Our weekly audio security column
& podcast by Steve Gibson and Leo Laporte
TechTV's Leo Laporte and I spend somewhat shy of two hours each week to discuss important issues of personal computer security. Sometimes we'll discuss something that just happened. Sometimes we'll talk about long-standing problems, concerns, or solutions. Either way, every week we endeavor to produce something interesting and important for every personal computer user.

(This was not our idea. It was created by a fan of the podcast using GIMP (similar to
Photoshop). But as a work of extreme image manipulation, it came out surprisingly well.)

 You may download and listen to selected episodes from this page (see below), or subscribe to the ongoing series as an RSS "podcast" to have them automatically downloaded to you as they are produced. To subscribe, use whichever service you prefer . . .

 Receive an automatic eMail reminder whenever a new episode is posted here (from ChangeDetection.com). See the section at the bottom of this page.

 Send us your feedback: Use the form at the bottom of the page to share your opinions, thoughts, ideas, and suggestions for future episodes.

 Leo also produces "This Week in Tech" (TWiT) and a number of other very popular podcasts (TWiT is America's most listened to podcast!) So if you are looking for more informed technology talk, be sure to check out Leo's other podcasts and mp3 files.

 And a huge thanks to AOL Radio for hosting the high-quality MP3 files and providing the bandwidth to make this series possible. We use "local links" to count downloads, but all of the high-quality full-size MP3 files are being served by AOL Radio.

Episode Archive

Each episode has SIX resources:

High quality 64 kbps mp3 audio file
Quarter size, bandwidth-conserving,
16 kbps (lower quality) mp3 audio file
A PDF file containing Steve's show notes
A web page text transcript of the episode
A simple text transcript of the episode
Ready-to-print PDF (Acrobat) transcript  

(Note that the text transcripts will appear a few hours later
than the audio files since they are created afterwards.)

For best results: RIGHT-CLICK on one of the two audio icons & below then choose "Save Target As..." to download the audio file to your computer before starting to listen. For the other resources you can either LEFT-CLICK to open in your browser or RIGHT-CLICK to save the resource to your computer.

Episode #900 | 06 Dec 2022 | ... min.
LastPass, Again

This week we answer a few questions: What if an Australian company doesn't secure their own network? Has Ireland NOT levied fines against any major Internet property owned by Meta? What's in REvil's complete dump of Australia's Medibank data disclosure? We finally answer the question: Is nothing sacred? (It turns out it's not rhetorical.) Also, whose root cert just got pulled from all of our browsers, and how did a handful of Android platform certs escape? What US state has banned all use of Tik-Tok? What country is prosecuting its own ex-IT staff after a breach? How has memory-safe language deployment actually fared in the wild? Are last August's BlackHat 2022 videos out yet? And which brand of IoT security camera do you probably NOT want to use or purchase? Which podcast had the most amazing guest last week? What happened when SpinRite was run on an SSD? And what does LastPass's announcement of another hacker intrusion mean for it and its users? Answers to those questions and more coming your way during this week's Security Now! podcast.
 440 KB   <-- Show Notes

Episode #899 | 29 Nov 2022 | 102 min.
Freebie Bots & Evil Cameras

What happens when you: Run a Caller ID spoofing service? Or when you mis-list and underprice online goods? Or click on a phishing link for a cryptocurrency exchange? Or consider working for a underworld hacking group? Use a webserver from the dark ages in your IoT device? Or rattle your sabers while attempting to sell closed networking systems to your enemies? Or decide whether or not to continue to suspend your Twitter ad buys? Or login to Carnival Cruises with a passkey? Or use hardware to sign your code? This week's podcast answers all of those questions and more!
49 MB 12 MB  623 KB   <-- Show Notes 138 KB 85 KB 353 KB

Episode #898 | 22 Nov 2022 | 120 min.

This week we note that Firefox moved to v107 and that Google recently reached a nearly $400 million dollar user-tracking settlement. Red Hat has started cryptographically signing its ZIP distributions, the FBI purchased the nefarious Pegasus spyware and Greece paid 7 million euros for the similar Predator spyware. Passkeys have a directory listing sites where they can be used, the OMB has decreed a quantum decryption deadline, and 33 US state attorneys general have asked the FTC to get serious about online privacy regulation. We have some engaging listener feedback and SpinRite is finally a day or two away from starting its final testing. And we're going to wrap up by examining some chilling research which allows the physical location in space of every WiFi device within range to be accurately determined by someone walking past or flying a tiny drone.
57 MB 14 MB  377 KB   <-- Show Notes 168 KB 100 KB 401 KB

Episode #897 | 15 Nov 2022 | 90 min.
Memory-Safe Languages

This week we have another event-filled Patch Tuesday retrospective. We look at a newly published horrifying automated host attack framework which script kiddies are sure to jump on. We have a welcome new feature for GitHub, crucial vulnerabilities in the LiteSpeed web server, a spiritual successor to TrueCrypt and VeraCrypt for Linux, Australia's announcement of their intention to proactively attack the attackers, a controversial new feature in iOS 16.1.1, a couple more decentralized finance catastrophes, some miscellany and listener feedback. Then we'll finish by looking at a just-published advisory from U.S.'s National Security Agency, our NSA, promoting the use of memory-safe languages.
43 MB 11 MB  469 KB   <-- Show Notes 105 KB 73 KB 281 KB

Episode #896 | 08 Nov 2022 | 98 min.
Something for Everyone

This pure news week we look at Dropbox's handling of a minor breach, and we follow-up on last week's OpenSSL flaws. The FTC has had it with a repeat offender, and we know how much total (reported) ransom was paid last year. Akamai reports on phishing kits, we have some stats about what Initial Access Brokers charge, and we look at the mechanics of cyber bank heists. Several more DeFi platforms defy belief, Russia is forced to move to Linux, the Red Cross wants a please don't attack us cyber-seal, nutty Floridians get themselves indicted for a bold tax fraud scheme, is China cheating with 0-days?, the NCSC will be scanning its citizenry... and more!
47 MB 12 MB  388 KB   <-- Show Notes 106 KB 77 KB 286 KB

Episode #895 | 01 Nov 2022 | 108 min.
After 20 years in GCHQ

This week we revisit the Windows driver block list which has received a long-needed update and at Microsoft's own definition of a CVE. We note that sometime today the OpenSSL project will be releasing an update for an ultra-CRITICAL flaw in OpenSSL v3 and we look at a remote code execution flaw in Windows TCP/IP stack. We have a ubiquitous problem in the past 22 years of the widely used SQLite library and a surprising percentage of malicious proofs-of-concepts found in GitHub. Passkeys gets another supporter and the first part of a professional tutorial explaining how to exploit the Chrome browser is released. After some listener feedback and a SpinRite update, we look at the goodbye posting of the UK's head of cyber security after 20 years.
52 MB 13 MB  467 KB   <-- Show Notes 127 KB 85 KB 326 KB

Episode #894 | 25 Oct 2022 | 102 min.
Data Breach Responsibility

This week we note the release of an updated Firefox browser and Google's welcome and interesting announcement of a super-secure-by- design open source operating system project. We look at the latest cryptocurrency craziness and at a new Windows 0-day which bypasses downloaded executable file security checks. And speaking of 0-days, Apple just patched their iPhone and iPad OS's against their 9th 0-day of the year. We then take a look at the forces driving the evolutionary demise of previously rampant banking malware and at today's critical VMWare update. Then, after sharing and addressing some interesting listener feedback, we'll take a look at new Australian legislation aimed at punishing data breaches and consider the ethics of Australia's proposed new heavy fines.
49 MB 12 MB  947 KB   <-- Show Notes 115 KB 79 KB 315 KB

Episode #893 | 18 Oct 2022 | 101 min.
Password Change Automation

This week we examine several more serious Microsoft security failures which have just come to light, and a new useful Windows security feature that was just added. The new Passkeys logon technology received its own website to monitor its progress, and Cloudflare logs another record breaking DDoS attack. Signal drops its legacy support for SMS/MMS on Android, Fortinet attempts to keep a new bad authentication bypass quiet, the White House proposes work on an IoT cybersecurity seal of approval, and the US Treasury department levies a hefty fine against a cryptocurrency exchange for not caring who they send money to. I have some updates on SpinRite, my just-discovered ZimaBoard and two pieces of listener feedback. Then we're going to finish by examining a new standardized means of accessing websites' password change pages. And we also have our first-ever Security Now VIDEO of the Week.
48 MB 12 MB  918 KB   <-- Show Notes 109 KB 79 KB 287 KB

Episode #892 | 11 Oct 2022 | 105 min.
Source Port Randomization

This week we look at a massive customer information leak from a surprising source. Meta notes where their users are being harvested. And in an industry first, Uber's CSO has been convicted. We have more, much more, cryptocurrency industry turmoil. A new appointee in the U.K. wants to drop their use of the GDPR. The NSA is looking for next summer interns, IBM learns that incident responders are feeling quite stressed out, and Microsoft continues to fumble their Exchange Server response. I have news of SpinRite and of my discovery of a lovely little Single Board Computer. And after sharing some listener feedback, we're going to look at a recent mistake made in the Linux kernel that allowed its users to be tracking online.
50 MB 13 MB  818 KB   <-- Show Notes 141 KB 86 KB 358 KB

Episode #891 | 04 Oct 2022 | 102 min.
Poisoning Akamai

This week we examine a puzzlingly insecure implementation by Microsoft in Teams' design and at their complete re-write of Microsoft Defender Smartscreen. Roskomnadzor strikes again, and Exchange Server is again under serious attack with a new 0-day. CloudFlare introduces Turnstile, their free CAPTCHA improvement and Google published a fabulously engaging 6-video YouTube series under the banner: “Hacking Google.” We'll then spend some time sharing and replying to listener feedback before we examine a breathtaking flaw that was discovered in Akamai's global CDN caching, and what became of it.
49 MB 12 MB  483 KB   <-- Show Notes 151 KB 85 KB 359 KB

Episode #890 | 27 Sep 2022 | 93 min.
DarkNet Politics

This week we examine Europol's desire to retain data on non-criminal EU citizens, and we look at the forth EU nation to declare that the use of Google Analytics is an illegal breach of the GDPR. Has Teapot been caught? Seems like. And Mozilla says it's no fair that operating systems bundle their own browsers. Here we go again. Meanwhile, Chrome's forthcoming V3 Manifest threatens add-on ad-blocker extensions, and past Chrome vulnerabilities are leaving embedded browsers vulnerable. Windows 11 actually gets a useful feature, and some US legislation proposes to improve open source software security. We revisit the Iran-Albanian cyber-conflict now that we know how Iran got into Albania's networks. And after one important and interesting bit of listener feedback about multi-factor authentication fatigue and a quick SpinRite update, we look at some new trends in the Dark underworld with the leak of another major piece of cybercrime malware.
45 MB 11 MB  568 KB   <-- Show Notes 112 KB 75 KB 310 KB

Episode #889 | 20 Sep 2022 | 92 min.

This week we look at last week's Patch Tuesday and at the changing cyber insurance landscape. We visit and revisit a collection of major network breaches at Uber, Rockstar Games and LastPass. We look at another significant problem facing 280,000 WordPress users and at a recommended mitigation for the future. We examine the cost to processing performance of the most recent Retbleed security mitigations, and look at Google's very welcome use-after-free vulnerability technology. And after sharing a few pieces of feedback from our listeners, we examine a somewhat surprising consequence of enabling Chrome's enhanced spell check and provide some mitigations.
44 MB 11 MB  678 KB   <-- Show Notes 102 KB 73 KB 280 KB

Episode #888 | 13 Sep 2022 | 107 min.
The EvilProxy Service

This week we look at an unusual and disturbing escalation of a cyberattack. I also note that cryptoheists have become so pervasive that I'm not mentioning them much anymore. The While House conducted a “Listening Session” to dump on today's powerful tech platforms, and a government regulator in The Netherlands quit his position and tells us why. There's another QNAP mess which is bad enough to exceed my already quite high QNAP mess threshold, and D-Link routers need to be sure they are running their very latest firmware. I have another comment about my latest Sci-Fi author discovery and two quick bits of feedback from our listeners. Then we're going to examine EvilProxy, the conceptual cousin to Ransomware as a Service.
51 MB 13 MB  830 KB   <-- Show Notes 137 KB 85 KB 352 KB

Episode #887 | 06 Sep 2022 | 108 min.
Embedding AWS Credentials

This week we look at Google's just-announced and launched open source software vulnerability rewards program. We ask the question whether TikTok leaked more than 2 Billion of their user's records. We look at Chrome's urgent update to close its 6th 0-day of 2022 and at a worrisome “feature” -- I think it a bug! --in Chrome. A somewhat hidden autorun facility in PyPI's pip tool used for downloading and installing Python packages is being used to run malware. And we examine a recent anti-Quantum computing opinion from an Oxford university quantum physicist. Then I have two bits of miscellany, three pieces of listener feedback, a fun SpinRite video discovery, and my discovery of a wonderful and blessedly prolific science fiction author. And after all that, we look at the result of Symantec's recent research into their discovery of more than 1800 mobile apps which they found to be leaking critical AWS cloud credentials, primarily due to carelessness in the use of today's software supply chain.
52 MB 13 MB  252 KB   <-- Show Notes 153 KB 87 KB 360 KB

Episode #886 | 23 Aug 2022 | 112 min.
Wacky Data Exfiltration

This week we begin by discussing the implications of last week's LastPass breach disclosure. We look at some recent saber-rattling by the U.S.'s FTC and FCC over the disclosure of presumably private location data. We share pieces of a fascinating conversation with a Russian ransomware operator, gaining some insight into the way he conducts attacks and the way he views the world. We tell everyone about a new tracking-stripping and privacy-enforcing email forwarding service that's just come out of a yearlong beta from the DuckDuckGo people. We have another big and widespread IoT update mess to share. I have some welcome progress to report about my work on SpinRite, and some listener feedback. Finally, we're going to look at some recent goings on at the Ben-Gurion University of the Negev, which never fails to entertain.
54 MB 13 MB  511 KB   <-- Show Notes 151 KB 93 KB 367 KB

Episode #885 | 23 Aug 2022 | 92 min.
The Bumblebee Loader

This week we'll start off with a bit of fun over the most tweeted by far wacky tech news item. We then get serious with a very worrisome flaw which very likely exists in the WAN interface of the routers that many of us probably own. DDoS attacks have broken another record by a large margin, and both Chrome and Apple deal with, if not emergency then at least high priority software updates. We also have another major software repository tightening up its security against supply chain attacks. Then after sharing just a few, but powerful, bits of feedback, we're going to step through the blow-by-blow operation and actions of the newest and meanest kid on the block with the emergence of a powerful malware loader that gets its name from the DLL it first loads: Bumblebee.
44 MB 11 MB  544 KB   <-- Show Notes 93 KB 68 KB 270 KB

Episode #884 | 16 Aug 2022 | 98 min.
TLS Private Key Leakage

This week we look back at last week's Patch Tuesday to learn how much better Microsoft various products are as a result. We look at Facebook's announced intention to creep further toward end-to-end encryption in Messenger, and at the puzzling result of a recent scan of the Internet for completely exposed VNC servers. I want to take a few minutes to talk about the importance of planning ahead for a domain name's future, share my tip for a terrific website cloning tool, and a few more updates. Then, after sharing some feedback from our ever-attentive listeners, we're going to address the question: Can a remote server's TLS private key be derived simply by monitoring a sufficient number of its connections? What?! We all know that everything has been designed so that's not possible. But edge cases turn out to be a surprising problem and the details of this research are quite interesting.
47 MB 12 MB  283 KB   <-- Show Notes 120 KB 78 KB 316 KB

Episode #883 | 09 Aug 2022 | 94 min.
The Maker's Schedule

This week we examine the collapse of one of the four NIST-approved post-quantum crypto algorithms. We look at what VirusTotal has to tell us about what the malware miscreants have been up to, and at the conditions under which Windows 11 was corrupting its users' encrypted data. We also celebrate a terrific-looking new commercial service being offered by Microsoft, and we briefly tease next week's probable topic, which is cryptographer Daniel Bernstein's second lawsuit against the United States. I want to share a bunch of interesting feedback in Q&A style from our terrific listeners, then I want to share my discovery of a coder, serial entrepreneur, and writer by sharing something he wrote which I suspect will resonate profoundly with every one of our listeners.
45 MB 11 MB  506 KB   <-- Show Notes 97 KB 72 KB 279 KB

Episode #882 | 02 Aug 2022 | 119 min.
Rowhammer's Nine Lives

This week we're going to note an urgent vulnerability created by an add-on to Atlassian's Confluence corporate workgroup server. Next week's Usenix security conference will be presenting TLS-Anvil for testing TLS libraries. Google has decided to again delay their removal of 3rd-party cookies from Chrome, and attackers were already switching away from using Office Macros before Microsoft actually did it. We have a bunch of listener feedback, some thoughts about computer science theory and bit lengths, and some interesting miscellany. Then we're going to look at the return of Rowhammer thanks to some new brilliant and clever research.
57 MB 14 MB  371 KB   <-- Show Notes 130 KB 88 KB 329 KB

Episode #881 | 26 Jul 2022 | 107 min.
The MV720

This week we start off by updating our follow-up to this month's Patch Tuesday. Things were more interesting than they originally seemed. Then we keep up with the evolving state of Microsoft Office's VBA macro foreign document execution. We also have a fabulous bit of news about some default security policy changes for Windows 11 announced by Microsoft. Then, with August rapidly approaching, we have a few calendar notes to mention; I have a welcome and long-awaited bit of SpinRite news to share; we have a bit of miscellany and some brief bits of listener feedback to cover. Then we take a deep dive into the poor-by-design security of a very popular and frightening widely used aftermarket GPS tracking device. You don't want one of these anywhere near you or your enterprise. Yet 1.5 million are.
51 MB 13 MB  654 KB   <-- Show Notes 179 KB 86 KB 394 KB

Episode #880 | 19 Jul 2022 | 105 min.

This week we start with a quick update on last week's Rolling Pwn problem. Then we look at the state of IPv4 space depletion and the rising price of an IPv4 address. We have an interesting report on the Internet's failed promise, Facebook's response to URL-tracker trimming, Apple's record-breaking Lockdown Mode bounty, ClearView Ai's new headwinds, a new feature being offered by ransomware gangs, the return of Roskomnadzor, last Tuesday's patches and some feedback from our listeners. Then we look at the details of the latest way of exfiltrating secrets from operating system kernels thanks to insecurities in Intel and AMD micro-architecture implementations. Yes, some additional bleeding
51 MB 13 MB  529 KB   <-- Show Notes 86 KB 77 KB 265 KB

Episode #879 | 12 Jul 2022 | 116 min.
The Rolling Pwn

This week we look at a recently made and corrected mistake in the super-important OpenSSL crypto library. The NIST has settled upon the first four of eight post-quantum crypto algorithms. Yubico stepped-up to help Ukraine. Apple has added an extreme “Lockdown Mode” to their devices. Microsoft unbelievably re-enables Office VBA macros received from the Internet. The FBI creates a successful encrypted message app for a major sting operation. We close the loop with some of our listeners. Then we examine an even more egregious case of remote automotive wireless unlocking and engine starting.
56 MB 14 MB  518 KB   <-- Show Notes 152 KB 94 KB 370 KB

Episode #878 | 05 Jul 2022 | 99 min.
The ZuoRAT

This week we look at Chrome's 4th 0-day of the year and at another welcome privacy-enhancing bump from Firefox. And also share the disclosure and forensic investigation of the bug bounty clearinghouse HackerOne's discovery of a malicious (now ex-) employee among their ranks. And some listener feedback draws us into a discussion of the nature of the vulnerabilities of connecting Operation Technology systems to the Internet, ans also some hope for the future amalgamation of the currently-fragmented SmartHome IoT industry. And before we start into our deep dive into some new and worrisomely prolific malware, we're going to consider whether we'd rather have one 9-inch pizza or two 5-inch pizzas? As always, another gripping episode of Security Now!
48 MB 12 MB  1055 KB   <-- Show Notes 101 KB 73 KB 279 KB

Episode #877 | 28 Jun 2022 | 110 min.
The “Hertzbleed” Attack

This week, after dealing with a major piece of errata from last week, we look at Germany's reaction to the EU's proposed “let's monitor everyone and privacy be damned” legislation. The Conti gang finally pulls the last plug. We have an update on the status of Log4J and Log4Shell and a weird proposal for a "311" cyber attack reporting number, and a sweeping 56 new vulnerabilities were found and reported across the proprietary technologies of major industrial control technology providers. And this week we have a piece of miscellany, followed by ten interesting items of closing-the-loop feedback to share from our listeners. We will then take a deep dive into the latest “HertzBleed Attack” which leverages the dynamic speed scaling present in today's modern processors. We'll examine another effective side-channel attack – which is even effective against carefully-written post-quantum crypto – and can be used to reveal its secret keys.
53 MB 13 MB  609 KB   <-- Show Notes 90 KB 80 KB 281 KB

Episode #876 | 21 Jun 2022 | 118 min.
Microsoft's Patchy Patches

We begin this week by answering last week's double-decryption strength puzzler. I then take a look at what's currently known about FIDO2 support in LastPass and Bitwarden. We look at last week's Mozilla announcement of Total Cookie Protection for Firefox (which doesn't appear to be working for me) and invite everyone to test their browsers. DDoS attacks have broken yet another record, another NTLM relay attack has been uncovered in Windows, Apple messed up Safari five years ago, more than a million WordPress sites were recently force-updated, and another high-severity flaw was fixed in a popular JAVA library. Then after sharing a bit of miscellany and some fun closing-the-loop feedback, we look at the awareness the rest of the security industry is sharing regarding the deteriorating quality of Microsoft's security management.
57 MB 14 MB  625 KB   <-- Show Notes 144 KB 90 KB 359 KB

Episode #875 | 14 Jun 2022 | 101 min.
The PACMAN Attack

This week will, I expect, be the last time we talk about passkeys for awhile. But out listeners are still buzzing about it, and some widespread confusion about what Apple presented during their WWDC developer's session needs a bit of clarification. While doing that, I realized and will share how to best characterize what FIDO is, which we're going to get, with respect to SQRL, which we're not. I also want to turn our listeners onto a free streaming penetration testing security course which begins Wednesday after next. Then we have a TON of listener feedback which I've wrapped in additional news. And one listener's question, in particular, was so intriguing that I'm going to repeat it but not answer it yet, so that all of our listeners can have a week to contemplate its correct answer. And although I wasn't looking for it, I also stumbled upon a surprising demonstration proof that we are, indeed, living in a simulation. When I share it, I think you'll be as convinced as I am. And finally, as suggested by this podcast's title, we're going to take a very deep dive into the past week's headline-capturing news that Apple's famous M1 ARM chips all contain a critical bug that cannot be fixed. Just how bad is it?
48 MB 12 MB  346 KB   <-- Show Notes 146 KB 83 KB 355 KB

Episode #874 | 07 Jun 2022 | 90 min.
Passkeys, Take 2

This week we have a response from ServiceNSW to the news of their insecure digital driver's license. ExpressVPN is the first VPN to pull the plug on India. Turning off the Internet is becoming a common practice by repressive regimes. The Windows Follina exploit explodes in the wild. Another Windows/Word URL scheme can be exploited. A critical cellular modem chip defect has surfaced. Named ransomware is being impacted by U.S. sanctions and ransomware is taking aim at our system boot firmware. We have a bit of errata and closing the loop feedback. Then, in the wake of Apple's big WWDC 2022 keynote, which mentioned Apple's forthcoming adoption of the FIDO2 Passkeys, I want to highlight one glaring concern that everyone seems to have missed.
43 MB 11 MB  393 KB   <-- Show Notes 138 KB 72 KB 337 KB

Episode #873 | 31 May 2022 | 110 min.

This week we examine the difficult to believe in 2022 design of Australia's New South Wales Digital Driver's License which was sold as being quite difficult to counterfeit. We examine the latest, once again fumbled, extremely pervasive Microsoft Office zero-day remote code execution vulnerability. We look at the first instance of touchscreen remote touch manipulation, and at Vodafone and Deutsche Telekom's difficult to believe yet already being piloted plan to further monetize their customers by somehow injecting persistent supercookies into their customer's connections at the carrier level. Then, after sharing some feedback from our terrific listeners, we'll dig into the discovery that the DuckDuckGo Privacy Browser carved out a privacy exception for Microsoft.
53 MB 13 MB  1,067 KB   <-- Show Notes 124 KB 83 KB 321 KB

Episode #872 | 24 May 2022 | 103 min.
Dis-CONTI-nued: The End of Conti?

This week we'll start by following-up on Microsoft's Patch Tuesday Active Directory domain controller mess. We're going to look at several instances of the Clearview AI facial recognition system making news, and at the systems which fell during last week's Vancouver Pwn2Own competition. We cover some welcome news from the U.S. Department of Justice and some disturbing news about a relatively simple and obvious hack against popular Bluetooth-link smart locks. We have some closing-the-loop feedback from our listeners, including a look at what's going on with the Voyager 1 space probe, and another interesting look into the looming impact of quantum crypto. Then we finish by sharing an in-depth examination of the surprisingly deliberately orchestrated shutdown of the Conti ransomware operation.
50 MB 12 MB  717 KB   <-- Show Notes 106 KB 80 KB 288 KB

Episode #871 | 17 May 2022 | 99 min.
The New EU Surveillance State

This week we look back at what no one wanted, an eventful Patch Tuesday. Apple has pushed a set of updates to close an actively exploited zero-day. Google announced the creation of their Open Source Maintenance Crew. A ransomware gang wants to overthrow a government. Google's Play Store faces an endlessly daunting task. The predicted disaster for F5's BIG-IP systems arrived. A piece of errata and some closing-the-loop feedback from our terrific listeners. Then we're going to look at just how far afield the European Union has wandered with their forthcoming breathtaking surveillance legislation.
48 MB 12 MB  610 KB   <-- Show Notes 125 KB 77 KB 319 KB

Episode #870 | 10 May 2022 | 108 min.
That “Passkeys” Thing

This week we look at a patch to Android to thwart an actively exploited vulnerability. We briefly revisit Connecticut's new privacy law and we take a quick look at the raft of recent ransomware victims. The U.S. State Department has added another ransomware group to its big bounty list and we look at what's being called the biggest cybersecurity threat facing the U.S. Meanwhile, the White House issues a memorandum about the threat from quantum computing and we have the discovery of a new and pernicious DNS vulnerability that's unlikely to be fixed in our IoT devices. And after looking at F5 Networks new and quite serious troubles, we close the loop with some listener feedback, briefly discuss the past week of Sci-Fi news, then finish by looking at the past week's most Tweeted-to-me question: “What's that passkeys thing that Apple, Google and Microsoft are adopting?”
52 MB 13 MB  701 KB   <-- Show Notes 144 KB 84 KB 357 KB

Episode #869 | 03 May 2022 | 91 min.
Global Privacy Control

This week we're going to examine the success of the abbreviation overloaded DoD's DIB-VDP pilot program. We're going to introduce the relatively new OpenSSF - Open Source Security Foundation - and its Package Analysis Project. We're going to look at some hopeful new privacy legislation recently passed in Connecticut's house which if signed into law would cause it to join four other privacy-progressive states, and we're going to look at Moxie Marlinspike's irreverent rationale for the need for port knocking. Then, after sharing some interesting listener feedback, we're going to look at the background, implementation and future of a very encouraging development in user web browser and Internet privacy.
44 MB 11 MB  649 KB   <-- Show Notes 86 KB 69 KB 259 KB

Episode #868 | 26 Apr 2022 | 104 min.
The 0-Day Explosion

This week we're going to take a close look at the U.S. Cybersecurity and Infrastructure Security Agency's mandated must update list, including some recent entries. We're going to examine the somewhat breathtaking mistake that Lenovo made across more than 100 of their laptop models, and a cryptocurrency wallet implemented in a web browser (what could possibly go wrong?) Then we're going to look at another startling vulnerability that was recently discovered in Java versions 15, 16, 17 and 18. We have a bunch of interesting listener feedback, a brief Sci-Fi interlude, and the announcement of a major milestone reached for SpinRite. Then we're going to wrap up by taking a look across the past ten years of 0-day vulnerabilities thanks to some recent research performed by the security firm Mandiant. The title of this week's podcast gives away what's been happening.
50 MB 12 MB  535 KB   <-- Show Notes 123 KB 81 KB 319 KB

Episode #867 | 19 Apr 2022 | 98 min.
A Critical Windows RPC RCE

This week we examine Chrome's third zero-day of the year, followed by Microsoft's massive 128-patch fest last week, and we note that we don't even bother counting Windows zero-days, though there were another two this month amid the 47 critical vulnerabilities that were patched, one of them being so worrisome that it captured this week's podcast title, which we'll cover at length before we conclude. We also have more WordPress add-on trouble, the return of a longstanding problem in Apache Struts, and we have some interesting commentary about the current hackability status of the United States nuclear arsenal. I want to share a bit of closing-the-loop feedback with our listeners and give everyone a snapshot into the recent work on SpinRite. Then we're going to take a close look at the one flaw, out of 128 that Microsoft patched last week, that truly has the entire security industry on pins and needles because it enables a zero-click Internet worm.
47 MB 12 MB  652 KB   <-- Show Notes 91 KB 72 KB 277 KB

Episode #866 | 12 Apr 2022 | 81 min.

We'll wrap up this week's podcast by revisiting Spring4Shell. Last week, when we first mentioned it, it was just a questionable itch. Now, a week later, it's a full blown outbreak deserving of today's podcast title. But before we roll up our sleeves for that we're going to examine credible reports of a 0-day in the Internet's most popular web server platform. We're going to take a look at Microsoft's newly announced “Autopatch” system, and the rapidly approaching end-of-security life of some Windows 10 editions. We have another instance of an NPM protest-ware modification of a highly used library, and I want to share a bit of miscellany and listener feedback. Then we'll finish by looking at what one week has done to Spring4Shell.
39 MB 10 MB  396 KB   <-- Show Notes 92 KB 63 KB 266 KB

Episode #865 | 05 Apr 2022 | 104 min.
Port Knocking

This week we examine a critical Java framework flaw that's been named “Spring4Shell” because it's mildly reminiscent of Java's recent “Log4J” problem. We'll also take a look at the popular QNAP NAS devices and several recent security troubles there. Sophos has got themselves an attention grabbing must patch now 9.8 CVSS vulnerability and it didn't take long (10-days) for the theoretical Browser-in-the-Browser spoof to become non-theoretical. There's more worrisome news on the NPM supply-chain package manager exploitation nightmare, the FinFisher spyware firm happily bites the dust, and some of the young hackers forming the Lapsus$ gang have been identified. Squarely in the doghouse this week is WYZE whose super-popular webcams have problems which are just as serious as those of the company itself... and, oh!, the authentication bypass details, which I'll share, are SO wonderful! Then after a bit of closing-the-loop feedback with our listeners, I want to talk about and put the idea of “Strong Service Concealment” on everyone's radar. “Port Knocking” is not a new idea by any means. But it is extremely clever, cool and useful. In today's world, there's more reason than ever for ports and the services behind them that are not actively soliciting public traffic to be kept completely hidden. There are a number of ways this can be done which are very cool.
50 MB 13 MB  316 KB   <-- Show Notes 101 KB 76 KB 285 KB

Episode #864 | 29 Mar 2022 | 99 min.
Targeted Exploitation

This week we start by looking at Chrome's second zero-day vulnerability of the year. We then spend some time with an interview of the Chief Technical Officer of one of Ukraine's largest ISPs learning of the challenges they're currently facing. JavaScript's most popular package manager npm is under attack again, and Honda tells worried reporters that they have no plans to address the consequences of a new glaring security vulnerability affecting five recent years of their Honda Civic design. The FCC classifies Kaspersky Lab as a national security threat and adds a bunch of Chinese Telecom companies and services, as well. Then, after addressing a piece of use-after-free listener feedback, we take a detailed look at the consequences of Chrome's first zero-day of the year and at the attacks launched by North Korea which leveraged that flaw.
48 MB 12 MB  604 KB   <-- Show Notes 114 KB 77 KB 315 KB

Episode #863 | 22 Mar 2022 | 98 min.
User After Free

This week we look at the US's new cybercrime reporting law that was just passed. We examine a worrisome software supply chain sabotage and the trend it represents. We look at “Browser-in-the-browser,” a new way to spoof sign-in dialogs to capture authentication credentials, and we examine the way MicroTik routers are being used by the TrickBot botnet to obscure their command and control servers. A very concerning infinite loop bug has been uncovered in OpenSSL (time to update!) and CISA walks us through their forensic analysis of a Russian attack on an NGO. We then take a look at the Windows vulnerability that refuses to be resolved, and we'll finish by spending a bit more time than we have so far looking more closely at why User-After-Free flaws continue to be so challenging.
47 MB 12 MB  284 KB   <-- Show Notes 117 KB 77 KB 314 KB

Episode #862 | 15 Mar 2022 | 98 min.
QWACs On? or QWACs Off?

This week we briefly touch on last week's Patch Tuesday for both Windows and Android, the world's two most used operating systems. We look at a recent emergency update to Firefox and the need to keep all of our systems' UEFI firmware up to date. NVIDIA suffers a huge and quite embarrassing network breach, and ProtonMail handles their Russian customers correctly. The Linux kernel has seen some challenging times recently, and Russia has decided to start signing website certificates. Research was just published to put some numbers to WordPress add-ons' observably miserable security, and the European Union legislators who brought us GDPR and mandatory website cookie notifications are at it again. What now?
47 MB 12 MB  840 KB   <-- Show Notes 113 KB 77 KB 311 KB

Episode #861 | 08 Mar 2022 | 88 min.
Rogue Nation Cyber Consequences

This week we examine many of the cyber-consequences of Russia's unilateral aggression against Ukraine. In a world as interconnected as today, can a rogue nation go it alone? Ukraine has formed a volunteer IT Army. Hacking groups are picking sides. Is Starlink a hope? Actors on both sides of Russia's borders are selectively blocking Internet content. Google has become proactive. The Namecheap registrar has withdrawn service. Use of the Telegram encrypted messenger service has exploded. Cryptocurrency exchanges block tens of thousands of wallets. Russia releases the IP addresses and domains attacking them, and likely some which are not. They also prepare to amend their laws to permit software piracy and appear to be preparing to entirely disconnect from the global Internet. All of the technologies we've been talking about for years are in play.
42 MB 11 MB  436 KB   <-- Show Notes 80 KB 69 KB 243 KB

Episode #860 | 01 Mar 2022 | 103 min.
Trust Dies in Darkness

This week we examine the consequences of paying ransomware extortion demands. How did that work out for you? We take a deep look into "Daxin," a somewhat terrifying malware from attackers linked to China. We take something of a retrospective look at Log4j and draw some lessons from its trajectory. We touch on some technical consequences of Russia's invasion of Ukraine, including which kitchen appliances Russia's servers are claiming to be, and the question of the possible consequences of the U.S. becoming involved in launching some cyberattacks at Russia. We have a piece of interesting listener feedback and the results of last week's next SpinRite development pre-release. Then we're going to take a look at the significant mistake Samsung made which crippled and compromised the security of all 100 million of their most recently made Smartphones.
49 MB 12 MB  855 KB   <-- Show Notes 112 KB 78 KB 310 KB

Episode #859 | 22 Feb 2022 | 94 min.
A BGP Routing Attack

This week we talk about another WordPress plug-in mess, this one so bad that WordPress themselves force-installed updates on more than three million sites. We look at the new Xenomorph Android malware and at a mistake made by a new and prominent ransomware service. We examine why blurring or pixelating text for redaction was never a good idea, and what can go wrong with a plan to shut off one's teenagers' Internet access at home. We unfortunately need to revisit the supercritical Magento/Adobe Commerce platform patch which didn't quite work completely the first time, and we consider the implications of the technology behind last week's denial-of-service attacks on some of Ukraine's critical infrastructure. Then, after quick sci-fi and SpinRite updates, we'll take a look at an effective and lucrative attack that was perpetrated by deliberately abusing the still-too-trusting Border Gateway Protocol.
45 MB 11 MB  273 KB   <-- Show Notes 86 KB 71 KB 265 KB

Episode #858 | 15 Feb 2022 | 92 min.

This week we look at a couple of new zero-days in Chrome and Apple's OSes. We also look at what the U.S. CISA thinks of not only these, but of 15 other problems that our federal agencies seem to be in no big hurry to fix. And we revisit last summer's SeriousSAM vulnerability in Windows which remains under attack. This being the third Tuesday of the month, we'll look back at the second Tuesday to see how that went. Sunday saw a true emergency patch issued by Adobe that probably canceled some Super Bowl plans, and we have an amazingly bad idea for a WordPress add-on. Google has published their 2021 Bounty Report, and their Project Zero has published stats about how things are going there. We have Microsoft removing a popular and highly abused feature of Windows. And then, because nothing else in the past week commanded the podcast's title, I'll wind up by formally introducing GRC's latest freeware which puts its users firmly "InControl."
44 MB 11 MB  571 KB   <-- Show Notes 109 KB 71 KB 282 KB

Episode #857 | 08 Feb 2022 | 106 min.
The Inept Panda

This week we're going to take a look at our law enforcement and cyber-defense recommendations regarding safe conduct while in Beijing for the 2022 Winter Olympic Games. We're going to take a look at a serious CVSS 9.9 vulnerability affecting Linux's use of SAMBA, and at some interesting details of so-called “Living off the Land” exploitation of commonly present operating system utilities. We'll examine Microsoft's most recent approach to application packaging and installation triggered by their recent wholesale neutering of it's primary application and feature. And we're also going to celebrate a welcome change in Microsoft policy that's been 20 years in the making. I'll share a brief pre-announcement of a new forthcoming GRC quickie freeware utility. Then we'll take a close look at “MY2022” the iOS and Android application which all attendees of the Beijing Olympics are required to install, carry and use. Citizen Lab's reverse-engineering analysis will explain how this week's podcast got its name.
51 MB 13 MB  569 KB   <-- Show Notes 101 KB 79 KB 287 KB

Episode #856 | 01 Feb 2022 | 136 min.
The “Topics” API

This is another of those weeks where we're going to go deeper into fewer topics rather than broader across more topics, with Google's newly announced and explained “Topics” API of course being our title story. So we'll start by looking at “PwnKit” which is a startling and long standing local privilege escalation vulnerability which has existed in every distribution of Linux since May of 2009. It's a MUST PATCH for Linux systems. We'll then look at another of the blessedly few Log4j exploits which is actually happening, update on two new Zerodium limited-time bounty “offers” and at a new means for fingerprinting web browsers. I have a totally random bit of miscellany to share in the form of a tip, a SpinRite update and some closing the loop feedback from our terrific listeners. Then we'll wrap up by taking a really interesting deep dive into Google's new ad-targeting “Topics” API.
65 MB 16 MB  247 KB   <-- Show Notes 112 KB 101 KB 334 KB

Episode #855 | 25 Jan 2022 | 94 min.
Inside the NetUSB Hack

This week we briefly touch on the ongoing Log4j background noise. We look at the result of the insurance industry's pushback against ransomware coverage and at the resulting changing cyber-insurance landscape. We look at another WordPress add-on problem and a supply-chain attack on a very popular add-on provider. We also wonder whether WordPress still makes sense in 2022? We cover the EU's quite welcome major bug bounty funding, and Kaspersky's discovery of a very difficult to root out UEFI bootkit. We'll share some interesting questions and topics suggested by our listeners, then we're going to take another of our recent technical deep dives to examine the precise cause of that pervasive NetUSB flaw – it's really fun and completely understandable!
45 MB 11 MB  336 KB   <-- Show Notes 90 KB 70 KB 272 KB

Episode #854 | 18 Jan 2022 | 102 min.
Anatomy of a Log4j Exploit

This week we start off by looking at how the U.S. Pentagon is dealing with Log4j and how the U.S. administration at the While House wants to improve the security of open source software. This being the 3rd Tuesday of the month, we'll look back last week's decidedly mixed-blessing Patch Tuesday – the good and the unfortunate. We'll then look at a very serious new remotely exploitable problem which affects many popular routers – and provide a shortcut of the week to immediately check your own routers – and then over a new and very welcome access control standard being introduced by the W3C which Chrome is already in the process of adopting. We'll wrap up the top portion of the podcast with yet another set of very serious WordPress add-on blunders. Then we'll share a bit of listener feedback, including answering the very popular questions about refilling empty SodaStream tanks. And after a brief SpinRite progress update we're going to take a close look inside the operation of an actual, Iranian, Log4j exploit kit.
49 MB 12 MB  413 KB   <-- Show Notes 106 KB 79 KB 288 KB

Episode #853 | 11 Jan 2022 | 93 min.
URL Parsing Vulnerabilities

This week we'll begin with another in our series of Log4j updates which includes among a few other bits of news, an instance of a real-world vulnerability and the FTC's somewhat surprising and aggressive message. We'll chronicle the Chrome browser's first largish update of 2022 and also note the gratifying 2021 growth of the privacy-centric Brave browser. WordPress needs updating, but this time not an add-on but WordPress itself. We're going to then answer the age-old question posed during last Wednesday's Windows Weekly podcast: “What exactly is a Pluton? and how many can dance on the head of a pin?” And finally, after a quick Sci-Fi reading recommendation and a very brief touch on my ongoing SpinRite work, we're going to take a gratifyingly deep dive into the unfortunate vagaries of our industry's URL parsing libraries to see just how much trouble we're in as a result of no two of them parsing URLs in exactly the same way.
45 MB 11 MB  765 KB   <-- Show Notes 116 KB 71 KB 310 KB

Episode #852 | 04 Jan 2022 | 90 min.
December 33rd

This week we start off the new year with a handful of Log4j updates including yet another fix from Apache; some false positive alarms; Alibaba in the doghouse; and an underwhelming announcement from the U.S. Department of Homeland Security. We note the postponement of a critical industry security conference, an interesting aspirational announcement from DuckDuckGo's CEO, and the soon-to-be-rising costs of cyber insurance. Then, after a bit of miscellany and a SpinRite update, we look at the surprising technological decision that has forced the official creation of December 33rd.
43 MB 11 MB  920 KB   <-- Show Notes 106 KB 68 KB 276 KB
2021 Archive Below...

Episode #851 | 28 Dec 2021 | 90 min.
Best of 2021

Leo Laporte walks through some of the highlights of the show and most impactful stories of 2021. Stories include: • SolarWinds Hack Detailed By Microsoft • Crispy Subtitles from Lay's • Remembering Dan Kaminsky • REvil Hacks Apple Supplier Quanta Computer • The “Doom” CAPTCHA • How Colonial Pipeline Was Breached • When John McAfee Called Steve Gibson • T-Mobile Subscribers: Do This Now • “Internet Anonymity” is an Oxymoron
52 MB 13 MB

Episode #850 | 21 Dec 2021 | 107 min.
It's a Log4j Christmas

There was no way that a massively widespread vulnerability in Java with a CVSS score of 10.0 would be wrapped up in a week. So this week we'll look at the further consequences of the Log4j vulnerabilities, including the two additional updates the Apache group have since released. But before that we'll look at what will hopefully be Chrome's final zero-day patch of the year, Firefox's surprise refusal to take its users to Microsoft.com, and Mozilla's decision to protect its users from Windows 10 cloud-based clipboard sharing. We have a new and interesting means of increasing the power of fraudulent cell tower Stingray attacks, and a continuing threat from cross-radio WiFi-to-Bluetooth leakage. We'll touch on a sci-fi reminder and a SpinRite update, then dig into what's happened since last week on the Log4j front.
52 MB 13 MB  532 KB   <-- Show Notes 142 KB 84 KB 354 KB

Episode #849 | 14 Dec 2021 | 91 min.
Log4j & Log4Shell

This week we will, of course, be discussing what's being called the worst Internet-wide security catastrophe in recent memory. Log4Shell is not like Spectre or Meltdown, which were academic theories. This is at the far other end of that spectrum. But first we're going to talk a bit about last week's massive Amazon network services outage and the unfortunate but probably inevitable abuse of Apple's AirTag ecosystem. I need to correct the record over my undeserved praise, last week, for Windows 11 and its loosening grip over its Edge browser association, and we need to warn all WordPress site admins about a new and serious set of threats. We have a single item of closing the loop feedback about today's main topic, a bit of Sci-Fi and a SpinRite update. Then, we'll roll up our sleeves and by the end of today's episode listening will understand exactly how, why and what happened with Log4j and Log4Shell.
44 MB 11 MB  413 KB   <-- Show Notes 106 KB 70 KB 280 KB

Episode #848 | 7 Dec 2021 | 95 min.

This week Tavis Ormandy finds a bug in Mozilla's NSS signature verification. We look at the horrifying lack of security in smartwatches for children (smartwatches for children?!?), and at the next six VPN services to be banned in Russia. Microsoft softens the glue between Windows 11 and Edge, bad guys find a new way of slipping malware into our machines, a botnet uses the bitcoin blockchain for backup communications, and HP has 150 printer models in dire need of firmware updates. We touch on sci-fi and SpinRite, then we look at new research into an entirely new class of cross-site privacy breaches affecting every web browser including a test every user can run for themselves on their various browsers.
46 MB 11 MB  2.21 MB   <-- Show Notes 111 KB 74 KB 308 KB

Episode #847 | 30 Nov 2021 | 113 min.
Bogons Begone!

This week we'll note that the new Edge browser's Super Duper Secure Mode has been deployed and can be enabled by security-conscious users. We also have more than one third 37% of the world's smartphones vulnerable to audio monitoring and recording flaws in their MediaTek firmware. We have an important reminder about clicking links in email and wonder how that can still be a problem, and the entirely predictable evolution of a Windows zero-day vulnerability which is latent no longer. We have some interesting closing-the-loop feedback from our terrific listeners, and a sci-fi book update. Then we take another and much broader look at the recent efforts to clean up IPv4, but this time from the perspective of those working to do so.
54 MB 14 MB  368 KB   <-- Show Notes 131 KB 84 KB 327 KB

Episode #846 | 23 Nov 2021 | 102 min.
HTTP Request Smuggling

We're going to start off this week by taking a careful look at a shocking proposal being made by the Internet's Engineering Task Force, the IETF. They're proposing a change to a fundamental and long-standing aspect of the Internet's routing which I think must be doomed to fail. So we'll spend a bit of time on this in case it might actually happen. Then Microsoft reveals some results from their network of honeypots, and we update on the progress, or lack of, toward more secure passwords. GoDaddy suffers another major intrusion, and just about every Netgear router really does now need to receive a critical update for the fifth time this year. This one is very worrisome.
49 MB 12 MB  601 KB   <-- Show Notes 108 KB 74 KB 283 KB

Episode #845 | 16 Nov 2021 | 94 min.

This week we look at a critical 9.8-rated vulnerability affecting Palo Alto Network's widely deployed VPN/Firewall appliance, and at a welcome new micropatch from the 0patch guys, the nature of which leads me into a bit of philosophical musing about the Zen of coding. We're then rocketed back to reality by a review of last week's Patch Tuesday, looking at what it broke and happily what more it fixed, including hints that Christmas might finally be coming to printing by December. We have some more encouraging ransomware vs the law news, and we examine the question of how to make big money defrauding online advertisers. I'll then share some fun and interesting closing the loop feedback from our listeners, update on my SpinRite work, and then we're going to take a look at “Blacksmith” – the evolution of Rowhammer attacks on DRAM.
45 MB 11 MB  819 KB   <-- Show Notes 96 KB 73 KB 278 KB

Episode #844 | 09 Nov 2021 | 112 min.
Bluetooth Fingerprinting

This week we quickly cover a bunch of welcome news on the combating ransomware front. We look at the results from last week's Pwn2Own contest in Austin Texas and at a weird problem that only some users of Windows 11 started experiencing after Halloween. There's a serious problem with GitLab servers and additional supply-chain attacks on JavaScript's package management. Google fixed a bunch of things in Android last Tuesday, and Cisco has issued an emergency CVSS 9.8 alert and US Federal agencies are being ordered to patch hundreds of outstanding vulnerabilities. We have some fun closing the loop feedback from our listeners. I'm going to share the details of an interesting IRQ problem I tracked down last week. Then we'll take a look at an aspect of radio frequency fingerprinting that has apparently escaped everyone's notice until seven researchers from UCSD did the math.
54 MB 13 MB  327 KB   <-- Show Notes 128 KB 87 KB 330 KB

Episode #843 | 02 Nov 2021 | 99 min.
Trojan Source

This week we keep counting them Chrome 0-days, we look at a pair of badly misbehaving Firefox add-ons with Mozilla's moves to deal with their and future proxy API abuse. We check-in for Windows news from Redmond which I'm again unable to resist commenting upon, then we look at a surprise motherload of critical updates from Adobe and at the still-ongoing DDoS attacks against VoIP providers and their providers. We'll look at some fun and interesting Closing The Loop feedback from our listeners and I'm able to share some surprising early benchmarks from SpinRite. Then we finish by looking at a frighteningly clever and haunting new attack against source code known as “Trojan Source.”
48 MB 12 MB  511 KB   <-- Show Notes 82 KB 74 KB 251 KB

Episode #842 | 26 Oct 2021 | 106 min.
The More Things Change...

This week we share some welcome news about Windows 11. Leo gets his wish about REvil. Microsoft improves vulnerability report management, attempts to explain their policy regarding the expiration of security updates, and prepares for the imminent release of the next big feature update to Windows 10, 21H2. Zerodium publicly solicits vulnerabilities in three top VPN providers. Three researchers disclose their new and devastating "Gummy Browser" attack, which I'll debunk. Another massively popular JavaScript NPM package has been maliciously compromised and then widely downloaded. We close the loop by looking at "Nubeva's" claims of having solved the ransomware problem. We touch on a new annoyance spreading across websites, and also briefly touch on four sci-fi events: "Dune," "Foundation," "Arrival," and "Invasion." I briefly update on SpinRite. Then we'll take a look back to share and discuss a conversation Leo and I had more than 20 years ago. What's surprising is the degree to which "The More Things Change..." how little, like nothing, actually has.
51 MB 13 MB  374 KB   <-- Show Notes 167 KB 90 KB 393 KB

Episode #841 | 19 Oct 2021 | 109 min.
Minh Duong's Epic Rickroll

This week we, of course, update on various controversies surrounding Win11 and catch up on the aftermath of last week's Patch Tuesday. We note that REvil's brief reappearance appears to have ended – perhaps this time forever – and we examine, just for the record, the outcome of the big, virtual, 30-nation anti-ransomware meeting where the invitations for China and Russia were apparently lost in the mail. We look at the amazing results of this past weekend's Tianfu Cup 2021 hacking competition in China, at the startling success of a prolific botnet's clipboard hijacking module, and at LinkedIn's decision to dramatically pare down its offerings in China. And then, after quickly sharing Sunday's big news about SpinRite, we're going to take a very fun and detailed look at the sophisticated senior prank orchestrated by Illinois' Minh Duong who miraculously sidestepped his own arrest.
52 MB 13 MB  573 KB   <-- Show Notes 124 KB 84 KB 326 KB

Episode #840 | 12 Oct 2021 | 98 min.
0-Day Angst

This week we look at Microsoft's decision to finally disable Excel's legacy XLM by default, but not for everyone. We look at Google's warning sent to more than 14,000 of its Gmail users and at their move toward enforced two-step verification. We look at recent hacking and ransom payment legislation and at last week's massive breach at Twitch. We cover the emergency Apache web server update and the mass exodus from WhatsApp during last week's Facebook outage. We look at new Windows 11 side effects and at Patch Tuesday. We close the loop with some listeners and I quickly update on SpinRite's progress. Then we settle down to consider the true significance and import of the various year-to-date 0-day counts.
47 MB 12 MB  572 KB   <-- Show Notes 101 KB 74 KB 283 KB

Episode #839 | 05 Oct 2021 | 105 min.
“Something Went Wrong”

This week we, of course, look at the massive global outage that took down all Facebook services for 6 hours yesterday. But before we get there we look at this week's new pair of 0-day flaws which Google fixed in Chrome, we note the arrival of Windows 11 with a yawn and also caution about one known flaw that it's already known to have. We look at some potential for global action against ransomware, and some possible movement by the FCC to thwart SIM swapping and number transporting attacks. We also examine a widespread Android Trojan which is making its attackers far too much money, and speaking of money, there's a known flaw in Apple Pay when using a VISA card that neither company wants to fix. And finally, after a quick check-in on SpinRite, we're going to examine what exactly did “go wrong” at Facebook yesterday?
51 MB 13 MB  606 KB   <-- Show Notes 136 KB 83 KB 348 KB

Episode #838 | 28 Sep 2021 | 97 min.

This week we examine a new pair of 0-days which have forced emergency updates to their respective products. We examine the growing annoyance of those who are reporting bugs to Apple, Epik's belated confirmation of their mega data breach, Windows 11's further progress toward its release, and its new and much more useful PC Health Check tool. We look at some additional fallout from this month's ever-exciting Patch Tuesday and take notice of a clever new approach for bypassing anti-malware checking under Windows. And after a quick check-in about the first two episodes of AppleTV's Foundation series, we settle in to examine the week's most explosive, worrisome and somewhat controversial disclosure of yet another huge Microsoft screw-up which caused this week's episode to be given the domain name: autodiscover.fiasco.
47 MB 12 MB  469 KB   <-- Show Notes 101 KB 72 KB 277 KB

Episode #837 | 21 Sep 2021 | 100 min.
Cobalt Strike

This week we examine a devastating and still ongoing DDoS attack against the latest in a series of VoIP service providers. We checkout the once again mixed blessing of last Tuesday's Microsoft patches, and we examine a welcome feature of Android 11 that's being back-ported through Android 6. We catch-up with Chrome's patching of two more new 0-day vulnerabilities and attacks, then we look at a “Pwnage” eMail I received from Troy Hunt's Have I Been Pwned site – was GRC Pwned? I then have a quick Sci-Fi reminder for the end of the week, a SpinRite update and a fun related YouTube posting. Then we'll wrap up by introducing the latest weapon in the malign perpetrator's arsenal, the powerful commercial tool known as Cobalt Strike.
48 MB 12 MB  880 KB   <-- Show Notes 109 KB 75 KB 285 KB

Episode #836 | 14 Sep 2021 | 118 min.
The Meris Botnet

This week we're going to note the apparent return of REvil--not nearly as dead and gone as many hoped. We're going to look at a new and quite worrisome 0-day exploitation of an old Windows IE MHTML component. Even though IE is gone, it's guts live on in Windows. We're going to share the not surprising but still interesting results of security impact surveys taken of IT and home workers, after which we'll examine a fully practical JavaScript based Spectre attack on Chrome. I have bit of closing the loop feedback to share and a surprisingly serious question about the true nature of reality for us to consider. Then we'll finish out today's podcast by looking at the evolution of Internet DoS attacks through the years which recently culminated in the largest ever seen, most problematic to block and contain RPS DDoS attack where RPS stands for Requests Per Second.
57 MB 14 MB  536 KB   <-- Show Notes 141 KB 89 KB 353 KB

Episode #835 | 07 Sep 2021 | 115 min.
TPM 1.2 vs 2.0

This week we look at a way of protecting ourselves from Razor-mouse-like local elevation of privilege attacks. We reexamine the meaning of the phrase “Internet Anonymity” following the ProtonMail revelation. We revisit Apple's now delayed CSAM plans. We look at some new troubles for Bluetooth and at a popular and persistently unpatched residential security system which can be trivially disarmed by bad guys. We share some interesting closing the loop feedback and a new Sci-Fi discovery. Then we take a long and careful look at the details and differences between version 1.2 and 2.0 of the Trusted Platform Module specification to discover just what it is that Microsoft wants to insist is available for Windows 11.
55 MB 14 MB  536 KB   <-- Show Notes 131 KB 86 KB 329 KB

Episode #834 | 31 Aug 2021 | 92 min.
Life: Hanging by a PIN

This week we'll start out by clarifying the terms credit freeze and credit lock. Then we have news of the T-Mobile breach from its perpetrator. We examine the evolving and infuriating question of where will Windows 11 run and we look at yet another newly revealed attack against Microsoft's Exchange server known as ProxyToken. I wanted to clarify a bit about Tailscale's source openness, and touch on the disturbing revelations shaking the mass storage industry with SSD performance being deliberately reduced once they've been well reviewed and adopted. I'll update our patient SpinRite owners on my recent work and progress, we'll touch on some cellular phone terminology, then conclude by considering the power of the PIN and look at just how much damage it can do.
44 MB 11 MB  421 KB   <-- Show Notes 107 KB 69 KB 280 KB

Episode #833 | 24 Aug 2021 | 107 min.
Microsoft's Reasoned Neglect

This week we briefly look at Firefox's plan to block unsecured downloads. We examine the threat posed by T-Mobile's massive and deep data breach and what current and past customers of T-Mobile should do. We look at three additional so-called “Overlay Networks” in addition to Tailscale, and also at the consequences of another Orange Tsai Microsoft Exchange Server exploit chain discovery. We'll also examine a simple-to-make flaw in the Razer gaming mouse installer, cover another worrisome IoT protocol screw-up, and share a couple of feedback notes and a question from our listeners. Then I want to conclude by following up on last week's discussion of Microsoft's apparent culpable negligence with a proposed explanation of their behavior and motivation which fits the facts so well that it becomes Reasoned Neglect.
51 MB 13 MB  801 KB   <-- Show Notes 112 KB 79 KB 313 KB

Episode #832 | 17 Aug 2021 | 79 min.
Microsoft's Culpable Negligence

This week we look at another very significant improvement in Firefox's privacy guarantees and the first steps for Facebook into native end-to-end encryption. We look at several well-predicted instances of abuse of Microsoft's PrintNightmare vulnerabilities, and at a clever cryptocurrency mining Botnet that optimizes the commandeered system for its own needs. We note ASUS' terrific move to help their motherboard users make the move to Windows 11, and at the merger of NortonLifeLock and Avast. Then, after touching upon a bit of errata and some closing-the-loop feedback from our terrific podcast followers, we conclude with a sober consideration of Microsoft's handling of vulnerability patching during the past year. And we ask what it means.
38 MB 9.5 MB  325 KB   <-- Show Notes 95 KB 62 KB 267 KB

Episode #831 | 10 Aug 2021 | 103 min.
Apple's CSAM Mistake

This week we look at a pervasive failure built into the random number generators of a great many, if not nearly all, lightweight IoT devices. We look at some old, new and returned critical vulnerabilities in major VPN products. And we encounter 14 fatal flaws in a widely used embedded TCP/IP stack. We look at a number of terrific bits of feedback from our listeners. Then we carefully examine the operation and consequences of Apple's recent announcement of their intention to begin reacting to the photographic image content being sent, received and stored by their iOS-based devices.
50 MB 12 MB  1.0 MB   <-- Show Notes 131 KB 80 KB 322 KB

Episode #830 | 03 Aug 2021 | 118 min.
The BlackMatter Interview

This week we look at FireFox's declining active user count, at the evolution of the Initial Network Access Broker world, at several different ransomware group renamings and revivals and we encounter a well-informed Active Directory security researcher who feels about Microsoft's July pretty much as we do. I want to turn our listeners onto a very interesting looking Hamachi'esque overlay for WireGuard and share a fun diagnostic anecdote that cost me a day of work last Friday. We have a bit of closing the loop feedback from a couple of our listeners, then we're going to share an interview with a member of the “maybe new or maybe rebranded” ransomware group BlackMatter which Recorded Future posted yesterday.
57 MB 14 MB  583 KB   <-- Show Notes 130 KB 90 KB 330 KB

Episode #829 | 27 Jul 2021 | 100 min.
SeriousSAM & PetitPotam

This week we will plow into another two new serious vulnerabilities brought to the industry by Microsoft named SeriousSAM and PetitPotam. But we first look at how Chrome managed to hugely speed up its Phishing website early warning system (making it even earlier). We cover the striking news of Kaseya having obtained a universal decryptor which is effective for every one of their victims, we look at the massive HP printer driver mess and consider the larger lesson that it teaches, and then we look at the new security features GitHub is bringing to its support of the "Go" language. Then, after sharing one bit of listener feedback, we plow into SeriousSAM and PetitPotam.
48 MB 12 MB  801 KB   <-- Show Notes 109 KB 75 KB 287 KB

Episode #828 | 20 Jul 2021 | 99 min.
REvil Vanishes!

This week we look at the continuing attacks on Chrome with yet another zero-day and at Mozilla's continuing work to give their users the most privacy possible. We reexamine that iOS WiFi SSID bug and a related bug which, it turns out, Apple apparently knew was a showstopper. Amazingly, two more new problems have surfaced with Microsoft printer technology. We have a review of last week's Patch Tuesday including the importance of also updating any instances of Adobe's Acrobat and Reader. We revisit an old friend and consider the folly of rolling one's own crypto. We look at the explosive revelations surrounding the widespread abuse of iPhone and Android "surveillance-ware" produced by the NSO Group. And finally, after sharing one fun piece of errata, we're going to finish by examining the curious, sudden, complete and total disappearance of the REvil ransomware organization.
48 MB 12 MB  722 KB   <-- Show Notes 105 KB 74 KB 284 KB

Episode #827 | 13 Jul 2021 | 107 min.
REvil's Clever Crypto

The past week has been dominated by the unimaginable mess that Microsoft has created with what have become multiple failed attempts to patch the two PrintNightmare flaws, and the continuing “Cleanup on Aisle 5” following what is widely regarded as the single most significant ransomware supply chain attack event ever. So today we first catch up on the still sadly relevant PrintNightmare from which the industry has been unable to awaken. We'll cover a few more bits of security news. Then, as planned, we'll take a deep dive into the detailed operation of the REvil/Sodinokibi malware's cryptographic design.
51 MB 13 MB  639 KB   <-- Show Notes 96 KB 80 KB 287 KB

Episode #826 | 06 Jul 2021 | 94 min.
The Kaseya Saga

The so-called Windows “PrintNightmare” remote code execution flaw, as bad as it is, was overshadowed by the Sodinokibi malware which the REvil ransomware gang managed to infiltrate into Kaseya, a popular provider of remote network management solutions for managed service providers. Since those MSP's all, in turn, have their own customers, the result was a multiplicative explosion in simultaneous ransomware attacks. Since those attacks reportedly numbered in excess of 1000(!), this makes it the worst ransomware event in history. So, while we'll definitely be covering the PrintNightmare and other events of the week, our topic will be the reconstruction of the timeline and details of the Kaseya Saga.
45 MB 11 MB  1.37 MB   <-- Show Notes 113 KB 71 KB 309 KB

Episode #825 | 29 Jun 2021 | 97 min.
Halfway through 2021

This week we look at the story behind an important Edge update and revisit Google's now-delayed FloC liftoff. We consider the cost of Ireland's recovery from the Conti ransomware attack, and ask who's responsible for the damage and data loss following the remote wiping of many Western Digital My Book NAS devices. We take a moment to observe the passing of an industry legend. Then, we look at the mess surrounding questions of where Windows 11 will run. I share my favorite web browser keyboard shortcut, and also my favorite web site cloning tool, which I just had the occasion to use. We have a worthwhile looking cybersecurity Humble Bundle, then we'll wrap up by responding to two pieces of closing the loop feedback from our terrific listeners. And that will bring us to the end of the first half of an event-filled 2021.
47 MB 12 MB  385 KB   <-- Show Notes 133 KB 76 KB 323 KB

Episode #824 | 22 Jun 2021 | 120 min.
Avaddon Ransonomics

This week, believe it or not, we have yet another 0-day stomped out in Chrome. We also have some additional intelligence about the evolution of the ransomware threat. I also want to closely look at a curious WiFi bug that was recently discovered in iOS and what it almost certainly means about the way we're still programming today. Under our miscellany topic I want to share the SHA256 hash of the developer release .ISO of Windows 11 that Paul Thurrott, I and many others have been playing with this past week. I have a tip about creating an offline account and restoring Windows 10's traditional Start menu under Windows 11. A new purpose has also been discovered for this podcast which I want to share, and I've decided to explain in more detail than I have before what I've been doing with SpinRite's evolution - it's much more than anyone might expect - yet no more than is necessary. Then we're going to conclude with the view of ransomware from Russia, from two Russian security researchers who believe they know exactly why the Avaddon ransomware as a service decided to shutter its operations and publish its keys.
58 MB 14 MB  429 KB   <-- Show Notes 132 KB 92 KB 347 KB

Episode #823 | 15 Jun 2021 | 123 min.
TLS Confusion Attacks

This week we're going to start by looking at a moment-by-moment reconstruction of a recent Chrome browser attack and patch battle. Then we're going to recap last week's industry wide June patch-fest followed by looking at TikTok's controversial but unsurprising privacy policy update. We need to also cover the wonderful spy-novel'ish ANOM sting operation which lowered the boom on as many as 800 criminals. For our happily infrequent Errata section we'll challenge an apparently erroneous statement I made last week, then I want to share an interesting laptop data recovery experience which BitLocker made much more complex a few weeks ago which I think our listeners will find interesting. Then we're going to tackle this week's topic of some very troubling research which again demonstrates just how difficult it is to design robustly secure networked systems.
59 MB 15 MB  445 KB   <-- Show Notes 176 KB 97 KB 402 KB

Episode #822 | 08 Jun 2021 | 114 min.
Extrinsic Password Managers

This week I want to start off with a calm rant to summarize why today's computer security is so atrocious. I think it's worth a bit of a reality check on that. Then we're going to look at a new feature in Firefox and at Firefox's apparent jump in performance. We'll touch on three new ransomware victims, look at what's been learned about how Colonial Pipeline was breached, and at the curious news that the FBI somehow managed to snatch all of DarkSide's Bitcoins. We'll look at the latest good and bad news regarding WordPress, and at Github's updated policy regarding posting proofs-of-concepts for ongoing attacks. I've finished Project Hail Mary, so I have a comment to make there, and I want to address the surprisingly controversial question of NAT vs IPv6. Then we'll wrap up by examining the question of whether password managers should be intrinsic to our browsers or extrinsic. I think we're going to have some fun!
55 MB 14 MB  513 KB   <-- Show Notes 138 KB 92 KB 357 KB

Episode #821 | 01 Jun 2021 | 104 min.
Epsilon Red

This week we begin by examining the recent advances made by the just-released Chrome 91 and revisit Google's configurable long-term activity logging. On the ransomware front we look at yet another likely addition to the ransomware ecosystem: trusted 3rd-party file decryptors. We anticipate next week's activation of the Amazon Sidewalk ultra-wide area network, look at the questionable claims of another massive cyberattack, and at WhatsApp's privacy struggles with India and Brazil – couldn't happen to nicer folks. Then we'll touch on just a single bit of trivia before plowing into a detailed examination of the operation of the newest ransomware in town: Epsilon Red.
50 MB 12 MB  678 KB   <-- Show Notes 125 KB 80 KB 323 KB

Episode #820 | 25 May 2021 | 88 min.
The Dark Escrow

This week we examine Firefox's just-released and welcome re-architecture under codename "Fission." We look at a new and recently active ransomware player named "Conti" and at a recently paid, high-profile mega ransom. We then ask the question, "When they say IoT, do they mean us?" We examine the implications of a new industry term, "mean time to inventory." We'll then lighten things up a bit with a new form of CAPTCHA and, of all things, a screensaver I discovered that I cannot take my eyes off of. (Leo, it's not quite as bad as whatever that game is that you cannot stop playing, but still.) We'll then share an ample helping of closing-the-loop feedback from our terrific listeners, after which I want to conclude by predicting what I would bet we're probably going to next see emerge from the evolving ransomware business model sad though it is to utter the phrase "ransomware business model."
42 MB 11 MB  589 KB   <-- Show Notes 95 KB 67 KB 273 KB

Episode #819 | 18 May 2021 | 105 min.
The WiFi Frag Attacks

This week we follow-up on last week's “News from the Darkside” with a surprising amount of happenings including the dark web's rejection of further ransomware. We look at blockchain analytics which are used to follow the dark money, the mixed signals now coming from the Darkside group and a live list of more than 2000 ransomware attacks during the past two years from the dark web. We cover last week's Patch Tuesday that you won't want to miss. We have a bit of miscellany, including the “Unidentified Aerial Phenomena Task Force” which is actually a thing, and some closing-the-loop feedback from our listeners regarding last week's Andy Weir's “Hail Mary” book mention. Then we take a close look at the biggest non-Colonial Pipeline news from last week: a new round of research which revealed a range of attacks on WiFi's security.
50 MB 13 MB  1.27 MB   <-- Show Notes 119 KB 83 KB 320 KB

Episode #818 | 11 May 2021 | 94 min.
News from the DarkSide

This week we look at a new (and old) thread to our global DNS infrastructure. We ask what the heck Google is planning with two-step verification, and we examine a huge new problem with the Internet's majority of email servers. We look at the reality of Tor exit node insecurity, touch on a new sci-fi novel by a well-known author, share a bit of closing-the-loop feedback, then take a look at this latest very high-profile ransomware attack from a previously low-key attacker.
45 MB 11 MB  516 KB   <-- Show Notes 97 KB 70 KB 273 KB

Episode #817 | 04 May 2021 | ??? min.
The Ransomware Task Force

This week we touch on several topics surrounding ransomware. We look at the REvil attack that affected Apple, and at this past weekend's attack that brought down Southern California's world renown Scripps Health system. We catch up on the multinational takedown of the Emotet botnet and the FBI's contribution of more than 4 million compromised eMail addresses to Troy Hunt's Have I Been Pwned. We also look at the two notification services that Troy now offers. I take the opportunity to pound another well-deserved nail into QNAP, and take note of an update I just made to my favorite NNTP newsreader, Gravity. I also ran across a Dan Kaminsky anecdote that I had to share, then we have two pieces of closing the loop listener feedback before we conclude by taking a look at the just-announced task force to combat ransomware. Is there any hope that this scourge can be thwarted?
57 MB 14 MB  363 KB   <-- Show Notes 137 KB 93 KB 361 KB

Episode #816 | 27 Apr 2021 | 115 min.
The Mystery of AS8003

This week we begin by remembering Dan Kaminsky, who the world lost last Friday at the age of 42. We finally catch up with this month's Patch Tuesday, and look at a welcome maturation in Google's Project Zero vulnerability disclosure policy. We shine a light upon a new startup venture which, if successful, promises to dramatically improve the future of IoT security. We then look at some controversial security research, for which the researchers have apologized, and wonder whether any apology was due. We shine another light onto a new battle Cloudflare has chosen to wage against an abusive patent troll, to help Cloudflare with additional attention, and to let our listeners know that they can participate in a money-making hunt for prior art. And after a brief SpinRite progress report, we engage with the Internet mystery of the Autonomous System 8003.
55 MB 14 MB  457 KB   <-- Show Notes 132 KB 89 KB 358 KB

Episode #815 | 20 Apr 2021 | 106 min.
Homogeneity Attacks

This week we touch on the Vivaldi browser project's take on Google's FLoC. We look at Chrome's vulnerability-driven update to v89, and then its feature-embellished move to Chrome 90. We consider the surprising move by the FBI to remove web shells from U.S. Exchange Servers without their owners' knowledge or permission, and WordPress's consideration of FLoC Blocking. We also have an interesting-looking programmer's Humble Bundle, some interesting closing-the-loop feedback from our listeners, and a brief progress report on SpinRite. We finish by examining an important privacy guarantee provided by Google's FLoC implementation which prevents homogeneity attacks, where users presenting a common cohort ID also share a sensitive attribute.
51 MB 13 MB  767 KB   <-- Show Notes 104 KB 79 KB 288 KB

Episode #814 | 13 Apr 2021 | 108 min.
PwnIt and OwnIt

This week we start with some needed revisiting of previous major topics. We look at an additional remote port that Chrome will soon be blocking, and the need to change server ports if you're using it. We look again at Google's forthcoming FLoC non-tracking technology and a new test page put up by the EFF. We revisit the PHP GIT server hack now that it's been fully understood. We look at Cisco's eyebrow-raising decision not to update some end-of-life routers having newly revealed critical vulnerabilities, and we also examine another instance of the industry's failure to patch for years. Then, we conclude with a blow-by-blow, or hack-by-hack, walkthrough of last week's quite revealing and somewhat chilling Pwn2Own competition.
52 MB 13 MB  664 KB   <-- Show Notes 112 KB 81 KB 318 KB

Episode #813 | 06 Apr 2021 | 109 min.
A Spy in Our Pocket

This week, by popular demand, we examine the big cover-up at Ubiquiti. We look at the consequences of the personal data of 533-plus million Facebook users appearing on the 'Net and how to tell if you're represented there. We look at another water treatment plant break-in with a very different outcome. We look at a new move by Google to further lock down Android against abuses of its permissive-by-design API services. We look at the new threat to Call Of Duty cheaters, and yet another set of serious vulnerabilities in QNAP NAS devices. Then, after sharing a catchy tweet, we look into some new research from researchers in Ireland into the unwarranted chattiness of iOS and Android mobile phones.
52 MB 13 MB  862 KB   <-- Show Notes 92 KB 83 KB 289 KB

Episode #812 | 30 Mar 2021 | 87 min.
GIT Me Some PHP!

This week we begin by checking in on the patching progress, or lack therefore, of the ProxyLogon Exchange Server mess. We examine a new Spectre vulnerability in Linux, a handful of high-severity flaws affecting OpenSSL, still more problems surfacing with SolarWinds code, an intriguing new offering from our friends at Cloudflare, and the encouraging recognition of the need for increasing vigilance of the security of increasingly prevalent networked APIs. I'll check in about my work on SpinRite. Then we're going to take a look at the often breathlessly reported hack of the PHP project's private Git server, and why I think that all the tech press got it all wrong.
42 MB 10 MB  969 KB   <-- Show Notes 106 KB 67 KB 276 KB

Episode #811 | 23 Mar 2021 | 114 min.
What the FLoC?

This week we briefly, I promise, catch up with ProxyLogon news regarding Windows Defender and the Black Kingdom. We look at Firefox's next release which will be changing its Referer header policy for the better. We look at this week's most recent RCE disaster, a critical vulnerability in the open source MyBB forum software, and China's new CAID (China Anonymization ID). We then conclude by taking a good look at Google's plan to replace tracking with explicit recent browsing history profiling, which is probably the best way to understand FLoC (Federated Learning of Cohorts). And as a special bonus we almost certainly figure out why they named it something so awful.
55 MB 14 MB  375 KB   <-- Show Notes 131 KB 87 KB 328 KB

Episode #810 | 16 Mar 2021 | 113 min.

This week we start off with a bunch of interesting browser-related news, zero-days, updates, a browser-based PoC for Spectre, a zero-script tracking kludge, and a look at last Tuesday's Patch Tuesday, what it fixed and what it broke. Some wonderful news for the Open Source community, a bit of miscellany, some listener feedback, and a screenshot of the final replacement for SpinRite's "Discovering System's Mass Storage Devices..." screen. Then we revisit the Microsoft Exchange disaster, another week downstream and still drowning.
54 MB 14 MB  2.3 MB   <-- Show Notes 111 KB 85 KB 319 KB

Episode #809 | 09 Mar 2021 | 95 min.

This week we look into last week's critical Chrome update and also cover the wackiest-but-true Chrome extension of all time. We look at Google's new funding of Linux security development; a surprisingly undead, long-unheard-from media player that just received a massive collection of updates; and, yes, still another way of abusing Intel's latest processor microarchitecture. We need to update everyone on our Dependency Confusion topic from two weeks back because there's big news there. We have several bits of identical listener feedback all wanting to be sure that I knew something had happened. Then we're going to cover the world's latest global crisis which we first mentioned as breaking news in the middle of last week's podcast. It was breaking then. It's badly broken now.
46 MB 11 MB  795 KB   <-- Show Notes 94 KB 68 KB 272 KB

Episode #808 | 02 Mar 2021 | 109 min.
CNAME Collusion

This week we discuss a welcome change coming soon to the Chrome browser, and a welcome evolution in last week's just released Firefox 86. We're going to look at questions surrounding the source of the original intrusion into SolarWinds servers, and at a new severity-10 vulnerability affecting Rockwell Automation PLC controllers. We'll touch on VMware's current trouble with exploitation of their vCenter management system, and I want to share a recent code debugging experience I think our listeners will enjoy and find interesting. Then we're going to conclude with some information about something that's been going on quietly out of sight and under the covers which must be made as widely public among web technologists as possible.
52 MB 13 MB  526 KB   <-- Show Notes 123 KB 81 KB 319 KB

Episode #807 | 23 Feb 2021 | 105 min.
Dependency Confusion

This week we'll follow-up on the Android SHAREit app sale. We look at a clever new means of web browser identification and tracking and at a little mistake the Brave browser made that had big effect. I want to remind our listeners about the ubiquitous presence of tracking and viewing beacons in virtually all commercial eMail today. We'll look at Microsoft's final SolarWinds Solorigate report and at another example of the growing trend of mobile apps being sold and then having their trust abused. I'll share a post from the weekend about a dramatic improvement in SSD performance after running SpinRite, but also why you may wish to hold off on doing so yourself. And then we're going to look at what everyone will agree was -- and perhaps still is -- a breathtaking oversight in the way today's complex software products are assembled which creates an inherent massive vulnerability across the entire software industry.
51 MB 13 MB  360 KB   <-- Show Notes 107 KB 77 KB 285 KB

Episode #806 | 16 Feb 2021 | 107 min.

This week we'll begin by following up on last week's headline-making attack on the Oldsmar, Florida water treatment plant with new details that have since come to light. We'll then take a look into last week's Patch Tuesday event and at some of the sadly broken things that have once again been fixed. Also, anyone using Adobe's PDF tools, Acrobat or Reader, needs to update. We're going to look at a dangerous Android App with 1.8 billion (with a "b") users, and at Microsoft's note about the rise of web shells, which dovetails nicely into this week's WordPress add-on disaster. I'll briefly update about my past eventful week with SpinRite, which includes a 25-second movie of new SpinRite code running. Then we'll take a look at the recent discovery of the largest list of email and password combinations ever compiled, and what we can each do about it.
51 MB 13 MB  405 KB   <-- Show Notes 127 KB 82 KB 321 KB

Episode #805 | 09 Feb 2021 | 121 min.
SCADA Scandal

This week we begin with a collection of interesting and engaging news surrounding Google's Chrome browser. We look at a high-profile Windows Defender misfire, and at new WordPress plugin nightmares. We check in on the world of DDoS attacks and cover the meaning of three new critical vulnerabilities in SolarWinds software. We have a bit of closing-the-loop feedback from our listeners, an update on my work toward the next SpinRite, and then we look at a near-miss disaster in a poorly designed industrial control system.
58 MB 14 MB  255 KB   <-- Show Notes 132 KB 90 KB 357 KB

Episode #804 | 02 Feb 2021 | 114 min.
NAT Slipstreaming 2.0

This week we examine another instance of a misbehaving certificate authority losing Chrome's trust. We cover a number of serious new vulnerabilities including an urgent update need for the just-released Gnu Privacy Guard; another supply chain attack against end users; a disastrous 10-year-old flaw in Linux's SUDO command; and, thanks to Google, some details of Apple's quietly redesigned sandboxing of iMessage in iOS 14. I'm going to share something that I think our listeners will find quite interesting about some recent architectural decisions for SpinRite, and then we'll conclude with a look at the inevitable improvement in NAT bypassing Slipstreaming.
55 MB 14 MB  279 KB   <-- Show Notes 121 KB 85 KB 323 KB

Episode #803 | 26 Jan 2021 | 115 min.
Comparative Smartphone Security

This week we look at the updates in release 88 of both Chrome and Edge with their evolving password manager features. We also look at two recent headshaking consequences of the hard end of life for Adobe's Flash. Ransomware gangs have added another new incentive for payment, and additional details continue emerging about last year's SolarWinds attacks. We have newly disclosed discoveries from a Google Project Zero researcher, and I spend a bit of time wondering out loud how we're ever going to change the low priority that's currently being given to serious security problems that don't directly inconvenience end users. And we finish by examining a very useful analysis of the comparative security of iOS and Android recently published by Johns Hopkins' Matthew Green and team.
55 MB 14 MB  413 KB   <-- Show Notes 118 KB 86 KB 321 KB

Episode #802 | 19 Jan 2021 | 87 min.
Where the Plaintext Is

This week we look at one aspect in which Chrome and Chromium differ, and then at a bit of growth news from the DuckDuckGo folks. Google's Project Zero reports on some terrific detective work, and we look at last week's Patch Tuesday. There's also Microsoft's pending change to the flaws which enabled last year's Zerologon debacle, and the NSA's interesting statement about enterprises and the DoH protocol. We look at the research that cracked the secret key out of Google's supposedly uncrackable Titan FIDO U2F dongle, and we catch up with a bit of listener feedback. Then we wrap up by looking at various aspects of the frenzy caused by WhatsApp's quite predictable move to incorporate its users' conversation metadata into Facebook's monetization ecosystem.
42 MB 10 MB  506 KB   <-- Show Notes 86 KB 65 KB 244 KB

Episode #801 | 12 Jan 2021 | 110 min.
Out With the Old

This week we address critical updates for Firefox and all Chromium-based browsers and a potentially unwelcome, but reversible, change coming to Firefox. We look at another new tactic being employed by ransomware gangs; an update on ransomware's profitability; a bogus-seeming announcement from Intel during yesterday's CES; and the first use, on this podcast, of the term "teledildonics." Following that, we have some residual SolarWinds news, the formation of a security screw-up crisis management group, news of the inevitable attacks on Zyxel users, the mass exodus from WhatsApp following their plans to force all metadata sharing, and a sci-fi note about "The Expanse." Then, inspired by the amazing amount of old code I have rediscovered inside SpinRite, I will take our listeners back to the roaring '80s with a look at how far we have come from DOS v3.3, whose maximum partition size was 33.5 megabytes.
53 MB 13 MB  350 KB   <-- Show Notes 120 KB 83 KB 320 KB

Episode #800 | 05 Jan 2021 | 106 min.

This week we open the New Year taking a longer look at fewer topics since the bad guys were apparently enjoying their New Year holiday, too. So we look at an interesting kludge that's been forced upon Chrome by ill-mannered antiviral scanners. We need to warn all enterprise users of Zyxel network border security products of another recently discovered built-in backdoor. We look at the rise in IoT compromise swatting attacks and a series of new flaws and vulnerabilities in the PHP Zend and Yii frameworks. We have a quick bit of miscellany to share, then I want to explain a lot about the value of trimming SSDs and newer SMR drives. And we'll conclude by catching up with what will hopefully be the last news, for a while at least, of the disastrous SolarWinds breach and intrusions.
51 MB 13 MB  293 KB   <-- Show Notes 117 KB 77 KB 314 KB

• Current Podcast Page
• Security Now 2020
• Security Now 2019
• Security Now 2018
• Security Now 2017
• Security Now 2016
• Security Now 2015
• Security Now 2014
• Security Now 2013
• Security Now 2012
• Security Now 2011
• Security Now 2010
• Security Now 2009
• Security Now 2008
• Security Now 2007
• Security Now 2006
• Security Now 2005

You can receive an eMail reminder whenever this page is updated with a new Security Now! episode. Click the "Monitor Changes" button to have the highly-regarded "Change Detection" web site monitor this page and send you a note when it changes.

Monitor this page for changes: (it's private by ChangeDetection)
Security Now!, SpinRite Testimonials, and other Feedback:
Please use GRC's Visitor & Listener FEEDBACK Page where you may easily submit any feedback for Security Now, SpinRite testimonials, suggestions for future Security Now topics or questions & comments for future Listener Feedback episodes. Thank you!

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2022 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Dec 06, 2022 at 12:23 (1.67 days ago)Viewed 1,380 times per day