger, Downfall, OpenVPN, Windshield Barnacle, Article 45
Privacy Badger blocks trackers on news sites and prevents browser exposure to unwanted domains like TikTok and Datadog.
No major updates on EU's controversial Article 45 in eIDAS 2.0. Industry pushback continues as implementation would threaten encryption.
Cryptocurrency exchange Poloniex lost $130M in a hot wallet hack, the 14th largest crypto theft.
Decentralized finance platform Raft lost $3.3M due to an exploit.
Crook operated website iotaseed.io to generate wallet seed phrases, then recorded and stole them.
New Intel processor vulnerability called Downfall leaks encryption keys and sensitive data between users on shared systems.
Russia moves to formally ban all VPN use in the country.
Two new flaws found in OpenVPN software, one allowing memory access.
SpinRite development paused as DOS and Windows versions are complete.
Understanding assembly language helps malware analysis and exploit development, but high-level decompilers also useful.
Quantum-safe symmetric cryptography is limited compared to asymmetric crypto.
EU's Article 45 allows transparent decryption and traffic interception, supposedly for security purposes.
"Windshield Barnacle" parking enforcement device uses suction cups and 1000 lbs of force to immobilize vehicles until parking tickets are paid.
Sci-fi book series Aeon 14 by M.D. Cooper offers fun military space opera adventure.
27-year-old theoretical crypto attack now shown practical. Passive network observers can steal SSH RSA keys if faulty signature generated, allowing impersonation.
Show Notes - https://www.grc.com/sn/SN-948-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
kolide.com/securitynow
bitwarden.com/twit
GO.ACILEARNING.COM/TWIT
1/1/1 • 2 hours, 12 minutes, 10 seconds
SN 949: Ethernet Turned 50 - Signal funding, X (Twitter) ad fallout, RCS for iPhone, TETRA review
Privacy and Funding Challenges Facing Signal Messaging App
Loss of Advertisers for Twitter After Controversial Tweet by Elon Musk
Ransomware Group Files SEC Complaint Against Breached Company
Europe Opening Up Radio Encryption Standard TETRA for Public Review
Apple Announcing Adoption of RCS Messaging for iPhones
Steve's Progress on Dynamic Code Signing for SpinRite Releases
Removing Suction Cup Barnacles from Windshields
Recommendations for Benchmarking USB Drive Read/Write Speeds
Concerns Over EU's Proposed eIDAS 2.0 QWACs Legislation
Why Protectli Routers Are Preferred for pfSense Setups
Credit Card Security Precautions for Ex-LastPass Users
Origins and Evolution of Ethernet Networking Over 50 Years
Show Notes - https://www.grc.com/sn/SN-949-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
vanta.com/SECURITYNOW
kolide.com/securitynow
securemyemail.com/twit Use Code TWIT
1/1/1 • 2 hours, 12 minutes, 54 seconds
SN 950: Leo Turns 67 - Fingerprint Security, Do-Not-Track
Adobe Flash Player Updater is (still) desperately trying to update
Veracrypt password security
Firefox moves to 120 with a bunch of very nice new features
Do-Not-Track is back on track
"ownCloud" -or- "PwnCloud" ?
CrushFTP Critical Vulnerability
Bypassing fingerprint authentication
ApacheMQ
TransUnion & Experian both hacked
Show Notes - https://www.grc.com/sn/SN-950-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
paloaltonetworks.com/ot-security-tco
Melissa.com/twit
GO.ACILEARNING.COM/TWIT
How masked domain owners can be unmasked through ICANN's new Registration Data Request Service (RDRS)
WhatsApp's addition of Secret Code for extra privacy protection in Chat Lock
Iranian hackers exploited default passwords in programmable logic controllers at US water facilities
Attempt by Montana to ban TikTok statewide was stalled by a federal judge ruling
Over 1 billion Android devices now have RCS messaging enabled
EU Cyber Resilience Act will improve security of Internet of Things devices sold in the EU
Black Basta ransomware group has netted over $107 million since early 2022
Google's new .meme top-level domain allowing meme-related web properties
CISA's Secure by Design initiative echoes security best practices frequently recommended on the podcast
France plans to ban use of "foreign" end-to-end encrypted messaging apps like Telegram and require use of French app Olvid instead
Concerns raised by industry experts Ivan Ristic and Ryan Hurst about EU's eIDAS 2.0 legislation undermining certificate authority trust
Show Notes - https://www.grc.com/sn/SN-951-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
canary.tools/twit - use code: TWIT
vanta.com/SECURITYNOW
1/1/1 • 2 hours, 10 minutes, 58 seconds
SN 952: Quantum Computing Breakthrough - The Clear/Deep/Dark Web, Quad 9 victory, Telegram Flaw
The government collection of push notification metadata
Facebook Messenger sets end to end encryption as the default
Iran's Cyber Av3ngers
Cisco's Talos Top 10 cyber security exploits this year
Over 30% of apps are still using a using a vulnerable version the Log4J library
Quad 9 speaks on their legal victory against Sony
What are the "Clear Web", "Dark Web", and "Deep Web"?
A Flaw in Telegram
Xfinity Mobile wants you to accept a root CA, DO NOT
Hardware VPN alternative
A breakthrough in quantum computing
Show Notes - https://www.grc.com/sn/SN-952-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
GO.ACILEARNING.COM/TWIT
lookout.com
bitwarden.com/twit
1/1/1 • 2 hours, 4 minutes, 35 seconds
SN 953: Active Listening - KOSA, Cloudflare's Numbers, SpinRite Update
Child protection legislation in the US
Meta pushes back on the $200 billion FTC fine for COPPA violation
Age verification on the internet
Google moving from 3rd party cookies to topics
A look at Cloudflare's metrics
SpinRite update
Cox Media admits that it spys on you
Show Notes - https://www.grc.com/sn/SN-953-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
securemyemail.com/twit Use Code TWIT
drata.com/twit
GO.ACILEARNING.COM/TWIT
1/1/1 • 2 hours, 16 seconds
SN 954: Best of 2023 - Security Now's Best Moments of 2023
Leo looks back at the year's top security stories of 2023.
Steve's Next Password Manager After the LastPass Hack
CHESS is Safe
Here Come the Fake AI-generated "News" Sites
How Bad Guys Use Satellites
Microsoft's "Culture of Toxic Obfuscation"
Steve announces his commitment to SN
Apple Says No
NSA's Decade of Huawei Hacking
ValiDrive announcement
Host: Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
1/1/1 • 1 hour, 37 minutes, 24 seconds
SN 955: The Mystery of CVE-2023-38606 - SpinRite Update, Nebula Mesh, Apple's Backdoor
SpinRite 6.1 update
Pruning Root Certificates
A solution to Schrodinger's Bowl
DNS Benchmark and anti-virus tools
Nebula Mesh
SpinRite 7 is coming
The Mystery of CVE-2023-38606
Show Notes - https://www.grc.com/sn/SN-955-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
bitwarden.com/twit
kolide.com/securitynow
Melissa.com/twit
drata.com/twit
1/1/1 • 1 hour, 52 minutes, 54 seconds
SN 956: The Inside Tracks - 23andME Mess, Ukraine Telecom Hack, LastPass
More on Apple's hardware backdoor
Russian Hacking of Ukranian cameras
Russian hackers were inside Ukraine telecoms giant for months
Things are still a mess at 23andMe
CoinsPaid was the victim of another cyberattack
Crypto Hacking in 2023
Mandiant Twitter scam
Defining "cyber warfare"
LastPass is making some changes
Windows Watch
Google settles $5 billion lawsuit
Return Oriented Programming
Shutting Down Edge
Root Certificates
Credit freezing
SpinRite Update
Show Notes - https://www.grc.com/sn/SN-956-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
lookout.com
paloaltonetworks.com/ot-security-tco
kolide.com/securitynow
bitwarden.com/twit
1/1/1 • 1 hour, 53 minutes, 33 seconds
SN 957: The Protected Audience API - Hacked Washing Machine, Quantum Crypto Troubles
What would an IoT device look like that HAD been taken over?
And speaking of DDoS attacks
Trouble in the Quantum Crypto world
The Browser Monoculture
Question about the Apple backdoor
Getting into infosec
proton drive vs sync
SpinRite update
The Protected Audience API
Show Notes - https://www.grc.com/sn/SN-957-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
meraki.cisco.com/twit
kolide.com/securitynow
lookout.com
bitwarden.com/twit
joindeleteme.com/twit promo code TWIT
1/1/1 • 1 hour, 45 minutes, 16 seconds
SN 958: A Week of News and Listener Views - HSS Breach, CISA's Policing Results
Microsoft's Top Execs' Emails Breached in Sophisticated Russia-Linked APT Attack
US Health and Human Services Breached
Firefox vs "The Competition"
Brave reduces its anti-fingerprinting protections
CISA's proactive policing results one year later
Longer Life For Samsung Updates
Google Incognito Mode "Misunderstanding"
Show Doc Not showing images on iOS Safari
Generated AI Media Authentication
Which computer languages to learn?
Flashlight app subscription
Google's Privacy Sandbox system
Malware and IoT devices
Protected Audience API vs. Malvertising
Defensive computing
Why ISPs don't do anything about DDoS attacks
SpinRite Update
Show Notes - https://www.grc.com/sn/SN-958-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
paloaltonetworks.com/ot-security-tco
bitwarden.com/twit
drata.com/twit
kolide.com/securitynow
1/1/1 • 2 hours, 14 minutes, 58 seconds
SN 959: Stamos on "Microsoft Security" - HP Printer Bricking, Mercedes Benz Source Code
iOS to allow native Chromium and Firefox engines.
An OS immune to ransomware?
HP back in the doghouse over "anti-virus" printer bricking
The mother of all breaches
New "Thou shall not delete those chats" rules
Fewer ransoms are being paid
Verified Camera Images
More on the $15/month flashlight app
What happens when apps change publishers
Microsoft hating on Firefox
Credit Karma is storing 1GB of data on the iPhone
Staying on Windows 7
Sci-Fi recommendations
Windows 7 and HSTS sites
TOTP codes/secrets and Bitwarden
SpinRite on Mac
SpinRite v6.1 is done!
LearnDMARC.com
Alex Stamos on "Microsoft Security"
Show Notes - https://www.grc.com/sn/SN-959-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
expressvpn.com/securitynow
panoptica.app
kolide.com/securitynow
canary.tools/twit - use code: TWIT
1/1/1 • 2 hours, 17 minutes, 2 seconds
SN 960: Unforeseen Consequences - CISA's "Secure by Design" Initiative, Fastly's BoringSSL
CISA's "Secure by Design" Initiative
The GNU C Library Flaw
Fastly CDN switches from OpenSSL to BoringSSL
Roskomnadzor asserts itself
Google updates Android's Password Manager
Firefox gets post-quantum crypto
Get your TOTP tokens from LastPass
Inflated iOS app data
LearnDMARC
Sync mobile app bug
SpinRite and Windows Defender
Crypto signing camera
Analog hole in digital camera authentication
iOS and Google's Topics
The gathering of the Stephvens
Programmable Logic Controllers
SpinRite update
Malware-infected Toothbrush
The Unforeseen Consequences of Google's 3rd-party Cookie Cutoff
Show Notes - https://www.grc.com/sn/SN-960-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
Melissa.com/twit
joindeleteme.com/twit promo code TWIT
GO.ACILEARNING.COM/TWIT
vanta.com/SECURITYNOW
1/1/1 • 2 hours, 4 minutes, 13 seconds
SN 961: Bitlocker: Chipped or Cracked? - Honeypots, Toothbrush Botnet, Bitlocker Cracked
Toothbrush Botnet
"There are too many damn Honeypots!"
Remotely accessing your home network securely
Going passwordless as an ecommerce site
Facebook "old password" reminders
Browsers on iOS
More UPnP Issues
A password for every website?
"Free" accounts
Keeping phones plugged in
Running your own email server in 2024
iOS app sizes
SpinRite 6.1 running on an iMac
SpinRite update
Bitlocker's encryption cracked in minutes
Show Notes - https://www.grc.com/sn/SN-961-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
joindeleteme.com/twit promo code TWIT
bitwarden.com/twit
kolide.com/securitynow
robinhood.com/boost
1/1/1 • 2 hours, 3 minutes, 44 seconds
SN 962: The Internet Dodged a Bullet - Wyze Breach, Patch Tuesday, KeyTrap
Wyze breach
Microsoft patch Tuesday fixes 15 remote code execution flaws
Why are there password restrictions?
The Canadian Flipper Zero Ban
Security on the old internet
Using Old Passwords
Passwordless login
TOTP as a second factor
German ISP using default router passwords
Email encryption in transit
pfSense Tailscale integration
DuckDuckGo's email protection integration with Bitwarden
The KeyTrap Vulnerability
Show Notes - https://www.grc.com/sn/SN-962-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
panoptica.app
kolide.com/securitynow
vanta.com/SECURITYNOW
GO.ACILEARNING.COM/TWIT
1/1/1 • 2 hours, 14 minutes, 19 seconds
SN 963: Web portal? Yes please! - Firefox v123, LockBit Disrupted
Nevada attempts to block Meta's end-to-end encryption for minors.
A survey of security breaches
Edge's Super-Duper Secure Mode moves into Chrome
DoorDash dashes our privacy
Avast charged $16.5 million for selling user browsing data
No charge for extra logging!
European Parliament's IT service has found traces of spyware on the smartphones of its security and defense subcommittee members
LockBit RaaS group disrupted
Firefox v123
The ScreenConnect Authentication Bypass
SpinRite update
Introducing BootAble
Cox moving to Yahoo Mail for users
Credit Card security
Exploiting password complexity reqirements?
Email only logins
Flipper Zero in Canada
German Router security
More Flipper Zero in Canada
Throwaway email addresses
Shared email accounts
Password quality enforcement
Fingerprint tech and some future stories
Show Notes - https://www.grc.com/sn/SN-963-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
canary.tools/twit - use code: TWIT
vanta.com/SECURITYNOW
robinhood.com/boost
joindeleteme.com/twit promo code TWIT
"Death, Lonely Death" by Doug Muir, about the decades-old Voyager 1 explorer
Cory Doctorow's Visions of the Future Humble Book Bundle
CTRL-K shortcut for search on a browser
Direct bootable image downloading for GRC's servers
Closing the loop on compromised emails
Taco Bell's passwordless app
A solution for Bcrypt's password length limit of 72 bytes
Data as the missing piece for law enforcement and privacy advocates
The token solution for email-only login
Apple's Password Manager Resources on Github
The risk of long-term persistent cookies in browsers
Why mainframe industries still require weak passwords
A conundrum involving an exploitable Response Header error and a bounty payment.
An inspection of Apple's new Post-Quantum Encryption upgrade
Show Notes - https://www.grc.com/sn/SN-964-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
GO.ACILEARNING.COM/TWIT
Melissa.com/twit
bitwarden.com/twit
kolide.com/securitynow
1/1/1 • 2 hours, 12 minutes, 18 seconds
SN 965: Passkeys vs. 2FA - Unhelpful CERT, VMware patch, Signal 7.0 Beta
VMware needs immediate patching
Midnight Blizzard still on the offensive
China is quietly "de-American'ing" their networks
Signal Version 7.0, now in beta
Meta, WhatsApp, and Messenger -meets- the EU's DMA
The Change Healthcare cyberattack
SpinRite update
Telegram's end-to-end encryption
KepassXC now supports passkeys
Login accelerators
Sites start rejecting @duck.com emails
Tool to detect chrome extensions change owners
Sortest SN title
Passkeys vs 2FA
Show Notes - https://www.grc.com/sn/SN-965-Notes.pdf
Hosts: Steve Gibson and Mikah Sargent
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
vanta.com/SECURITYNOW
joindeleteme.com/twit promo code TWIT
kolide.com/securitynow
business.eset.com/twit
1/1/1 • 2 hours, 23 minutes, 27 seconds
SN 966: Morris The Second - Voyager 1, The Web Turns 35
Voyager 1 update
The Web turned 35 and Dad is disappointed
Automakers sharing driving data with insurance companies
A flaw in Passkey thinking
Passkeys vs 2fa
Sharing accounts with Passkeys
Passkyes vs. Passwords/MFA
Workaround to sites that block anonymous email addresses
Open Bounty programs on HackerOne
Steve on Twitter
Ways to disclose bugs publicly
Security by obscurity
Something you have/know/are vs Passkeys
Passkeys vs TOTP
Inspecting Chrome extensions
Passkey transportability
Morris the Second
Show Notes - https://www.grc.com/sn/SN-966-Notes.pdf
Hosts: Steve Gibson and Mikah Sargent
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
robinhood.com/boost
GO.ACILEARNING.COM/TWIT
joindeleteme.com/twit promo code TWIT
vanta.com/SECURITYNOW
1/1/1 • 2 hours, 7 minutes, 48 seconds
SN 967: GoFetch - Apple vs. DOJ, ".INTERNAL" TLD
Apple vs U.S. DoJ
G.M.'s Unbelievably Horrible Driver Data Sharing Ends
Super Sushi Samurai
Apple has effectively abandoned HomeKit Secure Routers
The forthcoming ".INTERNAL" TLD
The United Nations vs AI.
Telegram now blocked throughout Spain
Vancouver Pwn2Own 2024
China warns of incoming hacks
Annual Tax Season Phishing Deluge
SpinRite update
Authentication without a phone
Are Passkeys quantum safe?
GoFetch: The Unpatchable vulnerability in Apple chips
Show Notes - https://www.grc.com/sn/SN-967-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
zscaler.com/zerotrustAI
bitwarden.com/twit
canary.tools/twit - use code: TWIT
panoptica.app
kolide.com/securitynow
1/1/1 • 2 hours, 1 minute, 48 seconds
SN 968: A Cautionary Tale - XZ Outbreak, AT&T Data Breach
A near-Universal (Local) Linux Elevation of Privilege vulnerability
TechCrunch informed AT&T of a 5 year old data breach
Signal to get very useful cloud backups
Telegram to allow restricted incoming
HP exits Russia ahead of schedule
Advertisers are heavier users of Ad Blockers than average Americans!
The Google Incognito Mode Lawsuit
Canonical fights malicious Ubuntu store apps
Spinrite update
A Cautionary Tale
Show Notes - https://www.grc.com/sn/SN-968-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
1bigthink.com
kolide.com/securitynow
Melissa.com/twit
vanta.com/SECURITYNOW
1/1/1 • 1 hour, 45 minutes, 55 seconds
SN 969: Minimum Viable Secure Product - Dlink NAS Backdoor, Privnote, Crowdefense
Out-of-support DLink NAS devices contain hard coded backdoor credentials
Privnote is not so "Priv"
Crowdfense is willing to pay millions
Engineers Pinpoint Cause of Voyager 1 Issue, Are Working on Solution
SpinRite Update
Minimum Viable Secure Product
Show Notes - https://www.grc.com/sn/SN-969-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
zscaler.com/zerotrustAI
business.eset.com/twit
lookout.com
joindeleteme.com/twit promo code TWIT
An update on the AT&T data breach
340,000 social security numbers leaked
Cookie Notice Compliance
The GDPR does enforce some transparency
Physical router buttons
Wifi enabled button pressers
Netsecfish disclosure of Dlink NAS vulnerability
Chrome bloat
SpinRite update
GhostRace
Show Notes - https://www.grc.com/sn/SN-970-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
kolide.com/securitynow
bitwarden.com/twit
vanta.com/SECURITYNOW
1bigthink.com
1/1/1 • 1 hour, 52 minutes, 46 seconds
SN 971: Chat (out of) Control - Fuxnet, Android Quarantine, Gentoo
What do you call "Stuxnet on steroids"??
Voyager 1 update
Android 15 to quarantine apps
Thunderbird & Microsoft Exchange
China bans Western encrypted messaging apps
Gentoo says "no" to AI
Cars collecting diving data
Freezing your credit
Investopedia
Computer Science Abstractions
Lazy People vs. Secure Systems
Actalis issues free S/MIME certificates
PIN Encryption
DRAM and GhostRace
AT&T Phishing Scam
Race Conditions and Multi-core processors
An Alternative to the Current Credit System
SpinRite Updates
Chat (out of) Control
Show Notes - https://www.grc.com/sn/SN-971-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
canary.tools/twit - use code: TWIT
lookout.com
kolide.com/securitynow
zscaler.com/zerotrustAI
1/1/1 • 2 hours, 15 minutes, 59 seconds
SN 972: Passkeys: A Shattered Dream? - IoT Default Passwords, Passkeys
GCHQ: No more default passwords for consumer IoT devices!
What happened with Chrome and 3rd-party cookies?
Race conditions and multi-threading
GM "accidentally" enrolled millions into "OnStar Smart Driver +" program
Steve recommends Ryk Brown's "Frontiers Saga"
SpinRite update
Passkeys: A Shattered Dream?
Show Notes - https://www.grc.com/sn/SN-972-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
business.eset.com/twit
vanta.com/SECURITYNOW
1bigthink.com
lookout.com
1/1/1 • 2 hours, 11 minutes, 22 seconds
SN 973: Not So Fast - GPS Vulnerabilites, VPN Flaw
The vulnerability of GPS
Is the sky falling on all VPN systems?
Multi-user Passkeys, YubiKeys?
The iCloud Keychain
The UK and Google's Topics
Show Notes - https://www.grc.com/sn/SN-973-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
Melissa.com/twit
kolide.com/securitynow
lookout.com
bitwarden.com/twit
1/1/1 • 2 hours, 24 minutes, 22 seconds
SN 974: Microsoft's Head in the Clouds - 4-Digit Pins, Long Range Navigation, Microsoft
Picture of the Week.
Most to least common 4-digit pins.
Enhanced LORAN.
Passkeys.
Microsoft's Head in the Clouds.
Show Notes - https://www.grc.com/sn/SN-974-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
1bigthink.com
zscaler.com/zerotrustAI
kolide.com/securitynow
joindeleteme.com/twit promo code TWIT
When you're the biggest target...
Searching for Search
How long will a Windows XP machine survive unprotected on the Internet?
Free Laundry
VPNs and Firewalls
Netgate SG1100
Ad Industry vs. Google Privacy Sandbox
Bitwarden and passkeys
Token2 passkey dongle
312 Scientists & Researchers Respond
Show Notes - https://www.grc.com/sn/SN-975-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
canary.tools/twit - use code: TWIT
1bigthink.com
business.eset.com/twit
mylio.com/TWIT25
1/1/1 • 2 hours, 14 minutes, 17 seconds
SN 976: The 50 Gigabyte Privacy Bomb - Google AI Workarounds, Microsoft Recall
The bigger problem with AI Overview
https://udm14.com/ -and- https://tenbluelinks.org/
The horses have left the barn
VPNs and Firewalls
Email @ GRC
Extension to fix Google search
Passwords and SPAM
Fixing motherboard components
Vertical tabs in Firefox
FritzBox routers
Too many PINs
More Google search fixes
Testing Windows XP
The 50 Gigabyte Privacy Bomb
Show Notes - https://www.grc.com/sn/SN-976-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
kolide.com/securitynow
joindeleteme.com/twit promo code TWIT
bitwarden.com/twit
1bigthink.com
1/1/1 • 2 hours, 13 minutes, 33 seconds
SN 977: A Large Language Model in Every Pot - Problems With Recall, End of ICQ, Email @ GRC
"Tornado Notes"
Email @ GRC
Have I Been Pwned?
A new "supply chain" attack vector
Another CA in the DogHouse
ICQ to shutter its service
Steve reviews "Déjà vu"
Hide my email
Security in Windows
SpinRite update
A Large Language Model in Every Pot
Show Notes - https://www.grc.com/sn/SN-977-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
GO.ACILEARNING.COM/TWIT - code TWIT30
kolide.com/securitynow
zscaler.com/zerotrustAI
Melissa.com/twit
1/1/1 • 1 hour, 55 minutes, 29 seconds
SN 978: The Rise and Fall of code.microsoft.com - Apple Password Manager, AI Coding
MS on Recall changes
Thanks for the "Memory"
New York Times (and Wordle) leak
Apple's own password manager app
DJI drones on the defensive
SlashData reveals some interesting developer statistics
Are we going to turn programming over to AIs?
The Linux Kernel Project goes CVE crazy
Email @ GRC
Pizza in 2024
Microsoft Recall at work
Google Domains to Squarespace DNS migration
T2F2-NFC-Dual keys
The rise and fall of code.microsoft.com
Show Notes - https://www.grc.com/sn/SN-978-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
mylio.com/twit
joindeleteme.com/twit promo code TWIT
1bigthink.com
kolide.com/securitynow
1/1/1 • 2 hours, 20 minutes, 54 seconds
SN 979: The Angle of the Dangle - "Recall" Recall, IT at the NYT, Private Cloud Compute
CVE-2024-30078
"Recall" has been recalled
Matthew Green on Apple's Private Cloud Compute
A WGET flaw with a CVSS of 10.0?
Thou shall not Resolve!
Email @ GRC
Downloading email with MailStore Home
IT at The New York Times
ReMarkable
The Angle of the Dangle
Show Notes - https://www.grc.com/sn/SN-979-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
bitwarden.com/twit
1bigthink.com
kolide.com/securitynow
GO.ACILEARNING.COM/TWIT - code TWIT30
1/1/1 • 2 hours, 14 minutes, 7 seconds
SN 980: The Mixed Blessing of Lousy PRNG - Kaspersky Ban, EU vs. Google's Privacy Sandbox
Expected follow-up on CVE-2024-30078
From Russia with Love
An EU privacy agency complains about Google's Privacy Sandbox?
Email @ GRC
Security Now SPAM?
Orange Tsai needs help!
Recall and 3rd Party Leakage
Errata
The Mixed Blessing of a Crappy PRNG
Show Notes - https://www.grc.com/sn/SN-980-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
joindeleteme.com/twit promo code TWIT
1password.com/securitynow
mylio.com/twit
canary.tools/twit - use code: TWIT
1/1/1 • 2 hours, 3 minutes, 44 seconds
SN 981: The End of Entrust Trust - Open SSH Vulnerability, SyncThing, Endtrust
The regreSSHion Bug
50BTC moved
Voyager 1 Update
Email @ GRC
SyncThing
DNS queries
Recall
The End of Entrust Trust
Show Notes - https://www.grc.com/sn/SN-981-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
bigid.com/securitynow
joindeleteme.com/twit promo code TWIT
panoptica.app
lookout.com
1/1/1 • 2 hours, 27 minutes, 44 seconds
SN 982: The Polyfill.io Attack - Entrust Responds, Passkey Redaction Attacks
Entrust Responds
Other major Certificate Authorities respond
Passkey Redaction Attacks
Syncing passkeys
Port Knocking
Fail2Ban
The Polyfill.io Attack
Show Notes - https://www.grc.com/sn/SN-982-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
lookout.com
vanta.com/SECURITYNOW
bitwarden.com/twit
panoptica.app
1/1/1 • 1 hour, 57 minutes, 22 seconds
SN 983: A Snowflake's Chance - CDN Safety, Microsoft's Behavior, CDK Ransomware Attack
Using Content Delivery Networks Safely
The CDK Global Ransomware Attack
The IRS and Entrust
Polyfill.io fallout
Microsoft's Behavior
A Snowflake's Chance
Show Notes - https://www.grc.com/sn/SN-983-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
vanta.com/SECURITYNOW
panoptica.app
lookout.com
joindeleteme.com/twit promo code TWIT
1/1/1 • 2 hours, 7 minutes, 11 seconds
SN 984: CrowdStruck - Crowdstrike, Cellebrite, More Entrust
Cellebrite unlocks Trump's would-be assassin's phone.
Cisco reported on a CVSS of 10.0
Entrust drops the other shoe
Google gives up on removing 3rd-party cookies
Miscellany
Snowflake and data warehouse applications
CDK auto dealership outage
Polyfill.io and resource hashes
MITM
Blocking Copilot
Blocking incoming connections via IP
CrowdStruck
Show Notes - https://www.grc.com/sn/SN-984-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
panoptica.app
canary.tools/twit - use code: TWIT
vanta.com/SECURITYNOW
bigid.com/securitynow
1/1/1 • 2 hours, 27 minutes, 5 seconds
SN 985: Platform Key Disclosure - Crowdstrike Post-mortem, Entrust Update
Crowdstrike post-mortem
PiDP-11
What Crowdstrike is fixing
Marcus Hutchins on who is to blame
Entrust's Updated Info
3rd-Party Cookie Surprise
Security training firm mistakenly hires a North Korean attacker
Google and 3rd party cookies
Google's influence
The auto industry and data brokers
DNS Benchmark on Mac
Platform Key Disclosure
Show Notes - https://www.grc.com/sn/SN-985-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
lookout.com
GO.ACILEARNING.COM/TWIT code SN100
panoptica.app
bitwarden.com/twit
1/1/1 • 2 hours, 30 minutes, 19 seconds
SN 986: How Revoking! - Crowdstrike Damage, Firefox Cookies
Platform Key Disclosure
Firefox's 3rd-party Cookie mess
The W3C Finally Weighs-in
CrowdStrike Damages.
GRC's Email
How Revoking!
Show Notes - https://www.grc.com/sn/SN-986-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
threatlocker.com for Security Now
joindeleteme.com/twit promo code TWIT
bigid.com/securitynow
vanta.com/SECURITYNOW
1/1/1 • 2 hours, 2 minutes, 9 seconds
SN 987: Rethinking Revocation - SinkClose, IsBootSecure, Another Bad RCE
Sitting Ducks DNS attack
A Bad RCE in another Microsoft server
SinkClose
The CLFS.SYS BSoD
IsBootSecure
Rethinking Revocation
Show Notes - https://www.grc.com/sn/SN-987-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
joindeleteme.com/twit promo code TWIT
bigid.com/securitynow
vanta.com/SECURITYNOW
1password.com/securitynow
1/1/1 • 2 hours, 18 minutes, 21 seconds
SN 988: National Public Data - Big Patch Tuesday, The Biggest Data Breach
Revocation Update
GRC's next experiment
Patch Tuesday
"The Famous Computer Café"
IsBootSecure
GRC Email
Working through WiFi Firewalls
Transferring DNS
OCSP attestation vs. TLS expiration
Platform key expiration
National Public Data
Show Notes - https://www.grc.com/sn/SN-988-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
bitwarden.com/twit
vanta.com/SECURITYNOW
threatlocker.com for Security Now
joindeleteme.com/twit promo code TWIT
CrowdStrike Exec's 'Most Epic Fail' Award
Hardware backdoors discovered in Chinese-made key cards
Counterfeit CISCO networking gear
SpinRite
Errata
NPD breach updates from listeners
Looking back at old SN episodes
Cascading Bloom Filters
Show Notes - https://www.grc.com/sn/SN-989-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
canary.tools/twit - use code: TWIT
1password.com/securitynow
e-e.com/twit
GO.ACILEARNING.COM/TWIT code SN100
1/1/1 • 2 hours, 10 minutes, 5 seconds
SN 990: Is Telegram an Encrypted App? - CrowdStrike Exodus, DDoS-as-a-Service, 'Active Listening' Ad Tech?
Telegram puts End-to-End Privacy in the Crosshairs
Free security logging is good for everyone
CrowdStrike hemorrhaging customers
Microsoft to meet privately with EDR (Endpoint Detection & Response) vendors
Yelp's Unhappy with Google
Telegram as the hotbed for DDoSass – DDoS as a Service
Chrome grows more difficult to exploit
Cox Media Group's "Active Listening" has apparently not ended
Cascading Bloom Filter follow-up
Closing the Loop
Is Telegram an encrypted app?
Show Notes - https://www.grc.com/sn/SN-990-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
bigid.com/securitynow
threatlocker.com for Security Now
vanta.com/SECURITYNOW
joindeleteme.com/twit promo code TWIT
1/1/1 • 2 hours, 9 minutes, 19 seconds
SN 991: RAMBO - Cloned YubiKeys, Telegram vs. Signal, French Elevators, Unix Time
Offer to uninstall Recall was a bug, not a feature
YubiKeys can be cloned
Miscellany
Is WhatsApp secure?
Telegram vs Signal
French elevators
Freezing your credit
The Quiet Canine
Unix time
Bobiverse book 5
Exodus: The Achemedes Engine
Watching SpinRite
RAMBO
Show Notes - https://www.grc.com/sn/SN-991-Notes.pdf
Hosts: Steve Gibson and Mikah Sargent
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
flashpoint.io
bigid.com/securitynow
Melissa.com/twit
bitwarden.com/twit
Windows Endpoint Security Ecosystem Summit
Aging storage media does NOT last forever
How Navy chiefs conspired to get themselves illegal warship Wi-Fi
adam:ONE named the #1 best Secure Access Service Edge (SASE) solution
AI Talk
Password Manager Injection Attacks
Show Notes - https://www.grc.com/sn/SN-992-Notes.pdf
Hosts: Steve Gibson and Mikah Sargent
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
threatlocker.com for Security Now
joindeleteme.com/twit promo code TWIT
1password.com/securitynow
vanta.com/SECURITYNOW
1/1/1 • 2 hours, 23 minutes, 39 seconds
SN 993: Kaspersky exits the U.S. - Exploding Pagers, Passkeys in Chrome
The case of the exploding pagers and walkie-talkies
"Ford seeks patent for tech that listens to driver conversations to serve ads"
Another large chunk of personal data exposed
Passkeys takes a big step forward: Now supported by Chrome
A nascent 9.9 Linux Unauthenticated RCE?
Freezing Credit
Credit Bureaus
Drobo 5N
SN email labeled as spam
Public Wi-fi saftey
SN for Certs
Windows Defender
Kaspersky exits the U.S.
Show Notes - https://www.grc.com/sn/SN-993-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
GO.ACILEARNING.COM/TWIT code SN100
canary.tools/twit - use code: TWIT
bigid.com/securitynow
e-e.com/twit
1/1/1 • 2 hours, 27 minutes, 5 seconds
SN 994: Recall's Re-Rollout - Domain Security, Tor + Tails, VLC Update
The Linux remote code execution flaw
The CRUCIAL importance of Domain Control Security
Roskomnadzor strikes a discordant note
VLC gets a security update
Tor and Tails Merge
Telegram changes its long-standing "zero cooperation" policy
Enshittification
Bobiverse book 5
Windows 10 notifications
Experian woes
Nuevomailer
SpinRite
Peter F. Hamilton
Recall's Re-Rollout
Show Notes - https://www.grc.com/sn/SN-994-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
vanta.com/SECURITYNOW
bitwarden.com/twit
joindeleteme.com/twit promo code TWIT
threatlocker.com for Security Now
1/1/1 • 2 hours, 16 minutes, 22 seconds
SN 995: uBlock Origin & Manifest V3 - DDoS Record, N. Korean Workers, Vitamin D
Facebook's parent Meta not hashing passwords
A New, forthcoming PayPal default opts their users into merchant data sharing
DDoS breaks another record
Speaking of these ASUS routers
Do you know who you're hiring?
Vitamin D
The CUPS vulnerablility
Routers for normal people
uBlock Origin & Manifest V3
Show Notes: https://www.grc.com/sn/SN-995-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
bitwarden.com/twit
Melissa.com/twit
threatlocker.com for Security Now
flashpoint.io
1/1/1 • 2 hours, 35 minutes, 21 seconds
SN 996: BIMI (up Scotty) - NPD Goes Broke, Firefox Under Attack, .io
uBlock Origin to the rescue
National Public Data files for bankruptcy
Will the .IO top level domain be disappearing?
Patch Tuesday
Firefox under attack
Miscellany
Sci-Fi
The Sequence
uBlock Origin
Eero Routers
Pep Link Router
BIMI (up Scotty)
Show Notes - https://www.grc.com/sn/SN-996-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
1password.com/securitynow
threatlocker.com for Security Now
joindeleteme.com/twit promo code TWIT
vanta.com/SECURITYNOW
1/1/1 • 2 hours, 32 minutes, 24 seconds
SN 997: Credential Exchange Protocol - DJI Sues DoD, Quantum Vs. RSA, Lost MS Logs
Did Chinese researchers really break RSA encryption? What did they do?
What next-level terror extortion is being powered by the NPD breach data?
The EU to hold software companies liable for software security?
Microsoft lost weeks of security logs. How hard did the try to fix the problem?
The Chinese drone company DJI has sued the DoJ over its ban on DJI's drones.
The DoJ wishes to acquire "DeepFake" technology to create fake people.
Microsoft has bots pretending to fall for phishing campaigns, then leading the bad guys to their honeypots. It's diabolical and brilliant.
A bit of BIMI logo follow-up, then...
A look at the operation of the FIDO Alliance's forthcoming Credential Exchange Protocol which promises to create passkey collection portability
Show Notes - https://www.grc.com/sn/SN-997-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
threatlocker.com for Security Now
flashpoint.io
lookout.com
bitwarden.com/twit
1/1/1 • 2 hours, 18 minutes, 35 seconds
SN 938: Apple Says No - Topics coming to Android, Apple security research, browser extension vulnerabilities
Steve provides an update on ValiDrive, his new freeware utility for testing USB drives. It identifies bogus mass storage drives and performance differences between drives.
There has been another sighting of Google's Topics API, this time on Android phones. It allows apps to get information about users' interests based on recent app usage.
Apple has opened up their iPhones to security researchers through their Security Research Device program since 2019. Researchers get access to customize kernels, entitlements, and other low-level features without compromising security.
Research reveals vulnerabilities in browser extensions that allow them to steal plaintext passwords from a website's HTML source code. Even sites like Google, Facebook, Amazon, IRS, and Capital One are affected.
Feedback from listeners on topics like Apple's stance on scanning iCloud data for CSAM, Microsoft's broken TLS timestamp implementation, using VirusTotal to check downloaded files, ReadSpeed limitations, and downloading malware for VirusTotal checks.
Apple publicly shares a letter from a CSAM activist demanding they implement scanning to detect child abuse images in iCloud Photos. Apple responds clearly stating they will not compromise user privacy and security to do so.
Show Notes - https://www.grc.com/sn/SN-938-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
drata.com/twit
panoptica.app
canary.tools/twit - use code: TWIT
• 2 hours, 2 minutes, 34 seconds
SN 937: The Man in the Middle - WinRAR v6.23, fake flash drives, Voyager2 antenna, Google Topics
Picture of the Week: Steve shares a funny "what we say vs what we mean" image about tech support conversations.
WinRAR v6.23 fixes: Steve explains that updating to the latest WinRAR is more important than initially thought, with two critical vulnerabilities being actively exploited by hackers since April to install malware.
HTTPS for local networks: Responding to listener email, Steve agrees HTTP is fine for local network devices like routers but notes risks in larger corporate networks.
Portable domains for email: Steve endorses a listener suggestion to purchase your own domain and use third-party services, retaining control if a provider shuts down.
Google Topics and monopolies: Steve and Leo debate whether Topics favors large advertisers with greater reach to get user targeting data.
Voyager 2 antenna analysis: A listener calculates the antenna beam width mathematically, showing 2 degrees off-axis may not be as remarkable as it sounded.
Windows time settings: Steve clarifies the STS issue does not impact end users changing Windows clock settings, it's enterprise server-side.
Unix time in TLS handshakes: The hosts discuss why Unix time stamps are sent but not required for TLS, tracing back to early nonce generation.
Fake flash drives: Steve warns of a slew of fake high-capacity thumb drives flooding the market, explaining how SpinRite tests detected the flaw.
Man-in-the-middle attacks: While agreeing HTTPS helps prevent malicious injection, Steve examines MITM attack practicality, arguing they are difficult for hackers to pull off.
Show Notes - https://www.grc.com/sn/SN-937-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
kolide.com/securitynow
canary.tools/twit - use code: TWIT
Building Cyber Resilience Podcast
• 2 hours, 9 minutes, 45 seconds
SN 936: When Heuristics Backfire - OpenSUSE, SanDisk and Western Digital, 8Base, TSSHOCK
OpenSUSE goes private.
Android to get satellite comms.
SanDisk and Western Digital in hot water.
You're asking for it: YouTube children's privacy.
Whoopsie! 8Base.
Where the money is.
The TSSHOCK vulnerability.
BitForge.
A Quantum resilient security key.
Removed Chrome extensions notifications.
HTTPS by default?
WinRAR 6.23 final released.
Closing the Loop.
When Heuristics Backfire.
Show Notes - https://www.grc.com/sn/SN-936-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
panoptica.app
kolide.com/securitynow
joindeleteme.com/twit promo code TWIT
Picture of the Week.
Security Now!'s 18th birthday!
Closing the Loop.
Firefox Multi-Account Containers.
A question about Full Disk Encryption on SSD's.
Should I run SpinRite before I back up my drives to a NAS?
Overly complex password rules.
DuckDuckGo's email alias.
The new Russian Astra Linux based OS can not legally be possible.
Regarding satellite crowding: The skies won't be darkening anytime soon.
This is what came to mind on the Voyager 2 segment with the shout.
Can you please share the name of the session manager that you use in Firefox?
The numbers behind the Voyager recorrection.
"Topics" Arrives.
How Topics Works.
Show Notes: https://www.grc.com/sn/SN-935-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
cs.co/twit
Building Cyber Resilience Podcast
bitwarden.com/twit
• 1 hour, 59 minutes, 9 seconds
SN 934: Revisiting Global Privacy Control - Voyager 2, MS Security, keyboard acoustic side-channel attacks
Picture of the Week.
NASA "shouted" at Voyager.
Another view of Microsoft.
What about this Chinese attack?
AI meets Keyboard Acoustic Side-Channel attacks.
Closing the Loop.
Revisiting Global Privacy Control.
Show Notes: https://www.grc.com/sn/SN-934-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
• 2 hours, 39 seconds
SN 933: TETRA:BURST - Satellite Turla, Android tracker tech, VirusTotal 2023 report, open source in Russia
Picture of the Week.
Satellite Turla: APT Command and Control in the Sky.
OS 17 to further crack down on device fingerprinting.
Android to start warning of "unknown trackers".
The 7th branch of the US military.
Russia criminalizes open source project contribution.
VirusTotal's 2023 report.
Closing the Loop.
TETRA:BURST.
Show Notes - https://www.grc.com/sn/SN-933-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
Building Cyber Resilience Podcast
bitwarden.com/twit
drata.com/twit
• 2 hours, 24 minutes, 48 seconds
SN 932: Satellite Insecurity, Part 2 - Apple vs EU, Cyber Resilience Act, Web Environment Integrity
Picture of the Week.
R.I.P. Kevin Mitnick.
Apple says: "Thanks, but we'd rather leave."
Web Environment Integrity.
Web Analytics under the spotlight.
More progress on the IoT security front.
The "Expeditionary cyber force".
Ransomware payouts being made much less often.
MOVEit Update.
TikTok + Passkeys.
Closing the Loop.
SpinRite.
Satellite Insecurity, Part 2.
Show Notes: https://www.grc.com/sn/SN-932-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
drata.com/twit
GO.ACILEARNING.COM/TWIT
bitwarden.com/twit
• 2 hours, 12 minutes, 43 seconds
SN 931: Satellite Insecurity, Part 1 - Kaspersky on MS flaw, WormGPT, Bitcoin addresses, Twitter DM change
Picture of the Week.
Kaspersky on Microsoft's Patch Tuesday.
As the worm turns: WormGPT.
Microsoft revokes 100+ malicious drivers.
MOVEit Update.
Does Dun & Bradstreet know you?
No Threads for you! (or EU!)
All Bitcoin addresses look alike.
Twitter changes DM settings.
Closing the Loop.
SpinRite.
Satellite Insecurity, Part 1.
Show Notes: https://www.grc.com/sn/SN-931-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
kolide.com/securitynow
drata.com/twit
cs.co/twit
Picture of the Week.
Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software.
And as for MOVEit...
What's a "Rug Pull" ??
"Avast, ye Matey"
China's OpenKylin v1.
TootRoot!
Firefox 115.
Did Russia Disconnect?
Use some honey if you want to catch some flies.
Cryptocurrency losses.
International Consumer Data Transit.
Apple's emergency update retraction.
Syncthing Revisited.
Closing the Loop.
SpinRite's first RTM release.
RTOS-32.
Rowhammer Indelible Fingerprinting.
Show Notes: https://www.grc.com/sn/SN-930-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
canary.tools/twit - use code: TWIT
bitwarden.com/twit
GO.ACILEARNING.COM/TWIT
Picture of the Week.
Catching Leo up to speed from last week.
DuckDuckBrowse.
And an updated Tor Browser.
Opera, now enhanced with "AI".
The KasperskyOS Phone.
The cost of doing business in Russia.
Slowly turn the wheels of justice.
The US to create a new "Cyber Force".
Apple.com now supports Passkeys.
Selective GDPR enforcement?
Facial Recognition is Photo Recognition.
Google cybersecurity clinics.
Progress/MOVEit sued.
Closing the Loop.
SpinRite.
Operation Triangulation.
Show Notes: https://www.grc.com/sn/SN-929-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
drinkAG1.com/securitynow
lookout.com
drata.com/twit
• 2 hours, 6 minutes, 45 seconds
SN 928: The Massive MOVEit Maelstrom - Patch Tuesday, SpinRite 7.1, MOVEit
Picture of the Week.
Patch Tuesday.
Does EVERYTHING leak??
Closing the Loop.
SpinRite gets version 7.1!
The Massive MOVEit Maelstrom.
Show Notes: https://www.grc.com/sn/SN-928-Notes.pdf
Hosts: Steve Gibson and Jason Howell
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
drata.com/twit
cs.co/twit
kolide.com/securitynow
• 0
SN 927: Scanning the Internet - IoT DDoS rising, who pays for Cryptomining, WWDC security announcements
Picture of the Week.
Cryptomining Rude Surprise Billing.
Musk's Twitter is refusing to pay for Cloud Services.
IoT DDoS rapidly rising.
H1CA found executing code on client machines.
Apple's WWDC Redux.
France takes a different approach...
Russia: Scanners stay out!
Miscellany.
Closing the Loop.
SpinRite.
Scanning the Internet.
Show Notes: https://www.grc.com/sn/SN-927-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
GO.ACILEARNING.COM/TWIT
bitwarden.com/twit
athleticgreens.com/securitynow
• 2 hours, 27 minutes, 52 seconds
SN 926: Windows Platform Binary Table - OWASP, Tor anti-DoS protection, Mandatory SMB Signing on Win 11
Picture of the Week.
Another week of silence from HP.
Mandatory "SMB Signing" coming to Windows 11.
OWASP.
Did Apple help the NSA attack the Kremlin?
Kaspersky's analysis of this iPhone attack and compromise.
The Trifecta Jackpot!
Who wrote that?
Tor gets anti-DoS protection.
Cybersecurity at Educational institutions.
Civilian Surveillance Cameras in Ukraine.
Cyber Mercenaries.
Closing the Loop.
Windows Platform Binary Table.
Show Notes: https://www.grc.com/sn/SN-926-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
meraki.cisco.com/twit
joindeleteme.com/twittv
canary.tools/twit - use code: TWIT
• 2 hours, 15 minutes
SN 925: Brave's Brilliant Off the Record Request - .ZIP TLD, Bitwarden Passkey support, PyPi
Picture of the Week.
HP = "Huge Pile"
The ".ZIP" TLD — What could possibly go wrong?
PyPI gets more serious about security AND privacy.
"No logs saved anywhere"???
Twitter in the EU?
Bitwarden's support for Passkeys.
A €1.2 billion fine will grab your attention.
Editing WhatsApp messages.
A new Google Bug Bounty.
SpinRite.
Brave's Brilliant Off the Record Request.
Show Notes: https://www.grc.com/sn/SN-925-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
cs.co/twit
drata.com/twit
Melissa.com/twit
• 1 hour, 37 minutes, 17 seconds
SN 924: VCaaS – Voice Cloning as a Service - HP printer update, KeePass vulnerability, SpinRite bug
Picture of the Week.
Tracker Follow-Up.
Automatic IoT device updating.
HP 9020e - error code 83C0000B.
Section 230 Stands.
The KeePass Vulnerability.
Apple joins Samsung, Amazon and Verizon in banning ChatGPT.
Google's Privacy Sandbox moves forward.
The FBI heavily misused FISA powers.
Supply Chain Nightmare.
SpinRite.
VCaaS – Voice Cloning as a Service.
Show Notes: https://www.grc.com/sn/SN-924-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
expressvpn.com/securitynow
athleticgreens.com/securitynow
lookout.com
• 1 hour, 49 minutes, 11 seconds
SN 923: Location Tracker Behavior - Diving deep into Google and Apple's tracker spec, SpinRite update
Picture of the Week.
SpinRite.
Location Tracker Behavior.
Formal definitions from the specification.
Bluetooth LE devices have MAC addresses and therein lies a problem.
All devices are serialized.
And now, that "pairing registry".
Privacy considerations.
Show Notes: https://www.grc.com/sn/SN-923-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
bitwarden.com/twit
GO.ACILEARNING.COM/TWIT
• 1 hour, 58 minutes, 13 seconds
SN 922: Detecting Unwanted Location Trackers - Google Passkeys, Chrome lock icon, AI news sites, Vint Cerf
Picture of the Week.
Google & Passkeys.
TP-Link routers DO auto-update.
US Marshals Service: Where's the backup??
T-Mobile keeps getting breached.
Chrome: No more LOCK icon.
Apple's new "Rapid Security Response" system.
Elon Musk, making friends wherever he goes...
A quick Mastodon aside.
Here come the fake AI-generated "news" sites.
Russia to replace "American" TCP/IP with "Russian Internet".
Vint Serf's 3 mistakes.
Detecting Unwanted Location Trackers.
Show Notes: https://www.grc.com/sn/SN-922-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsor:
kolide.com/securitynow
• 2 hours, 7 minutes, 17 seconds
SN 921: OSB OMG and Other News! - Age verification, Google Authenticator E2EE, VirusTotal AI, cURL
Picture of the Week.
The Encryption Debate.
Age does matter...
Age Verification.
WhatsApp: Rather be blocked in UK than weaken security.
Exposing Side-Channel Monitoring.
Closing the Loop.
A new UDP reflection attack vector.
Google Authenticator Updated.
Does Israel use NSO Group commercial spyware?
A Russian OS?
TP-Link routers compromised.
A pre-release security audit.
Another Intel side-channel attack.
Windows users: Don't remove cURL!
AI comes to VirusTotal.
Show Notes https://www.grc.com/sn/SN-921-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
canary.tools/twit - use code: TWIT
joindeleteme.com/twittv
drata.com/twit
• 0
SN 920: An End-to-End Encryption Proposal - Wipe those routers, Lockdown Mode, ChatGPT black market
Picture of the Week.
Lockdown Mode seen succeeding.
A growing black market for ChatGPT accounts.
Decommissioned Corporate Routers Leak Secrets.
Jaguar Tooth: Cisco router vulnerabilities.
Security Research Legal Defense Fund.
A quick Firefox fix.
Kubernetes security audit.
Google Chrome zero-day.
An End-to-End Encryption Proposal.
Show Notes https://www.grc.com/sn/SN-920-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
athleticgreens.com/securitynow
lookout.com
• 2 hours, 3 minutes, 38 seconds
SN 919: Forced Entry - Patch Tuesday, Google Assured Open Source Software, WhatsApp Improvements
Picture of the Week.
Patch Tuesday Review.
Risky Business News.
Google Assured Open Source Software.
WhatsApp Improvements.
Bad Security? Go to jail!
Forced Entry.
Show Notes https://www.grc.com/sn/SN-919-Notes.pdf
Hosts: Steve Gibson and Jason Howell
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
meraki.cisco.com/twit
bitwarden.com/twit
GO.ACILEARNING.COM/TWIT
• 1 hour, 45 minutes, 9 seconds
SN 918: A Dangerous Interpretation - H26FORGE, Privatized ChatGPT, Mozilla Site Breach Monitor
Picture of the Week.
Microsoft and Fortra go on the offensive.
Can ChatGPT keep a secret?
Apple updates their OS's.
Wordpress under attack... again.
Mozilla's Site Breach Monitor.
Another ChatGPT investigation.
Samsung handsets reaching EoL.
Less access for loan apps.
The right to be forgotten.
SpinRite.
A Dangerous Interpretation.
Show Notes: https://www.grc.com/sn/SN-918-Notes.pdf
Hosts: Steve Gibson and Jason Howell
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
joindeleteme.com/twittv
meraki.cisco.com/twit
kolide.com/securitynow
• 2 hours, 4 minutes, 36 seconds
SN 909: How ESXi Fell - EU Internet Surveillance, QNAP returns, .DEV is always HTTPS
Picture of the Week.
The European Union's Internet Surveillance Proposal.
30,000 patient records online?
.DEV is always HTTPS!
Google changes Chrome's release strategy.
Russia shoots the messenger.
A fool and his Crypto...
QNAP is back.
CVSS severity discrepancy.
Closing the Loop.
How ESXi Fell.
Show Notes: https://www.grc.com/sn/SN-909-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
drata.com/twit
barracuda.com/securitynow
canary.tools/twit - use code: TWIT
• 2 hours, 13 minutes, 5 seconds
SN 912: The NSA @ Home - LastPass hack details, Signal says no to UK, more PyPI troubles, QNAP bug bounty
Picture of the Week.
Windows 11? ... anyone?
As Plain as Ever.
Edge's new built-in VPN?
LastPass Incident Update.
Signal says NO to the UK.
More PyPI troubles.
The QNAP bug bounty program.
SpinRite.
The NSA @ Home.
Show Notes: https://www.grc.com/sn/SN-912-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsor:
kolide.com/securitynow
• 1 hour, 44 minutes, 2 seconds
SN 913: A Fowl Incident - DDoS'ing Fosstodon, Strategic Objective 3.3, CISA's Covert Red-Team
Picture of the Week.
DDoS'ing Fosstodon.
DDoS for Hire takedowns.
TikTok Insanity.
Illegal Warrantless Surveillance.
Strategic Objective 3.3.
GitHub Secret Scanning.
CISA's Covert Red-Team.
What's left?
What's old is new again.
TCG TPM vulnerabilities.
WordPress "All In One SEO".
Russia fines Wikipedia.
A Fowl Incident.
Show Notes: https://www.grc.com/sn/SN-913-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
canary.tools/twit - use code: TWIT
drata.com/twit
kolide.com/securitynow
• 1 hour, 48 minutes, 28 seconds
SN 916: Microsoft's Email Extortion - Pwn2Own, Edge Crypto Wallet
Picture of the Week.
Synacktiv wins this year's CanSecWest Pwn2Own
GitHub: Mistakes happen
DDoS for Hire. . .Or Not
144,000 malicious packages published
No iPhones For Russian Presidential Staff
I NUIT
Edge Gets Crypto
Microsoft's Email Extortion
Show Notes: https://www.grc.com/sn/sn-916-notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
lookout.com
kolide.com/securitynow
Melissa.com/twit
• 1 hour, 37 minutes, 30 seconds
SN 915: Flying Trojan Horses - Exynos 0-days, TikTok Tick Tock, 90-day TLS cert life, CHESS is safe!
Picture of the Week.
Multiple Exploitable Samsung 0-Days.
A good idea for NPM.
The TikTok Tick Tock.
Google pushes for 90-day TLS certificate life.
CHESS is safe.
CISA has begun scanning!
Flying Trojan Horses.
Show Notes: https://www.grc.com/sn/SN-915-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
drata.com/twit
GO.ACILEARNING.COM/TWIT
expressvpn.com/securitynow
• 2 hours, 2 minutes, 7 seconds
SN 910: Ascon - Malicious ChatGPT Use, Google Security Key Giveaway, OTPAuth
Picture of the Week
ESXiArgs follow-up
ChatGPT's Malicious Use
Google Security Key Giveaway
Brave goes HTTPS-by-default
1Password Makes Another Passkeys Move
Russian Patriotic Hackers
Amazon to FINALLY Secure Its AWS S3 Instances
More Anti-Chinese Camera Removals
Microsoft to embed Adobe Acrobat PDF reader into Edge
Password Exhaustion
One Time Passowrd OTPAuth
Password Exhaustion
Ascon
Show Notes https://www.grc.com/sn/sn-910-notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
bitwarden.com/twit
plextrac.com/twit
fortra.com
• 2 hours, 52 seconds
SN 908: Data Operand Independent Timing - Old Android apps, Kevin Rose, iOS 6.3 and FIDO, Hive hacked
Android to start blocking old and unsafe apps.
Microsoft to block Internet sourced Excel add-ins.
An example of saying "no" even when it may hurt.
Hacked Wormhole funds on the move.
Kevin Rose Hacked.
Facebook will be moving more users into E2EE.
iOS 6.3 and FIDO.
Scan thy Citizenry.
The Hive ransomware organization takedown.
Errata.
Closing the Loop.
SpinRite.
Data Operand Independent Timing.
Show Notes: https://www.grc.com/sn/SN-908-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
Melissa.com/twit
kolide.com/securitynow
• 1 hour, 44 minutes, 48 seconds
SN 911: A Clever Regurgitator - GoneDaddy, Section 230, NPM malware, Hyundai Kia mess, Meta Verified
GoneDaddy, Section 230, NPM malware, Hyundai Kia mess, Meta Verified
Picture of the Week.
GoneDaddy.
Section 230.
No Blue, No SMS-based 2FA.
Bitwarden gets Argon.
"Meta Verified".
Emsisoft Fake Code Signing.
Attacks breaking records.
More Mirai.
NPM malware.
Patch Tuesday.
Samsung announces "Message Guard".
The Hyundai & Kia mess.
A Clever Regurgitator.
Show Notes https://www.grc.com/sn/sn-911-notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
drata.com/twit
GO.ACILEARNING.COM/TWIT
• 1 hour, 51 minutes, 36 seconds
SN 914: Sony Sues Quad9 - Polynonce attack, Germany Huawei ban, Plex Media Server defect, Andor review
Picture of the Week.
Another Malicious Chrome Extension.
Germany to join the Huawei & ZTE ban.
Putting "phishing" into perspective.
The Polynonce attack.
Plex's RCE now in CISA's KEV.
Sci-Fi: Andor.
Sony Sues Quad9.
Show Notes: https://www.grc.com/sn/SN-914-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
fortra.com
bitwarden.com/twit
plextrac.com/twit
• 2 hours, 8 minutes, 55 seconds
SN 917: Zombie Software - ChatGPT Ban, Hacking the Pentagon
Picture of the Week
So... Not an attack, then?
AI Overlord Hysteria
Italy says NO to ChatGPT
It's illegal... How much will that be?
The U.S. FDA & medical device security
Hack the Pentagon
Firefox 3dr-party DLL check-up
Microsoft's Extortion?
The Silver Ships
Zombie Software
Show Notes: https://www.grc.com/sn/sn-917-notes.pdf
Hosts: Steve Gibson and Ant Pruitt
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now! at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors:
kolide.com/securitynow
canary.tools/twit - use code: TWIT
meraki.cisco.com/twit