Security Now: Aired Order

All Seasons

Season 1

  • S01E01 As the Worm Turns — the first Internet worms of 2005

    • August 18, 2005
    • TWiT

    How a never-disclosed Windows vulnerability was quickly reverse-engineered from the patches to fix it and turned into more than 12 potent and damaging Internet worms in three days. What does this mean for the future of Internet security?

  • S01E02 HoneyMonkeys

    • August 25, 2005
    • TWiT

    How Microsoft's "HoneyMonkey" system works, how it finds malicious web sites before they find you, and what Microsoft is doing (and NOT doing) with this valuable security information it is now collecting.

  • S01E03 NAT Routers as Firewalls

    • September 1, 2005
    • TWiT

    Most people don't think of common NAT routers as hardware firewalls, but ANY NAT router inherently provides terrific security and protection against incoming malicious traffic. Learn how and why this is, and which default settings MUST be changed to lock down the security of your NAT router.

  • S01E04 Personal Password Policy (1)

    • September 8, 2005
    • TWiT

    Everyone who uses web-based services such as eBay, Amazon, and Yahoo needs to authenticate their identity with passwords. Password quality is important since easily guessable passwords can be easily defeated. Leo and I recap a bit from last week's program, then discuss passwords. We suggest an approach that anyone can use to easily create unbreakable passwords.

  • S01E05 Personal Password Policy (2)

    • September 15, 2005
    • TWiT

    Our previous episode (#4), which discussed personal password policies, generated so much great listener feedback, thoughts, ideas, and reminders about things we didn't mention, that we decided to wrap up this important topic with a final episode to share listeners' ideas and to clarify some things we left unsaid.

  • S01E06 Mechanical & Electromagnetic Information Leakage

    • September 22, 2005
    • TWiT

    Triggered by a recent report of three UC Berkeley researchers recovering text typed at a keyboard (any keyboard) after simply listening to ten minutes of typing, Leo and I discuss the weird realm of "alternative information leakage" — from CRT glowing, to radio emissions, to LED lamps on the front of network equipment . . . to a microphone listening to anyone typing.

  • S01E07 SPYaWAREness

    • September 29, 2005
    • TWiT

    Any contemporary discussion of threats to Internet security must discuss the history, current situation, and future of spyware. Leo and I spend a little more time than usual covering many aspects of this important topic. DON'T MISS the Episode Notes Page for this episode!

  • S01E08 Denial of Service (DoS) Attacks

    • October 6, 2005
    • TWiT

    Distributed Denial of Service (DDoS) attacks are occurring with ever-greater frequency every day. Although these damaging attacks are often used to extort high-profile gaming and gambling sites before major gambling events, attacks are also launched against individual users who do something to annoy "zombie fleet masters" while they are online. Some router and firewall vendors claim that their devices prevent DDoS attacks. Is that possible? What can be done to dodge the bullet of a DDoS attack launched against you while you're online?

  • S01E09 Rootkits

    • October 13, 2005
    • TWiT

    This week we discuss "rootkit technology". We examine what rootkits are, why they have suddenly become a problem, and how that problem is rapidly growing in severity. We also discuss their detection and removal and point listeners to some very effective free rootkit detection solutions.

  • S01E10 Open Wireless Access Points

    • October 20, 2005
    • TWiT

    Leo and I examine the security and privacy considerations of using non-encrypted (i.e. 'Open') wireless access points at home and in public locations. We discuss the various ways of protecting privacy when untrusted strangers can 'sniff' the data traffic flowing to and from your online PC.

  • S01E11 Bad WiFi Security (WEP and MAC address filtering)

    • October 27, 2005
    • TWiT

    Leo and I answer some questions arising from last week's episode, then plow into a detailed discussion of the lack of security value of MAC address filtering, the futility of disabling SSIDs for security, and the extremely poor security offered by the first-generation WEP encryption system.

  • S01E12 Sony's

    • November 3, 2005
    • TWiT

    Leo and I discuss details and consequences of Sony Corporation's alarming "Rootkit" DRM (digital rights management) copy protection scheme. This poorly written software unnecessarily employs classic rootkit technology (see episode #9) to hide from its users after installation. It cannot be uninstalled easily, it can be easily misused for malicious purposes, and it has been implicated in many repeated BSOD "blue screen of death" PC crashes.

  • S01E13 Unbreakable WiFi Security

    • November 10, 2005
    • TWiT

    Leo and I follow up on last week's discussion of the Sony Rootkit debacle with the distressing news of "phoning home" (spyware) behavior from the Sony DRM software, and the rootkit's exploitation by a new malicious backdoor Trojan. We then return to complete our discussion of WiFi security, demystifying the many confusing flavors of WPA encryption and presenting several critical MUST DO tips for WPA users.

  • S01E14 Virtual Private Networks (VPN): Theory

    • November 17, 2005
    • TWiT

    Leo and I first follow up on the past two episodes, discussing new developments in the continuing Sony Rootkit DRM drama, and clearing up some confusion over the crackability of WPA passphrases. Then, in this first of our two-part series on VPNs, we discuss the theory of VPN connections and tunnels, explaining how they work and why they represent such a terrific solution for anyone who needs security while they're away from home.

  • S01E15 VPN Secure Tunneling Solutions

    • November 24, 2005
    • TWiT

    Leo and I discuss the use of SSL and SSH encrypted tunneling for providing privacy and security whenever an insecure local network is being used — such as at an open WiFi hotspot or when using a hotel's network. These solutions are not transparent and tend to be configuration intensive. They also require the use of a "server" of some sort at the user's home or office. This makes these approaches less suitable for casual users, but offers a solution for the more technically inclined road warriors.

  • S01E16 Listener feedback Q&A #1

    • December 1, 2005
    • TWiT

    Leo and I discuss questions asked by listeners of our previous episodes. We tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world 'application notes' for any of the security technologies we have previously discussed.

  • S01E17 PPTP and IPSec VPN Technology

    • December 8, 2005
    • TWiT

    In our continuing exploration of VPN technology for protecting network users on networks they don't control, Leo and I discuss the oldest "original" VPN protocols: Industry standard IPSec, and Microsoft's own PPTP and L2TP/IPSec. We examine and explain the trouble with interconnecting Windows machines to third-party VPN routers and examine the many reasons these older technologies are probably not optimal for on-the-go road warriors.

  • S01E18 Hamachi Rocks!

    • December 15, 2005
    • TWiT

    This week Leo and I discuss and describe the brand new, ready to emerge from its long development beta phase, ultra-secure, lightweight, high-performance, highly-polished, multi-platform, peer-to-peer and FREE! personal virtual private networking system known as "Hamachi". After two solid weeks of testing and intense dialog with Hamachi's lead developer and designer, I have fully vetted the system's security architecture and have it running on many of my systems. While I am travelling to Toronto this week, Hamachi is keeping my roaming laptop securely and directly connected to all of my machines back home. Don't miss this one!

  • S01E19 VPNs Three: Hamachi, iPig, and OpenVPN

    • December 22, 2005
    • TWiT

    Leo and I wrap up our multi-week, in-depth coverage of PC VPN solutions by discussing some aftermath of the zero-configuration Hamachi system; introducing "iPig," a very appealing new zero-configuration VPN contender; and describing the many faces of OpenVPN, the "Swiss army knife" of VPN solutions.

  • S01E20 A SERIOUS new Windows vulnerability — and Listener Q&A

    • December 29, 2005
    • TWiT

    On December 28th a serious new Windows vulnerability appeared and was immediately exploited by a growing number of malicious web sites to install malware. Many worse viruses and worms are expected soon. We start off discussing this, and our show notes provide a quick, necessary workaround until Microsoft provides a patch. Then we spend the next 45 minutes answering and discussing interesting listener questions.

  • S01E21 The Windows MetaFile (WMF) Vulnerability

    • January 5, 2006
    • TWiT

    Leo and I discuss everything known about the first serious Windows security exploits of the New Year, caused by the Windows MetaFile (WMF) vulnerability. In our show's first guest appearance, we are joined by Ilfak Guilfanov, the developer of the wildly popular -- and very necessary -- temporary patch that was used by millions of users to secure Windows systems while the world waited for Microsoft to respond.

  • S01E22 The Windows MetaFile Backdoor?

    • January 12, 2006
    • TWiT

    Leo and I carefully examine the operation of the recently patched Windows MetaFile vulnerability. I describe exactly how it works in an effort to explain why it doesn't have the feeling of another Microsoft "coding error". It has the feeling of something that Microsoft deliberately designed into Windows. Given the nature of what it is, this would make it a remote code execution "backdoor". We will likely never know if this was the case, but the forensic evidence appears to be quite compelling.

  • S01E23 GRC's

    • January 19, 2006
    • TWiT

    Leo and I "close the backdoor" on the controversial Windows WMF Metafile image code execution (MICE) vulnerability. We discuss everything that's known about it, separate the facts from the spin, explain exactly which Windows versions are vulnerable and why, and introduce a new piece of GRC freeware: MouseTrap, which determines whether any Windows or Linux/WINE system has 'MICE'.

  • S01E24 Listener Feedback Q&A #3

    • January 26, 2006
    • TWiT

    Leo and I discuss questions asked by listeners of our previous episodes. We tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world "application notes" for any of the security technologies we have previously discussed.

  • S01E25 How the Internet Works (1)

    • February 2, 2006
    • TWiT

    Steve talks about the Kama Sutra virus, scheduled to strike tomorrow, and PC World's anti-virus roundup. Then we delve into How the Internet Works, part 1. We'll wrap things up next week.

  • S01E26 How the Internet Works (2)

    • February 9, 2006
    • TWiT

    Part 2 of Steve's discussion of how the fundamental Internet technologies work. This and the previous episode will provide the foundation for our future podcasts on Internet security issues.

  • S01E27 How Local Area Networks Work, Part 1

    • February 16, 2006
    • TWiT

    Steve continues to lay a foundation on understanding networking. This week, part one of how LANs work. We cover DHCP, Subnet Masks, Routers, and hubs. We'll conclude with part two on episode 29.

  • S01E28 Listener Feedback Q&A #4

    • February 23, 2006
    • TWiT

    Steve answers your questions on this episode, with further clarification on VPN security, Hamachi, and the answer to the eternal question: which operating system is the most secure?

  • S01E29 Ethernet Insecurity

    • March 2, 2006
    • TWiT

    In this week's marathon edition Steve tackles security issues inherent to Ethernet, including ARP spoofing.

  • S01E30 Cryptographic Issues

    • March 10, 2006
    • TWiT

    This week Steve takes a look at how cryptography is used and the difficult issues strong crypto raises.

  • S01E31 Symmetric Stream Ciphers

    • March 16, 2006
    • TWiT

    This week Steve continues his discussion of crypto with a look at secret decoder rings and one-time pads.

  • S01E32 Listener Feedback Q&A #5

    • March 23, 2006
    • TWiT

    Episode 32 is our monthly question and answer session.

  • S01E33 Symmetric Block Ciphers

    • March 30, 2006
    • TWiT

    Part three of Steve's overview of cryptography looks at symmetric block ciphers.

  • S01E34 Public Key Cryptography

    • April 6, 2006
    • TWiT

    This week Steve explains how public key cryptography works, and we welcome our new sponsor, Astaro! Thanks so much for the support, guys.

  • S01E35 Cryptographic Hashes

    • April 13, 2006
    • TWiT

    This week Steve talks about how cryptographic hashes work and are used to verify the integrity of files and email. We also talk about email signing and recommend the Gnu Privacy Guard.

  • S01E36 Listener Feedback Q&A #6

    • April 20, 2006
    • TWiT

    As usual on every fourth episode, Steve answers listener questions.

  • S01E37 Crypto Series Wrap-up

    • April 27, 2006
    • TWiT

    We wrap up our talk about cryptography with a discussion of prime number generation, key recovery, and digital certificates.

  • S01E38 Browser Security

    • May 4, 2006
    • TWiT

    Why is Internet Explorer so insecure? What can you do to secure it? And why is it so hard to make a secure browser? Steve talks about security policy vs. browser flaws, how he uses IE safely, and why Java and JavaScript are inherently more secure than ActiveScript and ActiveX.

  • S01E39 Buffer Overruns

    • May 11, 2006
    • TWiT

    Buffer overflows... they're the most common kind of security flaw, but what are they and how do they happen? Finally, how can we protect ourselves from them? Steve explains all.

  • S01E40 Listener Feedback Q&A #7

    • May 18, 2006
    • TWiT

    As he does every fourth episode, Steve answers your questions. But first, an update on some recent security news...

  • S01E41 TrueCrypt

    • May 25, 2006
    • TWiT

    The ultimate encryption program, free, open source, strong, and flexible: TrueCrypt.

  • S01E42 NAT Traversal

    • June 1, 2006
    • TWiT

    Steve explains the clever technique that Skype and other programs use to end around NAT routers.

  • S01E43 Open Ports

    • June 8, 2006
    • TWiT

    Ever wonder what a port is? Steve explains what they are and what terms like "stealth ports" and "port sniffing" mean. Leo reads a little poetry.

  • S01E44 Listener Feedback Q&A #8

    • June 15, 2006
    • TWiT

    On this episode, one dozen questions and answers.

  • S01E45 The 'Hosts' File

    • June 22, 2006
    • TWiT

    This week Steve explains the mysterious HOSTS file - part of Windows, OS X, Linux, and many other operating systems. He talks about how malicious programs may misuse it, and how you can use it to protect yourself.

  • S01E46 Router Logs

    • June 29, 2006
    • TWiT

    This week Steve tells us what to do with the router logs. What can (and can't) a router tell you about your security situation?

  • S01E47 Internet Weaponry

    • July 6, 2006
    • TWiT

    This week Steve tells us about distributed denial of service attacks and how hackers use IRC botnets to create them.

  • S01E48 Listener Feedback Q&A #9

    • July 13, 2006
    • TWiT

    How big can a HOSTS file get? Does a firewall slow you down? A plan to fight phishers. All on this week's edition of Security Now! with Steve Gibson.

  • S01E49 The NETSTAT Command

    • July 20, 2006
    • TWiT

    How can you tell what your computer is doing on the net? Netstat. This handy program comes with almost all operating systems. On Windows, click Start, then select Command Prompt from the Programs->Accessories menu. To run Netstat, type netstat at the command prompt. For more readable output type netstat -ab.

  • S01E50 Virtual Machine History & Technology

    • July 27, 2006
    • TWiT

    Virtualization, its history and uses in security.

  • S01E51 Vista's Virgin Stack

    • August 3, 2006
    • TWiT

    Will Windows Vista be secure? According to a new study from Symantec, the decision to re-write the networking stack from the ground up means it will be much less secure than XP.

  • S01E52 A Busy Week for Security Troubles

    • August 10, 2006
    • TWiT

    Steve normally answers questions on shows divisible by four, but not this week. There's just too much security news, including JavaScript exploits, eBay gaming, and the sale of Hamachi.

  • S01E53 VMware

    • August 17, 2006
    • TWiT

    More on virtualization technology, with a special focus on VMware's Virtual Appliances.

  • S01E54 Blue Pill

    • August 24, 2006
    • TWiT

    The Blue Pill demonstrates a serious security concern with the Hypervisor mode in Windows Vista. Steve discusses the threat and arguments against it.

  • S01E55 Application Sandboxes

    • August 31, 2006
    • TWiT

    Sandboxing your browser to keep your system secure.

  • S01E56 Listener Feedback Q&A #10

    • September 7, 2006
    • TWiT

    Our regular session of questions and answers deals with Vista security, remote access, the HOSTS files, and Zone Alarm.

  • S01E57 Virtual PC versus VMware

    • September 14, 2006
    • TWiT

    Steve wraps up his rundown of Virtualization programs with a look at Microsoft's free Virtual PC.

  • S01E58 Two New Critical Windows Problems

    • September 21, 2006
    • TWiT

    Guest: Eric Sites, VP R&D Sunbelt Software

    Two serious Windows flaws have surfaced today. One, a zero-day exploit, makes it possible for any web site (or HTML email) to take over a Windows machine, even if it's been fully patched. The other is a file corruption error on Windows 2000 NTFS systems introduced by a Microsoft patch.

  • S01E59 Comparing

    • September 28, 2006
    • TWiT

    We conclude our coverage of virtual machine software with a review of Parallels - the fastest of the VM programs.

  • S01E60 Listener Feedback Q&A #11

    • October 5, 2006
    • TWiT

  • S01E61 ISP Privacy and Security

    • October 12, 2006
    • TWiT

    First a review of three more zero-day exploits in Windows XP, then a look at what your ISP knows about you and how to protect your privacy.

  • S01E62 Internet Proxies

    • October 19, 2006
    • TWiT

    How proxy servers work to both speed up access and protect users.

  • S01E63 MojoPac

    • October 26, 2006
    • TWiT

    MojoPac software lets you put your entire Windows configuration on a thumbdrive or portable disk and take it with you anywhere. It works surprisingly well, but there are some caveats. Steve reviews.

  • S01E64 Listener Feedback Q&A #12

    • November 2, 2006
    • TWiT

  • S01E65 Why Is Security So Difficult?

    • November 9, 2006
    • TWiT

    What makes it so hard to secure Windows? Steve says ultimate security is ultimately impossible.

  • S01E66 Windows Vista Security

    • November 16, 2006
    • TWiT

    Why the 64-bit version of Windows is both more secure and less compatible. Steve explains why.

  • S01E67 Kernel Patch Protection

    • November 23, 2006
    • TWiT

    Microsoft is touting PatchGuard, a new security feature in 64-bit versions of XP and Vista. Steve explains how easy it is to hack, and what it's really for if it's not for deterring hackers.

  • S01E68 Listener Feedback Q&A #13

    • November 30, 2006
    • TWiT

    Our monthly question and answer session goes long - but there's lots of good information.

  • S01E69 The Social Implications of Internet Anonymity

    • December 7, 2006
    • TWiT

    Is there such a thing as anonymity on the Internet? How important is it?

  • S01E70 Achieving Internet Anonymity

    • December 14, 2006
    • TWiT

    Two interesting implementations of Internet anonymization: The Freenet Project for anonymously storing and transmitting files, and Tor, "the onion router" which can anonymize all your Internet accesses.

  • S01E71 SecurAble

    • December 21, 2006
    • TWiT

    Steve's latest free security application is called SecurAble. It's not quite ready yet, but Steve gives us a preview in this episode.

  • S01E72 Listener Feedback Q&A #14

    • December 28, 2006
    • TWiT

    Our monthly question and answer segment covers TOR details, overheating hard drives, and what happens to your data when you die...

  • S01E73 Digital Rights Management (DRM)

    • January 4, 2007
    • TWiT

    Steve and Leo survey the history and evolution of media property rights and the technologies used to enforce them as they prepare for next week's show: a look at AACS, the most pervasive and invasive system for digital rights management ever created.

  • S01E74 Peter Gutmann on Vista DRM

    • January 12, 2007
    • TWiT

    Steve and Leo interview Peter Gutmann about his paper A Cost Analysis of Windows Vista Content Protection.

  • S01E75 Vista DRM Wrap-Up & Announcing “SecurAble”

    • January 12, 2007
    • TWiT

    We wrap up our discussion of the premium content protection features in Vista and announce Steve's newest free security utility: SecurAble.

  • S01E76 Listener Feedback Q&A #15

    • January 25, 2007
    • TWiT

    Our monthly question and answer segment covers DEP on the Mac, HD-DVD decryption, and email privacy...

  • S01E77 Microsoft on Vista DRM

    • January 31, 2007
    • TWiT

    Steve and Leo discuss Dave Marsh's response on behalf of Microsoft to Peter Gutmann's paper about Windows Vista Content Protection.

  • S01E78 DEP in Depth

    • February 7, 2007
    • TWiT

    Hardware Data Execution Protection is one of the best ways to protect your PC from hackers. Steve discusses how it works, how to turn it on, and the possible pitfalls of using it.

  • S01E79 Backtracking Spoofed Spam eMail

    • February 15, 2007
    • TWiT

    How do spambots work, why do spammers need them, and the best way to block them and prevent spam.

  • S01E80 Listener Feedback Q&A #16

    • February 22, 2007
    • TWiT

    Our monthly question and answer segment covers spam spoofing, VPN mysteries, and online backup security...

  • S01E81 Hard Drive Unreliability

    • March 1, 2007
    • TWiT

    Google's massive study of hard drive reliability yields some surprising results. Read more at http://www.grc.com/sn/notes-081.htm

  • S01E82 Cyber Warfare

    • March 8, 2007
    • TWiT

    Steve comments on the Federal Computer Week article Cyber officials: Chinese hackers attack 'anything and everything'.

  • S01E83 UAC in Depth

    • March 15, 2007
    • TWiT

    A closer look at Vista's User Access Control.

  • S01E84 Listener Feedback Q&A #17

    • March 22, 2007
    • TWiT

  • S01E85 Intro to Web Code Injection

    • March 29, 2007
    • TWiT

    Jikto is a JavaScript tool that can take over your computer and use it to find sites with vulnerabilities. We describe it and the cross-site scripting flaws it looks for.

  • S01E86 Cross-Site Scripting

    • April 5, 2007
    • TWiT

    Updates on the Animated Cursor Vulnerability, a recommendation for security software from eEye, and how the Sony Reader works, plus an in-depth discussion of scripting vulnerabilities.

  • S01E87 SQL Injection Exploits

    • April 12, 2007
    • TWiT

    Another common attack vector in web software is the SQL injection. Steve explains what it is and how it happens.

  • S01E88 Listener Feedback Q&A #18

    • April 19, 2007
    • TWiT

  • S01E89 Even More Badly Broken WEP

    • April 26, 2007
    • TWiT

    WEP gets even more insecure with a new cracking technique that's 1000 times faster.

  • S01E90 Multifactor Authentication

    • May 3, 2007
    • TWiT

    Steve explains the theory and practice of multifactor authentication which uses combinations of "something you know," "something you have," and "something you are" to provide stronger remote authentication than traditional, unreliable single-factor username and password authentication.

  • S01E91 Marc Maiffret

    • May 10, 2007
    • TWiT

    Guest: Marc Maiffret of eEye Digital Security

    Marc talks about Windows and Mac security, the coming threat from web applications, and eEye's free, all-in-one protection program, Blink Personal Edition.

  • S01E92 Listener Feedback Q&A #19

    • May 17, 2007
    • TWiT

  • S01E93 Microsoft Patent Wars

    • May 24, 2007
    • TWiT

    Steve looks at software patents and the Microsoft challenge to open source software from the point of view of a developer, patent holder, and expert witness in patent cases.

  • S01E94 The Fourth Factor

    • May 31, 2007
    • TWiT

    We've already talked about the three factors of authentication: something you know (e.g. a password), something you have (a passcard), and something you are (a fingerprint). Now Steve talks about the fourth factor of authentication: someone you know, or who knows you.

  • S01E95 OpenID

    • June 7, 2007
    • TWiT

    OpenID, how it works and what it means to you (not having to remember so many passwords, for starters).

  • S01E96 Listener Feedback Q&A #20

    • June 15, 2007
    • TWiT

    Steve answers listener mail on subjects like authentication and more...

  • S01E97 Operation: Bot Roast

    • June 22, 2007
    • TWiT

    The FBI says it has uncovered one million computers that are being used by hackers without their owners' knowledge. Today Steve talks about BotNets and the FBI's Operation Bot Roast.

  • S01E98 Internet Identity Metasystems

    • June 28, 2007
    • TWiT

    Steve continues our discussion of authentication with a look at Internet identity metasystems.

  • S01E99 Trusted Platform Module (TPM)

    • July 5, 2007
    • TWiT

    The Trusted Platform Module - a hardware solution to security now shipping on many computers.

  • S01E100 Listener Feedback Q&A #21

    • July 12, 2007
    • TWiT

    Your questions, Steve's answers as we complete 100 consecutive weeks of shows!

  • S01E101 Are You Human?

    • July 19, 2007
    • TWiT

    Steve looks at Captcha and Re-Captcha - the pros and cons of trying to distinguish humans from robots, with a side look at Alan Turing and Jeff Hawkins's On Intelligence.

  • S01E102 Listener Mailbag #1

    • July 26, 2007
    • TWiT

    Our first mailbag episode with 20 questions and comments from our listeners.

  • S01E103 PayPal Security Key

    • August 2, 2007
    • TWiT

    A closer look at the PayPal Security Key with Michael Vergara, Director of Account Protections at PayPal.

  • S01E104 Listener Feedback Q&A #22

    • August 9, 2007
    • TWiT

    For 16Kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written - SpinRite 6.

  • S01E105 Firewall LeakTesting

    • August 16, 2007
    • TWiT

    Steve, the creator of the original leak test program, talks about leak testing and how hackers work to get around them.

  • S01E106 Listener Mailbag #2

    • August 23, 2007
    • TWiT

    Our second mailbag episode with a dozen questions and comments from our listeners.

  • S01E107 PIP & Even More Perfect Passwords

    • August 30, 2007
    • TWiT

    Steve looks at VeriSign's Personal Identity Provider, an OpenID service that works with the PayPal token, and talks about updates to his Perfect Password page.

  • S01E108 Listener Feedback #23

    • September 6, 2007
    • TWiT

  • S01E109 GRC's eCommerce System

    • September 13, 2007
    • TWiT

    Steve talks about developing his in-house e-commerce system, and how he solved some issues other e-commerce systems handle poorly. We also talk about the pleasures of assembly language programming.

  • S01E110 Listener Feedback #24

    • September 20, 2007
    • TWiT

    Our regular mailbag episode with a dozen questions and comments from our listeners, plus an extra one for fun.

  • S01E111 OpenID Precautions

    • September 27, 2007
    • TWiT

    Steve responds to criticisms of the OpenID system and offers some issues to consider when you use it.

  • S01E112 Listener Feedback #25

    • October 4, 2007
    • TWiT

  • S01E113 Roaming Authentication

    • October 11, 2007
    • TWiT

    How do you solve the problem of secure access to data on the road? Steve shows how he tackled roaming authentication at grc.com and proposes a general solution for everyone.

  • S01E114 Listener Feedback #26

    • October 18, 2007
    • TWiT

    Our regular mailbag episode with a dozen questions and comments from our listeners including our Great Idea of the Week...

  • S01E115 Perfect Paper Passwords

    • October 25, 2007
    • TWiT

    Following up on Episode 113, Roaming Authentication, Steve proposes a great way to strengthen remote access using Perfect Paper Passwords.

  • S01E116 Listener Feedback #27

    • November 1, 2007
    • TWiT

  • S01E117 Even More Perfect Paper Passwords

    • November 8, 2007
    • TWiT

    Perfect Paper Passwords version two!

  • S01E118 Listener Feedback #28

    • November 15, 2007
    • TWiT

  • S01E119 PayPal and DoubleClick

    • November 22, 2007
    • TWiT

    Why does PayPal secretly send you through DoubleClick to get to some of its web pages? Steve explains how third-party cookies can violate your privacy and what to do about it.

  • S01E120 Listener Feedback #29

    • November 29, 2007
    • TWiT

  • S01E121 Is Privacy Dead?

    • December 6, 2007
    • TWiT

    Is it possible to preserve your privacy in the digital age? It's certainly worth trying.

  • S01E122 Listener Feedback #30

    • December 13, 2007
    • TWiT

    Our regular mailbag episode with a dozen questions and comments from our listeners...

  • S01E123 Jungle Disk

    • December 20, 2007
    • TWiT

    Steve interviews Dave Wright of JungleDisk, a data storage optimization product for Amazon's S3...

  • S01E124 Listener Feedback #31

    • December 27, 2007
    • TWiT

  • S01E125 Symmetric Ciphers

    • January 3, 2008
    • TWiT

    Steve further elaborates on symmetric ciphers, the workhorses of encryption.

  • S01E126 Listener Feedback #32

    • January 10, 2008
    • TWiT

    Steve discusses Treewalkdns.com, OpenDNS, Rijndael encryption Flash animation, Ironkey, and Opera mini security FAQ.

  • S01E127 Corporate Security

    • January 17, 2008
    • TWiT

    Steve talks about the challenges of corporate IT security policy and enforcement and the inherent tension between IT security staff and employees.

  • S01E128 Listener Feedback #33

    • January 24, 2008
    • TWiT

    Steve talks about the remote code execution exploit of the Microsoft Windows TCP/IP vulnerability and answers your questions.

  • S01E129 Windows SteadyState

    • January 31, 2008
    • TWiT

    Steve discusses how network administrators can protect their systems using Windows SteadyState.

  • S01E130 Listener Feedback #34

    • February 7, 2008
    • TWiT

  • S01E131 FREE CompuSec

    • February 14, 2008
    • TWiT

    Microsoft's Super Patch Tuesday, Macintosh updates, Adobe Acrobat exploit, Firefox patch, Vista SP-1, and more.

  • S01E132 Listener Feedback #35

    • February 21, 2008
    • TWiT

  • S01E133 TrueCrypt v5.0

    • February 28, 2008
    • TWiT

    Steve explores whole-drive encryption and details the release of TrueCrypt 5.0.

  • S01E134 Listener Feedback #36

    • March 6, 2008
    • TWiT

  • S01E135 IronKey

    • March 13, 2008
    • TWiT

    Guest: Dave Jevans, CEO of IronKey. Steve interviews Dave Jevans of IronKey.

  • S01E136 Listener Feedback #37

    • March 20, 2008
    • TWiT

  • S01E137 RAM Hijacks

    • March 27, 2008
    • TWiT

    Steve breaks down the concept of dynamic RAM hijacking raised by the recent Princeton study.

  • S01E138 Listener Feedback #38

    • April 3, 2008
    • TWiT

  • S01E139 Network Congestion

    • April 10, 2008
    • TWiT

    The logistics of network congestion, network neutrality and prioritized packets.

  • S01E140 Listener Feedback #39

    • April 17, 2008
    • TWiT

  • S01E141 RSA Conference 2008

    • April 24, 2008
    • TWiT

    ClamAV security flaw, ICQ vulnerability, Opera and more.

  • S01E142 Listener Feedback #40

    • May 1, 2008
    • TWiT

  • S01E143 YubiKey

    • May 8, 2008
    • TWiT

    Leo and I delve into the detailed operation of the YubiKey, the coolest new secure authentication device I discovered at the recent RSA Security Conference. Our special guest during the episode is Stina Ehrensvärd, CEO and Founder of Yubico, who describes the history and genesis of the YubiKey, and Yubico's plans for this cool new technology.

  • S01E144 Listener Feedback #41

    • May 15, 2008
    • TWiT

  • S01E145 Secunia's PSI

    • May 22, 2008
    • TWiT

    The free vulnerability scanner and update management tool Secunia PSI.

  • S01E146 Listener Feedback #42

    • May 29, 2008
    • TWiT

  • S01E147 Microsoft's Baseline Security Analyzer

    • June 5, 2008
    • TWiT

    Two useful but lesser-known Microsoft security utilities.

  • S01E148 Listener Feedback #43

    • June 12, 2008
    • TWiT

  • S01E149 ISP Betrayal

    • June 19, 2008
    • TWiT

    An overview of next-generation behavioral tracking and profiling systems.

  • S01E150 Listener Feedback #44

    • June 26, 2008
    • TWiT

  • S01E151 Phracking Phorm

    • July 3, 2008
    • TWiT

    How third parties are gaining footholds in ISP facilities in order to access your data.

  • S01E152 Listener Feedback #45

    • July 10, 2008
    • TWiT

  • S01E153 DePhormed Politics

    • July 17, 2008
    • TWiT

    More on the privacy threat from the Phorm system.

  • S01E154 Listener Feedback #46

    • July 24, 2008
    • TWiT

  • S01E155 Bailiwicked Domain Attack

    • July 31, 2008
    • TWiT

    The nuts and bolts of DNS and the DNS cache poisoning attacks.

  • S01E156 Listener Feedback #47

    • August 7, 2008
    • TWiT

  • S01E157 DNS — After the Patch

    • August 14, 2008
    • TWiT

    A follow-up on the serious, and somewhat still present, DNS protocol spoofability flaw.

  • S01E158 Listener Feedback #48

    • August 21, 2008
    • TWiT

  • S01E159 Vista Security Bypass

    • August 28, 2008
    • TWiT

    Black Hat Conference revelations, where Vista's security improvements fall short, and more.

  • S01E160 Listener Feedback #49

    • September 4, 2008
    • TWiT

  • S01E161 Google's Chrome

    • September 11, 2008
    • TWiT

    Steve drills down to determine the security levels offered by Google Chrome.

  • S01E162 Listener Feedback #50

    • September 18, 2008
    • TWiT

  • S01E163 GoogleUpdate & DNS Security

    • September 25, 2008
    • TWiT

    The benefits, challenges, and nuances of secure DNS.

  • S01E164 SockStress

    • October 2, 2008
    • TWiT

    Steve explains yet another security flaw in the TCP stack.

  • S01E165 Listener Feedback #51

    • October 9, 2008
    • TWiT

    Airport security checks and balances, white knuckle Disney adventures, and the limits of spyware infestations?

  • S01E166 Cross-Site Request Forgery

    • October 16, 2008
    • TWiT

    Steve tells you why you must always explicitly log out from banking and other important sites.

  • S01E167 Listener Feedback #52

    • October 23, 2008
    • TWiT

  • S01E168 ClickJacking

    • October 30, 2008
    • TWiT

    Steve discusses clickjacking, aka UI redressing, which tricks users into unintended web-based actions.

  • S01E169 Listener Feedback #53

    • November 6, 2008
    • TWiT

  • S01E170 The TKIP Hack

    • November 13, 2008
    • TWiT

    Why you shouldn't worry about the TKIP crack.

  • S01E171 Listener Feedback #54

    • November 20, 2008
    • TWiT

  • S01E172 Sandboxie

    • November 27, 2008
    • TWiT

    Steve and Leo return to take a much closer look at "Sandboxie", an extremely useful, powerful, and highly recommended Windows security tool they first mentioned two years ago. This time, after interviewing Sandboxie's creator, Ronen Tzur, Steve explains why he is totally hooked and why Leo is wishing it was available for his Macs.

  • S01E173 Listener Feedback #55

    • December 4, 2008
    • TWiT

  • S01E174 Sandbox Limitations

    • December 11, 2008
    • TWiT

    The limitations of sandboxing in preventing the negative impacts of malware.

  • S01E175 Listener Feedback #56

    • December 18, 2008
    • TWiT

  • S01E176 Drop My Rights

    • December 25, 2008
    • TWiT

    How to use Microsoft's little-known DropMyRights utility for safer browsing.

  • S01E177 Breaking SSL, PDP-8's & UltraCapacitors

    • January 1, 2009
    • TWiT

    Breaking SSL, PDP-8s, and Ultracapacitors. Full show notes are available at grc.com.

  • S01E178 Listener Feedback #57

    • January 8, 2009
    • TWiT

  • S01E179 Cracking Security Certificates

    • January 15, 2009
    • TWiT

    How security certificates are created and signed, what they do for us, and the MD5 hash.

  • S01E180 Listener Feedback #58

    • January 22, 2009
    • TWiT

  • S01E181 Crypto Rehash

    • January 29, 2009
    • TWiT

    Steve gives an overview of the major concepts and components of encryption.

  • S01E182 Listener Feedback #59

    • February 5, 2009
    • TWiT

  • S01E183 Modes of Encryption

    • February 12, 2009
    • TWiT

    Windows Update, IE7 Problems, ActiveX and Windows 7 issues, SQL attacks, and more.

  • S01E184 Listener Feedback #60

    • February 19, 2009
    • TWiT

  • S01E185 Cryptographic HMACs

    • February 26, 2009
    • TWiT

    MSFT Autorun updates, FreeBSD telnetd, IE7 critical exploit, Acrobat Reader, and more.

  • S01E186 Listener Feedback #61

    • March 5, 2009
    • TWiT

  • S01E187 Windows Autorun-around

    • March 12, 2009
    • TWiT

    Past and recent problems with Windows Autorun.

  • S01E188 Listener Feedback #62

    • March 19, 2009
    • TWiT

  • S01E189 Internet Explorer 8

    • March 26, 2009
    • TWiT

    Internet Explorer 8 speed benchmarks, cookies, Compatibility Mode, Smart Screen filter, DEP, and more.

  • S01E190 Listener Feedback #63

    • April 2, 2009
    • TWiT

  • S01E191 GhostNet

    • April 9, 2009
    • TWiT

    A look into GhostNet, the alleged Chinese cyber-spying network.

  • S01E192 Listener Feedback #64

    • April 16, 2009
    • TWiT

    This mailbag episode discusses new Firefox plugins, Conficker, buffer overflow, and more.

  • S01E193 Conficker

    • April 23, 2009
    • TWiT

    Steve analyzes Conficker, the sophisticated worm that has spread to more than 10 million PCs worldwide.

  • S01E194 Listener Feedback #65

    • April 30, 2009
    • TWiT

    This mailbag episode covers Conficker, Windows process control, NeXT, Ironkey, and more.

  • S01E195 The SSL/TLS Protocol

    • May 7, 2009
    • TWiT

    Steve describes the Internet's most-used security protocol, SSL, now evolved into TLS.

  • S01E196 Listener Feedback #66

    • May 14, 2009
    • TWiT

    This mailbag episode includes SSL/TLS, worms-resistant NATs, PDF JavaScript, nuclear power stations running Windows, and more.

  • S01E197 Windows 7 Security

    • May 21, 2009
    • TWiT

    Security changes, additions and enhancements to Microsoft Windows 7.

  • S01E198 Listener Feedback #67

    • May 28, 2009
    • TWiT

    This mailbag episode includes FASM, scripts, sockets, SSL/TLS, HTTPS, Windows 7's XP mode, and more.

  • S01E199 The Geek Atlas, IPv6 & a non-VPN

    • June 4, 2009
    • TWiT

    A good book, the IPv6 protocol, and Steve's secure TCP idea that doesn't use a VPN tunnel.

  • S01E200 Listener Feedback #68

    • June 11, 2009
    • TWiT

    In this mailbag episode we discuss IPv6, Non-VPNs, Microsoft ClickOnce, expired SSL certificates, and more.

  • S01E201 SecureZIP

    • June 18, 2009
    • TWiT

    The operation, features, and security of PKWARE's free SecureZIP file archiving and encrypting utility.

  • S01E202 Listener Feedback #69

    • June 25, 2009
    • TWiT

    In this mailbag episode we discuss SecureZip, WPA/WPA2, home-grown VPNs, foreign ATMs, and more.

  • S01E203 Boyer & Moore

    • July 2, 2009
    • TWiT

    Steve tells of the Bob Boyer and J Strother Moore algorithm for finding a substring in a buffer.

  • S01E204 Listener Feedback #70

    • July 9, 2009
    • TWiT

  • S01E205 Lempel & Ziv

    • July 16, 2009
    • TWiT

    An examination of Lempel-Ziv data compression, one of the most prevalent computer algorithms of all time.

  • S01E206 Mega Security News Update

    • July 23, 2009
    • TWiT

    Security updates in Windows Office, IAS, Virtual PC, Virtual Server, msvid control, and more.

  • S01E207 Listener Feedback #71

    • July 30, 2009
    • TWiT

    Steve answers questions on AES-256, iPhone security, TrueCrypt, Firefox privacy, and more.

  • S01E208 Listener Feedback #72

    • August 6, 2009
    • TWiT

    Steve answers questions on SSL encryption, 3G security, Trojans, VPNs as infection vectors, and more.

  • S01E209 Vitamin D

    • August 13, 2009
    • TWiT

    A rare off-topic discussion about Steve's research into vitamin D.

  • S01E210 Listener Feedback #73

    • August 20, 2009
    • TWiT

    Security news and listeners' questions...

  • S01E211 Voting Machine Hacking

    • August 27, 2009
    • TWiT

    Steve covers the security implications of electronic voting machines.

  • S01E212 Listener Feedback #74

    • September 3, 2009
    • TWiT

    Steve answers questions on iPIG VPN, Flash cookies, firewalls, parents' passwords, and more.

  • S01E213 Cracking GSM Cellphones

    • September 10, 2009
    • TWiT

    The inherent insecurities of GSM, the pseudo-random bitstream cipher protecting data on billions of phones.

  • S01E214 Listener Feedback #75

    • September 17, 2009
    • TWiT

    Steve addresses feedback on GSM security, cookies, router admin passwords, proxy servers, and more.

  • S01E215 Security Maxims

    • September 24, 2009
    • TWiT

    Steve and Leo talk about various security maxims, what they mean, why you should follow them, and more.

  • S01E216 Listener Feedback #76

    • October 1, 2009
    • TWiT

    Leo and Steve talk about Microsoft Security Essentials, your questions, and more.

  • S01E217 The Fundamentally Broken Browser Model

    • October 8, 2009
    • TWiT

    How SSLs can be spoofed in man-in-the-middle attacks.

  • S01E218 Listener Feedback #77

    • October 15, 2009
    • TWiT

  • S01E219 Badly Broken Browsing

    • October 22, 2009
    • TWiT

    Why patches are impossible, the Total (In)security virus, and why writing software shouldn't be too easy.

  • S01E220 Listener Feedback #78

    • October 29, 2009
    • TWiT

  • S01E221 The Oxymoron of “JavaScript Security”

    • November 5, 2009
    • TWiT

    The problem with JavaScript and security. Guest John Graham-Cumming says it's the "elephant in your browser."

  • S01E222 Listener Feedback #79

    • November 12, 2009
    • TWiT

    We've got the latest security news, including an SSL hack, plus eight great questions from you and Steve's answers...

  • S01E223 A security vulnerability in SSL

    • November 19, 2009
    • TWiT

    Steve explains how a serious exploit in SSL works.

  • S01E224 Listener Feedback #80

    • November 26, 2009
    • TWiT

    Security news, including the NSA's contributions to Windows 7, iPhone bot nets, plus Steve answers your questions.

  • S01E225 “Same Origin” Troubles

    • December 3, 2009
    • TWiT

    Apple fixes security flaws, Ford SYNC SDK, black screen of death, same origin troubles, and more.

  • S01E226 Listener Feedback #130

    • December 10, 2009
    • TWiT

    Digital voting goes open source, patch Tuesday news, and Steve answers your questions.

  • S01E227 Cyberwarfare

    • December 17, 2009
    • TWiT

    Steve covers what may be the future of conflict, Cyberwarfare.

  • S01E228 Listener Feedback #82

    • December 24, 2009
    • TWiT

    Steve responds to questions covering Skype spam, SSL cracking, unencrypted UAV video feeds, free SSL certificates, and more.

  • S01E229 The Rational Rejection of Security Advice

    • December 31, 2009
    • TWiT

    A hard look at the costs and benefits of following all security advice.

  • S01E230 Listener Feedback #83

    • January 7, 2010
    • TWiT

    This week's questions cover packet flow, hijacking DNS queries, router DNS, Patch Tuesday, and more.

  • S01E231 Mega Security Update & CES Observations

    • January 14, 2010
    • TWiT

    Steve catches up with a mega security update, then gives us some of his favorite (wacky) products from CES.

  • S01E232 Listener Feedback #84

    • January 21, 2010
    • TWiT

    Steve answers listener questions about live Linux CDs, TrueCrypt RAM encryption, resetting Thomson modem passwords, and more.

  • S01E233 Let's Design a Computer (part 1)

    • January 28, 2010
    • TWiT

    Steve explains how computers work by designing one from first principles.

  • S01E234 Listener Feedback #85

    • February 4, 2010
    • TWiT

    Internet Explorer as a file system, using Live CDs for security, and Steve takes on the iPad...

  • S01E235 Machine Language

    • February 11, 2010
    • TWiT

    For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

  • S01E236 Listener Feedback #86

    • February 18, 2010
    • TWiT

    More flash vulnerabilities, security updates, fake security software, Steve answers your questions, and more.

  • S01E237 Indirection: The Power of Pointers

    • February 25, 2010
    • TWiT

    An introduction to the use of "indirection" in computer science, security news, and more.

  • S01E238 Listener Feedback #87

    • March 4, 2010
    • TWiT

    Steve answers your questions about webcam privacy, unencrypted data in ram, and more.

  • S01E239 Stacks, Registers & Recursion

    • March 11, 2010
    • TWiT

    How stacks, registers and recursion are interrelated, the latest security news, and more.

  • S01E240 Listener Feedback #88

    • March 18, 2010
    • TWiT

    Patch Tuesday, Opera vulnerabilities, the RSA conference, RealDVD, and more.

  • S01E241 Hardware Interrupts

    • March 25, 2010
    • TWiT

    Steve continues his talk on the foundational technologies of computing. This week: how computers do more than one thing at a time using interrupts.

  • S01E242 Listener Feedback #89

    • April 1, 2010
    • TWiT

    Critical updates from Microsoft and Apple, good news for Gmail security, and a warning for nudists...

  • S01E243 State Subversion of SSL

    • April 8, 2010
    • TWiT

    Firefox updates, vulnerabilities in .PDFs, Steve's iPad review, SSL/TLS, and more.

  • S01E244 Listener Feedback #90

    • April 15, 2010
    • TWiT

    Microsoft security updates, the FCC's jurisdiction on bandwidth shaping, Java flaws, iPhone OS security, the state of SSL security, and more.

  • S01E245 The Security of Open vs Closed

    • April 22, 2010
    • TWiT

    Steve and Leo seriously examine the proven comparative security of open versus closed source and development software, and open versus closed execution platforms.

  • S01E246 Listener Feedback #91

    • April 29, 2010
    • TWiT

    Stolen Google source code, GSM hacked, photocopy machine hard drive security, your questions, and more.

  • S01E247 The “Multi”-verse

    • May 6, 2010
    • TWiT

    Opera vulnerabilities, Adobe PDF insecurities, malware from the US Treasury, Steve joins Twitter, and more.

  • S01E248 The Portable Dog Killer

    • May 13, 2010
    • TWiT

    Patch Tuesday, laptop camera surveillance, Yahoo! messenger worm, and more.

  • S01E249 Listener Feedback #92

    • May 20, 2010
    • TWiT

    Shockwave issues, Mozilla's plug-in check, weaponized email, hacking cars, your questions, and more.

  • S01E250 Operating Systems

    • May 27, 2010
    • TWiT

    Manually updating IrfanView and Free Download Manager, Google wifi litigation, how operating systems work, and more.

  • S01E251 Listener Feedback #93

    • June 3, 2010
    • TWiT

    Tabnabbing, Adobe security rumors, iPad data plan changes, your questions, and more.

  • S01E252 RISCy Business

    • June 10, 2010
    • TWiT

    Adobe zero-day, overwrought iPad security news, the evolution of computing architectures, and more.

  • S01E253 Listener Feedback #94

    • June 17, 2010
    • TWiT

    Mac update, AT&T hijinks, another zero-day vulnerability from Microsoft, Adobe delays pdf fix, your questions, and more.

  • S01E254 What We'll Do for Speed

    • June 24, 2010
    • TWiT

    The 25 year legacy of unbelievably complex technologies used in microprocessors to maximize performance.

  • S01E255 Listener Feedback #95

    • July 1, 2010
    • TWiT

    Out of cycle Acrobat and Reader updates, Firefox improvements, flawed SSL study, internet kill switch, your questions, and more.

  • S01E256 LastPass

    • July 8, 2010
    • TWiT

    Steve thoroughly evaluates LastPass, explains why high-security passwords are necessary, and tells us how LastPass makes storing those passwords secure.

  • S01E257 Listener Feedback #96

    • July 15, 2010
    • TWiT

    Chrome update, ClearCloud DNS, Microsoft and Russian camaraderie, LastPass, your questions, and more.

  • S01E258 Five Years of Vulnerabilities

    • July 22, 2010
    • TWiT

    Windows shell worm in the wild, Security Essentials 2.0 beta, Secunia's 5-year analysis, and more.

  • S01E259 Listener Feedback #97

    • July 29, 2010
    • TWiT

    Firefox mega security update, WPA2 broken?, .LNK viruses in the wild, infected Dell motherboards, your questions and more.

  • S01E260 DNS Rebinding

    • August 5, 2010
    • TWiT

    Windows .LNK vulnerability fixed, Google's WiFi "overcollection" in the UK, news from Blackhat, DNS rebinding, and more.

  • S01E261 Listener Feedback #98

    • August 12, 2010
    • TWiT

    PayPal discontinues their virtual credit card service, RIM placing servers in Saudi Arabia, Firefox v4 updates silently, your questions and more.

  • S01E262 Strict Transport Security

    • August 19, 2010
    • TWiT

    Apple fixes the jailbreak hole, trojans on Android, Strict Transport Security (STS), and more.

  • S01E263 Listener Feedback #99

    • August 26, 2010
    • TWiT

    Out-Of-Cycle update from Adobe, Apple security update, binary planting, Spanair 2008 crash, your questions, and more.

  • S01E264 Side-Channel Privacy Leakage

    • September 2, 2010
    • TWiT

    Consequences of the web not being designed for privacy, including non-consensual user tracking.

  • S01E265 Listener Feedback #100

    • September 9, 2010
    • TWiT

    Fix-It for .dll hijack, danger from applications changing the working directory, first successful 64-bit Windows root kit, your questions, and more.

  • S01E266 Inside OAuth

    • September 16, 2010
    • TWiT

    Microsoft's 2nd Tuesday update, new 0-day vulnerabilities in Adobe, Firefox fixes, "Stuxnet" worm, delegated access through OAuth, and more.

  • S01E267 Listener Feedback #101

    • September 23, 2010
    • TWiT

    Flash update, Microsoft ASP .NET problem, HDCP master key leak, Twitter "OnMouseover" XSS flaw, your questions, and more.

  • S01E268 CryptoSystem Backdoors

    • September 30, 2010
    • TWiT

    New 0-day for Windows, HDCP decryption software, Stuxnet & Iran, COICA, cryptography systems and backdoors for law enforcement, and more.

  • S01E269 Listener Feedback #102

    • October 7, 2010
    • TWiT

    Adobe Acrobat patched, RIM and India going 'round & 'round, Comcast VS. Bot, and more.

  • S01E270 The Evercookie

    • October 14, 2010
    • TWiT

    Microsoft breaks Patch Tuesday update record, Facebook adds OTPs and remote signout, What is The Evercookie?, and more.

  • S01E271 Listener Feedback #103

    • October 21, 2010
    • TWiT

    Microsoft reports on Java exploits, new Adobe Reader will sandbox, feedback from MSRT, your questions, and more.

  • S01E272 Firesheep

    • October 28, 2010
    • TWiT

    Mozilla and Real Player updates, Firefox 0-day, Wall Street Journal tracking and privacy series, session hijacking for the rest of us, and more.

  • S01E273 Listener Feedback #104 & The FireStorm

    • November 4, 2010
    • TWiT

    Firesheep firestorm, Flash 0-day exploit in the wild, another iPhone lock screen bypass, your questions, and more.

  • S01E274 Benchmarking DNS

    • November 11, 2010
    • TWiT

    Second Tuesday updates, critical Outlook fix, Android risks, Google expands "bug bounty", GRC's DNS Benchmark, and more.

  • S01E275 Listener Feedback #105

    • November 18, 2010
    • TWiT

    Big Apple update, IE6/7 0-day unpatched, infected Chinese cell phones, Stuxnet's probable target, your questions, and more.

  • S01E276 Testing DNS Spoofability

    • November 25, 2010
    • TWiT

    Safari update, HTTPS Everywhere, FBI wants to wiretap the Internet, comprehensive DNS spoofability test, and more.

  • S01E277 Listener Feedback #106

    • December 2, 2010
    • TWiT

    New Windows kernel vulnerability, Wikileaks siprnet, Vitamin D findings, your questions, and more.

  • S01E278 Tag Me (with RFID)

    • December 9, 2010
    • TWiT

    Windows 7 SP1 reaches RC level, Google Chrome v8.0 released, What is SHIELD?, How to keep track of people using RFID tags, and more.

  • S01E279 Listener Feedback #107

    • December 16, 2010
    • TWiT

    Microsoft's December security updates, backdoor in BSD, WikiLeaks DDoS, your questions, and more.

  • S01E280 Bluetooth

    • December 23, 2010
    • TWiT

    OpenBSD discredits backdoor, weak net neutrality, compromised site warnings from Google, Bluetooth in depth, and more.

  • S01E281 The Portable Dog Killer, Encore

    • December 30, 2010
    • TWiT

    An encore presentation of an enlightening story from Steve's past.

  • S01E282 Listener Feedback #108

    • January 6, 2011
    • TWiT

    Microsoft acknowledges IE problem, hacking GSM phones, Stuxnet update, your questions, and more.

  • S01E283 Bluetooth Hacking

    • January 13, 2011
    • TWiT

    Cross Fuzz, warrantless cell phone searches, Obama's "Unified Internet Identity", flavors of bluetooth hacking, and more.

  • S01E284 Listener Feedback #109

    • January 20, 2011
    • TWiT

    Israel and US teamed up on Stuxnet, global IPv6 test coming, your questions, and more.

  • S01E285 Fuzzy Browsers

    • January 27, 2011
    • TWiT

    Google awards first "Elite" security award, Facebook SSL and HTTPS, unprivileged work e-mail, stress testing browsers, and more.

  • S01E286 Listener Feedback #110

    • February 3, 2011
    • TWiT

    Gingerbread data disclosure vulnerability, SourceForge hack, IPv4 depletion, zero-day attacks no more, your questions, and more.

  • S01E287 BitCoin CryptoCurrency

    • February 9, 2011
    • TWiT

    Firefox adds "Do Not Track", Verizon alters web content, McAfee on Mobile Malware, BitCoin, and more.

  • S01E288 Listener Feedback #111

    • February 17, 2011
    • TWiT

    A critical Microsoft vulnerability, The differences between open and closed source software, A number of questions around BitCoin, and more.

  • S01E289 Proxied Surfing

    • March 17, 2011
    • TWiT

    After catching up with the week's security updates and other security-related news, Steve and Leo discuss the many modes of operation of "Proxied Web Surfing" which are used to bypass firewalls and Internet filters, aid free speech, and alter the contents of web pages retrieved from the Internet.

  • S01E290 Listener Feedback #112

    • March 3, 2011
    • TWiT

    Windows 7 service pack 1 is out, Apple's Thunderbolt security, Facebook's HTTPS security turns itself off, and more.

  • S01E291 Stuxnet

    • March 10, 2011
    • TWiT

    The anatomy of Stuxnet, plus Pwn2Own is underway meaning updates from Apple, Google, Microsoft, and more.

  • S01E292 Listener Feedback #113

    • March 17, 2011
    • TWiT

    The consequences of Pwn2Own, Issues around the Japanese earthquake, reverse DNS, and more.

  • S01E293 IE9

    • March 24, 2011
    • TWiT

    Internet Explorer 9, RSA Security compromised, India versus Blackberry, and more.

  • S01E294 Listener Feedback #114

    • March 31, 2011
    • TWiT

    Fraudulent SSL certificates, RSA SecurID breach update, Real Player vulnerability, your questions, and more.

  • S01E295 The Comodo SSL Breach

    • April 7, 2011
    • TWiT

    RSA SecurID Break-in, YubiHSM, Epsilon security breach, DNT gets traction, and more.

  • S01E296 Listener Feedback #115

    • April 14, 2011
    • TWiT

    64 fixes from Microsoft, Another Flash exploit, Wordpress hacked, your questions, and more.

  • S01E297 Pass-Sentences??

    • April 21, 2011
    • TWiT

    iOS location tracking, Pass phrase security, Dropbox authentication, and more.

  • S01E298 Listener Feedback #116

    • April 28, 2011
    • TWiT

    Sony Playstation Network breach, Mobile tracking, Disc Drive steganography, your emails, and more.

  • S01E299 Going Random (1)

    • May 5, 2011
    • TWiT

    Firefox and Chrome updates, Apple tracks differently, Bin Laden's security, relying on randomness, and more.

  • S01E300 Listener Feedback #117

    • May 12, 2011
    • TWiT

    Reasons you should change your Facebook password right now, Zero Day, a new Do Not Track bill, and more.

  • S01E301 Going Random (2)

    • May 19, 2011
    • TWiT

    DIY Malware kit for Mac, Protect IP act, Achieving true randomness, and more.

  • S01E302 Listener Feedback #118

    • May 26, 2011
    • TWiT

    Mac Defender malware, Sony's continuing security woes, Android vulnerability patched by Google, your questions, and more.

  • S01E303 Password Haystacks

    • June 2, 2011
    • TWiT

    Making passwords memorable AND uncrackable, More on Mac Defender, Lockheed Martin breach, and more.

  • S01E304 Listener Feedback #119

    • June 9, 2011
    • TWiT

    RSA SecurID token replacement, Sony breaches continue, your questions, and more.

  • S01E305 Ghostery

    • June 16, 2011
    • TWiT

    Website surveillance monitoring and blocking, IMF breach, commercial bank fraud liability, and more.

  • S01E306 Listener Feedback #120

    • June 23, 2011
    • TWiT

    Malware stealing Bitcoins, Dropbox security, WordPress hacked, your questions, and more.

  • S01E307 The Future of Identity

    • June 30, 2011
    • TWiT

    LulzSec says farewell, cost of Citigroup attack, National Institute of Standards and Technology, and more.

  • S01E308 Listener Feedback #121

    • July 7, 2011
    • TWiT

    Dropbox TOS update, Microsoft's Skype intercept patent, evaluating LulzSec, your questions, and more.

  • S01E309 How the Internet Works, Part 1

    • July 14, 2011
    • TWiT

    Steve explains how the internet works with three basic principles, plus security updates, security news, and more.

  • S01E310 Listener Feedback #122

    • July 21, 2011
    • TWiT

    iOS updates, careers in computer security, randomness in cryptography, your questions, and more.

  • S01E311 Anatomy of a Security Mistake

    • July 28, 2011
    • TWiT

    Apple iOS Certificate, Passware, dissecting the crypt_blowfish bug, and more.

  • S01E312 Listener Feedback #123

    • August 4, 2011
    • TWiT

    We find a way to keep Tor from being censored, KISSmetrics's sneaky cookie and your questions answered by Steve.

  • S01E313 How The Internet Works: ICMP & UDP

    • August 11, 2011
    • TWiT

    Adobe patches galore, a deep look at ICMP and UDP, and more.

  • S01E314 Listener Feedback #124

    • August 18, 2011
    • TWiT

    Tons of Firefox news, Gizmodo off the hook, lots of questions, and more.

  • S01E315 Off The Grid

    • August 25, 2011
    • TWiT

    Caesar Cipher, Playfair Cipher, going off the grid and more.

  • S01E316 Listener Feedback #125

    • September 1, 2011
    • TWiT

    Google's fraudulent SSL Certificate, Pakistan bans encryption software, your questions, and more.

  • S01E317 TCP Part 1 – Getting Connected

    • September 8, 2011
    • TWiT

    DigiNotar mega-update, DNS hack of NetNames, TCP demystified, and more.

  • S01E318 Listener Feedback #126

    • September 15, 2011
    • TWiT

    More on DigiNotar, GlobalSign security breach, your questions, and more.

  • S01E319 Certificate Authority (CA) Trust - Time to Change it?

    • September 22, 2011
    • TWiT

    DigiNotar bankruptcy, SSL weakness discovered, alternatives to the CA Hierarchy Model, and more.

  • S01E320 Listener Feedback #127

    • September 29, 2011
    • TWiT

    Kindle Fire and the Silk browser, MySQL breach, your questions, and more.

  • S01E321 The Beauty of B.E.A.S.T.

    • October 5, 2011
    • TWiT

    HTC not sandboxing Android data, phishing on the rise, Browser Exploit Against SSL/TLS, and more.

  • S01E322 Listener Feedback #128

    • October 12, 2011
    • TWiT

    Fighter drone's malware infection, Germany deliberately installing malware on traveller's computers, your questions and Steve's answers.

  • S01E323 TCP Pt.2 - Attacking TCP

    • October 19, 2011
    • TWiT

    Details on the Silk browser, Google encrypted search, TCP attacks, and more.

  • S01E324 Listener Feedback #129

    • October 26, 2011
    • TWiT

    Two Internets, Stuxnet variant "DuQu", Spanning Tree Protocol, your questions, and more.

  • S01E325 TCP Pt.3 - Necessary Refinements

    • November 2, 2011
    • TWiT

    Certificate authorities compromised, BT to block Newzbin, Mac OSX Bitcoin mining malware, "Bytes in Flight", and more.

  • S01E326 Listener Feedback #81

    • November 9, 2011
    • TWiT

    DuQu worm, remote code execution kernel vulnerability, Adobe abandons Flash for mobile, your questions, and more.

  • S01E327 Internet Privacy Update

    • November 16, 2011
    • TWiT

    Firefox 8, SOPA, Kindle Fire first look, and more.

  • S01E328 Listener Feedback #131

    • November 23, 2011
    • TWiT

    SOPA, SCADA hacked, Kindle Fire extended review, your questions, and more.

  • S01E329 Browser ID

    • November 30, 2011
    • TWiT

    Comparing Mozilla's BrowserID to other security technologies, Android malware, Malvertising, and more.

  • S01E330 Listener Feedback #132

    • December 7, 2011
    • TWiT

    DNSCrypt Beta for Mac, Zeus banking trojan, Carrier IQ, your questions, and more.

  • S01E331 Mega Security News Update

    • December 14, 2011
    • TWiT

    Microsoft, Adobe, and Carrier IQ security news, and more.

  • S01E332 Listener Feedback #133

    • December 21, 2011
    • TWiT

    Background updates of IE, more on Carrier IQ, your questions, and more.

  • S01E333 Science Fiction Holiday Special

    • December 28, 2011
    • TWiT

    Firefox 9, SOPA, Sci-Fi movie and book recommendations, and more.

  • S01E334 Listener Feedback #134

    • January 4, 2012
    • TWiT

    Microsoft's Out-Of-Cycle patch, FISA constitutionality, your questions, and more.

  • S01E335 Wi-Fi Protected (In)Security

    • January 9, 2012
    • TWiT

    Simple Secure Wifi isn't very secure, password recovering charger, WPA cracker, and more.

  • S01E336 Listener Feedback #135

    • January 18, 2012
    • TWiT

    Zappos customer data breach, Slow Motion DDoS, your questions, and more.

  • S01E337 WPS: A Troubled Protocol

    • January 25, 2012
    • TWiT

    Forcing laptop decryption, GPS tracking now requires a warrant, DNS poisoning, and more.

  • S01E338 Listener Feedback #136

    • February 1, 2012
    • TWiT

    Google's privacy policy changes, Region's lost 401k data, pcAnywhere source stolen years ago, your questions, and more.

  • S01E339 “ScriptNo” for Chrome

    • February 8, 2012
    • TWiT

    NSTIC update, webcam nightmare, a NoScript-like extension for Chrome, and more.

  • S01E340 Listener Feedback #137

    • February 15, 2012
    • TWiT

    SSL's public key encryption, pcAnywhere, Google Wallet, your questions, and more.

  • S01E341 Can “Anonymous” Take Down the Internet?

    • February 22, 2012
    • TWiT

    The iOS cookie incident, whether Anonymous might take down the Internet, and more.

  • S01E342 Listener Feedback #138

    • February 29, 2012
    • TWiT

    HTML video copy protection, protection against forced decryption, Yubico "Nano", your questions, and more.

  • S01E343 HTTP & SPDY

    • March 6, 2012
    • TWiT

    LulzSec leader betrays Anonymous, how a site can know your social networks, comparing HTTP to SPDY, and more.

  • S01E344 Listener Feedback #139

    • March 14, 2012
    • TWiT

    6th annual Pwn2Own, Microsoft's noisy 2nd Tuesday, Wikipedia transfer from GoDaddy complete, your questions, and more.

  • S01E345 Buffer Bloat

    • March 21, 2012
    • TWiT

    Buffer Bloat on the internet, NSA Super-Super Computer Center, Apache Server Status information leakage, and more.

  • S01E346 Listener Feedback #140

    • March 28, 2012
    • TWiT

    Ten great answers and questions, buffer bloat, security news, and more.

  • S01E347 iOS Password Mis-Managers

    • April 4, 2012
    • TWiT

    Global Payments card processor breach, Apple holds security key for iCloud, iPhone passcode exploit, and more.

  • S01E348 Listener Feedback #141

    • April 11, 2012
    • TWiT

    Flashback infects 670,000 Macs, safety of Safari password storage, Windows Defender Offline, your questions, and more.

  • S01E349 Cloud Solutions

    • April 19, 2012
    • TWiT

    Steve gathers up all the cloud storage solutions and gives us his review.

  • S01E350 Twitter Feedback Q&A #142 / Cloud Security

    • April 25, 2012
    • TWiT

    In this special episode, Iyaz and I host an entirely Twitter-driven Q&A, prompted by the flurry of interest created by last week's focus upon Cloud Storage Solutions. After catching up with the week's security-related events, we zip through 21 tweets, then focus upon and examine the security architecture of one controversial and popular cloud storage provider: Backblaze.

  • S01E351 Three Hybrid Cloud Solutions

    • May 2, 2012
    • TWiT

    After catching up with the week's news and Twitter feedback, Leo and I closely examine three remote cloud storage solutions whose crypto was done COMPLETELY right, offering full TNO (Trust No One) security. And one of them makes me (Steve) wish I were a Mac user!

  • S01E352 Listener Feedback #143

    • May 9, 2012
    • TWiT

  • S01E353 DMARC - eMail Security

    • May 16, 2012
    • TWiT

    After catching up with the week's news, Steve and Leo look at the state of the slow but sure and steady progress being made to tighten up the Internet's eMail security. Since spoofing and phishing continue to be huge problems, these problems continue to command the attention of the Internet's largest commerce, financial, and social networking domains. The good news is: There's good reason for hope!!

  • S01E354 Listener Feedback #144

    • May 23, 2012
    • TWiT

  • S01E355 Poking Holes in TCP

    • May 30, 2012
    • TWiT

    Steve and Leo tackle two new and interesting threats to Internet security. First, the newly discovered “Flame” / “Flamer” / “Skywiper” malware dwarfs Stuxnet and Duqu in capability and complexity. Then they examine the work of two University of Michigan researchers who have detailed a collection of new ways to attack the TCP protocol. They inject malicious content into innocent web pages and add malicious links to online chats.

  • S01E356 Listener Feedback #145

    • June 6, 2012
    • TWiT

  • S01E357 Flame On!

    • June 13, 2012
    • TWiT

    This week, after catching up with a large amount of the week’s news, Leo and I carefully examine two major new discoveries about the Windows Flame worm.

  • S01E358 Listener Feedback #146

    • June 20, 2012
    • TWiT

  • S01E359 Coddling Our Buffers

    • June 27, 2012
    • TWiT

    After catching up with a few items of security and privacy news, Leo and I return to the Internet's "Buffer Bloat" problem to share the new solution “CoDel” (pronounced “coddle”) that has been developed by several of the Internet's original and leading technologists and designers.

  • S01E360 Listener Feedback #147

    • July 11, 2012
    • TWiT

  • S01E361 Paul Vixie & DNS Changer

    • July 18, 2012
    • TWiT

    After catching up with the week's security news, Leo and I take a close look at the recent “DNS Changer” malware, the FBI's role in the “takedown” of the malicious servers, and the expert technical assistance provided by Paul Vixie, one of the pioneers and principal developers of the Internet's Domain Name System (DNS).

  • S01E362 Listener Feedback #148

    • July 25, 2012
    • TWiT

  • S01E363 Ali Baba's Cave

    • August 1, 2012
    • TWiT

    After catching up with an eventful week of security news, Leo and I explore a variant of the story of “Ali Baba's Cave” as a means for clearly explaining the operation and requirements of cryptographic Zero-Knowledge Interactive Proofs.

  • S01E364 Mat Honan's Very Bad Weekend

    • August 8, 2012
    • TWiT

    After catching up with an eventful week of security news, Leo and I describe and explore the details of the “epic hack” that recently befell well-known technology writer Mat Honan.

  • S01E365 Listener Feedback #149

    • August 15, 2012
    • TWiT

  • S01E366 Password Cracking Update: The Death of “Clever”

    • August 22, 2012
    • TWiT

    After catching up with a collection of miscellaneous and interesting security-related news, Leo and I take a close look at the long-term consequences of the many massive password leakages which have occurred. The upshot? Hackers are getting MUCH better at cracking passwords, and “clever” techniques can no longer be regarded as safe.

  • S01E367 What a Busy Week!

    • August 29, 2012
    • TWiT

    We have so much security news and information to cover this week that we didn’t have time to take questions from our listeners. What we have, instead, is a LOT of interesting news about the new Java vulnerabilities, new TNO cloud storage solutions, and lots more.

  • S01E368 Listener Feedback #150

    • September 5, 2012
    • TWiT

  • S01E369 Internet Identity Update

    • September 11, 2012
    • TWiT

    After catching up with an eventful week of security news, Leo and I step back for an overview and discussion of the slowly evolving state of the art in Internet Identity Authentication.

  • S01E370 Mark Russinovich & Other News

    • September 19, 2012
    • TWiT

    We begin the week with a visit with our distinguished guest, Mark Russinovich, late of Sysinternals and now with Microsoft. Mark joins us to chat about the release of his second security thriller, “Trojan Horse,” and to share some of his view of the security world.

  • S01E371 Listener Feedback #151

    • September 26, 2012
    • TWiT

  • S01E372 NFC - Near Field Communications

    • October 3, 2012
    • TWiT

    After catching up with just a tiny bit of security news (it was a very quiet week in security), Leo and I take the podcast's first-ever comprehensive look at the emerging and increasingly popular NFC (Near Field Communications) technology, which is now present in tens of millions of cell phones and other mobile and fixed-location devices.

  • S01E373 Listener Feedback #152

    • October 10, 2012
    • TWiT

  • S01E374 ECC - Elliptic Curve Cryptography

    • October 17, 2012
    • TWiT

    After catching up with the week's most important security news, Leo and I wind up our propeller-cap beanies, right to the breaking point of their springs, in order to obtain enough lift to examine and explore the operation of ECC - Elliptic Curve Cryptography - the next-generation public key cryptography technology.

  • S01E375 Listener Feedback #153

    • October 24, 2012
    • TWiT

  • S01E376 Fully Homomorphic Encryption

    • October 31, 2012
    • TWiT

    This week, after failing to find much in the way of interesting security news, Leo and I make up for that by introducing the concept of “Fully Homomorphic Encryption,” which allows encrypted data to be operated upon WITHOUT it first being decrypted, and results remain encrypted.

  • S01E377 Listener Feedback #154

    • November 7, 2012
    • TWiT

  • S01E378 Microsoft: Security, Privacy & DNT

    • November 14, 2012
    • TWiT

    After catching up with an interesting and varied grab-bag of security news and paraphernalia, Tom and I further examine the controversy surrounding Microsoft's decision to enable the Do Not Track (DNT) "signal" header in IE10, and share some insights gained from a recent Microsoft Executive VP Keynote presentation about exactly this issue.

  • S01E379 Listener Feedback #155

    • November 21, 2012
    • TWiT

  • S01E380 DTLS - Datagram Transport Layer Security

    • November 28, 2012
    • TWiT

    After catching up with lots of interesting security news, updates on Steve's Acoustic Dog Training project, and lots of other miscellany, Leo and I examine a recently developed and increasingly popular Internet security protocol, DTLS, which combines the advantages of UDP with SSL security.

  • S01E381 Listener Feedback #156

    • December 5, 2012
    • TWiT

  • S01E382 QR Codes

    • December 12, 2012
    • TWiT

    After catching up with the week's news, Leo and I take a deep dive into the technology of the ever-more-ubiquitous “QR Codes” which are popping up everywhere and are increasingly being used, not only for good, but with malicious intent.

  • S01E383 Listener Feedback #157

    • December 19, 2012
    • TWiT

  • S01E384 Once Upon a Time

    • December 26, 2012
    • TWiT

    For this special year-end holiday edition of Security Now!, I dug down deep into my video archives, taking back 22 years, to 1990, to share a 45-minute presentation I gave, once upon a time, on the inner workings of the “megabyte-sized” hard disk drives that gave birth to the PC industry.

  • S01E385 Listener Feedback #158

    • January 2, 2013
    • TWiT

  • S01E386 Disconnect WidgetJacking

    • January 9, 2013
    • TWiT

    After catching up with a very busy week of interesting security news and events, Leo and I examine the growing privacy and security problems created by the ever more pervasive social widgets - Facebook's LIKE button, Google's +1, Twitter's Tweet!, and others - and they offer an easy-to-use free solution!

  • S01E387 Listener Feedback #159

    • January 16, 2013
    • TWiT

  • S01E388 Memory Hard Problems

    • January 23, 2013
    • TWiT

    After catching up with a bunch of fun and interesting news of the week, Leo and I examine the future of anti-hacking password scrambling and storage with the introduction of “Memory Hard Problems,” which are provably highly resistant to massive hardware acceleration.

  • S01E389 Listener Feedback #160 & UPnP Exposure Disaster

    • January 30, 2013
    • TWiT

    Leo and I discuss the week's major security events (and the disastrous news of 81 million exposed vulnerable routers!), then discuss questions and comments from listeners of previous episodes. We tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world 'application notes' for any of the security technologies and issues we have previously discussed.

  • S01E390 “Mega” Security Overview

    • February 6, 2013
    • TWiT

    After covering “UPnP a week later” and catching up with some interesting security industry happenings, Leo and I take a look into the controversy surrounding the security (or lack thereof) of Kim Dotcom's new “Mega” cloud storage offering.

  • S01E391 Listener Feedback #161

    • February 13, 2013
    • TWiT

  • S01E392 The Internet Underworld

    • February 20, 2013
    • TWiT

    We first converse with today's special guest, Brian Krebs, who for many years wrote for the Washington Post and is now publishing his own “Krebs on Security” blog. Our topic is “The Internet Underground.” After that, we catch up with a somewhat busy and interesting week in Internet security.

  • S01E393 Listener Feedback #162

    • February 27, 2013
    • TWiT

  • S01E394 Tor 2.0

    • March 6, 2013
    • TWiT

    Evernote resets 50 million passwords, Oracle issues emergency JAVA update, Tor's updated operation, and more.

  • S01E395 Your Questions, Steve's Answers 163

    • March 13, 2013
    • TWiT

    More JAVA vulnerabilities, more Flash vulnerabilities, DNT and IE10, your questions, and more.

  • S01E396 Telnet-pocalypse

    • March 20, 2013
    • TWiT

    Bitcoin, Carna Botnet, Krebs DDoS'd, distributed hash tables, and more.

  • S01E397 Your Questions, Steve's Answers 164

    • March 27, 2013
    • TWiT

    Apple authentication, FBI and Real-Time interception, your questions, and more.

  • S01E398 Distributed Hash Tables

    • April 3, 2013
    • TWiT

    COX is blocking UPnP, "Darkleech", poor Comcast JavaScript, Distributed Database technology, and more.

  • S01E399 Your Questions, Steve's Answers 165

    • April 10, 2013
    • TWiT

    Comcast's Blocked Ports, Verizon DSL begins to NAT its users, VUDO, your questions, and more.

  • S01E400 VPN Solutions

    • April 17, 2013
    • TWiT

    Wordpress botnet, another JAVA update, CRAPCHAs, Virtual Private Networks, and more.

  • S01E401 Your Questions, Steve's Answers 166

    • April 24, 2013
    • TWiT

    Another JAVA flaw, Google Street View data collection in Germany, Malware in Google Play Apps, and more!

  • S01E402 BitTorrent Sync

    • May 1, 2013
    • TWiT

    Security news, "BitTorrent Sync", and more.

  • S01E403 Your Questions, Steve's Answers 167

    • May 8, 2013
    • TWiT

    Quantum Internet, BT tests IP address sharing, Syria on the Internet, your questions, and more.

  • S01E404 How Facebook Monetizes

    • May 15, 2013
    • TWiT

    iPhone cracking for law enforcement, New Yorker opens an anonymous dead-drop system, Syria dropped off the Net again, and more.

  • S01E405 Your Questions, Steve's Answers 168

    • April 22, 2013
    • TWiT

    New Firefox cookie policy, Skype snooping, your questions, and more.

  • S01E406 Off the Record with OTR

    • May 29, 2013
    • TWiT

    Login with Amazon, Google to update SSL certificates, anatomy of a hack, and more.

  • S01E407 Your Questions, Steve's Answers 169

    • June 5, 2013
    • TWiT

    Car door lock mystery, Zeus Trojan on Facebook, your questions, and more.

  • S01E408 The State of Surveillance

    • June 12, 2013
    • TWiT

    Diving deep and defining NSA's PRISM data collection, and more.

  • S01E409 Your Questions, Steve's Answers 170

    • June 19, 2013
    • TWiT

    More on PRISM, the business of secretive communication, your questions, and more.

  • S01E410 Interesting Intel History

    • June 26, 2013
    • TWiT

  • S01E411 Your Questions, Steve's Answers 171

    • July 3, 2013
    • TWiT

  • S01E412 SSL and Perfect Forward Secrecy

    • July 10, 2013
    • TWiT

    A creepy PRISM thought, a defense against it, a big Microsoft patch Tuesday, and more.

  • S01E413 How Much Tinfoil?

    • July 17, 2013
    • TWiT

    Microsoft handing NSA encrypted messages, Feds disinvited to Def Con, and more.

  • S01E414 Inflection Points

    • July 24, 2013
    • TWiT

    Department of Homeland Security overreaction, Feds want master encryption keys, Apple's dev site hacked, and more.

  • S01E415 Your Questions, Steve's Answers 172

    • July 31, 2013
    • TWiT

    XKeyscore, SkyDrive looking for a new name, Megamos Crypto, your questions, and more.

  • S01E416 Black Hat, TOR and more

    • August 7, 2013
    • TWiT

    Firefox 23, Twitter multi-factor auth improvements, NSA Director's bad time at Black Hat, and more.

  • S01E417 Your Questions, Steve's Answers 173

    • August 14, 2013
    • TWiT

    Lavabit, Silent Circle, Android and BitCoin, your questions, and more.

  • S01E418 Considering PGP

    • August 21, 2013
    • TWiT

    Steve and Leo cover the consequences of the Snowden leaks and, with that in mind, they examine the Pretty Good Privacy (PGP) system for encrypting email and attachments.

  • S01E419 Your Questions, Steve's Answers 174

    • August 28, 2013
    • TWiT

    Kim Dotcom's secure email solution, Wickr, Cackle, Hemlis, your questions, and more.

  • S01E420 BitMessage

    • September 4, 2013
    • TWiT

    NSA and USA in the doghouse, New Zealand bans software patents, more JAVA trouble, and more.

  • S01E421 The Perfect Accusation

    • September 11, 2013
    • TWiT

    LastPass and the NSA, MyOpenID, Patch Tuesday, NSA versus encryption, and more.

  • S01E422 Your Questions, Steve's Answers 175

    • September 18, 2013
    • TWiT

    Social media monitoring at school, unpatchable Java 6 exploits, IPv6 subversion, and more.

  • S01E423 Fingerprint Biometrics

    • September 25, 2013
    • TWiT

    NSA-influenced code and backdoors, iOS7 flaws, TouchID, and more.

  • S01E424 SQRL

    • October 2, 2013
    • TWiT

    Fingerprints are usernames, BitTorrent Chat, Steve's practical replacement for website usernames and passwords, and more.

  • S01E425 SQRL and Q & A 176

    • October 9, 2013
    • TWiT

    Secure QR Login followup, Lavabit defied the FBI, Microsoft's second Tuesday, your questions, and more.

  • S01E426 SQRL: Anti-Phishing and Revocation

    • October 16, 2013
    • TWiT

    Two new valuable features of SQRL, Internet Governance Project, Lavabit, and more.

  • S01E427 A Newsy Week

    • October 23, 2013
    • TWiT

    Google's “Project Shield”, CryptoSeal, CryptoLocker, Shumway, and more.

  • S01E428 Your Questions, Steve's Answers 177

    • October 30, 2013
    • TWiT

    Firefox 25, LinkedIn Intro, CryptoLocker, SQRL, your questions, and more.

  • S01E429 Monkey Was 26th

    • November 6, 2013
    • TWiT

    TrueCrypt Audit, Google versus the NSA, LastPass update, and much more news.

  • S01E430 Your Questions, Steve's Answers 178

    • November 13, 2013
    • TWiT

    Microsoft TIFF 0-day flaw, lots of Bitcoin happenings, your questions, and more.

  • S01E431 What is RADIUS?

    • November 20, 2013
    • TWiT

    Security news, the coin wallet idea, why does proXPN allow only twelve characters, Steve explains RADIUS, and more.

  • S01E432 Coin, Patent Trolls, and More

    • November 27, 2013
    • TWiT

    Following another week overfilled with interesting security-related news, Steve and Leo spend an hour and a half diving deeply into an updated (and likely very close to correct) understanding of the COIN payment card, news on the CryptoLocker front, a close look at a patent troll case that has so far gone the wrong way, and much more.

  • S01E433 Breaking SSL

    • December 4, 2013
    • TWiT

    A closer look at "BULLRUN", the NSA's code name for their Encryption Cracking initiative, TL Warp Drive, and more.

  • S01E434 Your Questions, Steve's Answers 179

    • December 11, 2013
    • TWiT

    Patch Tuesday, Firefox 26, NSA and Google cookies, your questions, and more.

  • S01E435 Your Questions, Steve's Answers 180

    • December 18, 2013
    • TWiT

    All things NSA, Acoustic Crypto Key leakage, FIDO Alliance and SQRL, your questions, and more.

  • S01E436 Time Traveling with Steve

    • December 25, 2013
    • TWiT

    Steve opens up his archives to show some of his first appearances with Leo on the Screen Savers.

  • S01E437 New Year's News Catchup

    • January 7, 2014
    • TWiT

    We talk about the NSA and ANT protocols, more CryptoLocker news, the SnapChat leak of names and phone numbers, and more.

  • S01E438 NSA's ANT

    • January 14, 2014
    • TWiT

    After catching up with another busy week of security news, we dive into the amazing NSA ANT documentation to learn about the NSA's field capabilities.

  • S01E439 Your Questions, Steve's Answers 181

    • January 21, 2014
    • TWiT

  • S01E440 Your Questions, Steve's Answers 182

    • January 28, 2014
    • TWiT

    More point-of-sale malware news, overtrain Apple's TouchID for reliability, BlueTooth LE's pairing is "just broken" and more.

  • S01E441 Password Policies

    • February 4, 2014
    • TWiT

    Steve and Leo examine research performed by Dashlane (makers of a password manager), which has researched and presented the current state of the Top 100 web retailers' password policies.

  • S01E442 Q&A 183

    • February 11, 2014
    • TWiT

  • S01E443 Sisyphus

    • February 18, 2014
    • TWiT

    Steve's original plan to explain Google's terrific innovations in web performance, known as "QUIC", was derailed by the overwhelmingly worrisome security news, so this week's podcast is pure, and rather sobering, news of the week.

  • S01E444 Goto: Fail

    • February 25, 2014
    • TWiT

    Goto: Fail, Apple's SSL screw up, WhatsApp TOS change, Telegram, Mt. Gox & Bitcoin, and more!

  • S01E445 Your Questions, Steve's Answers 184

    • March 4, 2014
    • TWiT

    Was the iOS SSL flaw done on purpose? NSA spying on Yahoo users' webcams, Steve makes a shocking admission about Windows XP, and more!

  • S01E446 iOS Security (1)

    • March 11, 2014
    • TWiT

    Snowden's SXSW appearance, SQRL coming in 34 languages, the deepest look yet into Apple's iOS security, and more!

  • S01E447 iOS Security (2)

    • March 18, 2014
    • TWiT

    More "XP Armageddon", Pwn2Own, cloud storage costs plummet, and more!

  • S01E448 iOS Security (3)

    • March 25, 2014
    • TWiT

    An important Fix-It for a new 0-day vulnerability in Microsoft Word, has WPA2 Wi-Fi been cracked? iOS security part 3, and more.

  • S01E449 Your Questions, Steve's Answers 185

    • April 1, 2014
    • TWiT

    The NSA / Dual_EC_DRBG flaw is worse than we knew, is Google's Always HTTPS for Gmail a bad thing? A quick WiFi password install for iPhones, and more.

  • S01E450 How the Heartbleeds

    • April 8, 2014
    • TWiT

    The end of updates for Windows XP, AnyDVD, the Heartbleed bug, and more.

  • S01E451 TrueCrypt & Heartbleed Part 2

    • April 15, 2014
    • TWiT

    The previous week consisted of nearly a single story: Heartbleed. It was only "nearly", though, because we also received the results from the first phase of the TrueCrypt audit.

  • S01E452 Your Questions, Steve's Answers 186

    • April 21, 2014
    • TWiT

    Ladar Levison's appeal ruling, Google could bring end-to-end encryption to the masses, Jailbreaking iOS and more!

  • S01E453 Certificate Revocation

    • April 29, 2014
    • TWiT

    Internet Explorer 0-day flaw, a new look for Firefox v29, what do we do when good certificates go bad? And more!

  • S01E454 Certificate Revocation, Part 2

    • May 6, 2014
    • TWiT

    OpenID and OAuth vulnerability rediscovered, US Gov begins testing Universal CyberID, certificate revocation part 2: how practice follows theory, and more!

  • S01E455 Your Questions, Steve's Answers 187

    • May 13, 2014
    • TWiT

    Microsoft's 2nd Tuesday patches, the Certificate Authority Security Council weighs in on Chrome's revocation solution, the appeal decision in Oracle vs. Google, and more!

  • S01E456 Harvesting Entropy

    • May 20, 2014
    • TWiT

    Steve and Leo examine the practical size of randomness and the challenge of collecting Entropy in a client that may not have any built-in support for providing it, and may also be surrounded by active attackers.

  • S01E457 Your Questions, Steve's Answers 188

    • May 27, 2014
    • TWiT

    During this week's Q&A we host a special guest, industry veteran and ISP, Brett Glass, who shares his views on the confusing Network Neutrality debate. We also catch up with the past week's security news and answer 10 questions and comments from our listeners.

  • S01E458 TrueCrypt: WTH?

    • June 3, 2014
    • TWiT

    Steve and Leo look back upon and analyze the past seven days of insanity which followed the startling surprise "self-takedown" of the long standing TrueCrypt.org website, and of TrueCrypt itself.

  • S01E459 Your Questions, Steve's Answers 189

    • June 10, 2014
    • TWiT

    Google's browser-based PGP, more OpenSSL troubles, iOS8 thwarts tracking? And Steve answers your questions!

  • S01E460 Authenticated Encryption

    • June 17, 2014
    • TWiT

    Steve and Leo discuss the need for, and the Internet industry's search for, new standards for "Authenticated Encryption" which simultaneously encrypts messages for privacy while also authenticating them against any active in-flight tampering.

  • S01E461 Your Questions, Steve's Answers 190

    • June 24, 2014
    • TWiT

    The EFF wants internet users to open up their Wi-Fi networks, BoringSSL, Google to start offering domains, and more.

  • S01E462 Cloud Storage Solutions

    • July 1, 2014
    • TWiT

    Paypal's security misfires, serious Android crypto key theft vulnerability affecting 86% of devices, and we announce and launch the beginning of a multi-part podcast series which will examine and analyze the many current alternatives for securely (TNO) storing our files "in the cloud."

  • S01E463 Your Questions, Steve's Answers 191

    • July 8, 2014
    • TWiT

    Microsoft's Patch Tuesday & they fumble a takedown, Oracle ends XP's Java, Cloud Storage Solutions update and more!

  • S01E464 Your Questions, Steve's Answers 192

    • July 15, 2014
    • TWiT

    Three Internet of Things standardization groups, Google hires a team of hackers for "Project Zero," Has CryptoLocker been neutralized? And more!

  • S01E465 iOS Surveillance?

    • July 22, 2014
    • TWiT

    Level3 responds to Verizon's network congestion chart, Canvas Fingerprinting, Microsoft Research says not to use strong passwords? And more!

  • S01E466 Your Questions, Steve's Answers #193

    • July 29, 2014
    • TWiT

    iOS v7 HAS been Jailbroken, iOS Backdoors and Canvas Fingerprinting, WhisperSystems' truly secure "Redphone" comes to iPhone as "Signal", Android found not to be checking certificate chains, Clarification in the Verizon vs Level3 argument, and Q&A #193.

  • S01E467 Browser Password Managers

    • August 5, 2014
    • TWiT

    HP's recent analysis of the (lack of) security in "Internet of Things" appliances, BadUSB, Steve's analysis of browser-based password managers, and more!

  • S01E468 Your Questions, Steve's Answers 194

    • August 12, 2014
    • TWiT

    BadUSB follow-up, LastPass outage, Google to prioritize websites with HTTPS, and more!

  • S01E469 Big Routing Tables

    • August 19, 2014
    • TWiT

    Who can access your digital assets after death? HTTP Shaming, last week's internet outage, and more!

  • S01E470 Your Questions, Steve's Answers 195

    • August 26, 2014
    • TWiT

    "Autonomous" vs. "Anonymous", Sony's Playstation Network DDoS attack, the first confirmed Heartbleed intrusion and more.

  • S01E471 PGP: Time for an Upgrade?

    • September 2, 2014
    • TWiT

    The iCloud iBrute iHack, more consumer Wi-Fi router security troubles, encrypting email... with PGP? And more!

  • S01E472 Your Questions, Steve's Answers 196

    • September 9, 2014
    • TWiT

    The Home Depot breach, Comcast gets pretty intrusive, Google declares war on the SHA-1 hash and more!

  • S01E473 Google vs. SHA-1

    • September 16, 2014
    • TWiT

    Comcast versus TOR, a big Linked-In mistake, a serious pre-KitKat Android problem and more!

  • S01E474 Your Questions, Steve's Answers 197

    • September 23, 2014
    • TWiT

    Apple's iOS 8 security, Google and Dropbox team up in a new venture, encrypting some data versus all data, and more!

  • S01E475 Shocked by the Shell

    • October 1, 2014
    • TWiT

    After covering a very busy and interesting past week of security and privacy news, Father Robert and Steve explain, examine, and dig down deep into the many fascinating details of the worst-ever, two-decade old, latent and pervasive Internet bug known as "ShellShock."

  • S01E476 Your Questions, Steve's Answers 198

    • October 7, 2014
    • TWiT

    JP Morgan Chase and the largest breach yet, Yahoo!'s servers hit by ShellShock, BadUSB exploit code posted to Github, and your Q&A!

  • S01E477 Payment Tokenization

    • October 14, 2014
    • TWiT

    A new Windows 0-day exploit, rumor of a pending SSLv3 flaw and Steve analyzes the next evolution in online payment technology which replaces traditional credit card numbers with "Payment Tokens."

  • S01E478 Poodle Bites

    • October 21, 2014
    • TWiT

    FBI director wants Congress to fix phone encryption, Google adds Yubikey 2nd-factor authentication, and is there anything to worry about Poodle?

  • S01E479 Your Questions, Steve's Answers 199

    • October 28, 2014
    • TWiT

    Apple Pay vs. CurrentC, Verizon (and AT&T) inserting a sticky cookie, RC4 gets an upgrade tweak, and listener feedback!

  • S01E480 Your Questions, Steve's Answers 200

    • November 4, 2014
    • TWiT

    CurrentC already hacked, a serious OSX Yosemite vulnerability, is your TV watching you? And your questions!

  • S01E481 Certificate Transparency

    • November 11, 2014
    • TWiT

    Microsoft's Mega Patch Tuesday, Obama wants to reclassify ISPs as telecommunications carriers, verifying a website's authenticity with certificates and more.

  • S01E482 Your Questions, Steve's Answers 201

    • November 18, 2014
    • TWiT

    Dirtboxes spying on cellphones, an update for AT&T and Verizon's Cellular Super-Cookie, worries about BitTorrent Sync's security and privacy, and your questions!

  • S01E483 Let's Encrypt

    • November 25, 2014
    • TWiT

    Intelligence gathering malware Regin, the Edward Snowden documentary Citizenfour, upcoming Certificate Authority Let's Encrypt and more.

  • S01E484 Your Questions, Steve's Answers 202

    • December 2, 2014
    • TWiT

    Firefox v34, iOS 8 bugs, how to safely report a vulnerability and more of your questions.

  • S01E485 Expensive Lessons

    • December 9, 2014
    • TWiT

    Poodle Bites (again!), TURLA - an APT (Advanced Persistent Threat) targeting Linux, and very expensive lessons learned from Target and Sony's recent security breaches.

  • S01E486 Your Questions, Steve's Answers 203

    • December 16, 2014
    • TWiT

    Chrome UX changes in 2015, a Las Vegas casino struck hard by a cyberattack, the ethics of disclosing illegally obtained content, your questions and Steve's answers!

  • S01E487 Steve Introduces SQRL

    • December 23, 2014
    • TWiT

    Steve Gibson introduces and explains Secure Quick Reliable Login (SQRL), Steve's proposal for a replacement for website passwords at DigiCert Security Summit 2014 in Las Vegas.

  • S01E488 The (In)Security of 2014

    • December 30, 2014
    • TWiT

    Who hacked Sony? Apple deploys their first forced-update, Snowden docs revealing NSA headaches, and a look back on a busy 2014 for security!

  • S01E489 Your Questions, Steve's Answers 204

    • January 6, 2015
    • TWiT

    The HSTS Super-Cookie, "ThunderStrike," CryptoLocker's successor, and questions from listeners!

  • S01E490 The Enigma

    • January 13, 2015
    • TWiT

    Lizard Squad's DDoS network largely powered by SOHO Routers, Google abandons pre-v4.4 Android Updates, and British Prime Minister David Cameron proposes outlawing communications that the government cannot eavesdrop on.

  • S01E491 Cryptographic Backdoors

    • January 20, 2015
    • TWiT

    Why the President was sure it was North Korea, a few Sci-Fi recommendations from Steve, and separating fact from fiction about Cryptographic Backdoors.

  • S01E492 Your Questions, Steve's Answers 205

    • January 27, 2015
    • TWiT

    The Firefox Marketplace, Google takes a bite out of Apple too, Apple agrees to a Chinese audit of their product security, and your questions!

  • S01E493 TOR: Not so Anonymous

    • February 3, 2015
    • TWiT

    Regin's apparent heritage, Bad Linux "GHOST" vulnerability, and how TOR may not be so anonymous after all.

  • S01E494 Your Questions, Steve's Answers 206

    • February 10, 2015
    • TWiT

    Adobe's multiple Flash patches, the U.S. Government announces a cyber threat integration center, the latest on the Anthem breach, and Steve answers listener questions!

  • S01E495 HTTP/2

    • February 17, 2015
    • TWiT

    Leo and Steve catch up with several VERY interesting security events and stories of the week, then we take a close look and a deep dive into the operation of the industry's first change in the official HTTP protocol in 15 years -- the finalization and emergence of the HTTP/2 IETF specification which significantly streamlines web browser and web server interaction.

  • S01E496 Your Questions, Steve's Answers 207

    • February 24, 2015
    • TWiT

    Leo and Steve discuss the week's major security events, including the revelation of the Lenovo crapware "Superfish," the joint GCHQ/NSA Gemalto attack which rendered cellular phones insecure, and Steve answers more of your questions!

  • S01E497 Hacking Vehicles

    • March 3, 2015
    • TWiT

    Leo and I discuss the week's tamer-than-usual news, then we host a terrific interview of the team (recently featured on Sunday's 60 Minutes) who have been working with DARPA to address the challenge of hardening high-tech networked vehicles -- autos and UAVs -- against malicious hacking attacks.

  • S01E498 Freak & RowHammer

    • March 12, 2015
    • TWiT

    Steve and Leo catch up with several VERY interesting security events and stories of the week, then we take a deep dive into two of the week's big security stories: FREAK and RowHammer.

  • S01E499 Your Questions, Steve's Answers 208

    • March 17, 2015
    • TWiT

    A look at the new TeslaCrypt, Yahoo! to eliminate passwords, InstantCryptor and Steve answers your questions!

  • S01E500 Secure Boot

    • March 24, 2015
    • TWiT

    An iPhone/iPad 4-digit PIN hack, the recent Pwn2Own hacking competition, and Steve takes a look at the evolution of booting from BIOS to UEFI and how Microsoft has leveraged this into their "Windows Secure Boot" system.

  • S01E501 Your Questions, Steve's Answers 209

    • April 1, 2015
    • TWiT

    The ongoing GitHub/GreatFire.org DDoS attack, a bad vulnerability discovered in hotel/convention center/visitor routers, a detailed analysis of 10 million passwords and your questions!

  • S01E502 The TrueCrypt Audit

    • April 7, 2015
    • TWiT

    CNNIC's Root CA cert to be removed from Chrome, Microsoft to change handling of Do Not Track, the "After Market" for IPv4 address space is heating up, and Steve looks at the findings of the TrueCrypt Audit.

  • S01E503 Your Questions, Steve's Answers 210

    • April 14, 2015
    • TWiT

    The EFF wins its Podcast Patent Challenge, an update on CNNIC's root certificates, the Mac "Rootpipe" vulnerability, more viewer questions and Steve's Answers!

  • S01E504 Great Firewalls & Cannons

    • April 21, 2015
    • TWiT

    TrueCrypt audit follow up, Google search history dump, and Steve Gibson and Leo Laporte take a close look at the mechanisms China has developed - both filtering and offensive weaponry - to provide for their censorship needs and to potentially attack external internet targets.

  • S01E505 Your Questions, Steve's Answers 211

    • April 28, 2015
    • TWiT

    Wi-Fi access points can crash iOS devices, CryptoWall installed via malicious ads for two months, thoughts about ad blocking, and Steve answers your questions!

  • S01E506 Law Enforcement Backdoors

    • May 5, 2015
    • TWiT

    The "Pixie Dust" failure of WPS, disabling RC4, Mozilla putting on the pressure to phase out HTTP, two very different and well thought out statements about law enforcement backdoors.

  • S01E507 Your Questions, Steve's Answers 212

    • May 12, 2015
    • TWiT

    Appeals court rules that sweeping up Americans' data is illegal, Europe's Smart Grid crypto is dumb, SSD on-the-shelf data retention, your questions and Steve's answers!

  • S01E508 Exploiting Keyless Entry

    • May 19, 2015
    • TWiT

    Starbucks discovers the downside of convenience over security, the "Venom" vulnerability, and a look at how crooks are ransacking and stealing cars.

  • S01E509 TLS Logjam

    • May 26, 2015
    • TWiT

    Let's Encrypt's Terms of Service, more on "plane hacker" Chris Roberts, a major new vulnerability in the Internet's TLS protocol known as "Logjam," and more!

  • S01E510 Your Questions, Steve's Answers 213

    • June 2, 2015
    • TWiT

    Crashing (your friends') iPhones, a worrisome Mac firmware problem, Microsoft annoying and/or frightening users with unsolicited "Win10 upgrade" offers, Google's Vault and Soli projects, and your questions and Steve's answers!

  • S01E511 Your Questions, Steve's Answers 214

    • June 9, 2015
    • TWiT

    Patch Tuesday, Federal backdoor development funding, a real HDD firmware bootkit, iOS v9, your questions and Steve's answers!

  • S01E512 Mozilla Tracking Protection

    • June 16, 2015
    • TWiT

    Steve Gibson and Leo Laporte discuss Firefox's Tracking Protection and the state of tracking users on the internet. The LastPass network breach, more bad news from the Office of Personnel Management, did China & Russia obtain and decrypt Snowden's document cache? And examining the revelations about the current state of Internet user tracking arising from Mozilla's Firefox tracking protection instrumentation.

  • S01E513 Your Questions, Steve's Answers 215

    • June 23, 2015
    • TWiT

    How does a buffer overflow lead to an exploit? A significant cross-application security flaw in Mac OS X and iOS, the Samsung keyboard flaw, how safe is your Lastpass master password, transmitting sensitive data to "tech-unsavvy people", and more of your questions with Steve's answers!

  • S01E514 Tor’s Astoria Client

    • June 30, 2015
    • TWiT

    Should we trust NoScript? Adobe issues an emergency out-of-cycle patch for FLASH, an update to Google's Chrome browser unnerves some, an AM radio that steals nearby Crypto keys, a truly fabulous site of privacy tools, a look at recent research into improving the privacy delivered to users of the Tor network.

  • S01E515 A Crazy News Week!

    • July 7, 2015
    • TWiT

    Steve Gibson talks about his concerns of "Wi-Fi Sense" on Windows 10, a feature that shares your Wi-Fi password with your contacts in Facebook, Outlook and Skype. Firefox v39, ICANN's WHOIS privacy policy, a new old DDoS attack protocol in use, Amazon rolls their own TLS stack, ARIN runs out of IPv4 space, Italy's Hacking team gets hacked... with a surprise in the disclosed data! Juicy new details about the NSA's XKEYSCORE and international spying, Windows 10 gets privacy-worrisome "WiFi Sense" facility, and more!

  • S01E516 Hacking Team vs. SQRL

    • July 14, 2015
    • TWiT

    Steve Gibson revisits SQRL with Fr. Robert Ballecer. More Hacking Team revelations including another Adobe Flash exploit and a UEFI rootkit, OpenSSL's latest problem, another plea to the government from encryption experts, even worse news from the OPM breach, an updated look at SQRL and more!

  • S01E517 Your Questions, Steve's Answers 216

    • July 21, 2015
    • TWiT

    Steve loses his T1, the official SQRL logo, Auto hacking matures from "connect" to "Internet", Microsoft's emergency out-of-cycle update, Progress in attacking RC4, and more of your questions with Steve's answers!

  • S01E518 HORNET: A Fix For TOR?

    • July 28, 2015
    • TWiT

    A significant Android problem is found in the "StageFright" module, with almost a billion Android devices at risk. Fiat/Chrysler hacking follow-up, the Android "StageFright" flaw, the security practices of experts vs. non-experts, Major DMCA news, the Anti-Phishing Working Group's Global Phishing Survey, the right way to silence the Windows 10 upgrade pesterings, and what is HORNET?

  • S01E519 The Windows 10 Privacy Tradeoff

    • August 4, 2015
    • TWiT

    Steve Gibson analyzes Windows 10's privacy settings. StageFright update, a DNS vulnerability in BIND, PagerDuty suffered a database breach, OSX has a somewhat worrisome 0-day in the wild, NoScript versus Sandboxie, and examining what we know of the Windows 10 privacy tradeoff.

  • S01E520 The Quest for Surfing Safety

    • August 11, 2015
    • TWiT

    Steve Gibson and the search for safely navigating the internet. StageFright Watch, Windows 10 Tracking disable tool, was TrueCrypt decrypted by the FBI? Firefox vulnerability, and Steve's search for a low-hassle solution for safely browsing the danger-filled World Wide Web.

  • S01E521 Security Is Difficult

    • August 18, 2015
    • TWiT

    Steve Gibson and Leo Laporte discuss the distressing state of online web advertising. Two steps forward, one step back for Android StageFright, new Windows 10 privacy concerns, high profile malvertising surfaces, Kaspersky, Lenovo, HTC and AT&T each in their own doghouses and more!

  • S01E522 Your Questions, Steve's Answers 217

    • August 25, 2015
    • TWiT

    What is the best way to securely wipe a drive? Lenovo BIOS behavior retraction and update, ransomware file encryptor appears on Github, consequences of the growing intersection of life and the Internet, the need for physical security and Hillary's email server, and Steve answers your questions!

  • S01E523 uBlock Origin

    • September 1, 2015
    • TWiT

    Steve Gibson and Leo Laporte look at uBlock Origin, an add-on blocker for web browsers. Running Firefox as a "normal" user, malvertising hits MSN, Amazon & Google tighten up on Flash, Windows 7 & 8 quietly get new and unwanted features, Dave Winer: "Mac OS is spyware too," and Steve Gibson goes over the features of uBlock Origin.

  • S01E524 Your Questions, Steve's Answers 218

    • September 8, 2015
    • TWiT

    How is data stored on glass platters used in hard drives? Seagate Wi-Fi drive nightmare, AdBlock plus releases adblocking browsers on the eve of iOS 9, Android phones now coming with pre-installed malware, your questions and Steve's answers!

  • S01E525 Disconnect.me

    • September 15, 2015
    • TWiT

    Steve Gibson talks with co-founder and CTO of Disconnect, a privacy and security tool to block trackers. Has LastPass been hacked? Matthew Green's look at iMessage's assurances, Canary Tokens, Let's Encrypt issues first certificate, and a discussion with Patrick Jackson, co-founder and CTO of Disconnect.

  • S01E526 iOS Content Blockers

    • September 22, 2015
    • TWiT

    iOS XcodeGhost, critical Adobe FLASH update, Ashley Madison password mystery. iOS XcodeGhost discovered by Chinese developer, critical Adobe Flash update, AVG begin selling browsing and search history to advertisers, Cisco routers in at least 4 countries infected by stealthy backdoor, 11+ million Ashley Madison passwords cracked, VW & Audi recall after EPA hack programming.

  • S01E527 Your Questions, Steve's Answers 219

    • September 29, 2015
    • TWiT

    Listener and columnist for ComputerWorld Michael Horowitz found that Lenovo's ThinkPad line still monitors and tracks users. Time to migrate away from TrueCrypt? AdBlocker App update, Thinkpad is, sadly no longer "clean", new concerns over Anti Virus add-on utilities and Steve answers your questions!

  • S01E528 Breaches & Vigilante Worms

    • October 6, 2015
    • TWiT

    Linux.Wifatch is a piece of code that behaves like a worm, has infected vulnerable routers, removes malware and secures the router. Breaches at Patreon, Experian & Scottrade, Stagefright 2, Linux.Wifatch: The Router Vigilante Worm, problems with VeraCrypt, Android Marshmallow's major security improvements and more!

  • S01E529 Joe Siegrist of LastPass

    • October 13, 2015
    • TWiT

    Joe Siegrist talks with Steve Gibson and Leo Laporte about the recent news that LogMeIn has purchased LastPass. Joe Siegrist and the LastPass acquisition, Patch Tuesday, another dent in SHA-1, U.S. Government plans not to force "cryptotapping"... for now and Steve answers your questions!

  • S01E530 Doing It Wrong

    • October 20, 2015
    • TWiT

    Steve Gibson takes a look at four companies getting security wrong. An emergency Adobe FLASH vulnerability, sneaking naughty iOS apps past Apple's scrutiny and a look at four examples (from this week) of companies getting security wrong.

  • S01E531 Your Questions, Steve's Answers 221

    • October 27, 2015
    • TWiT

    Is it time to drop TrueCrypt for VeraCrypt? 1Password metadata, revisited, bad Western Digital hard drive encryption, how the NSA is seeing into encrypted data, an update on the "Let's Encrypt" project, the future of the beleaguered SHA-1 hash and Steve answers your questions!

  • S01E532 Verifying iOS App Conduct

    • November 4, 2015
    • TWiT

    Steve Gibson explores the fundamental problem with iOS application security enforcement. Brief glitch with uBlock Origin in the Chrome store, Symantec screws up cert issuance, "the Hacking Team" returns, Tor Messenger, US and UK take differing cybersecurity paths, a clever new browser fingerprinting hack, JavaScript (ECMAScript) 6 peek, Threema gets an independent audit and the disconcerting result of Steve's analysis of iOS application vetting.

  • S01E533 Your Questions, Steve's Answers 222

    • November 10, 2015
    • TWiT

    A variant of the ransomware "Power Worm" can not be decrypted even after the ransom is paid. China's new hiring problem, Firefox v42 update, don't pay the "Power Worm" ransomware, CAs mis-issuing banned certificates, Microsoft rethinks their January 1st 2017 SHA-1 cutoff date, and Steve Gibson answers your questions!

  • S01E534 Encryption and the Law

    • November 17, 2015
    • TWiT

    The post-Paris Encryption controversy. Leo and Steve discuss a wide range of security news, Steve's feelings about the new iPad Pro, lots of interesting bits of miscellany, and we then revisit the newly controversial question of Internet encryption which has been raised with great emphasis after last week's terrorist attacks in Paris.

  • S01E535 Your Questions, Steve's Answers 223

    • November 24, 2015
    • TWiT

    Dell, Lastpass, Windows 10, and Q&A with Steve. Dell steps in it big time, Windows 10's various recent struggles, a report of the Manhattan DA's office about Smartphone Encryption, various updates and miscellany including an Errata, ten listener thoughts, and questions!

  • S01E536 Your Questions, Steve's Answers 224

    • December 1, 2015
    • TWiT

    A security researcher finds 600,000 Arris cable modems have two backdoor vulnerabilities. A Follow up on last week's thoughts on warranted iPhone unlocking, Mozilla's life after Google, Arris cable modems in the doghouse, Blackberry says no to a large government, another nail in the Adobe Flash coffin, and Steve answers more viewer questions!

  • S01E537 A Mega News Week

    • December 8, 2015
    • TWiT

    France considers counter-terrorism measures such as blocking TOR and public Wi-Fi. Microsoft's Patch Tuesday (and Adobe Flash mega patch Tuesday!) Microsoft's new moves to force Windows 10 onto unwanting users, even bigger trouble for Dell, and trouble for AOL and Lenovo, Let's Encrypt public beta goes live, what did President Obama mean on Sunday? Perhaps France is (over)reacting? The Republic of Kazakhstan paves a worrisome path, ISIS releases an app for Android, CryptoWall gets even worse and more!

  • S01E538 Your Questions, Steve's Answers 225

    • December 15, 2015
    • TWiT

    A security researcher exposes 13 million MacKeeper user data using the Shodan search engine. Is Kazakhstan's new encryption law a preview of future U.S. policy? FBI chief asks tech companies to stop offering end-to-end encryption, 13 million MacKeeper users' data exposed, Cloudflare, Facebook and others compromise on SHA-1 sunsetting, Google to deprecate one of Symantec's root certificates, major exploit in Bell Canada's routers reveals WPA2-PSK, Wired thinks it has unmasked Satoshi Nakamoto... maybe not, a suspected hit and run driver caught in Florida after car called the cops, Telegram cryptanalysis, and Steve answers possibly the coolest question he's ever been asked for a Q&A!

  • S01E539 Your Questions, Steve's Answers 226

    • December 22, 2015
    • TWiT

    Should password length be kept a secret? The stunning Juniper router backdoor, Oracle gets smacked by the U.S. Federal Trade Commission, what happens if you simply press backspace 28 times at a Linux password prompt? WhatsApp briefly banned in Brazil, Hillary's call for a Manhattan-style effort on encryption, a recent audit provides an updated snapshot of the state of web privacy, Microsoft increases the GWX controversy and Steve answers your questions!

  • S01E540 Vitamin D

    • December 29, 2015
    • TWiT

    This special episode from 2009 featured a rare off-topic discussion about Steve Gibson's research into vitamin D. This episode was originally recorded with audio only.

  • S01E541 New Year's News

    • January 5, 2016
    • TWiT

    A look back at security vulnerability counts of 2015. Some GWX (Get Windows X) news updates, a Windows 10 market share snapshot, hysteria over Windows 10 disk encryption, Google issues critical updates for recent Android versions, ransomware goes multi-platform with JavaScript, the next IoT Wi-Fi standard is ratified, smartwatch side-channel attacks, IPv6 adoption at its 20 year mark and more!

  • S01E542 Your Questions, Steve's Answers 227

    • January 12, 2016
    • TWiT

    How can LastPass' Emergency Access be TNO? TrendMicro drastically lowers the bar on "you're doing it wrong", Symantec issues banned SHA-1 certs in 2016, Firefox backs off from disallowing newly issued SHA-1 certs in 2016, a sad day has finally arrived for Windows XP Embedded SP3, how LastPass v4.0's new Emergency Access feature can be TNO, and more!

  • S01E543 LostPass

    • January 19, 2016
    • TWiT

    Steve Gibson analyzes the ShmooCon presentation on "LostPass" and LastPass' response. Major Internet of Things news: Ring Doorbell, Webcams, Wi-Fi passwords in the cloud, more malvertising in the news, a major internet appliance backdoor discovered, New York State Assembly Bill about phone encryption, more Microsoft and Windows 10 news and the ShmooCon presentation of the LastPass phishing hack.

  • S01E544 Your Questions, Steve's Answers 228

    • January 26, 2016
    • TWiT

    How do I know that I am on the most secure connection with a VPN? More on the consumer encryption fight, a smartphone updating lawsuit, a new web compression standard, a website that (deliberately) crashes iOS, a new Firefox and Steve answers your questions!

  • S01E545 Three Dumb Routers

    • February 2, 2016
    • TWiT

    Steve Gibson's guide to using multiple routers for a secure network. Java is finally leaving the browser, Google's February Nexus Android update, the ongoing encryption debate, and Steve talks about how to set up a secure network for all your devices with no less than three dumb routers. GRC.com: NAT Router Security Solutions - https://www.grc.com/nat/nat.htm

  • S01E546 Router Q&A Follow-Up

    • February 9, 2016
    • TWiT

    Steve Gibson looks at a severe vulnerability in eBay's online sales platform that could be the "hack of the decade." iOS Error 53 and an interesting Apple 3rd party service conundrum, Comodo's crummy Cromodo browser, a new Google search safely feature, an interesting audit of Windows 10 after enabling all privacy features, Steve's experience with GWX and a new Windows 7 install, the amazing clever hack of the decade, and Steve answers three listener follow-up questions from last week's "Three Dumb Routers" episode.

  • S01E547 GRC is DOWN

    • February 16, 2016
    • TWiT

    Steve Gibson details how vulnerable websites can be to attacks. Steve and Leo talk about what is happening to the grc.com website and how a DDoS attack brings down a website.

  • S01E548 DDoS Attack Mitigation

    • February 23, 2016
    • TWiT

    Steve Gibson on what has happened in the last week since the DDoS attack on GRC.com. Apple vs the FBI, Linux Mint, more Comodo bad news, Hollywood Presbyterian Medical Center pays Crypto ransom, Glibc flaw follow-up, Error 53 follow-up and Steve details everything that has transpired since last week's "GRC is Down" episode.

  • S01E549 Your Questions, Steve's Answers 229

    • March 1, 2016
    • TWiT

    Steve Gibson tries to find a formal definition of a "backdoor." The ongoing Apple iPhone battle, iPhone passcode length helps a lot! So does not running as Admin under Windows, local network scanning tools, and Steve answers your questions!

  • S01E550 CacheBleed

    • March 8, 2016
    • TWiT

    Steve Gibson takes a look at the CacheBleed attack. A brief Apple decryption dispute update, the first Mac OS X ransomware strikes, will quantum computing mean the end of encryption? Verizon gets a barely noticeable slap on the wrist, Facebook missed a huge security hole, next-gen fingerprint spoofing with an inkjet printer, John McAfee, RSA, a wonderful Let's Encrypt milestone, and a look at the CacheBleed attack.

  • S01E551 Your Questions, Steve's Answers 230

    • March 15, 2016
    • TWiT

    Storing encrypted information in the cloud. Encryption - dispute or dispute? A specific IoT nightmare example, BleepingComputer gets sued and asks for help, a new and horrifying DDoS attack amplifier, Microsoft pushes Windows 10 even harder and Steve answers your questions!

  • S01E552 D.R.O.W.N.

    • March 22, 2016
    • TWiT

    Steve Gibson takes a closer look at the D.R.O.W.N. vulnerability & attack (and why security is hard!). FBI postpones today's court hearing, Matthew Green and four students poked a hole in iMessage, another side channel attack against mobile devices, massive malvertising campaign hits many major sites, Lenovo back in the dog house... again! 2016 Pwn2Own competition results, Android StageFright module even more unsafe than believed, and a closer look at the D.R.O.W.N. vulnerability & attack.

  • S01E553 Too Much News

    • March 29, 2016
    • TWiT

    Steve Gibson unveils his free tool to hold off that Windows 10 update: Never10! U.S. says it has unlocked the iPhone without Apple, California Assembly Bill AB-1681, was TrueCrypt originally created by an international arms dealer? A major flaw in the StartSSL Certificate Authority, two more hospitals hit with ransomware, a problem found in the SAMBA protocol, good news on the IoT device setup front, GRC's Never10 freeware, and Steve gives details on his new monster PC!

  • S01E554 Your Questions, Steve's Answers 231

    • April 5, 2016
    • TWiT

    IoT: Whose "lifetime" is a lifetime subscription? A quiet week gives us a chance to catch up on some listener feedback, a few words of caution about jumping in to the IoT gadget world too soon, Bruce Schneier on the FBI/Apple outcome, a bit of miscellany (some of it is amazing), ten great observations, comments and questions from our listeners.

  • S01E555 WhatsApp

    • April 12, 2016
    • TWiT

    Steve Gibson analyzes the Open Whisper "Signal" protocol that has been integrated into WhatsApp. BadLock, the latest draft of the Burr/Feinstein encryption bill, the iPhone FBI hack update, a worrisome architectural problem in Mozilla's Firefox extension handling, HTTPS gets a BIG new supporter, at least tens of thousands of commercial CCTV DVRs can be remotely hacked, Amazon is (was) selling a malware-infected Webcam system, and the results of Steve's deep dive into the security of WhatsApp.

  • S01E556 SMTP STS

    • April 19, 2016
    • TWiT

    A look at SMTP STS: a new specification to add Strict Transport Security (STS) to email. 60 Minutes exposé on the inter-provider SS7 signalling system, the future appears black for BlackBerry, quicksand for QuickTime, what was found in the decrypted San Bernardino phone, Threema vs WhatsApp vs Signal, and a look at SMTP STS: a new specification to add Strict Transport Security (STS) to email.

  • S01E557 Your Questions, Steve's Answers 232

    • April 26, 2016
    • TWiT

    Let's Encrypt certificate issuance update, the Net Snowden effect, the cost to unlock an (empty) iPhone, a clever AppLocker bypass to run any program, Opera's built in VPN announcement, TeslaCrypt ransomware updated again, fake DDoS extortionists, the U.S. launches first-ever public Cyberbomb at ISIS, DNSSEC and another reason to choose Hover and Steve answers your questions!

  • S01E558 Bit Con

    • May 3, 2016
    • TWiT

    The U.S. Congress passed a new eMail privacy act, Edward Snowden and Fareed Zakaria debate, the still unresolved fingerprint question, Android's continuing troubles with "Stagefright", Brazilian judge shuts down WhatsApp for three days, will the real Satoshi Nakamura please stand up? And Steve answers more of your questions!

  • S01E559 Dumb SmartThings

    • May 10, 2016
    • TWiT

    Today's Mega Patch Tuesday for Windows, closing the chapter on Dr. Craig Wright, Lenovo, Microsoft and Qualcomm all in separate doghouses, another fun bit on Curl bashing, the unintended consequences of "Terrorist Math," the Temperfect Mug finally arrives and a look at Samsung's not ready for prime time SmartThings.

  • S01E560 Z-Wave Goodbye

    • May 17, 2016
    • TWiT

    Steve's long love affair with Windows, the Oracle/Google JAVA API lawsuit, the pending registration of "burner" phones, surveillance microphones found in public areas, John McAfee and team cracks WhatsApp encryption? The Ring Doorbell may need another update, a security-related Kickstarter which Security Now listeners would never fall for, a controversial feature being removed from Windows 10, a worrisome and exploitable heap corruption in the popular 7-Zip application and a look at the Z-Wave Home Automation system.

  • S01E561 Your Questions, Steve's Answers 234

    • May 24, 2016
    • TWiT

    A surprising end to the Teslacrypt file encrypting malware, Google's plan to continue squeezing Flash off the web, anyone want 117 million (old) LinkedIn email messages and passwords? They're for sale. News of the technology underlying Google's new Allo messaging system, save Firefox and Steve answers listener questions!

  • S01E562 IoT Infancy (1)

    • May 31, 2016
    • TWiT

    Over-the-top Feinstein-Burr encryption bill dies in the Senate, Google's fair use API defense prevails, Google's increasing pressure on its Android partners, Bluecoat Systems obtains an Intermediate CA cert from Symantec/Verisign, the insecurity of add-on laptop bloatware and custom updating software, a promised update on SQRL and Rapid7's sobering analysis of Internet-connected baby monitors.

  • S01E563 IoT Infancy (2)

    • June 7, 2016
    • TWiT

    A "Reality-Check" timeout, a new 0-day Windows exploit on the market, a truly horrifying (and clever) chip-level exploit, yesterday's monthly Android Security Update, a sad side-effect of the GWX push, the LinkedIn breach apparently bites Mark Zuckerberg, Facebook plans to offer optional encryption for Messenger, five things that give self-driving cars headaches, a follow-up on SQRL's authentication management and some truly horrifying details of internet-connected baby monitor implementations.

  • S01E564 Your Questions, Steve's Answers 235

    • June 14, 2016
    • TWiT

    BlueCoat Systems gets a new parent, a bad Chrome bug you never knew you had, prolific hacker "Peace" has another 51 million account credentials to sell, LetsEncrypt's mass emailer reveals a fun bug, Visual Studio 2015 C++ compiler secretly inserts telemetry code into binaries and Steve answers your questions!

  • S01E565 Control-Flow Enforcement Technology (CET)

    • June 21, 2016
    • TWiT

    Palantir got owned - in a good way, confirmation of the danger of SMS as a 2nd factor, a frightening IoT camera experience, some confusion over the GotoMyPC full password reset, the machine under the machine: do our systems have a designed-in rootkit? And Steve takes a deep dive into Intel's forthcoming anti-hacking Control-Flow Enhancement Technology!

  • S01E566 Your Questions, Steve's Answers 236

    • June 28, 2016
    • TWiT

    One Windows update was expensive for Microsoft, a troubling court ruling about FBI hacking, hope for slow Windows 7 updates, Comodo drops to a new low level of slimy behavior, malware moves to pure JavaScript, stealing data by spinning your computer fans, a worrisome flaw found in most NetGear routers, and Steve answers your questions!

  • S01E567 Hacking Certificates

    • July 5, 2016
    • TWiT

    Leo and I catch up with another packed week of security news, including an update on mobile ransomware, the successful extraction of Android's full disk encryption (FDE) master keys, Google's Tavis Ormandy finds horrific flaws in all Symantec traffic analyzing software, a Brazilian judge is at it again with WhatsApp, this week's IoT horror story, some miscellany and errata, and finally a look at a horribly flawed attempt to copy Let's Encrypt automation of free SSL certificate issuance.

  • S01E568 Your Questions, Steve's Answers 237

    • May 12, 2016
    • TWiT

    Facebook Messenger adds "Secret Conversations", Putin vs. the Internet, the fate of Russian-based VPN endpoints, Russian hackers compromising iOS devices, Steve's follow-up to the Lenovo SMM hack, is sharing your Netflix password illegal? Post-quantum crypto testing in Chrome, reconsidering anti-virus add-ons, Pokemon Go woes, a possible defense against CryptoMalware and Steve answers five viewer questions from Twitter.

  • S01E569 Messenger, CryptoDrop & Riffle

    • July 19, 2016
    • TWiT

    Leo and I catch up with a fun and interesting week of security happenings, including a bit of daylight on the password sharing question, the trouble with self reporting security breaches, trouble in TOR-land, what future AI assistants mean for our privacy, a terrific looking new piece of security monitoring freeware, a startlingly worrisome 20-year-old fundamental Windows architectural design flaw, a problem with Juniper router's OS certificate validation, some errata, a bunch of miscellany, and the promised follow-up dissection of Facebook Messenger's extra features, the anti-ransomware CryptoDrop, and MIT's "Riffle" anonymity enforcing networking solution.

  • S01E570 Your Questions, Steve's Answers 238

    • July 26, 2016
    • TWiT

    Apple gets Stagefright, is Russia trying to influence the U.S. presidential election? Microsoft's battles and wins against U.S. privacy overreach, Grace Hopper (who coined the term "software bug") brilliantly demonstrates "a nanosecond", a bug-fix update to pfSense, a "doing it weird" look at the CUJO security appliance, and Steve answers your questions!

  • S01E571 Phishing & Filtering

    • August 2, 2016
    • TWiT

    Keysniffer: More fun with wireless keyboards. LastPass vulnerabilities, new wireless keyboard headaches, deprecating SMS as a second authentication factor, obtaining Windows 10 for free after July, the pervasive problem with website spoofing, and the power and application of multi-interface packet filtering.

  • S01E572 Defcon & Blackhat (1)

    • August 9, 2016
    • TWiT

    Does ZFS "Scrub" on a FreeNAS replace SpinRite? A distressing quantity of Win10 news, Apple's changing bug bounty policy, newly disclosed Android takeover flaws, yet another way to track web visitors, hackers spoof Tesla auto sensors, Firefox and LastPass news, a 19-year-old stubborn decision by Microsoft comes home to roost, and a handful of new problems found with HTTP.

  • S01E573 Memory & Micro Kernels

    • August 16, 2016
    • TWiT

    Did Microsoft really leak their secure boot "Golden Key?" AdBlock, unblock, counter-unblock, and counter-counter-unblock is well underway, Leo's story from the field about Avast A/V, a "security is hard to do" mistake in an update to the Internet's TCP protocol, Microsoft's evolving Windows Update policies, an uber-cool way for developers to decrypt and inspect their Firefox and Chrome local TLS traffic, trouble with Windows Identity leak mitigation, and discussion of micro kernels and Intel's forthcoming memory breakthrough!

  • S01E574 Routers & Micro Kernels

    • August 23, 2016
    • TWiT

    Did the Shadow Brokers hack the NSA's Equation Group? Apple's bug bounty gets quickly outbid, a critical flaw discovered in the RNG of GnuPG, the EFF weighs in on Windows 10, Chrome browser is frightening people unnecessarily, a Johns Hopkins team of cryptographers, including Matthew Green, disclose a weakness in Apple's iMessage technology, unused router hardware capabilities, what's a "Micro Kernel?" And more!

  • S01E575 Pegasus & Trident

    • August 30, 2016
    • TWiT

    The FBI has found evidence that two state election systems were attacked and hacked. Dropbox and Opera handle incidents responsibly, while a Chinese certificate authority could not have been more irresponsible. Facebook and WhatsApp announce an information sharing arrangement, the FBI discloses election site hacking, Tavis prepares DashLane and 1Password vulnerability disclosures, the threat of autonomous weapon systems and Wi-Fi router radio wave spying, the details behind Pegasus and Trident, the emergency Apple iOS v9.3.5 patch and more!

  • S01E576 Flip Feng Shui

    • September 6, 2016
    • TWiT

    Weaponizing RowHammer with "Flip Feng Shui" - the most incredibly righteous and sublime hack... ever! The continuing woes of WoSign, autonomous micro-recon drones turn out to be real, a new crypto attack on short block ciphers prompts immediate changes in OpenVPN and OpenSSL, introducing a new Security Now! Abbreviation: "YAWTTY": Yet Another Way To Track You, a discouraging social engineering experiment, another clever USB attack and a look at the weaponizing of RowHammer with "Flip Feng Shui" - the most incredibly righteous and sublime hack... ever!

  • S01E577 Your Questions, Steve's Answers 239

    • September 13, 2016
    • TWiT

    Is secure delete still necessary on a drive with whole disk encryption? Flip Feng Shui follow-up, Apple's announcements, Android's rough week, a bank's data center shuts down due to noise, Bluetooth device privacy leakages, and Steve answers your questions! We invite you to read our show notes.

  • S01E578 GRC's XSS Adventure

    • September 20, 2016
    • TWiT

    Steve Gibson recommends the best website security scanner. Concerns over a significant expansion in effectively warrantless intrusion into end-user computers, the forthcoming change in Internet governance, NTIA's contract with ICANN to handle IANA is expiring in ten days! Google's next move in using Chrome to push for improved security, the interesting details emerging from a successful NAND memory cloning attack on the iPhone 5c and Steve shares the details and findings of a recent Cross-Site Scripting (XSS) problem on GRC and his recommendation for the best website security scanner!

  • S01E579 DDoS, Breaches and Other Records To Be Broken

    • September 27, 2016
    • TWiT

    Brian Krebs, Akamai and Google's Project Shield, Yahoo's record-breaking, massive 500 million user data breach, Apple's acknowledged iOS 10 backup PBKDF flaw, well known teen hacker jailbreaks his new iPhone 7 in 24 hours, Microsoft formally allows removal of "Get Windows 10", a new OpenSSL SERVER DoS flaw, more WoSign/StartCom woes (Mozilla prepares to pull the plug), Bittorrent Sync renamed and more deeply documented, and more!

  • S01E580 Your Questions, Steve's Answers 240

    • October 4, 2016
    • TWiT

    What is the difference between HTTPS and HSTS? An "update" on Microsoft's GWX remover, an encouraging direction for the Windows 10 Edge browser, HP's "security update" blocks non-HP ink cartridges, a clarification about how to upgrade a site's password hashing, a really terrific DNS hack, another update on Windows update, our web browsers may be fatiguing our SSDs, and Steve answers your questions!

  • S01E581 Yahoo & Primal Worries

    • October 11, 2016
    • TWiT

    Yahoo security, $1.5 mil iPhone bug bounty, WoSign woes, trapdoored primes. Leo and Steve discuss today's Windows update changes for 7 and 8.1, an exploit purchaser offers a $1.5 million bounty for iOS hacks, WhisperSystems encounter first bug, an IEEE study reveals pervasive "Security Fatigue" among users, Firefox and Chrome news, following the WoSign Woes, Samsung Note 7 news, some errata, a bunch of miscellany... and a look into new Yahoo troubles and concerns over the possibility of hidden trapdoors in widely deployed prime numbers.

  • S01E582 Your Questions, Steve's Answers 241

    • October 18, 2016
    • TWiT

    Feds demand fingerprints to unlock phones, VeraCrypt audited, life in a simulation. Leo and Steve discuss some serious concerns raised over compelled biometric authentication, a detailed dive into the recently completed audit of VeraCrypt (the successor to TrueCrypt), more on web browsers fatiguing system main SSD storage, a bunch of interesting miscellany (including... are we living in a simulated reality?), and eleven questions and observations from our terrific listeners.

  • S01E583 DRAMMER

    • October 25, 2016
    • TWiT

    Last Week's Botnet DDoS, Linux "Dirty COW" bug, the DRAMMER exploit. Leo and Steve discuss last week's major attack on DNS, answering the question of whether the Internet is still working?, we look at Linux's worrisome "Dirty COW" bug rediscovered in the kernel after nine years, we address the worrisome average lifetime of Linux bugs, share a bit of errata and miscellany, and offer an in-depth analysis of DRAMMER, the new, largely unpatchable, Android mobile device Rowhammer 30-second exploit.

  • S01E584 Your Questions, Steve's Answers 242

    • November 1, 2016
    • TWiT

    Windows "Atom Bomb" exploit, side-channel attack on Intel processors, verifiable hacker-proof code. Leo and Steve discuss an oh-so-subtle side-channel attack on Intel processors, the quest for verifiable hacker-proof code (which oh-so-subtle side-channel attacks on processors can exploit anyway!), another compiler optimization security gotcha, the challenge of adding new web features without opening routes of exploitation, some good news about the DMCA, Matthew Green and the DMCA, the relentless MPAA and RIAA still pushing the limits and threatening the Internet, the secure ProtonMail service feels the frightening power of skewed search results, regaining control over Windows 10 upgrade insistence, a new 0-day vulnerability Google revealed before Microsoft has patched it, a bit of errata, miscellany and as many listener feedback questions and comments as we have time for.

  • S01E585 The Windows AtomBomb

    • November 8, 2016
    • TWiT

    LastPass goes mobile-free, MySQL patches, problems with OAuth, Windows Atombomb attack, and the open source LessPass app. Leo and I discuss the answer to last week’s security & privacy puzzler, Let's Encrypt Squarespace, the new open source "LessPass" app, LastPass goes mobile-free, many problems with OAuth, popular Internet services' privacy concerns, news from the IP spoofing front, Microsoft clarifies Win10 update settings and winds down EMET, a hacker finds a serious flaw in Gmail, MySQL patches need to be installed now, a tweet from Paul Thurrott, a bit of errata... and the Windows AtomBomb attack.

  • S01E586 The BlackNurse Attack

    • November 15, 2016
    • TWiT

    The BlackNurse Attack, PwnFest. Results from our listener's informal CAIDA spoofing testing. LessPass turned out to be even less than it appeared. Steve's day at Yubico. News from PwnFest & Mobile Pwn2Own. The probable elimination of Dark Matter. A new Wi-Fi field disturbance attack. A wacky Kickstarter "fingerprint" glove. The "BlackNurse" reduced-bandwidth DoS attack.

  • S01E587 Mobile & IoT Nightmares

    • November 22, 2016
    • TWiT

    Weaponized $5 Raspberry Pi. Samy Kamkar is back with a weaponized $5 RaspberryPI. "El Cheapo" Android phones bring new meaning to "Phoning it in". Watching a webcam getting taken over. Bruce Schneier speaks to Congress about the Internet. A(nother) iPhone Lockscreen Bypass and another iPhone lockup link. Ransomware author asks a security researcher for help fixing their broken crypto. Britain finally passed that very extreme surveillance law. Some more fun miscellany… and more!

  • S01E588 Your Questions, Steve's Answers 243

    • November 29, 2016
    • TWiT

    San Francisco Muni hacked. A wonderful quote about random numbers, our standard interesting mix of security do's and dont's, new exploits (WordPress dodged a big bullet!), planned changes, tips & tricks, things to patch, a new puzzle/game discovery, some other fun miscellany... and, finally! Ten comments, thoughts and questions from our terrific listeners!

  • S01E589 Your Questions, Steve's Answers 244

    • December 7, 2016
    • TWiT

    Gooligan breaches 1m Google accounts. Leo and Steve discuss Android meeting Gooligan, Windows Upgrades bypass Bitlocker, nearly one million UK routers taken down by a Mirai variant, the popular AirDroid app is "Doing it wrong", researchers invent a clever credit card disclosure hack, Cloudflare reports a new emerging botnet threat, deliberate backdoors discovered in 80 different models of Sony IP cameras, we get some closure on our SanFran MUNI hacker, a fun hack with Amazon's Echo and Google's Home, How to kill a USB port in seconds, a caution about keyless entry (and exit), too-easy-to-spoof fingerprint readers, an extremely troubling report from the UK, and finally some good news: the open-source covert USB hack defeating “BeamGun”!... plus a bunch of fun miscellany, some great Sci-Fi reader/listener book news, and... however many questions we're able to get to by the end of two hours!

  • S01E590 Your Questions, Steve's Answers 245

    • December 13, 2016
    • TWiT

    A Brilliantly Horrific New Ransomware Twist. This week, Leo and Steve discuss ticket-buying bots getting their hand slapped (do they have hands?), a truly nasty new addition to encrypting ransomware operation, a really dumb old problem returns to many recent Netgear routers, Yahoo!'s being too pleased with their bug bounty program, Steganometric advertising malware that went undetected for two years, uBlock Origin readies for a big new platform, what exactly is the BitDefender "BOX"? (We wish we knew!), VeraCrypt was audited... next up is OpenVPN! (Yay!), the definitive answer to the question of where Spock's thumb should be, Steve's new relaxing and endless puzzler, and... questions from our listeners!

  • S01E591 Law Meets Internet

    • December 20, 2016
    • TWiT

    1 Billion Yahoo Accounts Hacked. This week, Leo and Steve discuss Russia’s hacking involvement in the US Election; that, incredibly, it gets even worse for Yahoo!, misguided anti-porn legislation in South Carolina, troubling legislation from Australia, legal confusion from the Florida appellate court, some good news from the U.S. Supreme Court, Linux security stumbling, why Mac OS X got an important fix last week, the Steganography malvertising attack that targets home routers, news of a forthcoming inter-vehicle communications mandate, professional cameras being called upon to provide built-in encryption, LetsEncrypt gets a worrisome extension, additional news, errata, miscellany… and how exactly DOES that “I really really promise I'm not a robot (really!)” non-CAPTCHA checkbox CAPTCHA work?

  • S01E592 The Portable Dog Killer (2)

    • December 27, 2016
    • TWiT

    Steve Gibson tells how he built a device to solve a problem with a neighborhood dog. Steve Gibson tells how he built a device at 16 years old to solve a problem with a neighborhood dog. Original podcast date: May 13, 2010, Episode 248.

  • S01E593 I'm NOT a Robot! (Really)

    • January 3, 2017
    • TWiT

    The Internet of Tattling Things. Law enforcement and the Internet of Tattling things, a very worrisome new and widespread PHP eMail vulnerability, Paul and Mary Jo score a big concession from Microsoft, a six-year-old "hacker" makes the news, Apple discovers how difficult it is to make developers change, hyperventilation over Russian malware found on a power utility's laptop, the required length of high entropy passwords, more pain for Netgear, an update on the just finalized v1.3 of TLS, the EFF's growing "Secure" messaging scorecard, a bunch of fun miscellany... and how does that "I'm not a Robot" checkbox work?

  • S01E594 A Look Into PHP Malware

    • January 10, 2017
    • TWiT

    A TV station learns to be careful when saying the "A" word. The US Federal Trade Commission steps into the IoT and home networking malpractice world, a radio station learns a lesson in what words NOT to repeat, Google plans to even eliminate the checkbox, a crucial caveat to the "passwords are long enough" argument, more cause to be wary of third-party software downloads, a few follow-ups to last week's topics, a bit of miscellany and a close look at a well-known piece of PHP malware.

  • S01E595 What’s Up with WhatsApp?

    • January 17, 2017
    • TWiT

    WhatsApp's non-backdoor "backdoor". A classic bug at GoDaddy bypassed domain validation for 8850 issued certificates, could flashing a peace sign compromise your biometric data?, it's not only new IoT devices that may tattle, many autos have been able to for the past 15 years, McDonald's gets caught in a web security bypass, more famous hackers have been hacked, Google uses AI to increase image resolution, more on the value or danger of password tricks, and... does WhatsApp incorporate a deliberate crypto backdoor?

  • S01E596 Password Complexity

    • January 24, 2017
    • TWiT

    A phishing attack that uses a browser's autofill. Symantec issues additional invalid certificates while on probation, Tavis Ormandy finds a very troubling problem in Cisco's Web conferencing extension for Chrome, yesterday's important update to iOS, renewed concerns about LastPass metadata leakage, the SEC looks askance at what's left of Yahoo, a troubling browser form auto-fill information leakage, Tor further hides its hidden services, China orbits a source of entangled photons? Heartbleed three years later, a new take on compelling fingerprints, approaching the biggest Pwn2Own ever, some miscellany... and some tricks for computing password digit and bit complexity equivalence.

  • S01E597 Traitors In Our Midst

    • January 31, 2017
    • TWiT

    Robot is "Not a Robot," Netgear exploit. The best “I'm not a Robot” video ever, Cisco's WebEx problem is far more pervasive than first believed, more bad news (and maybe some good news) for Netgear, Gmail adds .js to the no-no list, a hotel finally decides to abandon electronic room keying, more arguments against the use of modern AV, another clever exploitable CSS browser hack, some (hopefully final) password complexity follow-ups, a bit of errata and miscellany, a SQRL status update, a "Luke... trust the SpinRite" story, and a very nice analysis of a little-suspected threat hiding among us.

  • S01E598 Two Armed Bandits

    • February 7, 2017
    • TWiT

    150,000 printers "pwned". Speak of the devil... printers around the world get hacked! Vizio's TVs really were watching their watchers, Windows has a new 0-day problem, Android's easy-to-hack pattern lock, an arsonist's pacemaker rats him out, a survey finds that many iOS apps are not checking TLS certificates, the courts create continuing confusion over eMail search warrants, a blast from the past: SQL Slammer appears to return, Cellebrite's stolen cell phone cracking data begins to surface, some worrisome events in the Encrypted Web Extensions debate, Non-Windows 10 users are not alone, a couple of questions answered, my report of a terrific Sci-Fi series, a bit of miscellany... and a fun story about one-armed bandits being hacked by two armed bandits.

  • S01E599 TLS Interception INsecurity

    • February 14, 2017
    • TWiT

    Uncontrolled TLS Interception. Patch Tuesday DELAYED (and we may know why!), our favorite ad-blocker embraces the last major browser, a university gets attacked by its own vending machines, PHP leaps into the future, a slick high-end Linux hack, the rise of fileless malware, some good advice for tax time, it's not only Android's pattern lock that's vulnerable to visual eavesdropping, what happens when you store a huge pile of Samsung Note 7's in one place?, some fun miscellany, a MUST NOT MISS science fiction TV series, a look at the growing worrisome security implications of uncontrolled TLS interception.

  • S01E600 The MMU Side-Channel Attack

    • February 21, 2017
    • TWiT

    Microsoft Patch Tuesday for February is cancelled! The story behind Microsoft's Patch Tuesday security update disaster. CyberX discovered a new large-scale cyber-reconnaissance operation targeting Ukraine targets: using vulnerabilities in Dropbox data traffic, DDL malware injection. Find out how easy it is to hack and steal an internet connected car. Chrome 56 update that hides connection certificate info. The future of Firefox add-ons. The lock screen of Win 10 leaking Clipboard contents. Project Zero's Windows flaw and NVIDIA Driver. pfSense and Ubiquity follow-ups. The MMU side-channel attack: it has nothing to do with chip flaws. ASLR will need your full attention.

  • S01E601 The First SHA-1 Collision

    • February 28, 2017
    • TWiT

    Cloudbleed vs. Cloudflare. This week, Leo and Steve discuss the "CloudBleed" adventure, another project zero 90-day timer expires for Microsoft, this week's IoT head-shaker, a New York airport exposes critical server data for a year, another danger created by inline third party TLS-intercepting "middleboxes", more judicial thrashing over fingerprint warrants, Amazon says no to Echo data warrant, a fun drone-enabled proof of concept is widely misunderstood, another example of A/V attack surface expansion, some additional Crypto education pointers and miscellany... and what does Google's deliberate creation of two SHA-1-colliding files actually mean?

  • S01E602 Let’s Spoof!

    • February 7, 2017
    • TWiT

    Why Amazon AWS S3 crashed the web. Countdown to March's patch Tuesday; what was behind Amazon's S3 outage? Why don't I have a cellular connectivity backup? Some additional Cloudflare perspective, Amazon to fight another day over their Voice Assistant's privacy, an examination of the top 9 Android password managers uncovers problems, another lifeless malware campaign found in the wild, security improvements in Chrome and Firefox, a proof of concept for BIOS ransomware, a how-to walk-through for return-oriented programming, a nifty new site scanning service, Matthew Green compares desktop and mobile security, a bunch of feedback quickies, an incredibly wonderful waste of time accomplishment, the future threat of deliberately fooling AI, and the dark side of automated domain validation certificate issuance.

  • S01E603 Vault 7

    • March 14, 2017
    • TWiT

    CIA Vault 7 Tools Analyzed. This week Steve and Leo discuss March's long-awaited patch Tuesday, the release deployment of Google Invisible reCaptcha, getting more than you bargained for with a new Android smartphone, the new "Find my iPhone" phishing campaign, the failure of Wi-Fi anti-tracking, a nasty and significant new hard-to-fix web server 0-day vulnerability, what if your ISP decides to unilaterally block a service you depend upon? Shining some much-needed light onto a poorly conceived end-to-end messaging application, two quick takes, a bit of errata and miscellany... and a look into what Wikileaks revealed about the CIA's data collection capabilities and practices.

  • S01E604 Taming Web Ads

    • March 21, 2017
    • TWiT

    Bye-Bye, Windows 7 Updates. This week Steve and Leo discuss developments in the new windows on old hardware front, Cisco finds a surprise in the Vault7 docs, Ubiquity was caught with the PHPs down, CheckPoint discovered problems in WhatsApp and Telegram, some interesting details about the long-running Yahoo breaches, the death of the "eBay Football", the latest amazing IoT insanity, the incredible results of the CanSecWest Pwn2Own competition, a classic "you're doing it wrong" example, Tavis pokes LastPass again, some miscellany and an interesting proposal about controlling web advertising abuse.

  • S01E605 Google -vs- Symantec

    • March 28, 2017
    • TWiT

    This week Steve and Jason discuss… Google’s Tavis Ormandy takes a shower, iOS gets a massive feature and security update, a new target for ‘Bot money harvesting appears, Microsoft suffers a rather significant user-privacy fail, the UK increases its communications decryption rhetoric, a worrisome vote in the US senate, NEST fails to respond to a researcher's report, this week in IoT nonsense, a fun quote of the week, a bit of miscellany, some quickie questions from our listeners, and a close look at the developing drama surrounding Google's enforcement of the Certificate Authority Baseline rules with Symantec.

  • S01E606 Proactive Privacy

    • April 4, 2017
    • TWiT

    Step-by-step digital privacy. This week Steve and Leo discuss another iOS update update, more bad news and some good news on the IoT front, the readout on Tavis Ormandy's shower revelation, more worrisome anti-encryption saber rattling from the EU, a look at a recent Edward Snowden tweet, Samsung's S8 mistake, a questionable approach to online privacy, celebrating the 40th anniversary of Alice and Bob, some quickie feedback loops from our listeners, and an update on Steve's projects.

  • S01E607 Proactive Privacy, Really!

    • April 11, 2017
    • TWiT

    Protecting your privacy as you surf online. This week Steve and Leo discuss Symantec finding 40 past attacks explained by the Vault7 document leaks, an incremental improvement coming to CA certificate issuance, Microsoft patches a 0-day Office vulnerability that was being exploited in the wild, what's a "BrickerBot"?, why you need a secure DNS registrar, This Week in IoT Tantrums, a head shaker from our "You really can't make this stuff up" department, the present danger of fake VPN services, an older edition of Windows reaches end-of-patch-life, some "closing the loop" feedback from our listeners, a bit of miscellany, and a comprehensive survey of privacy encroaching technologies and what can be done to limit their grasp.

  • S01E608 News & Feedback Potpourri

    • April 18, 2017
    • TWiT

    Stealing PINs, Fingerprint Sensors. This week Steve and Leo discuss another new side-channel attack on smartphone PIN entry (and much more), Smartphone fingerprint readers turn out to be far more spoofable than we had hoped. All Linux kernels prior to v4.5 are vulnerable to a serious remote network attack over UDP, a way to prevent Google from tracking the search links we click (and to allow us to copy the links from the search results), the latest NSA Vault7 data dump nightmare, the problem with punycode domains, four years after the public UPnP router exposure, looking closely at the mixed blessing of hiding WiFi access point SSID broadcasts, some miscellany, and then a collection of quick "Closing The Loop" follow-ups from last week's "Proactive Privacy" podcast.

  • S01E609 The Double Pulsar

    • April 25, 2017
    • TWiT

    DoublePulsar, Google Ad Blocking. This week Steve and Leo discuss how one of the NSA's Vault7 vulnerabilities has gotten loose, a clever hacker removes Microsoft's deliberate (and apparently unnecessary) block on Win7/8.1 updates for newer processors, Microsoft refactors multifactor authentication, Google to add native ad-blocking to Chrome… and what exactly *are* abusive ads?, Mastercard to build a questionable fingerprint sensor into their cards, are Bose headphones spying on their listeners? 10 worrisome security holes discovered in Linksys routers, MIT cashes out half of its IPv4 space, and the return of two meaner BrickerBots. Then some Errata, a bit of Miscellany, and, time permitting, some "Closing the Loop" feedback from our podcast's terrific listeners.

  • S01E610 Intel's Mismanagement Engine

    • May 2, 2017
    • TWiT

    A May Day Mayday for Intel. This week Steve and Leo discuss the long-expected remote vulnerability in Intel's super-secret motherboard Management Engine technology, exploitable open ports in Android apps, another IoT blows a suspect's timeline, newly discovered problems in the Ghostscript interpreter, yet another way for ISPs and others to see where we go, a new bad problem in the Edge browser, Chrome changes its certificate policy, an interesting new "Vigilante Botnet" is growing fast, a proposed solution to smartphone-distracted driving, Ransomware as a service, Net Neutrality heads back to the chopping block (again), an intriguing new service from Cloudflare, and the ongoing Symantec certificate issuance controversy. Then some fun errata, miscellany, and some closing-the-loop feedback from our terrific listeners.

  • S01E611 Go FCC Yourself

    • May 9, 2017
    • TWiT

    Intel AMT Horror, Net Neutrality. This week Steve and Leo discuss much more about the Intel AMT nightmare, Tavis and Natalie discover a serious problem in Microsoft's built-in malware scanning technology, Patch Tuesday, Google's Android patches, SMS 2-factor authentication breached, Google goes phishing, the emergence of ultrasonic device tracking, lots of additional privacy news, some errata and miscellany, actions US citizens can take to express their dismay over recent Net Neutrality legislation, and some quick closing the loop feedback from our terrific listeners.

  • S01E612 Makes You WannaCry

    • May 16, 2017
    • TWiT

    WannaCry Ransomware, FCC DDoS. This week Steve and Leo discuss an update on the FCC's Net Neutrality comments, the discovery of an active keystroke logger on dozens of HP computer models, the continuing loss of web browser platform heterogeneity, the OSTIF's just-completed OpenVPN security and practices audit, more on the dangers of using smartphones as authentication tokens, some extremely welcome news on the Android security front, long-awaited updated password recommendations from NIST, some follow-up errata, a bit of tech humor and miscellany, closing the loop with some listener feedback... then a look at last week's global explosion of the WannaCry worm.

  • S01E613 WannaCry Aftermath

    • May 23, 2017
    • TWiT

    WannaCry Aftermath, Hacking Trump. This week we examine a bunch of WannaCry follow-ups, including some new background, reports of abilities to decrypt drives, attacks on the Killswitch, and more. We also look at what the large StackOverflow site had to do to do HTTPS, the Wi-Fi security of various properties owned by the US president, more worrisome news coming from the UK's Theresa May, the still sorry state of certificate revocation, are SSDs also subject to RowHammer-like attacks? Some miscellany, and closing the loop with our listeners.

  • S01E614 Vulnerabilities Galore!

    • May 30, 2017
    • TWiT

    Chipotle Hack, Malware Subtitles. This week we discuss a new non-eMail medium for spear phishing, Chipotle can't catch a break, social engineering WannaCry exploits on Android, video subtitling now able to take over our machines, a serious Android UI design flaw that Google appears to be stubbornly refusing to address, Linux gets its own version of WannaCry, another dangerous NSA exploit remains unpatched and publicly exploitable on WinXP and Server 2003 machines, a look at 1Password's brilliant and perfect new "Travel Mode", Google extends its ad-tracking into the offline world, some follow-ups, miscellany, and closing-the-loop feedback from our terrific listeners... concluding with my possibly useful analogy to explain the somewhat confusing value of open versus closed source.

  • S01E615 Legacy's Long Tail

    • June 6, 2017
    • TWiT

    OneLogin Breach, Hacking Submarines. This week we discuss an embarrassing high-profile breach of an online identity company, an over-hyped problem found in Linux's sudo command, the frightening software used by the UK's Trident nuclear missile submarine launch platforms, how emerging nations prevent high school test cheating, another lesson about the danger of SMS authentication codes, another worrisome SHODAN search result, high-penetration dangerous adware from a Chinese marketer, another "that's not a bug" bug in Chrome allowing websites to surreptitiously record audio and video without the user's knowledge, the foreseeable evolution of hybrid crypto-malware, the limp return of Google Contributor, Google continues to work on end-to-end eMail encryption, a follow-up on straight-to-voicemail policy, “Homomorphic Encryption” (what the heck is that?), and "closing the loop" follow up from recent discussions.

  • S01E616 Things Are Getting Worse

    • June 13, 2017
    • TWiT

    Social media malware, Russia is hacking through AMP, Bitcoin malware. This week we discuss clever malware hiding its social media communications, the NSA documents the Russian election hacking two-factor authentication bypass, meanwhile, other Russian attackers leverage Google's own infrastructure to hide their spoofing, Tavis finds more problems in Microsoft's anti-malware protection, a cryptocurrency-stealing malware, more concerns over widespread Internet-connected camera design, malware found to be exploiting Intel's AMT motherboard features, the new danger of mouse cursor hovering, Apple's iCloud sync security claims, Azure changes their CA, a bunch of catch-up miscellany and a bit of closing the loop feedback from our listeners.

  • S01E617 When Governments React

    • June 20, 2017
    • TWiT

    Governments Want Web Security Keys. This week we discuss France, Britain, Japan, Germany & Russia each veering around in their Crypto Crash Cars, Wikileaks' Vault7 reveals widespread CIA WiFi router penetration, why we can no longer travel with laptops, HP printer security insanity, how long are typical passwords?, Microsoft to kill off SMBv1, the all-time mega ransomware payout, Google to get into the whole-system backup business, hacking PCs with "Vape Pens", a bit of miscellany, and a bunch of Closing the Loop feedback with our terrific listeners.

  • S01E618 Research: Useful and Otherwise

    • June 27, 2017
    • TWiT

    Crypto in a Lightbulb. This week we discuss another terrific NIST initiative, RSA crypto in a quantum computing world, Cisco's specious malware detection claims, the meaning of post-audit OpenVPN bug findings, worrisome bugs revealed in Intel's recent Skylake and KabyLake processors, the commercialization of a malware technique, WannaCry keeps resurfacing, LinkSys responds to the CIA's Vault7 CherryBomb firmware, another government reacts to encryption, the NSA's amazing Github repository, more news about HP printer auto-updating, a piece of errata, some miscellany, and some closing the loop feedback from our listeners.

  • S01E619 All the Usual Suspects

    • July 11, 2017
    • TWiT

    W3C adds DRM to HTML5, Facebook can track logged out users, jailbreaking drones and more! This week we have all the usual suspects: Governments regulating their citizenry, evolving Internet standards, some brilliant new attack mitigations and some new side-channel attacks, browsers responding to negligent certificate authorities, specious tracking lawsuits, flying device jailbreaking, more IoT tomfoolery, this week's horrifying Android vulnerability, more Vault7 CIA Wikileaks, a great tip about controlling the Internet through DNS... and even more! In other words, all of the usual suspects! (And two weeks until our annual BlackHat exploit extravaganza!)

  • S01E620 Calm Before the Storm

    • July 18, 2017
    • TWiT

    MySpace Hack, Net Neutrality. This week, while waiting for news from the upcoming BlackHat & DefCon conventions, we discuss another terrific security eBook bundle offer, a Net Neutrality follow-up, a MySpace account recovery surprise, another new feature coming to Win10, the wrongheadedness of paste-blocking web forms, Australia versus the laws of math, does an implanted pacemaker meet the self-incrimination exemption?, an updated worst-case crypto-future model, it's surprising what you can find at a flea market, another example of the consumer as the product, an SQRL technology update, and some closing-the-loop feedback from our terrific listeners.

  • S01E621 Crypto Tension

    • July 25, 2017
    • TWiT

    Arresting ethical hackers, Verizon caught violating Title II, Roomba maker wants to sell maps of your home. We start off this week with a fabulous picture of the week and for the first time in this podcast's 12-year history, our first quote of the week. Then we'll be discussing the chilling effects of arresting ethical hackers, the upcoming neutrality debate congressional hearing, something troubling encountered at McAfee.com, an entirely new IoT nightmare you couldn't have seen coming and just won't believe, the long-awaited Adobe Flash end-of-life schedule, welcome performance news for Firefox users, the FCC allocates new sensor spectrum for self driving cars, three bits of follow-up errata, a bit of miscellany, and then: "Crypto Tension" -- a careful look at the presently ongoing controversy surrounding the deliberate provisioning of passive eavesdropping decryption being seriously considered for inclusion in the forthcoming TLS v1.3 standard.

  • S01E622 Hack the Vote

    • August 1, 2017
    • TWiT

    DEF CON Antics, Facebook Kills AI. This week we look at the expected DEF CON fallout including the hacking of US election voting machines, Microsoft's enhanced bug bounty program, the wormification of the Broadcom WiFi firmware flaw, the worries when autonomous AI agents begin speaking in their own language which we cannot understand, Apple's pulling VPN clients from its Chinese app store, a follow-up on iRobot's floor plan mapping intentions, some news on the Chrome browser front, the 18th Vault-7 Wikileaks dump, and some closing-the-loop feedback from our terrific podcast followers.

  • S01E623 Inching Forward

    • August 8, 2017
    • TWiT

    DigiCert, LastPass, IoT Security. This week we discuss and look into DigiCert's acquisition of Symantec's certificate authority business unit, LogMeIn's LastPass Premium price hike, the troubling case of Marcus Hutchins' post-Defcon arrest, another instance of WannaCry-style SMBv1 propagation, this week's horrific IoT example, some hopeful IoT legislation, the consequences of rooting early Amazon Echoes, the drip drip drip of Wikileaks Vault 7 drips again, Mozilla's VERY interesting easy-to-use secure large file encrypted store and forward service, the need to know what your VPN service is really up to, a bit of errata, miscellany, and some closing-the-loop feedback from our always-attentive terrific listeners.

  • S01E624 Twelve and Counting

    • August 15, 2017
    • TWiT

    Password Rules Changes. This week we have a Marcus Hutchins update, the backstory on the NIST's rewrite of their 15-year-old password guidance, can DNA be used to hack a computer? Can stop sign graffiti be used to misdirect autonomous vehicles?, the final nail in the WoSign/StartCom coffin, why we need global Internet policy treaties, this week in "researchers need protection", a VPN provider who is doing everything right, Elcomsoft's password manager cracker, a bit of errata and miscellany... and some closing the loop feedback from this podcast's terrific listeners.

  • S01E625 Security Politics

    • August 22, 2017
    • TWiT

    Marcus Hutchins drama update, Apple's Secure Enclave decryption key, rating "Terms of Service". This week we discuss the continuing Marcus Hutchins drama, the disclosure of a potentially important Apple secret, a super-cool website and browser extension our listeners are going to appreciate, trouble with extension developers being targeted, a problem with the communication bus standard in every car, an important correction from Elcomsoft, two 0-days in Foxit's PDF products, Lava lamps for entropy, the forthcoming iOS 11 TouchID kill switch, very welcome Libsodium audit results, a mistake in AWS permissions, a refreshingly forthright security statement, a bit of errata, miscellany, and a few closing the loop bits from our terrific listeners!

  • S01E626 Shattering Trust

    • August 29, 2017
    • TWiT

    CIA Hacks FBI & NSA. This week we cover a bit of the ongoing drama surrounding Marcus Hutchins, examine a reported instance of interagency hacking, follow the evolving market for 0-day exploits, examine trouble arising from the continued use of a deprecated Apple security API, discover that Intel's controversial platform management engine can, after all, be disabled, look into another SMS attack, bring note to a nice looking TOTP authenticator, recommend an alternative to the shutting-down CrashPlan, deal with a bit of errata and miscellany, then we look into an interesting bit of research which invokes "The Wrath of Kahn".

  • S01E627 Sharknado

    • September 5, 2017
    • TWiT

    SharknAT&To Zero Day Hack. (Although there are an unbelievable FIVE Sharknado movies, this will be the first and last time we use that title for a podcast!) This week we have another update on Marcus Hutchins, we discuss the validity of Wikileaks documents, the feasibility of rigorously proving software correctness, nearly half a million people need to get their body's firmware updated, another controversial CIA project exposed by Wikileaks, a careful analysis of the FCC's Title II Net Neutrality public comments, a neat two factor auth tracking site, the stupid patent of the month, an example of a vanity top level domain, a bit of errata, where did SpinRite come from?, and ... utterly unconscionable security mistakes made by AT&T in their line of U-Verse routers.

  • S01E628 Equifax Fiasco

    • September 12, 2017
    • TWiT

    Biggest. Security Leak. Ever. This week we discuss last Friday's passing of our dear friend and colleague Jerry Pournelle, when AI is turned to evil purpose, whether and when Google's Chrome browser will warn of man in the middle attacks, why Google is apparently attempting to patent pieces of a compression technology they did not invent, another horrifying router vulnerability disclosure -- including ten 0-day vulnerabilities, an update on the sunsetting of Symantec's CA business unit, another worrying failure at Comodo, a few quick bits, an update on my one commercial product SpinRite, answering a closing the loop question from a listener, and a look at the Equifax fiasco.

  • S01E629 Apple Bakes Cookies

    • September 19, 2017
    • TWiT

    Equifax, EFF vs W3C, CCleaner. This week Padre and Steve discuss what was up with Security Now's recent audio troubles, more on the Equifax Fiasco, the EFF & Cory Doctorow weigh in on forthcoming browser encrypted media extensions (EME), an emerging browser-based payment standard, when 2-factor is not 2-factor, the CCleaner breach and what it means, a new Bluetooth-based attack, an incredibly welcome and brilliant cookie privacy feature in iOS 11, and a heads-up caution about the volatility of Google's Android smartphone cloud backups.

  • S01E630 The Great DOM Fuzz-Off

    • September 26, 2017
    • TWiT

    Did China Attack Equifax? CCleaner breach, DOM fuzzing at Google's Project Zero. This week, Father Robert and Steve follow more Equifax breach fallout, look at encryption standards blowback from the Edward Snowden revelations, examine more worrisome news of the CCleaner breach, see that ISPs may be deliberately infecting their own customers, warn that turning off iOS radios doesn't, look at the first news of the FTC's suit against D-Link's poor security, examine a forthcoming Broadcom GPS chip's features, warn of the hidden dangers of high-density barcodes, discuss Adobe's disclosure of their own private key, close the loop with our listeners, and examine the results of DOM fuzzing at Google's Project Zero.

  • S01E631 Private Contact Discovery

    • October 3, 2017
    • TWiT

    Moxie Marlinspike and Signal. This week we discuss some aspects of iOS v11, the emergence of browser hijack cryptocurrency mining, new information about the Equifax hack, Google security research and Gmail improvements, breaking DKIM without breaking it, concerns over many servers in small routers and aging unpatched motherboard EFI firmware, a new privacy leakage bug in IE, a bit of miscellany, some long-awaited closing the loop feedback from our listeners, and a close look at a beautiful piece of work by Moxie & Co on Signal.

  • S01E632 The DNSSEC Challenge

    • October 10, 2017
    • TWiT

    Domain Name System SECurity Extensions. This week we take a look at a well-handled breach-response at Disqus, a rather horrifying mistake Apple made in the implementation of their APFS encryption (and the difficulty to the user of fully cleaning up after it), the famous "robots.txt" file gets a brilliant new companion, somewhat shocking news about Windows XP... or is it? Firefox EOL for Windows XP support coming next summer, the sage security thought for the day, an update on "The Orville", some closing the loop comments, including a recommendation of the best Security Now series we did in the past... and finally, a look at the challenge of DNSSEC.

  • S01E633 KRACKing WiFi

    • October 17, 2017
    • TWiT

    KRACK and ROCA. This week, we examine ROCA's easily factorable public keys, the surprising prevalence of web-based cryptocurrency mining, some interesting work in iOS password dialog spoofing, Google's Advanced Protection Program, some good "Loopback" comments from our listeners... and then we take a close look at KRACK - the Key Reinstallation AttaCK against ALL unpatched WiFi systems.

  • S01E634 IoT Flash Botnets

    • October 24, 2017
    • TWiT

    The Next Big IoT Botnet. This week we discuss some ROCA fallout specifics, an example of PRNG misuse, the Kaspersky Lab controversy, a DNS security initiative for Android, another compromised download occurrence, a browser-based cryptocurrency miner for us to play with... and Google considering blocking them natively, other new protections coming to Chrome, an update on Marcus Hutchins, Microsoft's "TruePlay" being added to the Win10 fall creators update, some interesting "Loopback" from our terrific listeners... and then we take a closer look at the rapidly growing threat of IoT-based "Flash Botnets."

  • S01E635 Reaper Redux

    • November 1, 2017
    • TWiT

    An update on the Reaper botnet. This week we examine the source of WannaCry, a new privacy feature for Firefox, Google's planned removal of HPKP, the idea of visual objects as a second factor, an iOS camera privacy concern, the CAPTCHA wars, a horrifying glimpse into a non-Net Neutrality world, the CoinHive DNS hijack, the new Bad Rabbit crypto malware, a Win10 anti-crypto malware security tip, spying vacuum cleaners, a new Amazon service, some loopback Q&A with our listeners and another look at the Reaper botnet.

  • S01E636 ROCA Pain

    • November 7, 2017
    • TWiT

    ROCA Crypto Key Flaw Even Worse. This week we discuss the inevitable dilution in the value of code signing, a new worrisome cross-site privacy leakage, is Unix embedded in all our motherboards? The ongoing application spoofing problem, a critical IP address leakage vulnerability in TOR and the pending major v3 upgrade to TOR, a Signal app for ALL our desktops, an embarrassing and revealing glitch in Google Docs, bad behavior by an audio driver installer, a pending RFC for IoT updating, two reactions to Win10 Controlled Folder Access, a bit of miscellany, some closing the loop with our listeners, and, three weeks after the initial ROCA disclosure I'm reminded of two lines from the movie "Serenity": Assassin:"It's worse than you know." Mal:"It usually is."

  • S01E637 Schneier on Equifax

    • November 14, 2017
    • TWiT

    Mr. Schneier Goes to Washington. This week we discuss why Steve won't be relying upon Face ID for security, a clever new hack of longstanding NTFS and Windows behavior, the Vault8 WikiLeaks news, the predictable resurgence of the consumer device encryption battle, a new and clever data exfiltration technique, new anti-Malware features coming to Chrome, an unbelievable discovery about access to the IME in Skylake and subsequent Intel chipsets, a look at who's doing the unauthorized cryptomining, WebAssembly is ready for prime time, a bit of miscellany, some closing the loop feedback with our listeners... and then we share Bruce Schneier's congressional testimony about the Equifax breach.

  • S01E638 Quad Nine

    • November 21, 2017
    • TWiT

    Quad 9 is the New DNS Hotness. This week we discuss Windows having a birthday, Net Neutrality about to succumb to big business despite a valiant battle, Intel's response to the horrifying JTAG over USB discovery, another surprising AWS public bucket discovery, Android phones caught sending position data when all permissions are denied, many websites found to be watching their visitors' actions, more Infineon ID card upset, the return of BlueBorne, a new arrival to our "Well... THAT didn't take long" department, speedy news for Firefox 57, some miscellany, listener feedback, and a look at the very appealing and speedy new "Quad9" alternative DNS service.

  • S01E639 News & Feedback

    • November 28, 2017
    • TWiT

    Hide Your Mac! This week we discuss a new bad bug found in the majority of SMTP mailing agents, 54 high-end HP printers found to be remotely exploitable, more than 3/4ths of 433,000 websites are using vulnerable JavaScript libraries, horrible free security software, some additional welcome Firefox news, a bit of errata, some fun miscellany, and a BUNCH of feedback from our listeners including reactions to last week's Quad 9 recommendation.

  • S01E640 More News & Feedback

    • December 5, 2017
    • TWiT

    Apple Snafu, FB Wants Your Pix. This week we discuss the long-awaited end of StartCom & StartSSL, inside last week's macOS passwordless root account access and problems with Apple's patches, the question of Apple allowing 3D facial data access to apps, Facebook's new and controversial use of camera images, in-the-wild exploitation of one of last month's patched Windows vulnerabilities, an annoying evolution in browser-based cryptocurrency mining, exploitation of Unicode in email headers, Google's advancing protection for Android users, a terrific list of authentication dongle-supporting sites and services, Mirai finds another 100,000 exposed ZyXEL routers, Google moves to reduce system crashes, a bit of miscellany including another security-related Humble Bundle offering and some closing the loop feedback from our terrific listeners.

  • S01E641 The iOS Security Trade-off

    • December 12, 2017
    • TWiT

    iOS Jailbreak, Cryptocurrency Woes. This week we discuss the details behind the "USB / JTAG takeover" of Intel's Management Engine, a rare Project Zero discovery, Microsoft's well-meaning but ill-tested IoT security project, troubles with EV certs, various Cryptocurrency woes, a clever DNS spoofing detection system, a terrific guide to setting up the EdgeRouterX for network segmentation, last week's emergency out-of-cycle patch from Microsoft, a mitigated vulnerability in Apple's Homekit, Valve's ending of Bitcoin for Steam purchases, finally some REALLY GOOD news in the elusive quest for encrypted eMail, a bit of miscellany, some closing the loop feedback with our listeners, and a look at the security sacrifice Apple made in the name of convenience... and what it means.

  • S01E642 BGP

    • December 19, 2017
    • TWiT

    Border Gateway Protocol Security. This week we examine how Estonia handled the Infineon crypto bug, two additional consequences of the pressure to maliciously mine cryptocurrency, 0-day exploits in the popular vBulletin forum system, Mozilla in the doghouse over Mr. Robot, Win10's insecure password manager mistake, when a legacy protocol comes back to bite us, a hole to bulk-steal any Chrome user's entire stored password vault... and we finally know where and why the uber-potent Mirai botnet was created, and by whom. We also have a bit of errata and some fun miscellany... then we're going to take a look at BGP, another creaky yet crucial -- and vulnerable -- protocol that glues the global Internet together.

  • S01E643 The Story of Bitcoin

    • December 26, 2017
    • TWiT

    How Bitcoin works. In this special rebroadcast of Security Now from February 9, 2011, Steve Gibson explains, in detail, exactly how Bitcoin works.

  • S01E644 NSA Fingerprints

    • January 2, 2018
    • TWiT

    Betrayed by Our Browser's AutoFill. This week we discuss a new clever and disheartening abuse of our browser's handy-dandy username and password autofill, some recent and frantic scurrying around by many OS kernel developers, a just-released macOS 0-day allowing full local system compromise, another massively popular router falls to the IoT botnets, even high-quality IoT devices have problems, the evolution of adblocking and countermeasures, an important update for Mozilla's Thunderbird, a bit of miscellany, listener feedback, and an update on the NSA's possible intervention into secure encryption standards.

  • S01E645 The Speculation Meltdown

    • January 9, 2018
    • TWiT

    Meltdown and Spectre Explained. This week, before we focus upon the industry-wide catastrophe enabled by precisely timing the instructed execution of all contemporary high-performance processor architectures... we examine a change in Microsoft's policy regarding non-Microsoft A/V systems, Firefox Quantum's performance when tracking protections are enabled, the very worrisome hard-coded backdoors in ten of Western Digital's MyCloud drives, and if at first (WEP) and at second (WPA) and at third (WPA2) and at fourth (WPS), you don't succeed... try, try, try, try, try yet again... with WPA3... another crucial cryptographic system being developed by a closed, members-only, committee.

  • S01E646 The InSpectre

    • January 16, 2018
    • TWiT

    Steve Gibson explains his "InSpectre" utility for Meltdown and Spectre. This week we discuss more trouble with Intel's AMT, what does Skype's use of Signal really mean, the UK's data protection legislation gives researchers a bit of relief, the continuing winding down of HTTP, "progress" on the development of Meltdown attacks, Google successfully tackles the hardest-to-fix Spectre concern with a Return Trampoline, some closing the loop feedback with our terrific listeners, and the evolving landscape of Meltdown and Spectre, including Steve's just completed "InSpectre" test & explanation utility.

  • S01E647 The Dark Caracal

    • January 23, 2018
    • TWiT

    State-sponsored Cyber Espionage. The Meltdown and Spectre vulnerabilities continue to dominate the week’s news. So we’ll first catch up with what's new there, then discuss the new Net Neutrality violation detection apps that are starting to appear, a new app and browser plug-in from the search privacy provider DuckDuckGo, a bit of welcome news from Apple's Tim Cook about their planned response to the iPhone battery-life and performance debacle, a bit of errata and some feedback from our terrific listeners. Then we take a look into a state-level, state-sponsored, worldwide, decade-long cyber espionage campaign which the EFF and Lookout Security have dubbed: Dark Caracal.

  • S01E648 Post Spectre?

    • January 30, 2018
    • TWiT

    Spectre Keeps on Giving. This week we discuss continuing Spectre updates, how not to treat Tavis Ormandy, a popular dating app where you'd really hope for HTTPS but be surprised to find it missing, the unintended consequences of global posting of fitness tracking data, gearing up (or not) for this year's voting machine hack'fest, another record broken by a cryptocurrency exchange heist, bad ads and fake ads, the unclear fate of the BSD operating systems, a caution about Dark Caracal's CrossRAT Trojan, another way to skin the Net Neutrality cat, a bit of errata and miscellany, one of the best SpinRite testimonials in a long time, and some closing the loop feedback from our terrific listeners.

  • S01E649 Meltdown & Spectre Emerge

    • February 6, 2018
    • TWiT

    Meltdown & Spectre in the Wild. This week we observe that the Net Neutrality battle is actually FAR from lost, ComputerWorld’s Woody Leonhard enumerates a crazy January of updates, "EternalBlue" is turning out to be far more eternal than we'd wish, will Flash EVER die? A new 0-day Flash exploit in the wild, what happens when you combine Shodan with Metasploit?, Firefox 59 takes another privacy enhancing step forward, a questionable means of sneaking data between systems, another fun SpinRite report from the field, some closing the loop feedback from our listeners, and a look at the early emergence of Meltdown and Spectre exploits appearing in the wild.

  • S01E650 CryptoCurrency Antics

    • February 13, 2018
    • TWiT

    5 Interesting CryptoCurrency Tales. This week we discuss today's preempted 2nd Tuesday of the month, slow progress on the Intel Spectre firmware update front, a worse-than-originally-thought Cisco firewall appliance vulnerability, the unsuspected threat of hovering hacking drones, hacking at the Winter Olympics, Kaspersky's continuing unhappiness, the historic leak of Apple's iOS boot source code, a critical WiFi update for some Lenovo laptop users, a glitch at WordPress, a bit of miscellany -- including a passwords rap -- some closing-the-loop feedback from our listeners... and then a look at a handful of CryptoCurrency Antics.

  • S01E651 Russian Meddling Technology

    • February 20, 2018
    • TWiT

    How Russia's 2016 election information warfare worked. This week we examine and discuss the appearance of new forms of Meltdown and Spectre attacks, the legal response against Intel, the adoption of new cybersecurity responsibility in New York, some more on Salon and authorized crypto mining, more on software cheating auto emissions, a newly revealed instance of highly profitable mal-mining, checking in on Let's Encrypt's steady growth, the first crack of Windows' uncrackable UWP system, Apple's whacky Telugu Unicode attacks, a frightening "EternalBlue" experiment, another aspect of crypto mining annoyance, a note now that Chrome's new advertising controls are in place, a bit of closing the loop with our listeners. And then we conclude with a look at the technology that was revealed in last week's indictment of election meddling Russians... and from a practical technology standpoint, the feasibility of anything changing.

  • S01E652 WebAssembly

    • February 27, 2018
    • TWiT

    iPhones Hacked, Android P Security. This week we discuss Intel’s Spectre & Meltdown microcode update, this week in crypto jacking, Tavis strikes again, Georgia on my mind (and not in a good way), news from the iPhone hackers at Cellebrite, Apple to move its Chinese customer data, e-Passports? Not really, Firefox 60 loses a feature, the IRS, and cryptocurrencies, Android P enhances Privacy, malicious code signing news, a VERY cool Cloudfront/Troy Hunt hack, a bit of errata, miscellany, and closing the loop feedback from our terrific listeners, and a closer look at WebAssembly.

  • S01E653 MemCrashed

    • March 6, 2018
    • TWiT

    Biggest. DDoS. Ever. This week we discuss some very welcome microcode news from Microsoft, ten (yes, ten!) new 4G LTE network attacks, the battle over how secure TLS v1.3 will be allowed to be, the incredible Trustico certificate fiasco, the continually falling usage of Adobe Flash, a new and diabolical cryptocurrency-related malware, the best Sci-Fi news in a LONG time, some feedback from our terrific listeners... and a truly record smashing (and not in a good way) new family of DDoS attacks.

  • S01E654 AMD Chipset Disaster

    • March 13, 2018
    • TWiT

    AMD Security Flaws, DDoS Attacks. This week we discuss the just-released news of major trouble for AMD's chipset security, ISPs actively spreading state-sponsored malware, Windows 10 S coming soon, a large pile of cryptocurrency mining-driven shenanigans, tomorrow's Pwn2Own competition start, surprising stats about Spam botnet penetration, and a week #2 update on the new Memcached DDoS attacks.

  • S01E655 Pwn2Own 2018

    • March 20, 2018
    • TWiT

    AMD Flaws, Pwn2Own winners. This week we discuss the aftermath of CTS Labs' abrupt disclosure of flaws in AMD's outsourced chipsets, Intel's plans for the future and their recent microcode update news, several of Microsoft's recent announcements and actions, the importance of testing... in this case VPNs; the first self-driving automobile pedestrian death, a SQRL update, a bit of closing the loop feedback with our listeners, and a look at the outcome of last week's annual Pwn2Own hacking competition.

  • S01E656 TLS v1.3 Happens

    • March 27, 2018
    • TWiT

    Election Security, CLOUD Act. The mess with US voting machines, technology's inherent security vs convenience tradeoff, the evolving 2018 global threat landscape, welcome news on the bug bounty front from Netflix and Dropbox, we have the interesting results of Stack Overflow's 8th annual survey of 101,592 developers, worrisome news on the US government data overreach front, some useful and important new web browser features, messenger app troubles, a CRITICAL Drupal update coming tomorrow, some welcome news for DNS security & privacy, a bit of miscellany and a look at the just-ratified TLS v1.3.

  • S01E657 ProtonMail

    • April 3, 2018
    • TWiT

    Secure Email, 1.1.1.1. This week we discuss "DrupalGeddon2", Cloudflare's new DNS offering, a reminder about GRC's DNS Benchmark, Microsoft's Meltdown meltdown, the persistent iOS QR Code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new eMail initiative, Free electricity, a policy change at Google's Chrome store, another "please change your passwords" after another website breach, a bit of miscellany, a heart-warming SpinRite report, some closing the loop feedback from our terrific listeners, and a closer look at the Swiss encrypted ProtonMail service.

  • S01E658 Deprecating TLS 1.0 & 1.1

    • April 10, 2018
    • TWiT

    Spectre, Net Neutrality, Kill TLS 1.0. This week we discuss Intel's big Spectre microcode announcement, Telegram is not long for Russia, the US law enforcement's continuing push for "lawful decryption", more state-level net neutrality news, Win10's replacement for "Disk Cleanup", a bug bounty policy update, some follow-up to last week's Quad-1 DNS conversation, why clocks had been running slow throughout Europe... then a look at the deprecation of earlier versions of TLS and a big Cisco mistake.

  • S01E659 Never a Dull Moment

    • April 17, 2018
    • TWiT

    AMD vs Spectre, Telegram vs Russia. This week we discuss AMD's release of their long-awaited Spectre variant 2 microcode patches, the end of Telegram messenger in Russia, the on-time arrival of Drupalgeddon2, Firefox and TLS v1.3, the new and widespread UPnProxy attacks, Microsoft's reversal on no longer providing Windows security updates without A/V installed, Google Chrome's decision to prematurely remove HTTP cookies, the Android "patch gap", renewed worries over old and insecure Bitcoin crypto, new attacks on old IIS, a WhatsApp photo used for police forensics, and an IoT vulnerability from our "you can't make this stuff up" department.

  • S01E660 Azure Sphere

    • April 23, 2018
    • TWiT

    IoT Security. This week we discuss Drupalgeddon2 continuing to unfold right on plan, the Orangeworm takes aim at medical equipment and companies, the FDA moves forward on requiring device updates, Microsoft leads a new Cybersecurity Tech Accord, another instance of loud noises and hard drives not mixing, considerations for naming your WiFi network, the unappreciated needs of consumer routers, Google's new unencrypted messaging app push, Amazon pulls the trigger on "in-car" package delivery, the first puzzle recommendation in a long time, and Microsoft's move to secure the IoT space.

  • S01E661 Securing Connected Things

    • May 1, 2018
    • TWiT

    IoT Security Complications. Windows 10 got a new spring in its step, Microsoft further patches Intel microcode, even the UK's NHS plans to update, another hack of modern connected autos, Oracle's botched WebLogic patch, an interesting BSOD-on-demand Windows hack, a PDF credentials theft hack (which Adobe won't fix), your Echo may be listening to you, a powerful Hotel keycard hack, a bit of errata and feedback, and a discussion of another Microsoft-driven security initiative.

  • S01E662 Spectre - NextGen

    • May 8, 2018
    • TWiT

    Russia v Telegram, New Spectre Bug. This week we begin by updating the status of several ongoing security stories: Russia vs Telegram, DrupalGeddon2, and the return of RowHammer. We will conclude with MAJOR new bad news related to Spectre. We also have a new cryptomalware, Twitter's in-the-clear passwords mistake, New Android 'P' security features, a crazy service for GDPR compliance, Firefox's sponsored content plan, another million routers being attacked, More deliberately compromised JavaScript found in the wild, a new Microsoft Meltdown mistake, a comprehensive Windows command reference, and signs of future encrypted Twitter DMs.

  • S01E663 Ultra-Clever Attacks

    • May 15, 2018
    • TWiT

    eFail and Throwhammer. This week we will examine two incredibly clever, new (and bad) attacks named eFail and Throwhammer. But first we catch up on the rest of the past week's security and privacy news, including the evolution of UPnProxy, a worrisome flaw discovered in a very popular web development platform, the 1st anniversary of EternalBlue, the exploitation of those GPON routers, this week's disgusting security head shaker, a summary of the RSA conference's security practices survey, the appearance of persistent IoT malware, a significant misconception about hard drive failure, an interesting bit of listener feedback... then a look at two VERY clever new attacks.

  • S01E664 SpectreNG Revealed

    • May 22, 2018
    • TWiT

    Next-generation of Spectre speculation flaws. This week we examine the recent flaws discovered in the secure Signal messaging app for desktops, the rise in DNS router hijacking, another seriously flawed consumer router family, Microsoft Spectre patches for Win10's April 2018 feature update, the threat of voice assistant spoofing attacks, the evolving security of HTTP, still more new trouble with GPON routers, Facebook's Android app mistake, BMW's 14 security flaws and some fun miscellany. Then we examine the news of the next-generation of Spectre processor speculation flaws and what they mean for us.

  • S01E665 VPNFilter

    • May 29, 2018
    • TWiT

    FBI Says: Reboot Your Router NOW. This week we discuss Oracle's planned end of serialization, Ghostery's GDPR faux pas, the emergence of a clever new banking Trojan, Amazon Echo and the case of the Fuzzy Match, more welcome movement from Mozilla, yet another steganographic hideout, an actual real-world appearance of HTTP Error 418 (I'm a Teapot!), the hype over Z-Wave's Z-Shave, and a deep dive into the half a million strong VPNFilter botnet.

  • S01E666 Certificate Transparency

    • June 5, 2018
    • TWiT

    What is "Certificate Transparency?" This week we discuss yesterday's further good privacy news from Apple, the continuation of VPNFilter, an extremely clever web browser cross-site information leakage side-channel attack, Microsoft Research's fork of OpenVPN for security in a post-quantum world, Microsoft drops the ball on a 0-day remote code execution vulnerability in JScript, Valve finally patches a longstanding and very potent RCE vulnerability, Redis caching servers continue to be in serious trouble, a previously patched IE 0-day continues to find victims, Google's latest Chrome browser has removed support for HTTP public key pinning (HPKP), and... what is "Certificate Transparency" and why do we need it?

  • S01E667 Zippity Do... or Don't

    • June 12, 2018
    • TWiT

    Active Wormable Exploitation. This week we update again on VPNFilter, look at another new emerging threat, check in on Drupalgeddon2, examine a very troubling remote Android vulnerability under active wormable exploitation, take stock of Cisco's multiple firmware backdoors, look at a new cryptomining strategy, the evolution of Russian state-sponsored cybercrime, a genealogy service that lost its user database, ongoing Russian censorship, another Adobe FLASH mess, and a check-in on how Marcus Hutchins is doing. Then we look at yet another huge mess resulting from insecure interpreters.

  • S01E668 Lazy FPU State Restore

    • June 19, 2018
    • TWiT

    Meltdown, Spectre & Lazy Restores. This week we examine a rather "mega" patch Tuesday, a nifty hack of Win10's Cortana, Microsoft's official "when do we patch" guidelines, the continuing tweaking of web browser behavior for our sanity, a widespread Windows 10 rootkit, the resurgence of the Satori IoT botnet, clipboard monitoring malware, a forthcoming change in Chrome's extensions policy, hacking apparent download counts on the Android store, some miscellany, an update on the status of Spectre & Meltdown... and yes, yet another brand new speculative execution vulnerability our OSes will be needing to patch against.

  • S01E669 Cellular Location Privacy

    • June 26, 2018
    • TWiT

    SCOTUS Cell Phone Location Privacy. This week we examine some new side-channel worries and vulnerabilities, did Mandiant "hack back" on China?, more trouble with browsers, the big Google Firebase mess, sharing a bit of my dead system resurrection, and a look at the recent Supreme Court decision addressing cellular location privacy.

  • S01E670 Wi-Fi Protected Access v3

    • July 3, 2018
    • TWiT

    WPA3 Wi-Fi Security on the Way. This week we discuss the interesting case of a VirusTotal upload... or was it?, newly discovered problems with our 4G LTE... and even what follows, another new EFF encryption initiative, troubles with Spectre and Meltdown in some browsers, the evolution of UPnP-enabled attacks, an unpatched Wordpress vulnerability that doesn't appear to be worrying the Wordpress devs... and an early look at next year's forthcoming WPA3 standard... which appears to fix everything!

  • S01E671 STARTTLS Everywhere

    • July 10, 2018
    • TWiT

    Fortnite Malware, Email Security. This week we discuss another worrisome trend in malware, another fitness tracking mapping incident and mistake, something to warn our friends and family to ignore, the value of periodically auditing previously-granted web app permissions, when malware gets picky about the machines it infects, another kinda-well-meaning Coinhive service gets abused, what are the implications of D-Link losing control of its code signing cert?, some good news about Android apps, iOS v11.4.1 introduces "USB Restricted Mode"... but is it?, a public service reminder about the need to wipe old thumb drives and memory cards, what about those free USB fans that were handed out at the recent North Korea / US summit?... and then we take a look at eMail's STARTTLS system and the EFF's latest initiative to increase its usefulness and security.

  • S01E672 All Up in Their Business

    • July 17, 2018
    • TWiT

    Russian Election Hack Indictments. This week we look at even MORE, new, Spectre-related attacks, highlights from last Tuesday's monthly patch event, advances in GPS spoofing technology, GitHub's welcome help with security dependencies, Chrome's new (or forthcoming) "Site Isolation" feature, when hackers DO look behind the routers they commandeer, the consequences of deliberate BGP routing misbehavior... and reading between the lines of last Friday's DOJ indictment of the US 2016 election hacking by 12 Russian operatives -- the US appears to really have been "all up in their business."

  • S01E673 The Data Transfer Project

    • July 24, 2018
    • TWiT

    Google, MS, FB, & Twitter Play Nice. This week as we examine still another new Spectre processor speculation attack, some news on DRAM hammering attacks and mitigation, the consequences of freely available malware source code, the reemergence of concern over DNS rebinding attacks, Venmo's very public transaction log, more Russian shenanigans, the emergence of flash botnets, Apple continuing move of Chinese data to China, another (the 5th) Cisco secret backdoor found, an optional missing Windows patch from last week, a bit of Firefox news and piece of errata... and then we look at "The Data Transfer Project" which, I think, marks a major step of maturity for our industry.

  • S01E674 Attacking Bluetooth Pairing

    • August 31, 2018
    • TWiT

    "Death Botnet," Google Titan Key. This week we examine still another new Spectre processor speculation attack, we look at the new "Death Botnet", the security of the US DoD websites, lots of Google Chrome news, a push by the US Senate toward more security, the emergence and threat of clone websites in other TLDs, more cryptocurrency mining bans, Google's Titan hardware security dongles, and we finish by examining the recently discovered flaw in the Bluetooth protocol which has device manufacturers and OS makers scrambling. (But do they really need to?)

  • S01E675 New WiFi Password Attack

    • August 7, 2018
    • TWiT

    Hacking WiFi passwords. This week we discuss yet another new and diabolical router hack and attack, Reddit's discovery of SMS 2FA failure, WannaCry refuses to die, law enforcement's ample unused forensic resources, a new and very clever BGP-based attack, Windows 10 update dissatisfaction, Google advances their state-sponsored attack notifications, what is Google's project Dragonfly?, a highly effective and highly targeted Ransomware campaign, some closing-the-loop feedback from our listeners, and a breakthrough in hacking/attacking WiFi passwords.

  • S01E676 The Mega FaxSploit

    • August 14, 2018
    • TWiT

    Black Hat and DEF CON 2018 Hacks. This week we cover lots of discoveries revealed during last week's Black Hat 2018 and DEF CON 26 Las Vegas security conferences. Among them, 47 vulnerabilities across 25 Android smartphones, Android "Disk-In-The-Middle" attacks, Google tracking when asked not to, more Brazilian DLink router hijack hijinks, a backdoor found in VIA C3 processors, a trusted-client attack on WhatsApp, a macOS 0-day, a tasty new feature for Win10 Enterprise, a new Signal-based secure eMail service, Facebook's FIZZ TLS v1.3 library, another Let's Encrypt milestone, and then "FaxSploit" the most significant nightmare in recent history (FAR worse, I think, than any of the theoretical Spectre & Meltdown attacks).

  • S01E677 The Foreshadow Flaw

    • August 21, 2018
    • TWiT

    The Latest Intel Speculation Disaster. As we head into our 14th year of Security Now, this week we look at some of the research released during last week's USENIX Security symposium, we also take a peek at last week's Patch Tuesday details, Skype's newly released implementation of Open Whisper Systems' Signal privacy protocol, Google's Chrome browser's increasing pushback against being injected into, news following last week's observation about Google's user tracking, Microsoft's announcement of more spoofed domain takedowns, another page table sharing vulnerability, believe it or not... "Malicious Regular Expressions", some numbers on how much money CoinHive is raking in, flaws in browsers and their add-ons that allow tracking-block bypasses, two closing-the-loop bits of feedback, and then a look at the details of the latest Intel Speculation disaster known as "The Foreshadow Flaw".

  • S01E678 Never a Dull Moment

    • August 28, 2018
    • TWiT

    Another busy week. This week we catch up with another busy week. We look at Firefox's changing certificate policies, the danger of grabbing a second-hand domain, the Fortnite mess on Android, another patch-it-now Apache Struts RCE, a frightening jump in Mirai Botnet capability, an unpatched Windows 0-day privilege elevation, malware with a tricky new C&C channel, A/V companies are predictably unhappy with Chrome, Tavis found more serious problems in GhostScript, a breakthrough in contactless RSA key extraction, a worrisome flaw that has always been present in OpenSSH, and problems with never-dying Hayes AT commands in Android devices.

  • S01E679 SonarSnoop

    • September 4, 2018
    • TWiT

    Turn Your Phone Into a Sonar. This week we cover the expected exploitation of the most recent Apache STRUTS vulnerability, a temporary interim patch for the Windows 0-day privilege elevation, an information disclosure vulnerability in all Android devices, Instagram's moves to tighten things up, another OpenSSH information disclosure problem, an unexpected outcome of the GDPR legislation and sky high fines, the return of the Misfortune Cookie, many thousands of Magento commerce sites are being exploited, a fundamental design flaw in the TPM v2.0 spec, trouble with Mitre's CVE service, Mozilla's welcome plans to further control tracking, a gratuitous round of Win10 patches from Microsoft... and then a working sonar system which tracks smartphone finger movements!

  • S01E680 Exploits & Updates

    • September 11, 2018
    • TWiT

    Win7 2023, Chrome 69, PWD=1234. This week we discuss Windows 7's additional three years of support life, MikroTik routers back in the news (and not in a good way), Google Chrome 69's new features, the hack of MEGA's cloud storage extension for Chrome, Week 3 of the Windows Task Scheduler 0-day, a new consequence of using '1234' as your password, Tesla makes their white hat hacking policies clear... just in time for a big new hack!, our PCs as the new malware battlefield, a dangerous OpenVPN feature is spotted, and Trend Micro, caught spying, gets kicked out of the MacOS store.

  • S01E681 The Browser Extension Ecosystem

    • September 18, 2018
    • TWiT

    Presidential Alerts, Safari Ripper. This week we prepare for the first ever Presidential Alert unblockable nationwide text message, we examine Chrome's temporary "www" removal reversal, check out Comodo's somewhat unsavory marketing, discuss a forthcoming solution to BGP hijacking, examine California's forthcoming IoT legislation, deal with the return of Cold Boot attacks, choose not to click on a link that promptly crashes any Safari OS, congratulate Twitter on adding some auditing, check in on the Mirai Botnet's steady evolution, look at the past year's explosion in DDoS number and size, note another new annoyance brought to us by Windows 10... Then we take a look at the state of the quietly evolving web browser extension ecosystem.

  • S01E682 SNI Encryption

    • September 25, 2018
    • TWiT

    Chrome 69 Issues, Browser Reaper. This week we look at additional changes coming from Google's Chromium team, another powerful instance of newer cross-platform malware, the publication of a 0-day exploit after Microsoft missed its deadline, the return of Sabri Haddouche with browser crash attacks, the reasoning behind Matthew Green's decision to abandon Chrome after a change in release 69... and an "UnGoogled" Chromium alternative that Matthew might approve of, Western Digital's pathetic response to a very serious vulnerability, a cool device exploit collection website, a question about the future of the Internet, a sobering example of the aftermarket in unwiped hard drives, the Mirai Botnet creators are now working with and helping the FBI, another fine levied against Equifax, and a look at Cloudflare's quick move to encrypt a remaining piece of web metadata.

  • S01E683 The Facebook Breach

    • October 2, 2018
    • TWiT

    US Sues CA, 50M FB Accounts Hacked. This week we discuss yet another treat from Cloudflare, the growing legislative battle over Net Neutrality, the rise of Python malware, Cisco's update report on the VPNFilter malware, still more Chrome controversy and some placating, the rapid exploitation of 0-day vulnerabilities, the first UEFI rootkit found in the wild, another new Botnet discovery, the danger of the RDP protocol, a nasty website browser trick and how to thwart it, a quick update on recent non-fiction and science fiction, and then a look into the recent massive 50 million account Facebook security breach.

  • S01E684 The Supply Chain

    • October 9, 2018
    • TWiT

    China Chip Hack, Google+. An October Surprise of a different sort - Windows 10 update deletes users' files. A security researcher has massively weaponized the existing MikroTik vulnerability and released it as a proof-of-concept. A clever voicemail WhatsApp OTP bypass. What happened with that recent Google+ breach? Google tightens up its Chrome extensions security policies. WiFi radio protocol designations finally switch to simple version numbering. Intel unwraps its 9th-generation processors. Head-spinning PDF updates from Adobe and Foxit (this isn't a competition, guys!). Bloomberg's earth-shaking controversial report on Chinese hardware hacking.

  • S01E685 Good Samaritans?

    • October 16, 2018
    • TWiT

    Paul Allen, Microsoft's October patching fiasco, & the end of TLS v1.0 and 1.1. This week we observe the untimely death of Microsoft’s co-founder Paul Allen, revisit the controversial Bloomberg China supply chain hacking report, catch up on Microsoft's October patching fiasco, follow-up on Facebook's privacy breach, look at the end of TLS v1.0 and 1.1, explore Google's addition of control flow integrity to Android 9, look at a GAO report about the state of US DOD weapons cybersecurity, consider the EOL of PHP 5.x chain, take a quick look at an A/V comparison test, entertain a few bits of feedback from our listeners, and then consider the implications of grey-hat vigilante hacking of others’ routers.

  • S01E686 Libssh's Big Whoopsie!

    • October 23, 2018
    • TWiT

    A Truly Gobsmacking Libssh Error. This week a widely used embedded OS (FreeRTOS) is in the doghouse, as are at least eight D-Link routers which have serious problems most of which D-Link has stated will never be patched. We look at five new problems in Drupal 7 and 8, two of which are rated critical, trouble with Live Networks RTSP streaming server, still more trouble with the now-infamous Windows 10 Build 1809 feature update, and a long standing 0-day in the widely used and most popular plugin for jQuery. We then look at what can only be described as an embarrassing mistake in the open source libssh library, and we conclude by examining a fun recent hack and pose its solution to our audience as our Security Now Puzzler of the Week!

  • S01E687 Securing the Vending Machine

    • October 30, 2018
    • TWiT

    More Zero-day exploits in Windows 10, publicly exposed Docker Engine APIs, Google's plan to fix Android, the DoD is expanding its existing "Hack the Pentagon" bug-bounty program to include hardware assets, the going rate for DDoS-for-Hire, and Steve has the answer to our vending machine conundrum from last week.

  • S01E688 PortSmash

    • November 6, 2018
    • TWiT

    A close look at the impact and implication of the new “PortSmash” attack against Intel (and almost certainly other) processors. The new “BleedingBit” Bluetooth flaws. JavaScript is no longer optional with Google. A new Microsoft Edge browser 0-day. Windows Defender plays in its own sandbox. Microsoft and SysInternals news. The further evolution of the CAPTCHA. The 30th anniversary of the Internet's first worm. A bizarre requirement of Ransomware. A nice new bit of security non-tech from Apple.

  • S01E689 Self-Decrypting Drives

    • November 13, 2018
    • TWiT

    SSD Encryption Flaws. Last month's Patch Tuesday, this month. A GDPR-inspired lawsuit filed by Privacy International. Check these two router ports to protect against a new botnet that's making the rounds. Another irresponsibly disclosed zero-day, this time in VirtualBox. Cloudflare's release of a very cool 1.1.1.1 app for iOS and Android. Microsoft's caution about the in-RAM vulnerabilities of the BitLocker whole drive encryption. A deep dive into last week's worrisome revelation about the lack of true security being offered by today's Self-Encrypting SSD drives.

  • S01E690 Are Passwords Immortal?

    • November 20, 2018
    • TWiT

    Pwn2Own, the Future of Passwords. All the action at last week's Pwn2Own Mobile hacking contest. The final word on processor mis-design in the Meltdown/Spectre era. A workable solution for unsupported Intel firmware upgrades for hostile environments. A forthcoming Firefox breach alert feature. The expected takeover of exposed Docker-offering servers. The recently announced successor to recently ratified HTTP/2. 1.1.1.1 errata. The future of passwords: a thoughtful article written by Troy Hunt, the creator of the popular "Have I Been Pwned" web service.

  • S01E691 ECCploit

    • November 27, 2018
    • TWiT

    The Next Evolution of Rowhammer. Yesterday, the US Supreme Court heard Apple's argument about why a class action lawsuit against their monopoly App Store should not be allowed to proceed. How could this affect iOS security? Google and Mozilla are looking to remove support for FTP from their browsers. From our “what could possibly go wrong” department, we have browsers asking for explicit permission to leave their sandboxes. The next step in the evolution of RowHammer attacks which do, as Bruce Schneier once opined, only get better… or in this case, worse!

  • S01E692 GPU RAM Image Leakage

    • December 4, 2018
    • TWiT

    Marriott Breach, Printer Spam. Another Lenovo SuperFish-style local security certificate screw up. The Marriott breach and several other new, large and high-profile secure breach incidents. The inevitable evolution of exploitation of publicly exposed UPnP router services. The emergence of "Printer Spam". How well does ransomware pay? We have an idea now. The story of two iOS scam apps. Progress on the DNS over HTTPS front. Rumors that Microsoft is abandoning their EdgeHTML engine in favor of Chromium. We also have a bit of a Cyber Security related Humble Book Bundle just in time for Christmas. Some new research that reveals that it's possible to recover pieces of web browser page images that have been previously viewed.

  • S01E693 Internal Bug Discovery

    • December 11, 2018
    • TWiT

    Australia's recently passed anti-encryption legislation. Details of a couple more mega-breaches including a bit of Marriott follow-up. A welcome call for legislation from Microsoft. A new twist on online advertising click fraud. The DHS is interested in deanonymizing cryptocurrencies beyond Bitcoin. The changing landscape of TOR funding. An entirely foreseeable disaster with a new Internet IoT-oriented protocol. Google finds bugs in Google+ and acts responsibly -- again -- what that suggests for everyone else.

  • S01E694 The SQLite RCE Flaw

    • December 18, 2018
    • TWiT

    Rhode Island's response to Google's recent API flaw. Signal's response to Australia's anti-encryption legislation. The return of PewDiePie. US border agents retaining traveler's private data. This Week in Android Hijinks. Confusion surrounding the Windows v5 release. Another Facebook API mistake. The 8th annual most common passwords list (AKA "How's 'monkey' doing?"). Why all might not be lost if someone is hit with drive encrypting malware. Microsoft's recent 4-month run of 0-day vulnerability patches. The Firefox 64 update. A reminder of an awesome train game for iOS, Mac and Android. A look at a new and very troubling flaw discovered in the massively widespread SQLite library... and what we can do.

  • S01E695 Our Best of 2018

    • December 25, 2018
    • TWiT

    The Best of Security Now from 2018!

  • S01E696 Here Comes 2019!

    • January 8, 2019
    • TWiT

    The NSA announces the forthcoming release of an internal powerful reverse-engineering tool for examining and understanding other people's code. Emergency out-of-cycle patches from both Adobe and Microsoft. PewDiePie hacker strikes again. Prolific 0-day dropper SandboxEscaper ruffles some feathers. A new effort by the US government to educate industry about the risks of Cyber attacks. Welcome news on the ransomware front. VERY welcome news of a new Windows 10 feature. A note about a just-published side-channel attack on OS page caches.

  • S01E697 Zerodium

    • January 15, 2019
    • TWiT

    The implications of the recent increase in bounty for the purchase of 0-day vulnerabilities. The intended and unintended consequences of last week's Windows Patch Tuesday. Speaking of unintended consequences, the US Government shutdown has had some, too! A significant privacy failure in WhatsApp. Another Ransomware decryptor (with a twist). Movement on the DNS-over-TLS front. An expectation of the cyberthreat landscape for 2019. A cloudy forecast for The Weather Channel App. A successful 51% attack against the Ethereum Classic cryptocurrency. Another court reversing compelled biometric authentication. An update on the lingering death of Flash... now in hospice care.

  • S01E698 Which Mobile VPN Client?

    • January 22, 2019
    • TWiT

    Which is the right VPN client for Android, and which should you avoid at all costs? A very worrisome WiFi bug affecting billions of devices. Hack a Tesla Model 3 at Pwn2Own. Russia's ongoing, failing and flailing efforts to control the Internet. The return of the Anubis Android banking malware. Google's changing policy for phone and SMS App access. Tim Cook's note in TIME Magazine. News of a nice Facebook Ad auditing page. Another Cisco default password nightmare in widely used lower-end devices.

  • S01E699 Browser Extension Security

    • January 29, 2019
    • TWiT

    Can browsers be flexible and secure? The expressive power of the social media friends we keep. The persistent DNS hijacking campaign which has the US Government quite concerned. Last week's iOS and macOS updates (and doubtless another one very soon!). A valiant effort to take down malware distribution domains. Chrome catching up to IE and Firefox with drive-by file downloads. Two particularly worrisome vulnerabilities in two Cisco router models publicly disclosed last Friday. The state of the industry and the consequences of extensions to our web browsers.

  • S01E700 700 and Counting!

    • February 5, 2019
    • TWiT

    Battle Typo-squatters, Linux Patch. Chrome gets "spell-check for URLs". Catch up on your Linux patch up! Performance enhancements for Chrome and Firefox. Facebook must really like being in the doghouse. The Japanese government takes on IoT security. Ubiquiti routers are in trouble again. Chrome "Never Slow" mode in the works.

  • S01E701 Adiantum

    • February 12, 2019
    • TWiT

    Google Adiantum, FaceTime Fix. Apple's most recent v12.1.4 iOS update and the two 0-day vulnerabilities it closed. Worrisome new Android image-display vulnerability. An interesting "reverse RDP" attack. The new LibreOffice & OpenOffice vulnerability. Microsoft's research into the primary source of software vulnerabilities. MaryJo gets an early peek at enterprise pricing for extending Windows 7 support. China and Russia continue their work to take control of their countries' Internet. Firefox's resumption of its A/V warning in release 65. How Google does the Cha-Cha with their new "Adiantum" ultra-high-performance cryptographic cipher.

  • S01E702 Authenticity on the Internet

    • February 19, 2019
    • TWiT

    Elon's Dangerous AI, PiDP-11. Last week's doozy of a patch Tuesday for both Microsoft and Adobe. An interesting twist coming to Windows 7 and Server 2008 security updates. Eight mining apps pulled from the Windows Store. Another positive security initiative from Google. Electric scooters being hacked. Chipping away at Tor's privacy guarantees. A year and a half after Equifax, and where's the data? The beginnings of GDPR-like legislation for US. An extremely concerning new and emerging threat for the Internet.

  • S01E703 Out in the Wild

    • February 26, 2019
    • TWiT

    Attacks in the Wild. A number of ongoing out-in-the-wild attacks. Another early-warned Drupal vulnerability. A 19-year old flaw in an obscure decompressor for the "ACE" archive format. Microsoft reveals an abuse of HTTP/2 protocol which is DoSing its IIS servers. Mozilla faces a dilemma about a wanna-be Certificate Authority and they also send a worried letter to Australia. Microsoft's Edge browser is revealed to be secretly whitelisting 58 web domains which are allowed to bypass its "Click-To-Run" permission for Flash. ICANN renews its plea for the Internet to adopt DNSSEC. NVIDIA releases a handful of critical driver updates for Windows. Apple increases the intelligence of its Intelligent Tracking Prevention.

  • S01E704 Careers in Bug Hunting

    • March 5, 2019
    • TWiT

    The increasing feasibility of making a sustainable career out of hunting for software bugs. A newly available improvement in Spectre mitigation performance and who can try it now. Adobe's ColdFusion emergency and patch. More problems with A/V and self-signed certs. A Docker vulnerability being exploited in the wild. The end of Coinhive. A new major Wireshark release. A nifty web browser website screenshot hack. Continuing troubles with the over-privileged Thunderbolt interface. Bot-based credential stuffing attacks.

  • S01E705 SPOILER

    • March 12, 2019
    • TWiT

    0-day exploit bidding war. NSA releases Ghidra v9. Firefox adds Tor privacy. A pair of nasty 0-days. A worrisome breach at Citrix. The risk of claiming to be an unhackable aftermarket car alarm. A new and interesting "Windows developers chatting with users" idea at Microsoft. A semi-solution to Windows updates crashing systems. Detailed news of the Marriott/Starwood breach, a bit of miscellany from SPOILER: Another new and different consequence of speculation on Intel machines.

  • S01E706 Open Source eVoting

    • March 19, 2019
    • TWiT

    Last week's Patch Tuesday March Madness. Win7 SHA256 Windows Update... Update. Many attacks leveraging the recently discovered WinRAR vulnerability. What happens when Apple, Google, and GoDaddy all drop a bit? A big recent jump in Mirai Botnet Capability. Compromised Counter-Strike gaming servers. Privacy enhancements coming in Android Q. A pair of very odd web browser extensions for Chrome and Firefox from Microsoft. A VERY exciting and encouraging project to create an entirely open eVoting system.

  • S01E707 Tesla, Pwned

    • March 26, 2019
    • TWiT

    The return of "Clippy", Microsoft's much-loathed dancing paperclip. Operation "ShadowHammer" which reports say compromised ASUS (... but did it?). The ransomware attack on Norsk Hydro aluminum. The surprise renaming of Windows Defender. A severe bug revealed in the most popular PDF generating PHP library. An early look at Microsoft's forthcoming Chromium-based web browser. Hope for preventing caller ID spoofing. A needed update for users of PuTTY. Mozilla's decision to conditionally rely upon Windows' root store. Microsoft to offer virtual Windows 7 and 10 desktops through Azure. Details of the Windows 7 End of Life warning dialog.

  • S01E708 Android Security

    • April 2, 2019
    • TWiT

    Android Security, 10 Years Later. WinRAR, a 20+ Year Old Tool With 500M Users, Acknowledged Vulnerability. Russian GPS Hacking and What It Means For Us. Android's April Fools Day Patches. Tesla Autopilot Spoofing. The ASUS "ShadowHammer" Attack. Windows 10 (last) October 2018 Update. A VMware Update.

  • S01E709 URL “Ping” Tracking

    • April 9, 2019
    • TWiT

    Your Browser is Tracking You, UK vs Social Media. Yet another capitulation in the (virtually lost) battle against tracking our behavior on the Internet with URL "ping" tracking. UK government's plan to legislate, police and enforce online social media content. Microsoft's Chromium-based Edge browser's security. Improvements to Windows 10's update management. News from the "spoofing biometrics" department. The worrisome state of Android mobile financial apps. NSA's GHIDRA software reverse engineering tool suite. Perhaps the dumbest thing Facebook has done yet (and by policy, not by mistake). An important change in Win10 1809 external storage caching policy.

  • S01E710 DragonBlood

    • April 16, 2019
    • TWiT

    DragonBlood: the first effective attack on the new WPA3 protocol • Malicious use of the URL tracking "ping" attribute • The WinRAR Nightmare • More 3rd-party A/V troubles with Microsoft • What good did April's patch Tuesday accomplish? • Adobe's big patch Tuesday • Google considering automatically blocking "high risk" downloads • Russia's Roskomnadzor finally lowers the boom on Facebook • The incredible Taj Mahal APT framework

  • S01E711 DNSpionage

    • April 23, 2019
    • TWiT

    Top Security Stories this Week: • Google uses its "sensorvault" to help catch the bad guys. • Time to update Drupal again. • Facebook steals users' email contact lists, logs plaintext Instagram passwords • Russia moves closer to adopting "Internet Master Cutoff Switch" legislation. • A reminder that "USB Killers" are a real thing. • Marcus Hutchins' plea deal • A new(ish) actively exploited Windows 0-day • A bunch of Microsoft Edge news • Windows 7 end-of-life notices • Something from the "I did say this was bound to happen" department • Detailed threat research from Cisco's Talos group about the leveraging of DNS espionage.

  • S01E712 Credential Stuffing Attacks

    • April 30, 2019
    • TWiT

    The large and emerging threat of website credential stuffing attacks. • Privacy fallout from our recent coverage of Facebook and Google • The uptake rate of recent Windows 10 feature releases • The source of the A/V troubles with the April patch Tuesday updates • The NIST's formal fuzzing development • A massive and ongoing database data leak involving more than half of all American households • Windows Insiders are already finding that their systems won't update to the May 2019 feature update. • United Airlines passengers have noticed and been understandably upset by seatback cameras pointing at them.

  • S01E713 Post-Coinhive Cryptojacking

    • May 7, 2019
    • TWiT

    This Week's Stories • The continuing and changing world of cryptojacking after Coinhive closed their doors last month. • Google's announcement of self-expiring data retention • The mess arising from Mozilla's intermediate certificate expiration • Another wrinkle in the exploit marketplace • Mozilla's announcement about deliberate code obfuscation • A hacker who hacked at least 29 other botnet hackers • A warning about a very popular D-Link netcam • Who's paying and who's receiving bug bounties by country • Another User-Agent gotcha with Google Docs • A problem with Google Earth on the new Chromium-Edge browser • A bit more about Edge's future just dropped at the start of Microsoft's Build 2019 conference.

  • S01E714 Android 'Q'

    • May 14, 2019
    • TWiT

    This Week's Stories • Update WhatsApp NOW! • Security News from Google I/O 2019 conference • A new exploitable flaw in all Linux kernels earlier than v5.0.8 • A new set of flaws affecting all Intel processors known as "ZombieLoad" • Security enhancements in Android Q.

  • S01E715 CPU.fail

    • May 21, 2019
    • TWiT

    This Week's Stories • The next round of Intel processor information leakage problems: Microarchitectural Data Sampling vulnerabilities • Last Tuesday's patches from Microsoft, Adobe and Apple include one for Windows XP • Security problem for Cisco that even has stock analysts taking notice • Ongoing troubles with the cryptocurrency market • Trouble with Google's Titan Bluetooth dongle • Another monthly problem with Windows 10 updates

  • S01E716 RDP - Really Do Patch

    • May 28, 2019
    • TWiT

    • The Internet is Doomed: BlueKeep Attacks Windows Remote Desktop Protocol • Google Stores Unhashed G Suite Passwords • Sandbox Escaper Drops FIVE New Zero-Day Exploits • Microsoft's Just-released Win10 Feature Update 1903 • Security Enhancements in Firefox's Release 67

  • S01E717 The Nansh0u Campaign

    • June 4, 2019
    • TWiT

    Checking in on the BlueKeep RDP vulnerability • The planned shutdown of one of the most "successful" affiliate-based ransomware systems • An update on the anti-Robocalling problem • Russian and Chinese militaries plan to quit using Windows • Apple's announcement yesterday of their forthcoming "Sign in with Apple" service • The Nansh0u campaign, apparently sourced from China, has successfully compromised many tens of thousands of servers exposed to the Internet.

  • S01E718 Update Exim Now!

    • June 11, 2019
    • TWiT

    SandboxEscaper drops another 0-day • The still-not-yet-widely-exploited BlueKeep vulnerability • GoldBrute Botnet pounding on RDP servers (but not yet using BlueKeep) • The FBI issued an interesting advisory about not trusting secure sites just because they're secure • VLC receives 33 security bug fixes • Microsoft's Edge browser takes another step forward • Mozilla reorganizes • MUST HAVE utility of the week: DNS Query Sniffer • The first formal full release of SQRL • Anyone running an Exim mail server needs to update immediately!

  • S01E719 Exim Under Siege

    • June 18, 2019
    • TWiT

    • A new DRAM problem called "RAMBleed" • A bad Linux TCP SACK server kernel crashing flaw • Last week's patch Tuesday • A Bluetooth surprise • Another useless warning about the BlueKeep vulnerability • Microsoft misses a 90-day Tavis Ormandy deadline • Good news about GandCrab wrapup • Yubico's entropy mistake • Post-announce SQRL news • Our favorite iOS security app • Attacks on Exim mail servers and other pending disasters

  • S01E720 Bug Bounty Business

    • June 25, 2019
    • TWiT

    Update on the Linux TCP SACK Kernel panic • Hackers exploit a Firefox flaw and attack Coinbase • Google corrects a flaw with Nestcam • An elegant solution to OpenSSH key theft via Rowhammer attacks • Update on the BlueKeep RDP vulnerability • Verizon's negligence caused a major Cloudflare and Amazon customer outage • NASA was infected by an APT for more than a year • Should you pay ransomware? • Microsoft's Chromium-based Edge browser Update • The state of the commercial Bug Bounty Business

  • S01E721 Exposed Cloud Databases

    • July 2, 2019
    • TWiT

    Ransomware in Florida and elsewhere • The "Going Dark" anti-encryption debate • A BlueKeep Proof of Concept demo produced by the guys at SophosLabs • Massive publicly-exposed databases • Chinese IoT manufacturer logs a million+ customer devices into a 2+ billion record publicly-exposed database • The dilemma we have with the utter lack of oversight and control over our own IoT devices

  • S01E722 Gem Hack & Ghost Protocol

    • July 9, 2019
    • TWiT

    • Mozilla's privacy-enhancing DNS over HTTPS support • Facial recognition and automobile license plate scanners • The future of satellite-based Internet services • How a Ruby code repository was hacked • The UK GCHQ's proposal for adding "ghost" participants into private conversations

  • S01E723 Encrypting DNS

    • July 16, 2019
    • TWiT

    • Bullet points from last Tuesday's monthly Windows patches as well • Notes from the end of Windows 7 • Laporte County Under Ransomware Attack • The mixed blessing of fining companies for self-reporting • A survey of enterprise malware headaches • Some Mozilla/Firefox news • Another (kinda obvious) way of exfiltrating information from a PC • DNS Encryption

  • S01E724 Hide Your RDP Now!

    • July 23, 2019
    • TWiT

    This Week's Stories • Welcome to Kazakhstan! Please check your privacy at the border. • Mozilla marking all non-HTTPS pages as "not secure" • Chrome Incognito Mode getting a bit more incognito • A forthcoming "super Incognito mode" for Firefox • Rust-TLS outperforms OpenSSL in nearly every way • Microsoft announces "ElectionGuard" during last week's Aspen Security Forum • ProFTPD Server is wide open to remote compromise • Sophos: "RDP exposed: the wolves already at your door"

  • S01E725 Urgent/11

    • July 30, 2019
    • TWiT

    This Week's Stories • Marcus Hutchins … is Free! • U.S. Attorney General Bill Barr on "warrant proof data encryption" • What malware is the most popular underground? • This Week in Ransomware • Your NAS is Grass! • 11 vulnerabilities in VxWorks’ TCP/IP stack

  • S01E726 Steve’s File Sync Journey

    • August 6, 2019
    • TWiT

    This week's stories • A widespread false alarm about Facebook's planned subversion of end-to-end encryption • Still more municipality Ransomware attacks • Anti-encryption saber rattling among the Five Eyes nations • Microsoft's discovery of Russian-backed IoT compromise • Chrome 76's changes • Black Hat and Def Con preview • The challenge of synchronizing a working set of files between two locations

  • S01E727 BlackHat & DefCon

    • August 13, 2019
    • TWiT

    This Week's Stories • BlackHat and Def Con 2019 • Microsoft dangles $300,000 for Azure hacks at BlackHat... • Hotel chaos from Germany's Chaos Computer Club • 40 dangerous drivers • Google’s battle to allow its Incognito users' Incognitoness to be Incognito • Microsoft ranks the industry's top bug hunters • Apple bumps its bounties

  • S01E728 The KNOB is Broken

    • August 20, 2019
    • TWiT

    • Last Tuesday was another busy and important patch Tuesday • And speaking of Patch Tuesday... 3rd-Party A/V Strikes Again! • Kaspersky facilitates independent web tracking • So, what the heck is "CTF" ?? • 23 Government agencies in Texas were hit with a well-coordinated ransomware attack last Friday, August 16th • RIP, EV: The coming demise of Extended Validation (EV) certificates • And... So long FTP! • HTTP/2 goes to the Movies • “The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR”

  • S01E729 Next Gen Ad Privacy

    • August 27, 2019
    • TWiT

    • Texas Ransomware Update • Remember that Kazakhstan cert? • The mixed-blessing of "wide open" source projects • RubyGems is in trouble again • Chrome to add data breach notification • iOS v12.4 updated quickly to 12.4.1 • Next-gen ad privacy

  • S01E730 The Ransomware Epidemic

    • September 3, 2019
    • TWiT

    This Week's Stories: • Google expands its bug bounty program • New bug bounty millionaires • Google's Project Zero group dropped a bomb on iOS • Ransomware attacks on local governments and businesses are on the rise

  • S01E731 DeepFakes

    • September 10, 2019
    • TWiT

    This week's stories: • Get rich quick spotting deepfakes! • A forced two-day recess of all schools in Flagstaff, Arizona • The case of a ransomware operator being too greedy • Apple's controversial response to Google's discovery of Chinese iOS hacks • Zerodium's new payout schedule and what it might mean. • The final full public disclosure of BlueKeep exploitation code • Serious PHP flaws, some potentially serious flaws found

  • S01E732 SIM Jacking

    • September 17, 2019
    • TWiT

    This Week's Stories • SIMjacker allows attackers to hijack any phone just by sending it an SMS message. • Here comes iOS "Lucky" 13! • Chrome follows Mozilla to DoH with a twist. • Want to enable DoH in Chrome right now? You can, right now, if you wish. • Chrome stops showing Extended Validation certs in the URL bar. • Mozilla launches 'Firefox Private Network' VPN service as a browser extension. • Windows Patch Tuesday redux • Chrome Remote Desktop • EXIM eMail servers are in trouble again.

  • S01E733 Top 25 Bug Classes

    • September 24, 2019
    • TWiT

    This Week's Stories: • Cryptomining makes a comeback • The top three most attacked ports • Small office/home office (SOHO) routers and wireless access points: “SOHOpelessly Broken” • Chrome gets an emergency update, to 77.0.3865.90 • 2019 CWE Top 25 Most Dangerous Software Errors

  • S01E734 The Joy of Sync

    • October 1, 2019
    • TWiT

    This Week's Stories • The latest state-of-the-art secure solutions for cross-device, cross-location device synchronization • Mozilla's recently announced plans to gradually and carefully bring DNS-over-HTTPS to all Firefox users in the US • The EFF weighs in on DNS-over-HTTPS • The 100% free VPN offering coming from our friends at Cloudflare

  • S01E735 Makes Ya WannaCry

    • October 8, 2019
    • TWiT

    Ransomware hits schools, hospitals, and hearing aid manufacturers • Sodinokibi: the latest advances in Ransomware-as-a-Service • Win7 Extended Security Updates are extended • A new Nasty 0-Day RCE in vBulletin • There's a new WannaCry in town

  • S01E736 CheckM8

    • October 15, 2019
    • TWiT

    This week's stories • A sobering reminder about supply chain attacks • Facebook's stance on end-to-end encryption raises official protests • UNIX’s Co-Creator Ken Thompson's BSD UNIX Password Has Finally Been Cracked • Japanese stalker finds idol using reflections in her eyes • Americans and Digital Knowledge • OpenPGP being built into Mozilla's Thunderbird eMail client • Windows 10 Tamper Protection being enabled by default • CheckM8

  • S01E737 Biometric Mess

    • October 22, 2019
    • TWiT

    Pixel 4 Face Unlock is so easy you can do it with your eyes closed! Samsung Galaxy S10 and Note 10 fingerprint sensor can be foiled with a $3 screen protector. The frenzy to turn CheckM8 into a consumer-friendly iOS jailbreak. Steganography finds a new host file format. Security display changes are coming to Firefox 70. More on Microsoft's open source "ElectionGuard" election security system. A potentially serious flaw found in Realtek WiFi drivers. Yubikey for local Windows login has been officially released.

  • S01E738 A Foregone Conclusion

    • October 29, 2019
    • TWiT

    This Week's Stories • 3rd-party antivirus strikes again • Windows Defender offline scan • Adobe databases hacked • Johannesburg hit by ransomware • Firefox's anti-tracking effectiveness • Bad new PHP/NGINX RCE being exploited in the wild • Goodbye SMS (maybe kinda) Hello RCS? • Forced Password Disclosure

  • S01E739 DOH and Bluekeep

    • November 5, 2019
    • TWiT

    October's Windows Patch Tuesday BROKE Windows' ability to connect to a significant number of the Internet's websites. Here's how to fix it. Chrome 78 disables Code Integrity Check to mitigate "Aw Snap!" crashes. "Chrome 78 patches a Chrome 0-day which had been discovered by Kaspersky being exploited in the wild." News from the Edge: the first Chromium-based Microsoft Edge Stable Release Candidate. Microarchitectural Data Sampling Vulnerabilities. Trouble for QNAP NAS devices exposed to the Internet. MSP's -- Managed Service Providers -- are a major vector for ransomware delivery. Five months after returning a rental car, man still has the remote control. Chinese-made drones in the US are being grounded. The DNS-over-HTTPS (DoH) controversy. BlueKeep-based attacks have finally started, and what we predicted on this podcast has finally happened.

  • S01E740 Credential Delegation

    • November 19, 2019
    • TWiT

    CheckM8 & Checkra.in moves to first public beta • The case of the misbehaving transducer • BlueKeep and Microsoft • BlueKeep and BSODs • BlueKeep and Marcus Hutchins • Mozilla on DoH -vs- COMCAST • Yet another approach for solving the problem of certificate revocation within a more limited scope.

  • S01E741 TPM-FAIL

    • November 26, 2019
    • TWiT

    November's Patch Tuesday is the antepenultimate free Windows 7 update • CheckM8 & https://Checkra.in • GitHub launches Security Lab to boost open-source security • Warrantless searches of devices at US borders were just ruled unconstitutional • Another WhatsApp bug lets hackers quietly install spyware on your device • ZombieLoad v2 • The ByteCode Alliance • http://tpm.fail/

  • S01E742 Pushing "DoH"

    • December 3, 2019
    • TWiT

    The future of the Linux kernel underneath the Android OS • Inherent challenges presented by the nature of the Android ecosystem • VNC users: Time to update! • A welcome change to Twitter & SMS-based 2FA • A "foregone conclusion" to law enforcement's strategy to force password divulgence • Pre-announcement from Microsoft about DNS • Details of the emerging DoH protocol

  • S01E743 Android “StrandHogg”

    • December 10, 2019
    • TWiT

    This Week's Stories • Everyone can still upgrade to Windows 10 for free with this trick • HP SSDs fail after 32768 hours • The EU is not happy about a possible US encryption ban • US government's formal permission to hack • 110 nursing homes have been crippled by a ransomware attack • Firefox is seriously pushing back on tracking signal leakage • New problems with Windows DLLs • The StrandHogg vulnerability

  • S01E744 VPN-geddon Denied

    • December 10, 2019
    • TWiT

    This Week's Stories Microsoft has started forcing feature updates on people who don't want them. Bypass to continue obtaining Win7 updates created. Microsoft's Project Verona continues moving forward. Microsoft's RDP client for iOS is back. Avast / AVG in the doghouse. Making a mountain out of a VPN molehill.

  • S01E745 PlunderVolt

    • December 17, 2019
    • TWiT

    This Week's Stories: • Google turns over 1500 users' location data to catch Milwaukee arsonist • Android's Messenger app offers its users verified SMS messaging conversations with supporting companies • US Senate Judiciary Committee threatens Apple and Facebook • Apple's iOS v13.3 adds support for hardware key dongle authentication in Safari • Patch Tuesday shuts down a widespread elevation of privilege vulnerability • Researchers discover prime factor collisions in active RSA certificates • New Orleans hit by a ransomware attack on Friday the 13th • Chrome stops displaying "www." • Google re-enables their Chrome's new code integrity protection feature • Plundervolt: software-based fault injection attacks against Intel SGX

  • S01E746 A Decade of Hacks

    • December 23, 2019
    • TWiT

    On this Eve of 2020, we look back over the hacks of the past decade: • The big news of 2010 was Stuxnet -- Boy did THAT make an impression • Operation Aurora - the hack that changed Google • The Sony Playstation Hack • And then we have... Diginotar • Edward Snowden • The Target hack • The Adobe hack • Silk Road takedown • Have I Been Pwned? • The hack of Sony Pictures • The hack of Mt. Gox • Heartbleed • RowHammer • Ashley Madison data breach • SIM swapping • The Ukraine power grid hacks • DNC hack • Yahoo hacks go public • The Shadow Brokers • The birth of IoT botnets • WannaCry / Petya / NotPetya • Vault7 leaks • MongoDB exposed • Equifax • Coinhive & Cryptojacking • Meltdown, Spectre, and the CPU side-channel attacks • Marriott gets hacked • 2019 - The Year of the Ransomware

  • S01E747 The Year's Best

    • December 31, 2019
    • TWiT

    The best of Security Now from 2019. Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page.

  • S01E748 Our Malware Lexicon

    • January 7, 2020
    • TWiT

    This Week's Stories • The Deadly Seven top cybersecurity attacks • Russia successfully cuts itself off from the rest of the internet. • Love Wawa? Surprise! Your credit card has been stolen. • Huge Point of Sale attack on all of Landry's restaurants, including Rainforest Cafe. • Python 2.7 Reaches End of Life After 20 Years. • HackerOne's 20 top bug bounty programs • A proposed standard for making warrant canaries machine-readable • Xiaomi IoT camera owners can watch other Xiaomi users' video feeds. • Microsoft is wrong on RDP vulnerability. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

  • S01E749 Windows 7 - R. I. P.

    • January 14, 2020
    • TWiT

    This Week's Stories: - Windows 7 support dies today, but 1 in 7 PCs are still running it - Cablehaunt- the remote exploit with the catchy logo that works on ALL cable modems - US government still wants backdoor access to iPhones - CheckRain iPhone jailbreak keeps getting better - How Apple scans your photos for evidence of child abuse - The sim swapping threat - Anatomy/timeline of the exploitation of an unpatched VPN bug - And speaking of patching right away… patch your Firefox browser right now!

  • S01E750 The Crypto CurveBall

    • January 21, 2020
    • TWiT

    This Week's Stories: - iPhones join Android in being a Google account security key. - How much "substantive assistance" did Apple provide in the Pensacola investigation? - A brand new serious Internet Explorer 0-day - Giving Windows an additional Edge - FBI says nation-state actors breached a US city government and a US financial entity by exploiting Pulse Secure VPN servers. - Critical new Windows Remote Desktop Gateway (RD Gateway) remote code execution vulnerability - SQRL for Drupal - Microsoft issues security update to fix "CurveBall" vulnerability

  • S01E751 SHAmbles

    • January 28, 2020
    • TWiT

    This Week's Stories: - Is Apple actually encrypting our iCloud storage backups? - 250 Million Microsoft Customer Support Records Exposed Online - New York state is aiming to ban the use of public funds for Ransomware - New Muhstik Botnet Attacks Target Tomato Routers - Chrome under attack from browser extensions - Firefox under attack from browser extensions - NIST publishes a new Privacy Framework - Hacker Leaks More Than 500K Telnet Credentials for IoT Devices - A Welcome “Micro Patch” for the Windows IE jscript.dll 0-day vulnerability - SHA-1 is a Shambles.

  • S01E752 The Little Red Wagon

    • February 4, 2020
    • TWiT

    This Week's Stories: - L1D Eviction Sampling becomes “CacheOut” - Only one final version of Windows? - Windows 7 and the Free Software Foundation - Windows 7's final patch broke wallpaper stretching - RCE Exploit for Windows RDP Gateway Demoed by Researcher - Google more than doubles its own bug bounty record - The return of Roskomnadzor! - Facebook DID get fined, but not by Russia - who exactly owns our biometric data? - Avast Jumpshot missed the hoop - An Update on the WireGuard VPN in the Linux kernel - In this week's Best Hack of the New Decade... a little red wagon

  • S01E753 Promiscuous Cookies

    • February 11, 2020
    • TWiT

    Twitter, Google, and Facebook tell Clearview AI to stop stealing your face to catch crooks • The NIST is testing methods to recover data from smashed smartphones • Whoa! We get to REMAIN with Security Essentials under Windows 7! • Microsoft drops a fix for the wallpaper stretch black screen • Windows 7 users are being told: “You don't have permission to shut down this computer.” • Win10 Firefox users being “reminded” about Edge • Last week Google closed an Android RCE flaw in the Bluetooth daemon. • Data Exfiltration Technique of the Week • CIA Uses Crypto AG to spy on the world • Chrome 80 appeared last week with its implementation of the updated handling of the optional “SameSite” enforcement cookie property • We invite you to read our show notes at https://www.grc.com/sn/SN-753-Notes.pdf

  • S01E754 The Internet of Troubles

    • February 18, 2020
    • TWiT

    This Week's Stories • How to fix the Windows 7 "You don’t have permission to shut down this computer." error • Win10’s “One Button PC Reset” fails after KB4524244. And, also… “The new disappearing User Profile problem” (Desktop and all user data) • The popular “GDPR Cookie Consent” WordPress plugin had a critical flaw • Whoa! The average tenure of a CISO is just 26 months due to high stress and burnout • Microsoft’s “ElectionGuard” being used for the first time today! • IoT lightbulb vulnerabilities are not such a joke, after all. • SweynTooth Vulnerabilities: a set of more than 12 newly discovered vulnerabilities across a wide range of Bluetooth devices, many of which will never be updated, which allow for, among other things, full device compromise. • We invite you to read our show notes at https://www.grc.com/sn/SN-754-Notes.pdf

  • S01E755 Apple's Cert Surprise

    • February 25, 2020
    • TWiT

    This Week's Security News: • More Windows 10 lost profile pain • A micropatch for the jscript.dll problem • Coming in the next Feature Release (Win10 2004): optional device driver updates • A new attack on 4G LTE and 5G • Starting today: DoH by default on Firefox • A new next-generation WebAssembly sandbox is coming first to Linux and Mac and then to Windows • Chrome was just updated to close a 0-day attack • Safari will only trust certificates with a validity of 398 days or less

  • S01E756 Kr00k

    • March 3, 2020
    • TWiT

    This Week's Stories • Let's Encrypt hits 1 BILLION certs • Pakistan passes Internet censorship law • Clearview AI breach: clients and searches stolen • Swiss government submits criminal complaint over CIA Crypto spying scandal • Ghostcat - (Apache) Tomcat Users: Update NOW! • Revisiting OCSP Must Staple • Kr00k: serious WiFi vulnerability affecting more than a billion devices

  • S01E757 The Fuzzy Bench

    • March 10, 2020
    • TWiT

    This Week's Stories: • Microsoft, Google, LogMeIn & Cisco offer limited-time free use of telecommuting Tools • Hack the Pentagon! • The Android security dilemma • AMD processors get some unwelcome but necessary side-channel attack scrutiny • Intel also has some serious new trouble on its hands • SETI@home shuts down its distributed computing project after 21 years • Critical PPP daemon flaw opens most Linux systems to remote hackers • FuzzBench: fuzzer benchmarking as a service

  • S01E758 The SMBGhost Fiasco

    • March 17, 2020
    • TWiT

    This Week's Stories: • Does Steve have coronavirus? Maybe? He got very sick over the weekend and is still coughing, but he couldn't get tested. • Mayhem ensues after last week's Patch Tuesday • List of free technology services during coronavirus, from Adobe to Zoom • The state of open source vulnerabilities • The “EARN IT” act is a despicable attack on encryption and freedom of speech. Please call your congressperson and tell them not to support it. • The SMBGhost Fiasco

  • S01E759 TRRespass

    • March 24, 2020
    • TWiT

    This week's stories: • Two new un-patched 0-days affecting billions of Windows users - here is the fix! • Mozilla reversed itself on TLS v1.0 and 1.1 deprecation... due to the coronavirus • A micropatch for Win7 and Server 2008 • Chrome's release schedule has been impacted by the coronavirus • Avast emergency-disables their internal JavaScript emulator • CookieThief - "FireSheep evolves for the 21st century" • Pwn2Own Spring 2020 winners • Steve's coronavirus journey • The fixes for RowHammer have not worked

  • S01E760 Folding Proteins

    • March 31, 2020
    • TWiT

    This week's stories: • VPN bug in iOS 13.4 • Folding@Home - how to donate your unused CPU cycles to help provide answers to COVID-19. • RDP and VPN use skyrocketing • To 'www' or not to 'www' • Firefox 76 to finally stop assuming “HTTP” • Google again revises its schedule for Chrome releases • Microsoft moves to support “Shadow Stacks” • Cloudflare's 1.1.1.1 DNS is audited by KPMG

  • S01E761 Zoom Go Boom!

    • April 7, 2020
    • TWiT

    Zoom is a security nightmare - from zoombombing to encryption issues, Steve Gibson runs down Zoom's security concerns. Plus, Jitsi is a great alternative! • Mozilla just patched a pair of CRITICAL 0-days • Eight security bugs eliminated from Chrome last week • Safari gets a bunch of very important fixes • Chrome and Edge join Mozilla in postponing the deprecation of TLS v1.0 and v1.1 • Chrome team reversing themselves on the enforcement of Same Site cookies • Edge with Vertical Tabs and Smart Copy • The return of STIR & SHAKEN • Cloudflare has added Parental Control to their 1.1.1.1 DNS service • Cloudflare's new service accidentally blocks LGBTQIA+ sites

  • S01E762 Virus Contact Tracing

    • April 14, 2020
    • TWiT

    Apple+Google Covid Tracker is Secure and RIP John Conway, Creator of The Game of Life • Apple & Google Virus Contact Tracing: secure and effective • Zoom gets another Zoom-bombing mitigation... and a Class-Action Lawsuit • Meanwhile, Zoom has enlisted the aid of Alex Stamos • Zoom creates a CISO Council • What’s next for Zoom? • Browser Security News: Chrome 81 and Firefox 75 • Android Apps Again in the Crosshairs • Sandboxie goes Open Source • RIP John Conway, creator of Conway's Game of Life

  • S01E763 The COVID Effect

    • April 21, 2020
    • TWiT

    Zoom Fixes Security, EARN IT is Evil, Tor in Trouble • Zoom gets big-name help with security fixes • Google updates Chrome to v81.0.4044.113 to squash a critical flaw • FTP in Chrome lives another day! Google “undepreciates” FTP. • Windows Patch Tuesday for April 2020 fixes 113 vulnerabilities • “Basic Authentication” lives another day! Due to COVID-19, Microsoft and Google will keep “Basic Authentication” around for a little while longer • EARN IT Act: call your Senator before it is too late! • Tor Project fires over 1/3 of its staff • Cloudflare dumps Google's reCAPTCHA

  • S01E764 RPKI

    • April 28, 2020
    • TWiT

    Apple/Google Contact Tracing, Best VPNs to protect you. Apple/Google Contact Tracing Update iOS 0-Day Alert! Update Apple Mail Best VPNs to protect you from the Five Eyes TypoSquatting attacks Vitamin D linked to COVID-19 mortality Resource Public Key Infrastructure How BGP can break the Internet

  • S01E765 An Authoritarian Internet?

    • May 5, 2020
    • TWiT

    China wants to rebuild the Internet. • China's proposal to rebuild the internet is an authoritarian nightmare • Bruce Schneier on COVID-19 Contact Tracing Apps • Political Correctness hits cybersecurity • DHS's CISA says no to 3rd-party DoH • “POWER-SUPPLaY: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers” • An authorization bypass in SaltStack • Adobe's Big Last Tuesday, Non-Patch Tuesday, Update • Google has announced its impending clean-up of the Chrome Web Store • Warning about RDP is not crying wolf

  • S01E766 ThunderSpy

    • May 12, 2020
    • TWiT

    Thunderbolt security flaw, Zoom buys Keybase. • Why the ThunderSpy Thunderbolt security flaw is such a big deal • Zoom purchases Keybase to fix encryption • Firefox 76 released with new features • But Firefox 76 broke Amazon's Assistant! • Hallelujah!! Edge moves to silence those annoying notification requests. • Critical WordPress plugin bugs present on over one million sites • Critical vBulletin patch • Samsung has patched a CRITICAL bug affecting the past 6 years of Smartphones • DefCon and Black Hat 2020 go virtual

  • S01E767 WiFi 6

    • May 19, 2020
    • TWiT

    WiFi 6, Apple vs. FBI, face masks. • Last Tuesday's Windows patch Tuesday was not the biggest ever, but it was the 3rd largest in Microsoft's history, weighing in with a whopping 111 CVE-tracked bug fixes, 16 of which were rated CRITICAL and all but one of which enabled Remote Code Execution by an attacker. • The DOJ and FBI again criticize Apple over encryption • When is a fix not a fix? • Face masks have thwarted the London police's LFR rollout • Utah chooses to roll their own contact tracing app • Everything you need to know about WiFi 6

  • S01E768 Contact Tracing Apps R.I.P.

    • May 26, 2020
    • TWiT

    Contact tracing apps are not going to work. • Why contact tracing apps are never going to work • Unc0ver: There's a new iOS jailbreak in town, and as jailbreaks go, it looks VERY nice! • Firefox 77 picks up a nifty new security trick • New features in Chrome 83: cookie management, "Safety Check," blocking third-party cookies by default in Incognito mode, and "Tab Groups" • Adobe rushes out four out-of-cycle emergency updates to fix security flaws • Zerodium temporarily stops buying iOS remote code execution vulnerabilities • The NXNS Attack: A group of cybersecurity researchers in Israel have responsibly disclosed details about a new way they worked out of using the Internet's domain name resolution system to hugely amplify (by a factor of at least 1620 packets) a DDoS attack to take down targeted websites. • BIAS - Bluetooth Impersonation AttackS is nothing less than a complete collapse of Bluetooth security. • Is eBay port scanning its users' computers? Kinda. • Security Now trivia: Steve Gibson helped develop the Speak & Spell! It did voice synthesis with only a 4K bits (0.5K bytes) processor.

  • S01E769 Zoom’s E2EE Design

    • June 2, 2020
    • TWiT

    Zoom gets end-to-end encryption. • ACLU takes Clearview to court, but maybe they should worry about their own website first • The state of drive-by malvertising downloads • Google will be bad listing notification abusing sites • Who else is doing the eBay-like ThreatMetrix port scanning? • Facebook to require identity verification for high impact posters • Google Messaging is apparently heading toward E2EE • The return of a much more worrisome StrandHogg • The SHA-1 hash to finally be dropped from OpenSSH • What happens when you fuzz USB? • Zoom’s end-to-end encryption design

  • S01E770 Zoom's E2EE Debacle

    • June 9, 2020
    • TWiT

    Zoom's end-to-end encryption fail. Zoom will offer end-to-end encryption, but only if you pay for it. IBM announces no more work on facial recognition. The Odd Case of Mozilla's DoH DDoS. Cisco's Talos group found two critical flaws in the Zoom client. CallStranger UPnP bug has tech press in a tizzy. Microsoft has started to replace old Edge with new Edge.

  • S01E771 Lamphone

    • June 16, 2020
    • TWiT

    Windows update kills printers & SSDs. Lamphone: eavesdrop on a hanging lightbulb. Brave Browser caught and chastised for tweaking user-entered URLs for its benefit. Microsoft breaks its own record for Patch Tuesday patches. TFW Windows 10 loses your printer port. Last week's Patch Tuesday broke ALL PRINTING (even to PDFs) for many users. Fix won't come for a month. Windows 10 2004 update is messing up SSDs and non-SSDs. SMBleed. Subject: Your Site Has Been Hacked. Authentic database ransom attacks. Another side-channel attack on Intel chips.

  • S01E772 Ripple20

    • June 23, 2020
    • TWiT

    Zoom encryption, Windows 10 printer error. Ripple20: a set of 19 TCP/IP vulnerabilities that could let remote attackers gain control over your device. Russian government lifts its failed ban on Telegram. Zoom: everybody gets optional end to end encryption. Google removed 106 malicious Chrome extensions collecting sensitive user data. Windows 10 update breaks printing. VLC Media Player 3.0.11 fixes severe remote code execution flaw. Netgear in the doghouse. DDoS is alive and well... and growing. How to get the new Edge for Windows 7.

  • S01E773 Ripple20 Too

    • June 30, 2020
    • TWiT

    Congress wants to kill encryption & face recognition. New information about Ripple20. The Facial Recognition and Biometric Technology Moratorium Act wants to kill face recognition. The Lawful Access to Encrypted Data Act wants to kill encryption. Michigan State's legislative House passed the "Microchip Protection Act". Apple forces the industry down to one-year web browser certificate lifespans. Safari to eschew 16 new web APIs for the sake of user privacy. Apple also got on the DoH & DoT bandwagon. Mozilla + Comcast + DoH: Strange Bedfellows. Don't forget about VirusTotal.

  • S01E774 123456

    • July 7, 2020
    • TWiT

    Boston bans face recognition, bad passwords. Boston bans facial recognition. 123456 is still the most popular password. iOS 14 catches LinkedIn, TikTok, and others red handed! US-CERT notes two Emergency Windows Updates. HackerOne shares their top 10 public bug bounty programs. Sony launches PlayStation bug bounty program with rewards of $50K+. F5 Networks patches a highest-severity vulnerability.

  • S01E775 Tsunami

    • July 14, 2020
    • TWiT

    EARN IT is still evil, Google tsunami. Mozilla suspends “Send” due to persistent malware abuse. Zoom fixed a new RCE affecting Windows 7 and earlier systems. The EARN IT bill, take II is still just as bad as the original. Google bans ads on stalkerware. A Chinese Internet equipment vendor in the hot seat. Locating hidden drone operators. Rampant Router Insecurities. Tsunami: Google's open-source enterprise network vulnerability scanner.

  • S01E776 A Tale of Two Counterfeits

    • July 21, 2020
    • TWiT

    Here's how Twitter was hacked. How can we prevent the next Twitter hack? Cloudflare outage takes out huge swath of American internet, including Down Detector. All internet got sent to Atlanta. Zoom's vanity URL flaw: when is a "zero day" not a zero day? Not all VPNs are created equal. Apple updated its iOS and macOS with a handful of useful security patches. SigRed: “This is not just another vulnerability.” And speaking of last week's July Patch Tuesday... “Firefox Send” is still not receiving. A tale of two counterfeits.

  • S01E777 rwxrwxrwx

    • July 28, 2020
    • TWiT

    F5 Networks “Big-IP” devices in Big-Trouble. Twitter bitcoin hack update. GnuTLS vs OpenSSL. The Garmin outage then and now. Cisco's latest trouble. Surprising SpinRite results.

  • S01E778 BootHole

    • August 4, 2020
    • TWiT

    Twitter hackers arrested, Garmin hackers get ransom. Vitamin D fights death by Covid. Firefox is now at v79. Twitter hackers arrested. Garmin hackers rewarded. Tor and Dr. Krawetz Dropping 0Days. Blocking Tor Connections the Smart Way. Enabling Zoom Meeting Hacking. Another SHA-1 Deprecation. QNAP and QSnatch. BootHole.

  • S01E779 Geneva

    • August 11, 2020
    • TWiT

    Great Firewall Of China, Black Hat/DEFCON 2020, Have I Been Pwned. It's Patch Tuesday! News from Black Hat / DEFCON 2020. Generalizing Speculative Execution Vulnerabilities. Canon hit by the Maze ransomware. A vBulletin Emergency. DoH for Win10. Troy Hunt Hasn't Been Pwned. Geneva: China's Great Firewall Tightens.

  • S01E780 Microsoft’s 0-day Folly

    • August 18, 2020
    • TWiT

    Microsoft acts badly, Canon ransomware, Mozilla tries to pivot. When Microsoft doesn't act responsibly: Parts 1 and 2. Snap Your Dragon / "Achilles: Small Chip, Big Peril". 3rd largest Patch Tuesday ever. Mozilla pivoting to VPN, future uncertain. The other ransomware shoe drops at Canon. Software glitch in California's COVID case reporting. Threema gets E2EE Video Calls.

  • S01E781 SpiKey

    • August 25, 2020
    • TWiT

    Ransomware hits Jack Daniel's, Iranian Script-Kiddies, how ransomware happens. SpiKey: using the sound of a key to determine its shape. What do The University of Utah, Jack Daniel’s Whiskey, and Carnival Cruise Lines all have in common? Ransomware. A Remote Code Execution in Chrome’s WebGL. How ransomware happens: email phishing, remote desktop protocol compromise, and software vulnerability. Emergency Windows update! Iranian script-kiddies using RDP to deploy Dharma ransomware. The Zero-Day Initiative turns 15.

  • S01E782 I Know What You Did Last Summer

    • September 1, 2020
    • TWiT

    Russian tries to hack Tesla, web browser history research. Chrome 85 security features. Russian Attempts to Cyber Attack Tesla. More EMV Standard monetary transaction method problems. Watch this video on Covid testing. I Know What You Did Last Summer: research on web browsing histories.

  • S01E783 IoT Isolation Strategies

    • September 8, 2020
    • TWiT

    Isolate your IoT devices, Threema goes open-source. IoT Isolation Strategies. DoH coming to Chrome for Android. Bye Bye Drive-By Downloads. Threema goes Open-Source. WordPress File Manager 0-day flaw. Facebook’s new VDP — Vulnerability Disclosure Policy. Facebook's new “WhatsApp Security Advisories” page. The Tor Project Membership Program. Intel's latest microcode patches.

  • S01E784 BlindSide & BLURtooth

    • September 15, 2020
    • TWiT

    Chrome vs abusive ads, Patch Tuesday palooza. BlindSide and BLURtooth. Chrome gets tough on abusive ads. The last hurrah for IE & Flash exploits. Chromium Edge on Win10: Forcing the issue. Edge enables “Ask me...” for each download. Patch Tuesday Palooza! Excessive SSD Defragging also fixed. The WordPress File Manager flaw... two weeks downstream. Zoom... now with 2FA. New Raccoon attack.

  • S01E785 Formal Verification

    • September 22, 2020
    • TWiT

    iOS 14 & Android 11 security features, DuckDuckGo gets big. The most important iOS 14 privacy & security features. All of Android 11's new privacy & security features. DuckDuckGo usage growth goes exponential. LAN attack bug fixed in Firefox 79 for Android. Goodbye Forever Firefox Send and Notes... Oh, how we loved ye. Microsoft’s catastrophic Zerologon vulnerability. Why we're headed toward formal verification of security protocols.

  • S01E786 ZeroLogon++

    • September 29, 2020
    • TWiT

    Amazon flying security cam, ZeroLogon on GitHub, ransomware roundup. What could possibly go wrong: Amazon/Ring's autonomous flying home security webcam. Evil ransomware gang deposited $1 million of bitcoin in a hacker recruitment drive. Over this past weekend, Universal Health Services was hit by a huge Ryuk ransomware. One week ago, there were three ZeroLogon exploits on GitHub. Today there are more than fit on the first page of search results. Security Fixes in Chrome's v85.0.4183.121 Release. The VPN you choose DOES make a difference. A “Ransomware Goldrush”.

  • S01E787 Why Win7 Lives On

    • October 6, 2020
    • TWiT

    Android Security, Windows 7 Security, Microsoft Defender. Google to get even more proactive about Android security. Why are people sticking with Windows 7? And Google funds a JavaScript research engine. Microsoft Defender gets in Vitro Updating. WSL 2 (Windows Subsystem for Linux v2) completely bypasses the hosting Windows 10 firewall. Most Microsoft Exchange Servers remain unpatched after 9 eight months! Cloudflare has just added a free web API firewall service for all customers. US Dept of the Treasury tightens up on Ransomware payments. UEFI Bootkits are becoming more mainstream.

  • S01E788 Well Known URI’s

    • October 13, 2020
    • TWiT

    Carnival Cruise hack, ZeroLogon, Five Eyes vs Encryption. Chrome gets 86’d! Carnival Cruise Line Hack. The largest company you've never heard of gets hit by ransomware hackers. No connection logs? In France, you go to jail! Hacking the Apple. ZeroLogon, the FBI, DHS and our forthcoming election security. The revenge of DNT, as GPC, now enhanced with legislation. The Anti-E2EE drumbeat beats yet again.

  • S01E789 Anatomy of a Ryuk Attack

    • October 20, 2020
    • TWiT

    Zoom end-to-end encryption, Windows 10 god mode, Manifest v3. Last Wednesday, Zoom announced that THIS week their 30-evaluation of end-to-end encrypted video conferencing would begin. How to enable Windows 10 “God Mode”. Edge to be updated with browser extensions “Manifest v3”. Last Tuesday Microsoft issued fixes for 87 security vulnerabilities - so, yeah, it was a slow month... Your SonicWall Network Security Appliance (NSA) MUST be patched now! Microsoft's two out-of-cycle patches. Anatomy of a Ryuk Attack.

  • S01E790 Top 25 Vulnerabilities

    • October 27, 2020
    • TWiT

    Chrome 0-Day, Edge for Linux, WordPress Loginizer. Top 25 Vulnerabilities. Critical 0-day in Chrome. Chrome 86 is now blocking slippery notifications. Site Isolation coming soon to Firefox. Microsoft's Chredge for Linux. WordPress Loginizer vulnerability.

  • S01E791 Google’s Root Program

    • November 3, 2020
    • TWiT

    Google One VPN, WordPress update fail, Windows 7 0-Day. A new 0-day in Win7 through Win10. A public service reminder from Microsoft. Google One adding an Android VPN. Vulnonym: Stop the Naming Madness! WordPress fumbles an important update. Chrome’s Root Program.

  • S01E792 NAT Firewall Bypass

    • November 10, 2020
    • TWiT

    SlipStream NAT firewall bypass, MS Police use Ring doorbell cams. Let's Encrypt's cross-signed root expires next year. Chrome updates on Windows, macOS, Linux, and Android to remove 0-day vulnerability. Mattel, Compel, Capcom, and Campari fall to ransomware attacks. iOS 14.2 fixes three 0-day vulnerabilities. Introducing the Tianfu Cup: China's version of the Pwn2Own hacker competition. November’s Patch Tuesday. The Great Encryption Dilemma hits Europe. Ring Doorbells to be tapped in a trial by local Police. WordPress plugins are a hot mess for security. SlipStream NAT Firewall Bypass.

  • S01E793 SAD DNS

    • November 17, 2020
    • TWiT

    Malicious Android apps, ransomware-as-a-service. Where do most malicious Android apps come from? SAD DNS is a revival of the classic DNS cache poisoning attack. How many Ransomware-as-a-Service (RaaS) operations are there? Ragnar Locker ransomware gang takes out a Facebook ad. Two more new 0-days revealed in Chrome. Last Tuesday, Microsoft fixed 112 known vulnerabilities in Microsoft products.

  • S01E794 Cicada

    • November 24, 2020
    • TWiT

    Ongoing WordPress attack, RCS gets End-to-end encryption. Chrome moves to release 87. Explicit Publication of Privacy Practices. Firefox 83 gets HTTPS-only Mode. Mozilla seeks consultation on implementing DNS-over-HTTPS. The comical announcement strategy of the Egregor Ransomware. Large-scale attacks targeting Epsilon Framework Themes in WordPress. Cybercrime gang installs hidden e-commerce stores on WordPress sites. 245,000 Windows systems still vulnerable to BlueKeep RDP bug. Google's Rich Communication Services is getting E2EE via Signal. Cicada, a Chinese state-sponsored advanced persistent threat group.

  • S01E795 DNS Consolidation

    • December 1, 2020
    • TWiT

    Generic smart doorbells, Tesla Model X key fobs, critical Drupal flaw, Spotify. Chrome Omnibox becomes more Omni. Chrome's open tabs search. Ransomware news involving Delaware County, Canon, US Fertility, Ritzau, Baltimore County Public Schools, and Banijay group SAS. Drupal's security advisory titled “Drupal core - Critical - Arbitrary PHP code execution.” The revenge of cheap smart doorbells. Tesla Key Fob Hack #3. CA's adapt to single-year certs. Nearly 50,000 Fortinet VPN credentials posted online. More than 300,000 Spotify accounts hacked. MobileIron MDM CVSS 9.8 RCE. The Salvation Trilogy. Spinrite update. DNS Consolidation.

  • S01E796 Amazon Sidewalk

    • December 8, 2020
    • TWiT

    Google Play Core Library, iOS zero-click radio proximity exploit, Apple M1 chip. Ransomware news regarding Foxconn, Egregor, and K12 Inc. The Apple iPhone zero-click radio proximity vulnerability. Oblivious DoH (ODoH). Google Play Core Library problems. The mysterious power of Apple's M1 Arm processor chip. InitDisk release 2 published. SpinRite update. Amazon Sidewalk.

  • S01E797 SolarWinds

    • December 15, 2020
    • TWiT

    Chrome throttling ads, Google outage, 2020 Pwnie Awards, JavaScript's 25th birthday. Chrome's heavy ad intervention. Adrozek. Ransomware: "Double Extortion." A 0-click wormable vulnerability in D-Link VPN servers. Google suffered an outage. Amnesia:33. Zero-day in WordPress SMTP plugin. The 2020 Pwnie Awards. The end of Flash. JavaScript is celebrating its 25th birthday. InitDisk release 4 published. A deep look at the SolarWinds hack.

  • S01E798 Best of 2020

    • December 22, 2020
    • TWiT

    Leo Laporte walks through some of the highlights of the show and most impactful stories of 2020. Stories include: Clearview AI face scanning. The "EARN IT" act. Zoom security issues. Why contact tracing apps won't work. How to prevent the next Twitter hack. Ring's autonomous flying home security webcam.

  • S01E799 SunBurst & SuperNova

    • December 29, 2020
    • TWiT

    Ransomware Task Force, Chrome 87, Firefox caches, preserving Flash video. Chrome 87 backs away from Insecure Form Warnings. Firefox to begin partitioning its caches. Browsers say no to Kazakhstan again. Announcing the RTF - The Ransomware Task Force. 5 million WordPress sites in critical danger. Treck's TCP/IP stack strikes again! Preserving Flash content online. SpinRite: ReadSpeed is ready! InitDisk is at release 5. Numerous updates on SolarWinds, Sunburst, and Supernova.

  • S01E800 SolarBlizzard

    • January 5, 2021
    • TWiT

    SolarWinds' Orion software, swatting goes IoT, PHP Zend Framework vulnerability. Chrome struggles with A/V pre-scan file locking. Zyxel security products protected by a single redundant password. How Swatters are using IoT devices to increase the terror. A new serious problem in the PHP Zend Framework on WordPress. Bitcoin woes as value reaches new peaks. ReadSpeed, SSD's, and SpinRite. A new flaw discovered in SolarWinds' Orion software.

  • S01E801 Out With The Old

    • January 12, 2021
    • TWiT

    SolarWinds smoking gun, Signal influx of WhatsApp users, male chastity cage. Firefox and Chromium updates address remote system take over bugs. Tenable researchers reported a critical Chromium bug. What Firefox's backspace key does and should do. How Ryuk malware operations netted $150 million via cryptocurrency exchange. Intel: A triumph of marketing over technology. The strange case of the Male Chastity Cage. A SolarWinds smoking gun? "Sunburst backdoor." A class action lawsuit filed by shareholders of SolarWinds stock. The "Krebs Stamos Group". Zyxel security endpoints under attack. WhatsApp revises their privacy policy. Signal sees a mass influx of WhatsApp users. Out with the old: A look at the history of SpinRite code.

  • S01E802 Where the Plaintext is

    • January 19, 2021
    • TWiT

    2021's first Patch Tuesday, Titan Security Key side-channel attack, WhatsApp. When is Chrome not Chromium? A major DuckDuckGo milestone. Project Zero in the wild. First Patch Tuesday of 2021. ZeroLogon Drop Dead. NSA warns against outsourcing DoH services. A Side-Channel in Titan. The "PayPal Football". WhatsApp's decision to bring its data into Facebook.

  • S01E803 Comparative Smartphone Security

    • January 26, 2021
    • TWiT

    Browser password managers, Adobe Flash repercussions, SolarWinds. Chrome and Edge have beefed up their built-in password managers. The random repercussions associated with the end of Adobe Flash. A new trend emerging with post-ransomware DDoS attacks. SolarWinds attack details continue to emerge. Malwarebytes was also attacked. It seems that wherever we look, we find problems. The Expanse is GOOD sci-fi. Comparative Smartphone Security: Which mobile OS is better?

  • S01E804 NAT Slipstreaming 2.0

    • February 2, 2021
    • TWiT

    SUDO was pseudo secure, BigNox supply-chain attack, iMessage in a sandbox. Picture of the Week. Chrome rescinding another CA's root cert. An urgent update to the recently released GnuPG. An interesting supply-chain attack "BigNox". Apple quietly put iMessage in a sandbox in iOS 14. For the past 10 years, “SUDO” was only pseudo secure. SpinRite: February 1st Progress Report. NAT Slipstreaming 2.0.

  • S01E805 SCADA Scandal

    • February 9, 2021
    • TWiT

    Defender thinks Chrome is malware, Plex Media Servers in DDoS attacks. Picture of the Week. Google has been busy with Chrome. Google Chrome Heap Buffer Overflow Vulnerability Exploited. A unique use of Chrome's “sync” feature for command & control and data exfiltration. Defender thinks Chrome is Malware. More Critical WordPress Plug-in Problems. Plex Media servers SSDP protocol being used in DDoS attacks. Three more NEW vulnerabilities discovered in SolarWinds’ software. Closing the Loop. SpinRite: “Discovering System’s Mass Storage Devices...” SCADA Scandal: Hacker's attempts to adjust chemicals in Oldsmar water supply.

  • S01E806 C.O.M.B.

    • February 16, 2021
    • TWiT

    Florida water supply hack update, Major patch Tuesday, Android SHAREit vulnerability. Pic of the week. New info in the Oldsmar, Florida water supply attack. Major Patch Tuesday update. Adobe released critical updates to three versions each of its Acrobat and Reader. Android SHAREit. The Rise of The Web Shells. This week's WordPress Mess: Responsive Menu plugin. SpinRite drive discovery video. What is C.O.M.B.?

  • S01E807 Dependency Confusion

    • February 23, 2021
    • TWiT

    SHAREit's security update, Solorigate, Brave's "Private Window with Tor". SHAREit Follow-up. This Week in Web Browser Tracking. Brave's “Private Window with Tor” was not so private. Tracking with eMail Beacons. Microsoft's final “Solorigate” update. “Good App goes Bad for Profit”. SpinRite: RS shows VERY obvious improvement after one pass of SR 6. Dependency Confusion.

  • S01E808 CNAME Collusion

    • March 2, 2021
    • TWiT

    Seven Exchange 0-days, Firefox Enhanced Tracking Protection, SolarWinds Password. Chrome to default to trying HTTPS first when not specified. Firefox's “Enhanced Tracking Protection” just neutered 3rd-party cookies! As easy as “SolarWinds123”. Rockwell Automation's CVE-2021-22681 is a CRITICAL 10 out of 10. VMware's vCenter troubles. SpinRite update. Microsoft issues emergency patches for 4 exploited 0-days in Exchange. CNAME Collusion.

  • S01E809 Hafnium

    • March 9, 2021
    • TWiT

    Dependency confusion, Intel Side Channel Attacks, Crispy Subtitles from Lay's. Picture of the week. 47 fixes in Chrome 89.0.4389.72. Crispy Subtitles from Lay’s. Google funds Linux kernel security developers. WinAmp gets a huge update! "Intel Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical". Dependency Confusion! Listener feedback. Hafnium.

  • S01E810 ProxyLogon

    • March 16, 2021
    • TWiT

    New Chrome 0-Day, Patch Tuesday Redux, Spectre Comes to Chrome. Chrome closes another 0-day. This v89 of Chrome also lost some weight. Spectre comes to Chrome! Prime+Probe: A new browser tracking side-channel. Patch Tuesday Redux. BSODs when attempting to print. Free code signing for the Open Source community. JPL’s Perseverance Rover. Feedback. Spinrite. ProxyLogon.

  • S01E811 What the FLoC?

    • March 23, 2021
    • TWiT

    Automatic fix for Exchange Server flaw, Firefox 87 features, MyBB patch. Dave's Garage on YouTube. The latest update on the ProxyLogon fiasco is from Microsoft. Black Kingdom Ransomware. Firefox will be adopting a new privacy-enhancing Referrer Policy. This Week in Remote Code Execution Disasters. MyBB gets patched. CAID is able. What the FLoC? “Federated Learning of Cohorts”

  • S01E812 GIT me some PHP

    • March 30, 2021
    • TWiT

    Spectre returns to Linux, API Security, OpenSSL flaws, SolarWinds. Picture of the week. ProxyLogon Update. Spectre returns to Linux. OpenSSL fixes several high-severity flaws. SolarWinds keeps finding new critical problems within its own code. Cloudflare's recent moves. A focus on API Security. SpinRite update. The curious case of the PHP's Git Server Hack.

  • S01E813 A Spy in Our Pocket

    • April 6, 2021
    • TWiT

    Ubiquiti coverup, Facebook data dump, malicious Call of Duty cheats. The Ubiquiti Coverup. Facebook’s 533,313,128 Million User Whoopsie! Don't mess with our water! Android moves to limit inter-app visibility. Beware malicious “Call of Duty: Warzone” cheats. QNAP — Just Say No! Listener Feedback. A Spy in Our Pocket.

  • S01E814 PwnIt And OwnIt

    • April 13, 2021
    • TWiT

    Picture of the week. The Slips keep Streaming. Are You FLoC'ed? The PHP GIT Hack, revisited. Cisco abandons old routers having problems. Failure to Patch. PwnIt And OwnIt.

  • S01E815 Homogeneity Attacks

    • April 20, 2021
    • TWiT

    Club TWiT details. Picture of the Week. The Vivaldi Project's take on FLoC. Chrome continues to be THE high-value target. We’re at Chrome v90. Exchange Server Web Shells removed, with DOJ Permission. WordPress joins the “FLoC No!” chorus. It's Humble Bundle Book Time. Closing the Loop. A quick SpinRite progress report. Homogeneity Attacks.

  • S01E816 The Mystery of AS8003

    • April 27, 2021
    • TWiT

    Remembering Dan Kaminsky. Week before last was Patch Tuesday. Google's Project Zero responds to today's patch latency reality. Baking security into IoT. UNethical security research. CloudFlare refuses to knuckle under to Patent Trolls. Closing The Loop. The Mystery of AS8003.

  • S01E817 The Ransomware Task Force

    • May 4, 2021
    • TWiT

    Picture of the Week. REvil hacks Apple supplier Quanta Computer. World-famous Scripps Health taken down. The Big Emotet Botnet Takedown. Emotet’s 4,324,770 eMail addresses. Have I Been Pwned domain-wide notifications. QNAP. Gravity NNTP Newsreader updated to v3.0.11.0. Just a bit more about Dan Kaminsky. Closing the Loop. The Ransomware Task Force.

  • S01E818 News from the Darkside

    • May 11, 2021
    • TWiT

    Picture of the week. TsuNAME - “DNS Configuration Flaw Lets Attackers Take Down DNS Servers”. Huh Google? Tor's Exit Nodes. 21 Nails in Exim's coffin. Project Hail Mary: A Novel. Closing the loop. SpinRite update. News from the Darkside.

  • S01E819 The WiFi Frag Attacks

    • May 18, 2021
    • TWiT

    Picture of the week. DarkSide Follow-Up. Follow The Money. Toshiba Attacked by DarkSide. Ransomware topics off-limits here. “DarkTracer: DarkWeb Criminal Intelligence”. Please Leak our Stolen Data! Patch Tuesday Review. A review of the first book of "The Frontiers Saga". 60 Minutes/UAP: Unidentified Aerial Phenomena. Closing the Loop. The WiFi Frag Attacks.

  • S01E820 The Dark Escrow

    • May 25, 2021
    • TWiT

    Picture of the Week. Firefox finally achieves sustained “Fission”. Conti ransomware. CNA Financial pays up big. When they say IoT do they mean us? “Mean Time to Inventory”. The “Doom” CAPTCHA. The “Helios” screensaver. Closing the Loop. The Dark Escrow.

  • S01E821 Epsilon Red

    • June 1, 2021
    • TWiT

    Photo of the Week. Chrome advances to 91. Emsisoft has created their own ransomware decryption tool. Stepping off the Sidewalk. Just another phishing attack. The Great Encryption Struggle. Hail Mary. Epsilon Red.

  • S01E822 Extrinsic Password Managers

    • June 8, 2021
    • TWiT

    Picture of the week. The Great CyberSecurity Awakening of 2021. Firefox will soon auto-update on Windows even when it's not running. Edge takes its own approach to HTTPS switching. Three new ransomware victims. We believe we know how Colonial Pipeline was breached. The FBI strikes back... but how, exactly? WordPress force installs Jetpack security update on 5 million sites. WordPress Fancy Product Designer. GitHub Updates its formal posting policy. NAT vs IPv6. Project Hail Mary update. Extrinsic Password Managers.

  • S01E823 TLS Confusion Attacks

    • June 15, 2021
    • TWiT

    Picture of the week. Being #1 is a mixed blessing. Industry wide patch Tuesday. TikTok Quietly Updated Its Privacy Policy to Collect Users' Biometric Data. iOS 14.5 requires apps to obtain explicit tracking permission. The ANOM sting operation. “Windows 10” — the last Windows ever? Project Hail Mary. SpinRite: The Curious Data Recovery Adventure. TLS Confusion Attacks.

  • S01E824 Avaddon Ransonomics

    • June 22, 2021
    • TWiT

    Picture of the Week. Another day, another Chrome 0-day. Ransomware perpetrators are increasingly purchasing access. A weird bug in iOS Wi-Fi. An Early Preview of Windows 11. The Security Now! Podcast has found a new purpose... SpinRite. Avaddon Ransonomics.

  • S01E825 Halfway through 2021

    • June 29, 2021
    • TWiT

    Picture of the week. Google's FLoC has landed with a hard thud and is now delayed. The high cost of Ireland's recovery from the Conti ransomware attack. Who is responsible for damage and data loss following the remote wiping of many Western Digital My Book NAS devices? The story behind an important Edge update. Where will Windows 11 run? The passing of an industry legend. Steve's favorite web browser keyboard shortcut and his favorite website cloning tool.

  • S01E826 The Kaseya Saga

    • July 6, 2021
    • TWiT

    Picture of the Week. “PrintNightmare” is NOT CVE-2021-1675. The Authentication Dilemma. Western Digital steps up. WD's MyCloud OS3 Troubles. SpinRite. Miscellany & Closing The Loop. The Kaseya Saga.

  • S01E827 REvil’s Clever Crypto

    • July 13, 2021
    • TWiT

    Picture of the Week. The “PrintNightmare Continues”. Kaseya - Not nearly as bad as it could have been. Ransomwhere site. Microsoft Office Users: There's a new malware-protection bypass. Ransomware negotiators are now in high demand. Microsoft seemingly enforces the new Windows 11 Start menu. Stay tuned for SpinRite v6.1 beta. REvil's Clever Crypto.

  • S01E828 REvil Vanishes!

    • July 20, 2021
    • TWiT

    Picture of the week. Browser News. The attacks on Google Chrome continue. Firefox special-cases anti-tracking for "Login With" functions. Security News. iOS WiFi SSID bug. We still can't awaken from the "PrintNightmare". It's not a bug, it's a feature! Patch Tuesday Review. Update Acrobat and Reader. Rolling your own Crypto. Pegasus. Errata. Windows Extended APIs. REvil Vanishes.

  • S01E829 SeriousSAM & PetitPotam

    • July 27, 2021
    • TWiT

    Picture of the Week. Faster and more efficient phishing detection in Chrome 92. A Universal Decryptor for all Kaseya victims. The printer driver used by millions of HP, Samsung and Xerox Printers is exploitable. Windows’ Process Hacker. “GoLang” gains supply chain security features at GitHub. Closing the Loop. SeriousSAM & PetitPotam.

  • S01E830 The BlackMatter Interview

    • August 3, 2021
    • TWiT

    Picture of the Week. Mozilla's Firefox Monthly Active Users (MAU) slowly but steadily drops. Google to finally assume HTTPS. The evolution of “Initial Access Brokers”. DarkSide Returns. “A Microsoft July 2021 Recap”. Tailscale. Closing the Loop. SpinRite. The BlackMatter Interview.

  • S01E831 Apple’s CSAM Mistake

    • August 10, 2021
    • TWiT

    Picture of the week. “You're Doing IoT RNG”. The Pulse Secure VPN remains in trouble. And Cisco, too... Flaws found in another popular embedded TCP/IP library. Microsoft Edge gets “Super Duper Secure Mode”. Closing the Loop. Apple’s CSAM Mistake.

  • S01E832 Microsoft’s Culpable Negligence

    • August 17, 2021
    • TWiT

    Picture of the week. Firefox Update. Facebook finally adds end-to-end encryption to Messenger. Exploitation of PrintNightmare has begun. And “Magniber” Ransomware Uses PrintNightmare. Crypto-mining botnet modifies CPU configurations to increase its mining power. NortonLifeLock and Avast are merging their users. ASUS updates 207 motherboard BIOSes! Errata. Closing the Loop. Microsoft’s Culpable Negligence.

  • S01E833 Microsoft's Reasoned Neglect

    • August 24, 2021
    • TWiT

    Picture of the week. Firefox soon to be blocking mixed-content downloads by default. The news from T-Mobile is all bad. Introducing ProxyLogon's kissing cousin, ProxyShell. The Razer mouse hack. A critical ThroughTek SDK flaw enables IoT spying. Overlay Networks. Closing the Loop. Microsoft’s Reasoned Neglect.

  • S01E834 Life: Hanging by a PIN

    • August 31, 2021
    • TWiT

    Picture of the Week. Credit Freeze vs Credit Lock. T-Mobile hacker speaks! Where will Windows 11 run? ProxyToken. Tailscale Open Source? SSD Bait & Switch. SpinRite. Life: Hanging by a PIN.

  • S01E835 TPM v1.2 vs 2.0

    • September 7, 2021
    • TWiT

    Picture of the Week. The Razer mouse & keyboard. The wishful phrase “Internet Anonymity” is an oxymoron. And speaking of Apple's client-side image matching... Bluetooth has new troubles. Attackers Can Remotely Disable Fortress Wi-Fi Home Security Alarms. Closing the Loop. "Light Chaser" by Peter F. Hamilton and Gareth L. Powell. TPM v1.2 vs 2.0.

  • S01E836 The Mēris Botnet

    • September 14, 2021
    • TWiT

    Picture of the Week. A new worrisome 0-day attack against Office documents. Work From Home (WFH) — No problem? “Attacks only ever get better”. The return of REvil — Apparently, vacation’s over. Closing the Loop. I have this next piece under “Science Fiction” — but is it fiction??? The Mēris Botnet.

  • S01E837 Cobalt Strike

    • September 21, 2021
    • TWiT

    Picture of the week. The DDoS attack on VoIP.ms. Patch Tuesday's Mixed Blessing. Android to auto-reset app permissions on many more devices. BREAKING: FBI held back ransomware decryption key from businesses to run operation targeting hackers. Google patched the 9th & 10th ITW 0-days in Chrome this year. Was GRC Pwned? Sci-Fi to look forward to. My work on SpinRite is progressing. Cobalt Strike.

  • S01E838 autodiscover.fiasco

    • September 28, 2021
    • TWiT

    Picture of the Week. Chrome's 12th 0-day this year. Next up on this week's 0-day Watch... is Apple. Apple appears to be annoying their bug reporters. Epik Confirms Hack, Gigabytes of Data on Offer. Microsoft gets Windows 11 ready for release with a new “Release” build. Newly updated PC Health Check tool. Windows 10 emergency update “might” resolve some Patch Tuesday troubles. Is this Cert valid? A shaky Foundation. autodiscover.fiasco.

  • S01E839 “Something Went Wrong”

    • October 5, 2021
    • TWiT

    Picture of the Week. Another two, in-the-wild, true 0-days found and fixed in Chrome. Windows 11 arrives. A known memory leak in Windows Explorer. Ransomware and cyber warfare. On the topic of thwarting SIM swapping attacks... A widespread Android Trojan is making someone a bunch of money! There's a problem with Apple Pay and Visa. Foundation update. SpinRite update. “Something Went Wrong”

  • S01E840 0-Day Angst

    • October 12, 2021
    • TWiT

    Picture of the week. Windows 11 Watch: “AllowUpgradesWithUnsupportedTPMOrCPU”. AMD processors running some apps up to 15% slower. The Windows 10 taskbar on Windows 11. Microsoft is disagreeing... with themselves. We have an update on the Windows Explorer RAM leak I mentioned previously... VirtualBox and Windows HyperVisors don't get along. Dropped UDP packets with network optimization. Patch Tuesday. The Joy of the (new!) Default: Excel 4.0 macros to be disabled. Google warns Gmail users of phishing attempts. Google takes first step toward universal 2SV. The US Senate approves some hacking and ransomware legislation. Amazon’s “Twitch” service was hacked bigtime! A major Apache webserver update introduced a new critical 0-day error. Last Week's Mass Exodus from WhatsApp. Closing the Loop. Apple’s new “Invasion” series. SpinRite. 0-Day Angst.

  • S01E841 Minh Duong's Epic Rickroll

    • October 19, 2021
    • TWiT

    Picture of the week. Windows 11 Watch - Don't update to Windows 11 unless you need to. Patch Tuesday - PrintNightmare fix to fix the previous print nightmare fix that broke other things. Point and Print feature is the problem, not a bug. On Windows 11, installing printers might also fail when using the Internet Printing Protocol (IPP). “While Microsoft provided a fix in their September 2021 update, the patch resulted in a number of new management problems." "There were a total of 74 vulnerabilities of various severities fixed with one being a true 0-day." MysterySnail has the potential to collect and exfiltrate system information from compromised hosts. REvil may finally be gone for good. Over 30 Countries Pledge to Fight Ransomware Attacks. $52.1 Billion in ransomware transactions? really? Tianfu Cup 2021. Clipboard Hijacking for fun and profit. LinkedIn to dramatically pare down its offering in China. Closing the Loop. Minh Duong's Epic Rickroll.

  • S01E842 The More Things Change...

    • October 26, 2021
    • TWiT

    Picture of the Week. A sneak peek at November 9th upcoming Win11 fixes. Leo gets his wish!! REvil WAS recently re-taken down by Law Enforcement! Microsoft: “We’re Excited to Announce the Launch of Comms Hub!” Microsoft: “Windows update expiration policy explained”. And while we're on the subject of Windows Updates... Windows XP’s 20th Anniversary. Last Tuesday the 19th, Zerodium tweeted... The “Devastating” Gummy Browsers attack! User-Agent Parser NPM package maliciously altered. Closing the Loop. Miscellany. SciFi - Dune / Foundation / Arrival / Invasion. SpinRite. The More Things Change...

  • S01E843 Trojan Source

    • November 2, 2021
    • TWiT

    More 0-days for Chrome. Two naughty Firefox add-ons have been caught abusing an extension API. Windows 11 News: Can we print yet? A new Local Privilege Escalation affecting all versions of Windows. Ask your AI. And speaking of the PC Health Check. Stand back for the Adobe Security Patch Tsunami. The VoIP DDoS attacks continue. Closing The Loop. SpinRite. “Trojan Source”

  • S01E844 Bluetooth Fingerprinting

    • November 9, 2021
    • TWiT

    Picture of the Week. Lots of welcome progress on the ransomware front. Pwn2Own Austin: Last Tuesday-Thursday largest ever 3-day Fall 2021 Pwn2Own. Windows 11 snipping tool, its emoji picker, and other parts are failing. Trouble being created by unpatched GitLab servers. More supply chain attacks. If it's Tuesday... Cisco's DEFAULT SSH key. U.S. Federal agencies have been ordered to patch hundreds of actively exploited flaws. Closing The Loop. SpinRite. Bluetooth Fingerprinting.

  • S01E845 Blacksmith

    • November 16, 2021
    • TWiT

    Picture of the week. ~10,000 VPN/Firewall appliances from Palo Alto Networks vulnerable. The 0-Patch Guys Produce a Micropatch. This brings me to “The Zen of Code”. November's Patch Tuesday. November broke something, but don't ask me what... Windows 11 received KB5007215. December promises to be Christmas for Printing and more! US detains crypto-exchange exec for helping Ryuk ransomware gang launder profits. How do you defraud web-based advertisers? Closing The Loop. SpinRite. Blacksmith.

  • S01E846 HTTP Request Smuggling

    • November 23, 2021
    • TWiT

    Picture of the Week. An idea whose time has passed... The stats of brute force password attacks. The Most Common Passwords. GoDaddy Breached Bigtime! A heads-up about NetGear routers. HTTP Request Smuggling.

  • S01E847 Bogons Begone!

    • November 30, 2021
    • TWiT

    Picture of the Week. “Super Duper Secure Mode”. 37% of the world's smartphones are vulnerable. The RAT Dispenser. The Entirely Predictable 0-Day Windows Exploit. “The Frontiers Saga: Fringe Worlds”. Closing the Loop. Bogons Begone!

  • S01E848 XSinator

    • December 7, 2021
    • TWiT

    Picture of the Week. Tavis finds a bad bug in NSS. Cheap Smartwatches for kids and babies? Additional VPN vendors just say no to Roskomnadzor! Windows 11 loosens its grip on Edge. RTF Templates being used to inject malicious content. A Malicious Botnet uses the Bitcoin Blockchain. HP has been shipping vulnerable printers for 8 years. Sci-Fi. SpinRite. XSinator.

  • S01E849 Log4j & Log4Shell

    • December 14, 2021
    • TWiT

    Picture of the Week. Amazon outage and cloud dependence. AirTag Abuse. Windows 11 vs Your Browser of Choice. WordPress once again in the crosshairs. Closing the Loop. Sci-Fi. SpinRite. Log4j & Log4Shell.

  • S01E850 It's a Log4j Christmas

    • December 21, 2021
    • TWiT

    Picture of the Week. Google's 16th exploited Chrome 0-day of the year. Firefox refuses to do Microsoft.com! Firefox disabled Microsoft's Cloud Clipboard. Weaknesses in all cellular networks since 2G. Cross Wi-Fi / Bluetooth leakage. “The Matrix Resurrections” aka “The Matrix 4”. SpinRite. It's a Log4j Christmas.

  • S01E851 Best of 2021

    • December 28, 2021
    • TWiT

    Leo Laporte walks through some of the highlights of the show and most impactful stories of 2021. Stories include: SolarWinds Hack Detailed By Microsoft. Crispy Subtitles from Lay’s. Remembering Dan Kaminsky. REvil Hacks Apple Supplier Quanta Computer. The “Doom” CAPTCHA. How Colonial Pipeline Was Breached. When John McAfee Called Steve Gibson. T-Mobile Subscribers: Do This Now. “Internet Anonymity” is an Oxymoron.

  • S01E852 December 33rd

    • January 4, 2022
    • TWiT

    Picture of the Week. Log4j’s 5th update. Microsoft's Log4j scanner triggers false positives. Chinese government is annoyed with Alibaba. “Hack the DHS” Bug Bounty Expanded. COVID postpones the RSA Conference. DuckDuckGo continues to grow. The cost of cyber insurance will likely be rising or perhaps terminated. “The Matrix Resurrections” what a disappointment! SpinRite. December 33rd.

  • S01E853 URL Parsing Vulnerabilities

    • January 11, 2022
    • TWiT

    Picture of the Week. The US CISA Log4J status update. The H2 Database Console vulnerability. The Federal Trade Commission gets into the act! Chrome fixed 37 known problems last week. The Privacy-first Brave browser. WordPress 5.8.3 security update. What, exactly, is a “Pluton”? The first of Dennis Taylor’s three Bobiverse novels. SpinRite. URL Parsing Vulnerabilities.

  • S01E854 Anatomy of a Log4j Exploit

    • January 18, 2022
    • TWiT

    Picture of the Week. "Hack the Pentagon" with Log4j. Open Source Software Security Summit. Microsoft's January Patch Tuesday Review: The GOOD News. Microsoft's January Patch Tuesday Review: The Not So Good News. Check Your Router Firmware Updates. Chrome to Implement PNA. Three High Severity Flaws in WordPress Add-ons. Closing the Loop: Listener feedback. SpinRite. Anatomy of a Log4j Exploit.

  • S01E855 Inside the NetUSB Hack

    • January 25, 2022
    • TWiT

    Picture of the Week. Log4J News. Who pays for RansomWare attack recovery? The rising cost of cyber-insurance. Another very dangerous WordPress add-on. And a supply-chain attack on a popular WordPress add-on provider. Does WordPress make sense anymore? The European Union plans to fund some bug bounty programs. The "MoonBounce" EFI Bootkit. Closing the Loop. Inside the NetUSB Hack.

  • S01E856 The “Topics” API

    • February 1, 2022
    • TWiT

    Picture of the Week. Apple eliminates 0-days from iOS and macOS. Qualys published technical details for PwnKit. Log4Shell hits Ubiquiti. New bug bounties posted by Zerodium. “DrawnApart”: A device identification technique based on remote GPU fingerprinting. Sorting Windows Folders to the TOP! Closing the Loop. SpinRite. The "Topics" API.

  • S01E857 The Inept Panda

    • February 8, 2022
    • TWiT

    Picture of the Week. China's Olympics: Leave your tech at home. We have a serious CVSS 9.9 remote code execution vulnerability in SAMBA. Living off the Land. The suspension of the ms-appinstaller:// protocol scheme handler. Soon: Internet-sourced macros WILL NOT RUN in Office apps! Never11? The Inept Panda.

  • S01E858 InControl

    • February 15, 2022
    • TWiT

    Picture of the Week. A high-severity 0-day in Chrome. Apple updates against another 0-day. CISA thinks this Apple vulnerability is quite serious. Which brings us back to “SeriousSAM” as it's being called. The CISA Top 16 list. Last Tuesday was the industry's monthly Patch extravaganza. The Magento Emergency. “PHP Everywhere”. Google's Vulnerability Reward Program for 2021. Google's Project Zero Stats. Bye bye WMIC. InControl.

  • S01E859 A BGP Routing Attack

    • February 22, 2022
    • TWiT

    Picture of the Week. The “UpdraftPlus” WordPress Plug-In. “Xenomorph”. Decrypting “The Hive”. Un-Pixelating redacted text. No Internet For You!! If at first you don't succeed... Ukrainian DDoS Attacks. The Bobiverse trilogy. SpinRite News. A BGP Routing Attack.

  • S01E860 Trust Dies in Darkness

    • March 1, 2022
    • TWiT

    Picture of the Week. Honor among thieves? Daxin. Whither or Wither: Log4j / Log4Shell. “418 I’m a teapot”. Will the US attack? Windows 11 Compatibility. Closing the Loop. SpinRite News. Trust Dies in Darkness.

  • S01E861 Rogue Nation Cyber Consequences

    • March 8, 2022
    • TWiT

    Picture of the Week. The Russians are coming. Ukrainian “Cyber Unit Technologies” is paying for attacks on Russia. StarLink in Ukraine. Russia blocks access to Facebook, Twitter, foreign news outlets. Google has become proactive. Namecheap says "no more". Telegram's use explodes. Microsoft also shuts down in Russia. Coinbase. Russia releases the IP addresses and Domains of DDoS attacks. Russia to permit software piracy. Will Russia Disconnect?

  • S01E862 QWACs on? or QWACs off?

    • March 15, 2022
    • TWiT

    Picture of the Week. Patch Tuesday for the Industry. Android, too. Firefox emergency update. HP's major UEFI firmware patch-fest. The NVIDIA breach. ProtonMail gets it right. Linux Blues. Russia's New CA. The state of WordPress security. Sci-Fi update. QWACs on? or QWACs off?

  • S01E863 Use After Free

    • March 22, 2022
    • TWiT

    Picture of the Week. Report Cybercrime: It's the Law. A software supply chain compromise. Browser in the Browser. TrickBot, MikroTik & Microsoft. The Infinite Loop OpenSSL Bug. CISA Alert AA22-074A. The Windows Local Privilege Escalation that Microsoft seems unable to fix. Use After Free.

  • S01E864 Targeted Exploitation

    • March 29, 2022
    • TWiT

    Picture of the Week. A high severity 0-day vulnerability update for Chrome. An interview with the CTO of a large Ukraine ISP, Ukrtelecom. NPM under attack, again. Honda says, nothing to worry about... The U.S., the FCC, Kaspersky Labs and Chinese Telecoms. Closing The Loop. Targeted Exploitation.

  • S01E865 Port Knocking

    • April 5, 2022
    • TWiT

    Picture of the Week. 0-Day Watch. Spring Forward (Java: Spring4Shell). QNAP and the OpenSSL DoS vulnerability. Sophos has a 9.8. CISA orders federal civilian agencies to patch the Sophos vulnerability. Browser-in-the-browser. The supply-chain attacks on NPM have been growing. FinFisher bites the dust. A LAPSUS$ in judgment. Not so Wyze. Closing The Loop. Port Knocking.

  • S01E866 Spring4Shell

    • April 12, 2022
    • TWiT

    Picture of the Week. Could NGINX have a 0-day? Microsoft's new Autopatch system. Another instance of Russian Protest in JavaScript's repository. End-of-service life for some popular Windows editions. Miscellany. Closing The Loop. Spring4Shell.

  • S01E867 A Critical Windows RPC RCE

    • April 19, 2022
    • TWiT

    Picture of the Week. Chrome's 3rd 0-day of 2022. Patch Tuesday Redux. WordPress once again... Apache Struts Framework needs a critical update. Are America's nuclear systems so old they're un-hackable? Closing The Loop. SpinRite. A Critical Windows RPC RCE.

  • S01E868 The 0-Day Explosion

    • April 26, 2022
    • TWiT

    Picture of the Week. CISA's Known Exploited Vulnerabilities Catalog. Lenovo UEFI Firmware Troubles. Everscale Blockchain Wallet. Java 15, 16, 17, and 18 received MUST UPDATES last week. Closing The Loop. Sci-Fi. SpinRite. The 0-Day Explosion.

  • S01E869 Global Privacy Control

    • May 3, 2022
    • TWiT

    Picture of the Week. DoD DIB-VDP Pilot Overview. The OpenSSF and the Package Analysis project. Connecticut moves toward state privacy protections. Closing The Loop. Global Privacy Control.

  • S01E870 That “Passkeys” Thing

    • May 10, 2022
    • TWiT

    Picture of the Week. Google updates Android to patch an actively exploited vulnerability. Connecticut’s recently passed data privacy bill became law last Wednesday. Ransomware victim snapshot. US State Department offering $10 million reward for information about Conti members. The worst threat the US faces... The White House and Quantum Computers. The ongoing threat from predictable DNS queries. F5 Networks Remote RCE warning and exploitation. Closing The Loop. Sci-Fi. That “Passkeys” Thing.

  • S01E871 The New EU Surveillance State

    • May 17, 2022
    • TWiT

    Picture of the Week. An “eventful” Patch Tuesday. Patch Tuesday. Apple patched a 0-day. Google's “Open Source Maintenance Crew”. Conti suggests overthrowing the new Costa Rican government. Policing the Google Play Store. The situation has grown more dire for F5 systems' BIG-IP boxes. Errata. Closing The Loop. SpinRite. The New EU Surveillance State.

  • S01E872 Dis-CONTI-nued: The End of Conti?

    • May 24, 2022
    • TWiT

    Picture of the Week. Emergency mid-cycle update for Active Directory. Clearview AI -vs- {Illinois, Australia, Canada and the United Kingdom}. Clearview AI in Ukraine. Pwn2Own Vancouver 2022. The DoJ takes a welcome step back. Sometimes, unlocking can be too convenient. Closing The Loop. Dis-CONTI-nued: The End of Conti?

  • S01E873 DuckDuckGone?

    • May 31, 2022
    • TWiT

    Picture of the Week. New South Wales DDL — Digital Driver's License. The latest Microsoft Office 0-day remote code execution vulnerability. GhostTouch. Vodafone’s new TrustPiD. Closing the Loop. DuckDuckGone?

  • S01E874 Passkeys, Take 2

    • June 7, 2022
    • TWiT

    Picture of the Week. ServiceNSW Responds. ExpressVPN pulls the plug in India. And speaking of pulling the plug. “Follina” under active exploitation. And a Windows Search URL schema can be abused, too. “Critical UNISOC Chip Vulnerability Affects Millions of Android Smartphones”. Ransomware sanctions are causing trouble. Conti spotted compromising motherboard firmware. Errata. Closing the Loop. Passkeys, Take 2.

  • S01E875 The PACMAN Attack

    • June 14, 2022
    • TWiT

    Picture of the Week. Apple’s Passkeys presentation at WWDC 2022. WebAuthn. FREE Penetration Testing course with Kali Linux. Proof of Simulation. A valid use for facial recognition: The Smart Pet Door! Closing The Loop. The PACMAN Attack.

  • S01E876 Microsoft's Patchy Patches

    • June 21, 2022
    • TWiT

    Picture of the Week. Double Decryption (Last week's key-strength puzzler). 3rd Party Authenticators. Firefox: Total Cookie Protection. We keep breaking DDoS attack records. MS-DFSNM. An Apple Safari regression. One Million WordPress sites force-updated. High-Severity RCE in Fastjson Library. Miscellany. Closing The Loop. Microsoft's Patchy Patches.

  • S01E877 The “Hertzbleed” Attack

    • June 28, 2022
    • TWiT

    Picture of the Week. Errata: Firefox’s “Total Cookie Protection”. 3rd Party FIDO2 Authenticators. Germany's not buying the EU's proposal which subverts encryption. The Conti Gang have finally pulled the last plug. Log4J and Log4Shell is alive and well. The '311' emergency number proposal. 56 Insecure-By-Design Vulnerabilities. “Long Story Short”. Closing The Loop. The “Hertzbleed” Attack.

  • S01E878 The ZuoRAT

    • July 5, 2022
    • TWiT

    Picture of the week. Chrome's fourth zero-day of 2022. Mozilla's new Firefox privacy-enhancing feature. HackerOne discloses a malicious insider incident. Closing the loop. The ZuoRAT.

  • S01E879 The Rolling Pwn

    • July 12, 2022
    • TWiT

    Picture of the Week. OpenSSL's Patch For Heap Memory Corruption Vulnerability. NIST Announces First Four Quantum-Resistant Cryptographic Algorithms. Yubico donated 30,000 Yubikeys to Ukraine. Apple's new extreme “Lockdown Mode”. Microsoft to re-enable Office Macros. This Is the Code the FBI Used to Wiretap the World. Closing The Loop. The Rolling Pwn.

  • S01E880 RetBleed

    • July 19, 2022
    • TWiT

    Picture of the Week. The Rolling Pwn, take II. The great IPv4 Address Space Depletion. Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet. Facebook has started encrypting its link URLs. Crack iOS 16's “Lockdown Mode”, earn $2 million. ClearView AI faces some new headwind. Ransomware gangs are getting into the searchable database game, too... Roskomnadzor strikes again! Last Tuesday's Patches. SpinRite. Closing The Loop. RetBleed.

  • S01E881 The MV720

    • July 26, 2022
    • TWiT

    Picture of the Week. Patch Tuesday Redux Redux. Windows 11 Start button failure. The continuing saga of Windows VBA macros. Windows 11 now blocks RDP brute-force attacks by default. Black Hat and DefCon coming soon. SpinRite. pfSense and TailScale. Closing The Loop. The MV720.

  • S01E882 Rowhammer’s Nine Lives

    • August 2, 2022
    • TWiT

    Picture of the Week. Atlassian's “Confluence” under attack. LS-Anvil. Google delays Chrome's cookie phase-out again. Attacker responding to loss of Office Macros. SpinRite. Closing The Loop. RIP: Nichelle Nichols. “The Dropout” on Hulu and “WeCrashed” on AppleTV+. Winamp releases new version after four years in development. Rowhammer’s Nine Lives.

  • S01E883 The Maker’s Schedule

    • August 9, 2022
    • TWiT

    Picture of the Week. Crypto is Hard. VirusTotal: Deception at a scale. Windows 11 might damage encrypted data. Microsoft Defender External Attack Surface Management. Closing The Loop. Daniel Bernstein sues the NSA. The Maker’s Schedule.

  • S01E884 TLS Private Key Leakage

    • August 16, 2022
    • TWiT

    Picture of the Week. Patch Flashback Tuesday. Facebook is cautiously creeping toward default E2E encryption. VNC's inherent insecurity. The need to control domain names. And speaking of backup: Cyotek WebCopy. Google's Ryan Sleevi Retweeted Jens Axboe. SandSara Update from Ed Cano. Closing The Loop. SpinRite. TLS Private Key Leakage.

  • S01E885 The Bumblebee Loader

    • August 23, 2022
    • TWiT

    VIDEO of the Week. Crashing Laptop Computers With Janet Jackson. RealTek SoC flaw affects many millions of IoT devices. 46 Million RPS - requests per second. Chrome's 5th 0-Day of 2022. Apple: Not to be left behind... RubyGems to require MFA. Closing The Loop: Domain Name Ownership. Closing The Loop: Growing in Cybersecurity. The Bumblebee Loader.

  • S01E886 Wacky Data Exfiltration

    • August 30, 2022
    • TWiT

    Picture of the Week. LastPass Breached. The US Federal Trade Commission filed a lawsuit against data broker Kochava. The US Federal Communications Commission launched an investigation into mobile carriers’ geolocation data practices. California, here I come! A conversation with a Ransomware Attacker. DuckDuckGo's Privacy-Enhanced eMail Forwarding. Another IoT mess care of “Hikvision”. SpinRite. Closing The Loop. Wacky Data Exfiltration.

  • S01E887 Embedding AWS Credentials

    • September 6, 2022
    • TWiT

    Picture of the Week. Google’s (newest) Open Source Software Vulnerability Rewards Program. Did TikTok leak 2.05 BILLION User Records? An urgent Chrome update patches new 0-day flaw. Permission-less Browser Clipboard Write. Nearly 1/3 of the packages in PyPI trigger an automatic code execution upon download. A Quantum Hype Bubble? All of the BlackHat 2022 Presentation Slides PDFs. Csurf NPM library mistake. SpinRite. Closing The Loop. Sci-Fi Discovery: “The Silver Ships”. Embedding AWS Credentials.

  • S01E888 The EvilProxy Service

    • September 13, 2022
    • TWiT

    Picture of the Week. Cyberwarfare: Albania vs Iran. Crypto Heist — this or that. The White House "Tech Platform Accountability" Listening Session. Changes to the Dutch Intelligence Law. Another QNAP mess. D-Link's being taken over by MooBot. Sci-Fi Discovery: "The Silver Ships". Closing The Loop. The EvilProxy Service.

  • S01E889 Spell-Jacking

    • September 20, 2022
    • TWiT

    Picture of the Week. This is Patch News-Day. Lloyd's of London backing away from Cyber-Insurance. Uber Oops! Rockstar Games: Grand Theft Auto 6 Massive Leak. LastPass Breach Update. A CVSS 9.8 for WordPress. What cost, Security? Use-after-freedom: Google's "MiraclePtr". Closing The Loop. Spell-Jacking.

  • S01E890 DarkNet Politics

    • September 27, 2022
    • TWiT

    Picture of the Week. Can't have it both ways. Denmark has become the fourth EU member to rule that the use of Google Analytics is illegal. Rockstar Games hacker is busted! Mozilla says: No fair! Vivaldi, Manifest V3, webRequest, and ad blockers. Sticky Chrome vulnerabilities. SMB authentication rate limiter now on by default in Windows Insider. US bill to secure FOSS software. Iran vs Albania. Closing The Loop. The Silver Ships. SpinRite. DarkNet Politics.

  • S01E891 Poisoning Akamai

    • October 4, 2022
    • TWiT

    Picture of the Week. (What Could Possibly Go Wrong) Microsoft Teams - Unnecessarily Insecure. Roskomnadzor blocks Soundcloud. Microsoft Exchange Server Under Attack Again. I'm (Still) Not a Robot! Google TAG History. Closing the Loop. Poisoning Akamai.

  • S01E892 Source Port Randomization

    • October 11, 2022
    • TWiT

    Picture of the Week. Breach of Customer Information. Meta-targeted Malware. Uber's Chief Security Officer Found Guilty. More Cryptocurrency Chaos. The UK to drop GDPR. Summer Internship with the NSA. Many Incident Responders are Stressed Out. Microsoft's newest dual 0-day Exchange Fumbles. SpinRite news. ZimaBoard. Closing the Loop. Source Port Randomization.

  • S01E893 Password Change Automation

    • October 18, 2022
    • TWiT

    Picture of the Week. Microsoft "Won't Fix". Malicious Kernel Drivers. Microsoft has finally added an RSS feed for Windows Updates! Passkeys [dot] Dev. Largest DDoS attack. Signal will be dropping its SMS/MMS support. Brute-force protection for Windows local admin accounts. Other than that... SpinRite. Closing The Loop. xchg rax, rax and "xorpd". ZimaBoard Goodness. Password Change Automation.

  • S01E894 Data Breach Responsibility

    • October 25, 2022
    • TWiT

    Picture of the Week. Firefox 106 is out. Google's Open Source IoT KataOS and Sparrow. This Week in CryptoCurrency Craziness. New Windows 0-day bypasses executable security checks. Apple's 9th 0-day of the year bites the dust. The evolutionary demise of banking malware. VMWare’s Critical CVSS 9.8 Update. Closing The Loop. Miscellany. Data Breach Responsibility.

  • S01E895 After 20 years in GCHQ

    • November 1, 2022
    • TWiT

    Picture of the Week. Windows driver blocklist to be updated next Tuesday. More Microsoft shenanigans. An upcoming OpenSSL CRITICAL vulnerability update -- get ready! A new TCP/IP RCE in Windows. A study of malicious CVE proof of concept exploits in GitHub. "Stranger Strings" : An exploitable flaw in SQLite. PayPal to add support for Passkeys. A browser exploitation tutorial! Kathleen Booth: July 9th, 1922 – September 29, 2022. Closing The Loop. SpinRite. After 20 years in GCHQ.

  • S01E896 Something for Everyone

    • November 8, 2022
    • TWiT

    Picture of the Week. A minor Dropbox breach. OpenSSL follow-up. FTC sued and settled with a repeated offender. $1.2 billion in reported ransomware payments during 2021. Akamai's Q3 Threat Report. Initial Access Brokerages. How do today's bank heists work? De-Fi De-struction De-jour. Russia moves to Linux. We're The Red Cross. Don't attack us, please! Where there's a will, there's a way. From China with Love. The UK's NCSC scan plan. Miscellany. Closing The Loop. SpinRite.

  • S01E897 Memory-Safe Languages

    • November 15, 2022
    • TWiT

    Picture of the Week. Patch Tuesday review. Shennina Framework - Automating Host Exploitation with AI. GitHub's welcome new feature. Three LightSpeed vulnerabilities. Shufflecake: Plausible deniability encrypted Linux volumes. Australia has decided to get proactive! Apple's iOS 16.1.1 time-limits “Everyone” file sharing to 10 minutes in China. A couple of Decentralized Finance notes because I can’t help myself. “The Helm” was unable to survive COVID-19. Elon meets Twitter. Closing The Loop. SpinRite. Memory-Safe Languages.

  • S01E898 Wi-Peep

    • November 22, 2022
    • TWiT

    Picture of the Week. Firefox v107 was released last Tuesday. Google settles for a cool $391.5 million. Red Hat Signing its ZIP file Packages. The FBI purchased Pegasus for “research and development purposes”. Greece bought Predator for €7 million. A passkeys support directory. Quantum decryption deadline. Attorneys General ask the FTC for online privacy regulation. Closing The Loop. SpinRite. Wi-Peep.

  • S01E899 Freebie Bots & Evil Cameras

    • November 29, 2022
    • TWiT

    Picture of the Week. iSpoof you no more. Here come the Freebie Bots! Anatomy of the real-time Cryptocurrency heist. Lookin' for something to do? Boa server vulnerability. The dilemma of closed-source Chinese networking products. The Cyber Defense Index. Malicious Docker Hub images. Since we’ve been tracking 0-days for a while. CISA on Mastodon. Miscellany. Closing The Loop. SpinRite.

  • S01E900 LastPass Again

    • December 6, 2022
    • TWiT

    Picture of the Week. Don't mess with Australia. Facebook / Meta fined by Ireland. REvil’s full Medibank dump. Is nothing sacred? Mozilla yanks a (no longer) trusted root. Android Platform Certs Escape. South Dakota says: No more Tik-Tok. Albania blames its IT staff. Good news on the memory safe languages front. Black Hat USA 2022. Another Chrome 0-day bites the dust. Anker's Eufy Camera debacle. An amazing-looking WiFi-6 router... $119. Elon really said this. Closing the Loop. SpinRite. LastPass Again.

  • S01E901 Apple Encrypts the Cloud

    • December 13, 2022
    • TWiT

    Picture of the Week. Chrome does Passkeys. SYNC.COM suffered its first outage. Medibank reboot. Totally fake cryptocurrency trading platforms. Malware on Telegram. Texas gets in on the TikTok banning. The LastPass class action lawsuit. Rackspace had a big embarrassing problem. Rackspace is now facing at least three class action lawsuits. Another country goes on the offensive. Closing The Loop. SpinRite. Miscellany. Apple Encrypts the Cloud.

  • S01E902 A Generic WAF Bypass

    • December 20, 2022
    • TWiT

    Picture of the Week. A malware operation known as URSNIF. Pwn2Own Toronto 2022. Citrix and Fortinet recently released security updates to patch 0-day vulnerabilities. Patch Tuesday. Another Uber breach? Elon Botches ‘Bot Blockage. Vivaldi integrates Mastodon in its desktop browser. 5,200 Dutch government warnings. CIB: “Coordinated Inauthentic Behavior”. GitHub to require 2FA by the end of next year. Bye bye SHA-1. WordFence’s VERY useful looking WordPress add-on vulnerability database. Closing The Loop. SpinRite. A Generic WAF Bypass.

  • S01E903 Best of 2022

    • December 27, 2022
    • TWiT

    Anatomy of a Log4j Exploit. Will Russia Disconnect? FCC Says Kaspersky Labs is a National Security Threat. Lenovo UEFI Firmware Troubles. That “Passkeys” Thing. Dis-CONTI-nued: The End of Conti? Steve's Take on the LastPass Breach.

  • S01E904 Leaving LastPass

    • January 3, 2023
    • TWiT

    Picture of the Week. SpinRite. Leaving LastPass. Is there reason for concern? Well known password cracker Jeremi Gosney's LastPass rant. Steve shares his plan regarding LastPass. What is Steve's next password manager? What should LastPass users do to protect themselves?

  • S01E905 1

    • January 10, 2023
    • TWiT

    Picture of the Week. LastPass Aftermath. LastPass Vault De-Obfuscator. What more do we know this week regarding LastPass? The most alarming discovery by listeners. Understanding the scale of GPU-enhanced password cracking. On the true strength of passwords. Feedback from listeners regarding LastPass.

  • S01E906 The Rule of Two

    • January 17, 2023
    • TWiT

    Picture of the Week. About Password Iterations. ECB or CBC. Norton Lifelock Troubles. Chrome Follows Microsoft and Firefox. Chromium is Beginning to Rust. BYOVD and Windows Defender Failures. Closing the Loop (feedback). The Rule of Two.

  • S01E907 Credential Reuse

    • January 24, 2023
    • TWiT

    Picture of the Week. PayPal Credential Stuffing. iOS 16.3 : Cloud encryption for all. InfoSecurity Magazine: “ChatGPT Creates Polymorphic Malware”. CheckPoint Research: OPWNAI : Cybercriminals Starting to Use ChatGPT. “Meta” fined for the third time. Bitwarden acquires “Passwordless.dev”. Closing the Loop. SpinRite. Credential Reuse.

  • S01E908 Data Operand Independent Timing

    • January 31, 2023
    • TWiT

    Android to start blocking old and unsafe apps. Microsoft to block Internet sourced Excel add-ins. An example of saying "no" even when it may hurt. Hacked Wormhole funds on the move. Kevin Rose Hacked. Facebook will be moving more users into E2EE. iOS 6.3 and FIDO. Scan thy Citizenry. The Hive ransomware organization takedown. Errata. Closing the Loop. SpinRite. Data Operand Independent Timing.

  • S01E909 How ESXi Fell

    • February 7, 2023
    • TWiT

    Picture of the Week. The European Union's Internet Surveillance Proposal. 30,000 patient records online? .DEV is always HTTPS! Google changes Chrome's release strategy. Russia shoots the messenger. A fool and his Crypto... QNAP is back. CVSS severity discrepancy. Closing the Loop. How ESXi Fell.

  • S01E910 Ascon

    • February 14, 2023
    • TWiT

    Picture of the Week. ESXiArgs follow-up. ChatGPT's Malicious Use. Google Security Key Giveaway. Brave goes HTTPS-by-default. 1Password Makes Another Passkeys Move. Russian Patriotic Hackers. Amazon to FINALLY Secure Its AWS S3 Instances. More Anti-Chinese Camera Removals. Microsoft to embed Adobe Acrobat PDF reader into Edge. Password Exhaustion. One Time Password OTPAuth. Password Exhaustion. Ascon.

  • S01E911 A Clever Regurgitator

    • February 21, 2023
    • TWiT

    Picture of the Week. GoneDaddy. Section 230. No Blue, No SMS-based 2FA. Bitwarden gets Argon. “Meta Verified”. Emsisoft Fake Code Signing. Attacks breaking records. More Mirai. NPM malware. Patch Tuesday. Samsung announces “Message Guard”. The Hyundai & Kia mess. A Clever Regurgitator.

  • S01E912 The NSA @ Home

    • February 28, 2023
    • TWiT

    Picture of the Week. Windows 11? ... anyone? As Plain as Ever. Edge's new built-in VPN? LastPass Incident Update. Signal says NO to the UK. More PyPI troubles. The QNAP bug bounty program. SpinRite. The NSA @ Home.

  • S01E913 A Fowl Incident

    • March 7, 2023
    • TWiT

    Picture of the Week. DDoS’ing Fosstodon. DDoS for Hire takedowns. TikTok Insanity. Illegal Warrantless Surveillance. Strategic Objective 3.3. GitHub Secret Scanning. CISA's Covert Red-Team. What's left? What's old is new again. TCG TPM vulnerabilities. WordPress “All In One SEO”. Russia fines Wikipedia. A Fowl Incident.

  • S01E914 Sony Sues Quad9

    • March 14, 2023
    • TWiT

    Picture of the Week. Another Malicious Chrome Extension. Germany to join the Huawei & ZTE ban. Putting “phishing” into perspective. The Polynonce attack. Plex's RCE now in CISA's KEV. Sci-Fi: Andor. Sony Sues Quad9.

  • S01E915 Flying Trojan Horses

    • March 21, 2023
    • TWiT

    Picture of the Week. Multiple Exploitable Samsung 0-Days. A good idea for NPM. The TikTok Tick Tock. Google pushes for 90-day TLS certificate life. CHESS is safe. CISA has begun scanning! Flying Trojan Horses.

  • S01E916 Microsoft’s Email Extortion

    • March 28, 2023
    • TWiT

    Picture of the Week. Synacktiv wins this year's CanSecWest Pwn2Own. GitHub: Mistakes happen. DDoS for Hire... Or Not. 144,000 malicious packages published. No iPhones For Russian Presidential Staff. I NUIT. Edge Gets Crypto. Microsoft's Email Extortion.

  • S01E917 Zombie Software

    • April 4, 2023
    • TWiT

    Picture of the Week. So... Not an attack, then? AI Overlord Hysteria. Italy says NO to ChatGPT. It’s illegal... How much will that be? The U.S. FDA & medical device security. Hack the Pentagon. Firefox 3rd-party DLL check-up. Microsoft’s Extortion? The Silver Ships. Zombie Software.

  • S01E918 A Dangerous Interpretation

    • April 11, 2023
    • TWiT

    Picture of the Week. Microsoft and Fortra go on the offensive. Can ChatGPT keep a secret? Apple updates their OS's. Wordpress under attack... again. Mozilla's Site Breach Monitor. Another ChatGPT investigation. Samsung handsets reaching EoL. Less access for loan apps. The right to be forgotten. SpinRite. A Dangerous Interpretation.

  • S01E919 Forced Entry

    • April 18, 2023
    • TWiT

    Picture of the Week. Patch Tuesday Review. Risky Business News. Google Assured Open Source Software. WhatsApp Improvements. Bad Security? Go to jail! Forced Entry.

  • S01E920 An End-to-End Encryption Proposal

    • April 25, 2023
    • TWiT

    Picture of the Week. Lockdown Mode seen succeeding. A growing black market for ChatGPT accounts. Decommissioned Corporate Routers Leak Secrets. Jaguar Tooth: Cisco router vulnerabilities. Security Research Legal Defense Fund. A quick Firefox fix. Kubernetes security audit. Google Chrome zero-day. An End-to-End Encryption Proposal.

  • S01E921 OSB OMG and other news!

    • May 2, 2023
    • TWiT

    Picture of the Week. The Encryption Debate. Age does matter... Age Verification. WhatsApp: Rather be blocked in UK than weaken security. Exposing Side-Channel Monitoring. Closing the Loop. A new UDP reflection attack vector. Google Authenticator Updated. Does Israel use NSO Group commercial spyware? A Russian OS? TP-Link routers compromised. A pre-release security audit. Another Intel side-channel attack. Windows users: Don’t remove cURL! AI comes to VirusTotal.

  • S01E922 Detecting Unwanted Location Trackers

    • May 9, 2023
    • TWiT

    Picture of the Week. Google & Passkeys. TP-Link routers DO auto-update. US Marshals Service: Where’s the backup?? T-Mobile keeps getting breached. Chrome: No more LOCK icon. Apple's new “Rapid Security Response” system. Elon Musk, making friends wherever he goes... A quick Mastodon aside. Here come the fake AI-generated “news” sites. Russia to replace “American” TCP/IP with “Russian Internet”. Vint Cerf's 3 mistakes. Detecting Unwanted Location Trackers.

  • S01E923 Location Tracker Behavior

    • May 16, 2023
    • TWiT

    Picture of the Week. SpinRite. Location Tracker Behavior. Formal definitions from the specification. Bluetooth LE devices have MAC addresses and therein lies a problem. All devices are serialized. And now, that "pairing registry". Privacy considerations.

  • S01E924 VCaaS – Voice Cloning as a Service

    • May 23, 2023
    • TWiT

    Picture of the Week. Tracker Follow-Up. Automatic IoT device updating. HP 9020e - error code 83C0000B. Section 230 Stands. The KeePass Vulnerability. Apple joins Samsung, Amazon and Verizon in banning ChatGPT. Google's Privacy Sandbox moves forward. The FBI heavily misused FISA powers. Supply Chain Nightmare. SpinRite. VCaaS – Voice Cloning as a Service.

  • S01E925 Brave's Brilliant Off the Record Request

    • May 30, 2023
    • TWiT

    Picture of the Week. HP = “Huge Pile”. The “.ZIP” TLD — What could possibly go wrong? PyPI gets more serious about security AND privacy. “No logs saved anywhere”??? Twitter in the EU? Bitwarden's support for Passkeys. A €1.2 billion fine will grab your attention. Editing WhatsApp messages. A new Google Bug Bounty. SpinRite. Brave's Brilliant Off the Record Request.

  • S01E926 Windows Platform Binary Table

    • June 6, 2023
    • TWiT

    Picture of the Week. Another week of silence from HP. Mandatory “SMB Signing” coming to Windows 11. OWASP. Did Apple help the NSA attack the Kremlin? Kaspersky's analysis of this iPhone attack and compromise. The Trifecta Jackpot! Who wrote that? Tor gets anti-DoS protection. Cybersecurity at Educational institutions. Civilian Surveillance Cameras in Ukraine. Cyber Mercenaries. Closing the Loop. Windows Platform Binary Table.

  • S01E927 Scanning the Internet

    • June 13, 2023
    • TWiT

    Picture of the Week. Cryptomining Rude Surprise Billing. Musk's Twitter is refusing to pay for Cloud Services. IoT DDoS rapidly rising. H1CA found executing code on client machines. Apple's WWDC Redux. France takes a different approach... Russia: Scanners stay out! Miscellany. Closing the Loop. SpinRite. Scanning the Internet.

  • S01E928 The Massive MOVEit Maelstrom

    • June 20, 2023
    • TWiT

    Picture of the Week. Patch Tuesday. Does EVERYTHING leak?? Closing the Loop. SpinRite gets version 7.1! The Massive MOVEit Maelstrom.

  • S01E929 Operation Triangulation

    • June 27, 2023
    • TWiT

    Picture of the Week. Catching Leo up to speed from last week. DuckDuckBrowse. And an updated Tor Browser. Opera, now enhanced with “AI”. The KasperskyOS Phone. The cost of doing business in Russia. Slowly turn the wheels of justice. The US to create a new “Cyber Force”. Apple.com now supports Passkeys. Selective GDPR enforcement? Facial Recognition is Photo Recognition. Google cybersecurity clinics. Progress/MOVEit sued. Closing the Loop. SpinRite. Operation Triangulation.

  • S01E930 Rowhammer Indelible Fingerprinting

    • July 11, 2023
    • TWiT

    Picture of the Week. Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software. And as for MOVEit... What's a “Rug Pull” ?? “Avast, ye Matey” China's OpenKylin v1. TootRoot! Firefox 115. Did Russia Disconnect? Use some honey if you want to catch some flies. Cryptocurrency losses. International Consumer Data Transit. Apple's emergency update retraction. Syncthing Revisited. Closing the Loop. SpinRite's first RTM release. RTOS-32. Rowhammer Indelible Fingerprinting.

  • S01E931 Satellite Insecurity, Part 1

    • July 18, 2023
    • TWiT

    Picture of the Week. Kaspersky on Microsoft's Patch Tuesday. As the worm turns: WormGPT. Microsoft revokes 100+ malicious drivers. MOVEit Update. Does Dun & Bradstreet know you? No Threads for you! (or EU!) All Bitcoin addresses look alike. Twitter changes DM settings. Closing the Loop. SpinRite. Satellite Insecurity, Part 1.

  • S01E932 Satellite Insecurity, Part 2

    • July 25, 2023
    • TWiT

    Picture of the Week. R.I.P. Kevin Mitnick. Apple says: "Thanks, but we'd rather leave." Web Environment Integrity. Web Analytics under the spotlight. More progress on the IoT security front. The "Expeditionary cyber force". Ransomware payouts being made much less often. MOVEit Update. TikTok + Passkeys. Closing the Loop. SpinRite. Satellite Insecurity, Part 2.

  • S01E933 TETRA:BURST

    • August 1, 2023
    • TWiT

    Picture of the Week. Satellite Turla: APT Command and Control in the Sky. OS 17 to further crack down on device fingerprinting. Android to start warning of "unknown trackers". The 7th branch of the US military. Russia criminalizes open source project contribution. VirusTotal's 2023 report. Closing the Loop. TETRA:BURST.

  • S01E934 Revisiting Global Privacy Control

    • August 8, 2023
    • TWiT

    Picture of the Week. NASA “shouted” at Voyager. Another view of Microsoft. What about this Chinese attack? AI meets Keyboard Acoustic Side-Channel attacks. Closing the Loop. Revisiting Global Privacy Control.

  • S01E935 “Topics” Arrives

    • August 15, 2023
    • TWiT

    Picture of the Week. Security Now!'s 18th birthday! Closing the Loop. Firefox Multi-Account Containers. A question about Full Disk Encryption on SSD's. Should I run SpinRite before I back up my drives to a NAS? Overly complex password rules. DuckDuckGo's email alias. The new Russian Astra Linux based OS can not legally be possible. Regarding satellite crowding: The skies won’t be darkening anytime soon. This is what came to mind on the Voyager 2 segment with the shout. Can you please share the name of the session manager that you use in Firefox? The numbers behind the Voyager recorrection. “Topics” Arrives. How Topics Works.

  • S01E936 When Heuristics Backfire

    • August 22, 2023
    • TWiT

    OpenSUSE goes private. Android to get satellite comms. SanDisk and Western Digital in hot water. You’re asking for it: YouTube children's privacy. Whoopsie! 8Base. Where the money is. The TSSHOCK vulnerability. BitForge. A Quantum resilient security key. Removed Chrome extensions notifications. HTTPS by default? WinRAR 6.23 final released. Closing the Loop. When Heuristics Backfire.

  • S01E937 The Man in the Middle

    • August 29, 2023
    • TWiT

    Picture of the Week. WinRAR v6.23 fixes HTTPS for local networks. Portable domains for email. Google Topics and monopolies. Voyager 2 antenna analysis. Windows time settings. Unix time in TLS handshakes. Fake flash drives. Man-in-the-middle attacks.

  • S01E938 Apple Says No

    • September 5, 2023
    • TWiT

    Steve provides an update on ValiDrive, his new freeware utility for testing USB drives. There has been another sighting of Google's Topics API, this time on Android phones. Apple has opened up their iPhones to security researchers through their Security Research Device program since 2019. Research reveals vulnerabilities in browser extensions that allow them to steal plaintext passwords from a website's HTML source code. Feedback from listeners. Apple publicly shares a letter from a CSAM activist demanding they implement scanning to detect child abuse images in iCloud Photos.

  • S01E939 LastMess

    • September 12, 2023
    • TWiT

    UK government appears to back down on demands to break encryption in Online Safety Bill. Microsoft reveals how China-based hackers acquired secret key used to breach Outlook accounts. Multiple flaws allowed key to improperly leave highly secure environment. Mozilla research finds all major auto brands fail on privacy protection. Evidence suggests LastPass encrypted vault data is being decrypted. Researchers tie $35M in crypto thefts to compromised LastPass accounts. Brute force feasible on old low iteration count passwords.

  • S01E940 When Hashes Collide

    • September 19, 2023
    • TWiT

    Last week's news about evidence of LastPass vault decryption targeting cryptocurrency keys, and the UK's backing down on its encryption monitoring legislation. How hardware security modules (HSMs) allow cryptographic operations like code signing without exposing private keys. Browser identity segregation using multiple profiles rather than separate browsers. Requirements and best practices for securely wiping data from modern solid state drives. A countdown clock for the 32-bit UNIX time rollover in the year 2038. Steve's plan to move off Twitter and onto email lists for Security Now communication. A deep dive into cryptographic hash collisions, using fewer hash bits, and balancing anonymity with statistical meaning.

  • S01E941 We told you so!

    • September 26, 2023
    • TWiT

    Apple has quietly removed support for Postscript in macOS Ventura. China has formally accused the NSA of hacking and maintaining access to Huawei servers since 2009. A misconfigured Azure Shared Access Signature token resulted in 38TB of sensitive internal Microsoft data being exposed. The Signal messaging platform has added a post-quantum encryption protocol. A zero-day iOS exploit chain was used to target Egyptian presidential candidate Ahmed Eltantawy. Steve gave an update on the status of his forthcoming ValiDrive USB validation utility. A blog post about the complexity of modern web browsers. An emailer claimed to have a mathematical algorithm that can generate truly random numbers. An emailer asked whether encrypting and deleting a hard drive could substitute for overwriting with random data. There was an explanation of how public key encryption can be used bidirectionally. Listener questions whether all stolen LastPass vaults will eventually be decrypted.

  • S01E942 Encrypting Client Hello

    • October 3, 2023
    • TWiT

    Exim email server ignored ZDI's responsible disclosure of critical remote code execution flaws for over a year, putting millions of servers at risk. Malicious ads are appearing in Bing Chat responses, promoting fake sites distributing malware. Windows 11 now natively supports passkeys, though browser support may make this redundant. Researchers exploit WiFi beamforming side-channel to potentially reveal keystrokes, but practicality is limited. The ECH TLS extension encrypts the ClientHello packet to hide SNI data. Exim disclosure timeline and impact on millions of vulnerable servers. Bing Chat ads mimic search-result malvertising, with risks amplified by chatbot trust.

  • S01E943 The Top 10 Cybersecurity Misconfigurations

    • October 10, 2023
    • TWiT

    Steve announces the release of his new freeware utility ValiDrive for detecting fake drive capacities. 23andMe claims a recent data breach exposed customer info due to credential stuffing attacks. Key stats from Microsoft's 2023 Digital Defense Report on cyberattacks. Brave lays off 9% of its staff amid the tough economic climate. Google Docs exports replace links with tracking redirects, enabling Google to monitor clicked links from exported documents. The MOVEit breach impacted Sony, exposing employee and family data. Firefox 118 now supports Encrypted Client Hello. Google will provide 7 years of updates for its new Pixel phones, up from 5 years previously. The MACE Act passed overwhelmingly in Congress, allowing agencies more flexibility in cybersecurity hiring. Median dwell time for ransomware dropped to less than 1 day, with human-driven attacks deploying it faster. Steve digs into the top 10 cybersecurity misconfigurations outlined in the new NSA/CISA advisory.

  • S01E944 Abusing HTTP/2 Rapid Reset

    • October 17, 2023
    • TWiT

    ValiDrive release follow-up. Passkeys exportability and phishing risk. Passkeys for device verification like SSH keys. Possibility of hobby browsers vs. production browsers. Availability of SpinRite 6.1 pre-release. Filling drives with crypto noise using VeraCrypt. Steve and Leo's favorite OTP apps. Google Docs link rewriting could be to prevent referrer leakage. Abusing HTTP/2 Rapid Reset.

  • S01E945 The Power of Privilege

    • October 24, 2023
    • TWiT

    How fake drives continue to be sold on Amazon despite negative reviews. Microsoft is discontinuing support for the VBScript language. The 30-year old NTLM authentication protocol will eventually be removed from Windows. Two new vulnerabilities found in cURL. A new Cisco router vulnerability rated CVSS 10.0 was used to hack over 40,000 devices. Debate over whether "lib" should rhyme with "vibe" or "air". Instructions for accessing the SpinRite 6.1 pre-release version. Feedback on passkey exportability and server IP address encryption. A listener asks if ransomware can encrypt already encrypted files. How Privacy Badger un-rewrites Google's search result links. The NSA and CISA warn about the power of privilege and the dangers of account misconfigurations.

  • S01E946 Citrix Bleed

    • October 31, 2023
    • TWiT

    What caused last week's connection interruption? Is it possible to create and maintain an Internet whitelist? What's the latest on LastPass vault decryptions? How do you know if a remote correspondent adds a new device to their Apple account that it's really them? Might there be more life left in Windows 10 than we thought? What's foremost in the minds of today's bug bounty hunters? What new free and open source utility has CISA released? Could it be that SpinRite 6.1 is finished? Is TLS 1.2 ready for retirement? And what about IPv4? How can open source projects get their code signed? And then we're going to take a really interesting deep dive into the Internet's latest mass-casualty disaster.

  • S01E947 Article 45

    • November 7, 2023
    • TWiT

    Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key. A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix. Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable. Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity. CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores. Ace Hardware suffered a cyberattack impacting servers and systems. Google abandons controversial "Web DRM" proposal. Analysis of "BadCandy" malware infecting vulnerable Cisco routers. Bitwarden password manager adds support for FIDO2 passkeys in browser extension. Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more. The brewing battle in the EU over proposed eIDAS regulation Article 45.

  • S01E948 What if a Bit Flipped?

    • November 14, 2023
    • TWiT

    Is your lack of privacy badgering you? And if so what can you do about it? What's the latest on last week's bombshell news of the EU's Article 45 in eIDAS 2.0? Who's lost how much money in online cryptocurrency? Is using seed phrases from a seed phrase suggestion site a good idea? Has there been an effective speculative execution flaw discovered in Intel's processors? What country has decided to ban all VPNs? How bad are the two flaws found in OpenVPN? Why have I stopped working on SpinRite? What's the best backup for a large NAS? Should vulnerability researchers learn the assembly language of their target processors? If quantum computers threaten asymmetric crypto, why not return to symmetric crypto? Could someone explain exactly why Article 45 is a bad thing? What in the world is a Windshield Barnacle and why don't you want one? What's my latest Sci-Fi book series discovery? Just how bad could it be if a cosmic ray flipped a bit at just the wrong time?

  • S01E949 Ethernet Turned 50

    • November 21, 2023
    • TWiT

    Privacy and Funding Challenges Facing Signal Messaging App. Loss of Advertisers for Twitter After Controversial Tweet by Elon Musk. Ransomware Group Files SEC Complaint Against Breached Company. Europe Opening Up Radio Encryption Standard TETRA for Public Review. Apple Announcing Adoption of RCS Messaging for iPhones. Steve's Progress on Dynamic Code Signing for SpinRite Releases. Removing Suction Cup Barnacles from Windshields. Recommendations for Benchmarking USB Drive Read/Write Speeds. Concerns Over EU's Proposed eIDAS 2.0 QWACs Legislation. Why Protectli Routers Are Preferred for pfSense Setups. Credit Card Security Precautions for Ex-LastPass Users. Origins and Evolution of Ethernet Networking Over 50 Years.

  • S01E950 Leo turns 67

    • November 28, 2023
    • TWiT

    Adobe Flash Player Updater is (still) desperately trying to update. VeraCrypt password security. Firefox moves to 120 with a bunch of very nice new features. Do-Not-Track is back on track. “ownCloud” -or- “PwnCloud”? CrushFTP Critical Vulnerability. Bypassing fingerprint authentication. ApacheMQ. TransUnion & Experian both hacked.

  • S01E951 Revisiting Browser Trust

    • December 5, 2023
    • TWiT

    How masked domain owners can be unmasked through ICANN's new Registration Data Request Service (RDRS). WhatsApp's addition of Secret Code for extra privacy protection in Chat Lock. Iranian hackers exploited default passwords in programmable logic controllers at US water facilities. Attempt by Montana to ban TikTok statewide was stalled by a federal judge ruling. Over 1 billion Android devices now have RCS messaging enabled. EU Cyber Resilience Act will improve security of Internet of Things devices sold in the EU. Black Basta ransomware group has netted over $107 million since early 2022. Google's new .meme top-level domain allowing meme-related web properties. CISA’s Secure by Design initiative echoes security best practices frequently recommended on the podcast. France plans to ban use of “foreign” end-to-end encrypted apps like Telegram and require use of French app Olvid instead. Concerns raised by industry experts Ivan Ristic and Ryan Hurst about EU's eIDAS 2.0 legislation.

  • S01E952 Quantum Computing Breakthrough

    • December 12, 2023
    • TWiT

    The government collection of push notification metadata. Facebook Messenger sets end to end encryption as the default. Iran’s Cyber Av3ngers. Cisco's Talos Top 10 cyber security exploits this year. Over 30% of apps are still using a vulnerable version of the Log4J library. Quad 9 speaks on their legal victory against Sony. What are the "Clear Web", "Dark Web", and "Deep Web"? A Flaw in Telegram. Xfinity Mobile wants you to accept a root CA, DO NOT. Hardware VPN alternative. A breakthrough in quantum computing.

  • S01E953 “Active Listening”

    • December 19, 2023
    • TWiT

    Child protection legislation in the US. Meta pushes back on the $200 billion FTC fine for COPPA violation. Age verification on the internet. Google moving from 3rd party cookies to topics. A look at Cloudflare's metrics. SpinRite update. Cox Media admits that it spies on you.

  • S01E954 Best of 2023

    • December 26, 2023
    • TWiT

    Steve's Next Password Manager After the LastPass Hack. CHESS is Safe. Here Come the Fake AI-generated "News" Sites. How Bad Guys Use Satellites. Microsoft's "Culture of Toxic Obfuscation". Steve announces his commitment to SN. Apple Says No. NSA's Decade of Huawei Hacking. ValiDrive announcement.

  • S01E955 The Mystery of CVE-2023-38606

    • January 2, 2024
    • TWiT

    SpinRite 6.1 update. Pruning Root Certificates. A solution to Schrodinger's Bowl. DNS Benchmark and anti-virus tools. Nebula Mesh. SpinRite 7 is coming. The Mystery of CVE-2023-38606.

  • S01E956 The Inside Tracks

    • January 9, 2024
    • TWiT

    More on Apple's hardware backdoor. Russian Hacking of Ukrainian cameras. Russian hackers were inside Ukraine telecoms giant for months. Things are still a mess at 23andMe. CoinsPaid was the victim of another cyberattack. Crypto Hacking in 2023. Mandiant Twitter scam. Defining "cyber warfare". LastPass is making some changes. Windows Watch. Google settles $5 billion lawsuit. Return Oriented Programming. Shutting Down Edge. Root Certificates. Credit freezing. SpinRite Update.

  • S01E957 The Protected Audience API

    • January 16, 2024
    • TWiT

    What would an IoT device look like that HAD been taken over? And speaking of DDoS attacks. Trouble in the Quantum Crypto world. The Browser Monoculture. Question about the Apple backdoor. Getting into infosec. Proton Drive vs Sync. SpinRite update. The Protected Audience API.

  • S01E958 A Week of News and Listener Views

    • January 23, 2024
    • TWiT

    Microsoft's Top Execs' Emails Breached in Sophisticated Russia-Linked APT Attack. US Health and Human Services Breached. Firefox vs “The Competition”. Brave reduces its anti-fingerprinting protections. CISA’s proactive policing results one year later. Longer Life For Samsung Updates. Google Incognito Mode "Misunderstanding". Show Doc Not showing images on iOS Safari. Generated AI Media Authentication. Which computer languages to learn? Flashlight app subscription. Google’s Privacy Sandbox system. Malware and IoT devices. Protected Audience API vs. Malvertising. Defensive computing. Why ISPs don't do anything about DDoS attacks. SpinRite Update.

  • S01E959 Stamos on “Microsoft Security”

    • January 30, 2024
    • TWiT

    iOS to allow native Chromium and Firefox engines. An OS immune to ransomware? HP back in the doghouse over "anti-virus" printer bricking. The mother of all breaches. New "Thou shall not delete those chats" rules. Fewer ransoms are being paid. Verified Camera Images. More on the $15/month flashlight app. What happens when apps change publishers. Microsoft hating on Firefox. Credit Karma is storing 1GB of data on the iPhone. Staying on Windows 7. Sci-Fi recommendations. Windows 7 and HSTS sites. TOTP codes/secrets and Bitwarden. SpinRite on Mac. SpinRite v6.1 is done! LearnDMARC.com. Alex Stamos on "Microsoft Security".

  • S01E960 Unforeseen Consequences

    • February 6, 2024
    • TWiT

    CISA’s “Secure by Design” Initiative. The GNU C Library Flaw. Fastly CDN switches from OpenSSL to BoringSSL. Roskomnadzor asserts itself. Google updates Android’s Password Manager. Firefox gets post-quantum crypto. Get your TOTP tokens from LastPass. Inflated iOS app data. LearnDMARC. Sync mobile app bug. SpinRite and Windows Defender. Crypto signing camera. Analog hole in digital camera authentication. iOS and Google's Topics. The gathering of the Stephvens. Programmable Logic Controllers. SpinRite update. Malware-infected Toothbrush. The Unforeseen Consequences of Google’s 3rd-party Cookie Cutoff.

  • S01E961 Bitlocker: Chipped or Cracked?

    • February 13, 2024
    • TWiT

    Toothbrush Botnet. “There are too many damn Honeypots!” Remotely accessing your home network securely. Going passwordless as an ecommerce site. Facebook "old password" reminders. Browsers on iOS. More UPnP Issues. A password for every website? "Free" accounts. Keeping phones plugged in. Running your own email server in 2024. iOS app sizes. SpinRite 6.1 running on an iMac. SpinRite update. Bitlocker’s encryption cracked in minutes.

  • S01E962 The Internet Dodged a Bullet

    • February 20, 2024
    • TWiT

    Wyze breach. Microsoft patch Tuesday fixes 15 remote code execution flaws. Why are there password restrictions? The Canadian Flipper Zero Ban. Security on the old internet. Using Old Passwords. Passwordless login. TOTP as a second factor. German ISP using default router passwords. Email encryption in transit. pfSense Tailscale integration. DuckDuckGo's email protection integration with Bitwarden. The KeyTrap Vulnerability.

  • S01E963 Web portal? Yes please!

    • February 27, 2024
    • TWiT

    Nevada attempts to block Meta’s end-to-end encryption for minors. A survey of security breaches. Edge’s Super-Duper Secure Mode moves into Chrome. DoorDash dashes our privacy. Avast charged $16.5 million for selling user browsing data. No charge for extra logging! European Parliament's IT service has found traces of spyware on the smartphones of its security and defense subcommittee members. LockBit RaaS group disrupted. Firefox v123. The ScreenConnect Authentication Bypass. SpinRite update. Introducing BootAble. Cox moving to Yahoo Mail for users. Credit Card security. Exploiting password complexity requirements? Email only logins. Flipper Zero in Canada. German Router security. More Flipper Zero in Canada. Throwaway email addresses. Shared email accounts. Password quality enforcement. Fingerprint tech and some future stories.

  • S01E964 PQ3

    • March 5, 2024
    • TWiT

    "Death, Lonely Death" by Doug Muir, about the decades-old Voyager 1 explorer. Cory Doctorow's Visions of the Future Humble Book Bundle. CTRL-K shortcut for search on a browser. Direct bootable image downloading for GRC's servers. Closing the loop on compromised emails. Taco Bell's passwordless app. A solution for Bcrypt's password length limit of 72 bytes. Data as the missing piece for law enforcement and privacy advocates. The token solution for email-only login. Apple's Password Manager Resources on Github. The risk of long-term persistent cookies in browsers. Why mainframe industries still require weak passwords. A conundrum involving an exploitable Response Header error and a bounty payment. An inspection of Apple's new Post-Quantum Encryption upgrade.

  • S01E965 Passkeys vs 2FA

    • March 12, 2024
    • TWiT

    VMware needs immediate patching. Midnight Blizzard still on the offensive. China is quietly "de-American'ing" their networks. Signal Version 7.0, now in beta. Meta, WhatsApp, and Messenger -meets- the EU's DMA. The Change Healthcare cyberattack. SpinRite update. Telegram's end-to-end encryption. KeePassXC now supports passkeys. Login accelerators. Sites start rejecting @duck.com emails. Tool to detect chrome extensions change owners. Shortest SN title. Passkeys vs 2FA.

  • S01E966 Morris The Second

    • March 19, 2024
    • TWiT

    Voyager 1 update. The Web turned 35 and Dad is disappointed. Automakers sharing driving data with insurance companies. A flaw in Passkey thinking. Passkeys vs 2FA. Sharing accounts with Passkeys. Passkeys vs. Passwords/MFA. Workaround to sites that block anonymous email addresses. Open Bounty programs on HackerOne. Steve on Twitter. Ways to disclose bugs publicly. Security by obscurity. Something you have/know/are vs Passkeys. Passkeys vs TOTP. Inspecting Chrome extensions. Passkey transportability. Morris the Second.

  • S01E967 GoFetch

    • March 26, 2024
    • TWiT

    Apple vs U.S. DOJ. G.M.’s Unbelievably Horrible Driver Data Sharing Ends. Super Sushi Samurai. Apple has effectively abandoned HomeKit Secure Routers. The forthcoming “.INTERNAL” TLD. The United Nations vs AI. Telegram now blocked throughout Spain. Vancouver Pwn2Own 2024. China warns of incoming hacks. Annual Tax Season Phishing Deluge. SpinRite update. Authentication without a phone. Are Passkeys quantum safe? GoFetch: The Unpatchable vulnerability in Apple chips.

  • S01E968 A Cautionary Tale

    • April 2, 2024
    • TWiT

    A near-Universal (Local) Linux Elevation of Privilege vulnerability. TechCrunch informed AT&T of a 5 year old data breach. Signal to get very useful cloud backups. Telegram to allow restricted incoming. HP exits Russia ahead of schedule. Advertisers are heavier users of Ad Blockers than average Americans! The Google Incognito Mode Lawsuit. Canonical fights malicious Ubuntu store apps. SpinRite update. A Cautionary Tale.

  • S01E969 Minimum Viable Secure Product

    • April 9, 2024
    • TWiT

    Out-of-support DLink NAS devices contain hard coded backdoor credentials. Privnote is not so “Priv”. Crowdfense is willing to pay millions. Engineers Pinpoint Cause of Voyager 1 Issue, Are Working on Solution. SpinRite Update. Minimum Viable Secure Product.

  • S01E970 GhostRace

    • April 16, 2024
    • TWiT

    An update on the AT&T data breach. 340,000 social security numbers leaked. Cookie Notice Compliance. The GDPR does enforce some transparency. Physical router buttons. Wifi enabled button pressers. Netsecfish disclosure of Dlink NAS vulnerability. Chrome bloat. SpinRite update. GhostRace.

  • S01E971 Chat (out of) Control

    • April 23, 2024
    • TWiT

    What do you call “Stuxnet on steroids”?? Voyager 1 update. Android 15 to quarantine apps. Thunderbird & Microsoft Exchange. China bans Western encrypted messaging apps. Gentoo says “no” to AI. Cars collecting driving data. Freezing your credit. Investopedia. Computer Science Abstractions. Lazy People vs. Secure Systems. Actalis issues free S/MIME certificates. PIN Encryption. DRAM and GhostRace. AT&T Phishing Scam. Race Conditions and Multi-core processors. An Alternative to the Current Credit System. SpinRite Updates. Chat (out of) Control.

  • S01E972 Passkeys: A Shattered Dream?

    • April 30, 2024
    • TWiT

    GCHQ: No more default passwords for consumer IoT devices! What happened with Chrome and 3rd-party cookies? Race conditions and multi-threading. GM "accidentally" enrolled millions into "OnStar Smart Driver +" program. Steve recommends Ryk Brown's "Frontiers Saga". SpinRite update. Passkeys: A Shattered Dream?

  • S01E973 Not So Fast

    • May 7, 2024
    • TWiT

    The vulnerability of GPS. Is the sky falling on all VPN systems? Multi-user Passkeys, YubiKeys? The iCloud Keychain. The UK and Google's Topics.

  • S01E974 Microsoft’s head in the Clouds

    • May 14, 2024
    • TWiT

    Picture of the Week. Most to least common 4-digit pins. Enhanced LORAN. Passkeys. Microsoft's Head in the Clouds.

  • S01E975 312 Scientists & Researchers Respond

    • May 21, 2024
    • TWiT

    When you’re the biggest target... Searching for Search. How long will a Windows XP machine survive unprotected on the Internet? Free Laundry. VPNs and Firewalls. Netgate SG1100. Ad Industry vs. Google Privacy Sandbox. Bitwarden and passkeys. Token2 passkey dongle. 312 Scientists & Researchers Respond.

  • S01E976 The 50 Gigabyte Privacy Bomb

    • May 28, 2024
    • TWiT

    The bigger problem with AI Overview. https://udm14.com/ -and- https://tenbluelinks.org/. The horses have left the barn. VPNs and Firewalls. Email @ GRC. Extension to fix Google search. Passwords and SPAM. Fixing motherboard components. Vertical tabs in Firefox. FritzBox routers. Too many PINs. More Google search fixes. Testing Windows XP. The 50 Gigabyte Privacy Bomb.

  • S01E977 TBA

    • June 4, 2024
    • TWiT

  • S01E978 TBA

    • June 11, 2024
    • TWiT