Our weekly audio security column
& podcast by Steve Gibson and Leo Laporte
TechTV's Leo Laporte and I spend somewhat shy of two hours each week to discuss important issues of personal computer security. Sometimes we'll discuss something that just happened. Sometimes we'll talk about long-standing problems, concerns, or solutions. Either way, every week we endeavor to produce something interesting and important for every personal computer user.

SteveAndLeoAsPicardAndRiker
(This was not our idea. It was created by a fan of the podcast using GIMP (similar to
Photoshop). But as a work of extreme image manipulation, it came out surprisingly well.)

 You may download and listen to selected episodes from this page (see below), or subscribe to the ongoing series as an RSS "podcast" to have them automatically downloaded to you as they are produced. To subscribe, use whichever service you prefer . . .

 Receive an automatic eMail reminder whenever a new episode is posted here (from ChangeDetection.com). See the section at the bottom of this page.

 Send us your feedback: Use the form at the bottom of the page to share your opinions, thoughts, ideas, and suggestions for future episodes.

 Leo also produces "This Week in Tech" (TWiT) and a number of other very popular podcasts (TWiT is America's most listened to podcast!) So if you are looking for more informed technology talk, be sure to check out Leo's other podcasts and mp3 files.

 And a huge thanks to AOL Radio for hosting the high-quality MP3 files and providing the bandwidth to make this series possible. We use "local links" to count downloads, but all of the high-quality full-size MP3 files are being served by AOL Radio.





Episode Archive

Each episode has SIX resources:

High quality 64 kbps mp3 audio file
Quarter size, bandwidth-conserving,
16 kbps (lower quality) mp3 audio file
A PDF file containing Steve's show notes
A web page text transcript of the episode
A simple text transcript of the episode
Ready-to-print PDF (Acrobat) transcript  

(Note that the text transcripts will appear a few hours later
than the audio files since they are created afterwards.)

For best results: RIGHT-CLICK on one of the two audio icons & below then choose "Save Target As..." to download the audio file to your computer before starting to listen. For the other resources you can either LEFT-CLICK to open in your browser or RIGHT-CLICK to save the resource to your computer.

Episode #741 | 19 Nov 2019 | 114 min.
TPM-FAIL

This week we look back at November's Patch Tuesday while we count down to the impending end of patches for Windows 7 and Server 2008. We check in with CheckM8 and Checkra.in as the iOS bootrom exploit continues to mature. We look at GitHub's announcement launch of "GitHub Security Lab" to bring bounties and much stronger security focus to the open source community. We discuss a recent court ruling regarding U.S. border entry device searches. We cover yet another bad WhatsApp remote code execution vulnerability. We examine the impact of version 2 of ZombieLoad, the formation of the Bytecode Alliance, and a bit of media miscellany. Then we examine the impact of two Trusted Platform Module (TPM) failings, one which allows local key extraction, and a second that can be exploited remotely over a network.
55 MB 14 MB  206 KB   <-- Show Notes 143 KB 91 KB 358 KB

Episode #740 | 12 Nov 2019 | 118 min.
Credential Delegation

This week we check in on the developments of the long-term, now working, full consumer jailbreak of iOS devices from the iPhone 4S through the iPhone X. We examine the strange case of the misbehaving transducer, catch up on the rapidly evolving exploitation of the BlueKeep vulnerability, check out Mozilla's rebuttal to Comcast's attack on DoH, examine the surprising state of web browser support for DoH, and remind Linux and BSD users to refresh their distros after an important flaw was disclosed in a widely used archive library. Then we take a deep dive into the operation of a newly announced forthcoming solution and standard for significantly improving TLS website certificate security known as "TLS Credential Delegation."
56 MB 14 MB  255 KB   <-- Show Notes 102 KB 88 KB 291 KB

Episode #739 | 05 Nov 2019 | 109 min.
DoH & BlueKeep

This week we examine a widespread Windows breakage introduced by last month's patch Tuesday. We look at several things Google changed in their just-released Chrome 78, news from the Edge, the status of attacks on Intel chips, a new attack on publicly-exposed QNAP NAS devices, the significant risk of trusting managed service providers, the downside of apps for autos, and worries over Chinese made drones. We then finish by coming back to look at news on two other fronts: The escalating controversy over DNS-over-HTTPS (DoH) and the commencement of the long-awaited BlueKeep vulnerability attacks.
52 MB 13 MB  432 KB   <-- Show Notes 95 KB 82 KB 289 KB

Episode #738 | 29 Oct 2019 | 115 min.
A Foregone Conclusion

This week we look at another collision created by third-party AV; a powerful new Windows Defender feature that's easy to have missed; a public database breach by someone who should know better; what's worse than having all your files encrypted?; a VERY nice-looking, fully encrypted and free email service engineered in privacy-respecting Germany; stats coming back from Firefox's newly enhanced tracking privacy protection; a new and very bad remote code execution vulnerability affecting Nginx web servers; and the planned introduction of RCS to replace SMS next year. We also have a piece of SQRL news and some miscellany. Then we look at the outcome of a recent appellate court decision which complicates the decision about whether using a password or a biometric is more "judgment proof."
55 MB 14 MB  364 KB   <-- Show Notes 105 KB 87 KB 297 KB

Episode #737 | 22 Oct 2019 | 121 min.
Biometric Mess

This week we check in on the frenzy to turn CheckM8 into a consumer-friendly iOS jailbreak, on another instance of stealth steganography, on a number of changes to Firefox's URL display, and on the state of Microsoft's ElectionGuard open source voting system. We also look at a very serious flaw that was just found in Linux's Realtek WiFi driver and some welcome news from Yubico. We touch on a couple of miscellaneous media tidbits, then take a look at the ramifications of two recent biometric authentication failures and consider the challenges and inherent tradeoffs of biometric authentication.
58 MB 14 MB  365 KB   <-- Show Notes 107 KB 89 KB 295 KB

Episode #736 | 15 Oct 2019 | 101 min.
CheckM8

This week we take a look at a sobering supply chain proof-of-concept attack, an update on the ongoing encryption debate, a blast-from-the-past password decryption, an intriguing security and privacy consequence of today's high-resolution consumer cameras, and the sad state of consumer security knowledge. OpenPGP gets a nice boost, Windows Defender gets Tamper Protection, and SQRL gets a very nice mention by Google's Cloud Security architects. We'll share a bit of sci-fi and fun miscellany, then conclude by examining the crucially important, widely available, and completely unpatchable Apple Boot ROM exploit known as "CheckM8."
48 MB 12 MB  522 KB   <-- Show Notes 156 KB 79 KB 352 KB

Episode #735 | 08 Oct 2019 | 111 min.
Makes Ya WannaCry

This week we reveal a miracle mistake made by a hacker more than years ago that saved the world from devastating ransomware. But first we catch up on recent ransomware activities, examine the detailed handoff from the GandCrab shutdown and the Sodinokibi startup, a welcome change in Microsoft's Extended Security Update policy for Windows 7, a nasty zero-day RCE in vBulletin, and a bit of nice SQRL news.
53 MB 13 MB  675 KB   <-- Show Notes 147 KB 88 KB 357 KB

Episode #734 | 01 Oct 2019 | 108 min.
The Joy of Sync

With this week's "The Joy of Sync" podcast, we focus upon the latest state-of-the-art secure solutions for cross-device, cross-location device synchronization. But before we delve into that abyss, we'll update on Mozilla's recently announced plans to gradually and carefully bring DNS-over-HTTPS to all Firefox users in the U.S. It turns out it's not quite the slam dunk that we might imagine. We'll also check in with the EFF to see what they think, and remind our listeners about the 100% free VPN offering coming from our friends at Cloudflare.
52 MB 13 MB  265 KB   <-- Show Notes 118 KB 82 KB 318 KB

Episode #733 | 24 Sep 2019 | 102 min.
Top 25 Bug Classes

This week we look at the driver behind this summer's comeback in cryptocurrency mining. We also check out a managed security provider's summary of the biggest problems they encounter with their more than 4000 clients. We look at the revised and worrisome update after six years of SOHO router and NAS device security, and we suggest that everyone using Chrome go to Help > About. I found three notes about SpinRite that I'm not sure I ever shared, so I will. Then we conclude with the result of processing the massive CVE vulnerability database which reveals the top 25 most enduring classes of software bug impacting the security of our industry.
49 MB 12 MB  370 KB   <-- Show Notes 113 KB 76 KB 312 KB

Episode #732 | 17 Sep 2019 | 87 min.
SIMjacking

This week we continue following the DoH story, which we begin discussing two weeks from now as a result of a rip in the space-time continuum. We also look at recent changes to Chrome 77 and the forthcoming Chrome 78, the already compromised iOS 13.0, and Mozilla Firefox's new browser VPN offering. We take a look back at last Tuesday's Patch Tuesday, take note of Chrome's Remote Desktop feature, cover another serious Exim mail server problem, handle a bit of miscellany, and examine a serious vulnerability affecting essentially ALL smartphone users known as “Simjacker.”
42 MB 10 MB  670 KB   <-- Show Notes 111 KB 66 KB 292 KB

Episode #731 | 10 Sep 2019 | 101 min.
DeepFakes

This week we look at a forced two-day recess of all schools in Flagstaff, Arizona; the case of a ransomware operator being too greedy; Apple's controversial response to Google's posting last week about the watering hole attacks; Zerodium's new payout schedule and what it might mean; the final full public disclosure of BlueKeep exploitation code; some potentially serious flaws found and fixed in PHP that may require our listener's attention; some SQRL news, miscellany, and closing-the-loop feedback from a listener. Then we take our first look on this podcast into the growing problem and threat of “Deepfake” media content.
49 MB 12 MB  507 KB   <-- Show Notes 132 KB 81 KB 321 KB

Episode #730 | 03 Sep 2019 | 114 min.
The Ransomware Epidemic

Rather than looking at many small bits of news, this week we take longer looks at a few larger topics. We'll examine several pieces of welcome news from the bug bounty front. We also take a look at Google's Project Zero revelation of a comprehensive multiyear campaign aimed at iOS visitors to specific websites. Then we conclude with a distressingly large array of news from the ransomware front. We figure out how to pronounce Sodinokibi (so-dee'-no-kee-bee) and ponder the future of ransomware.
46 MB 12 MB  386 KB   <-- Show Notes 89 KB 69 KB 270 KB

Episode #729 | 27 Aug 2019 | 114 min.
Next Gen Ad Privacy

This week we check in on Texas, and on the Kazakhstan government's attempt to be their own CA. How did that work out for them? We note a troubling increase in attacks on the open source software supply chain. Google's announced plans to add data breach notification to Chrome. We look at a surprising Apple iOS v12.4 regression (whoops!) and at another Microsoft RDP component in need of updating. I update our listeners on the state of SQRL (another of its documents is completed) and on SQRL presentations past and future. I share some news from my ongoing file sync journey. We conclude by looking at some very interesting and promising moves as browser-based advertising matures from the ad hoc mess it has always been into a privacy-respecting Internet citizen.
56 MB 14 MB  232 KB   <-- Show Notes 142 KB 92 KB 358 KB

Episode #728 | 20 Aug 2019 | 114 min.
The KNOB Is Broken

This week we look at last week's monthly Patch Tuesday and its collision with third-party AV add-ons. We examine four years of Kaspersky unique web user tracking. We look again at Tavis Ormandy's discovery of the secret undocumented CTF protocol, wondering WTF is CTF? We note a new and devastating strategy in the ransomware battle which hit Texas last Friday. We also have the sad demise of Extended Validation certificates, the further removal of FTP support from web browsers, Google's campaign to still further reduce web certificate lifetimes, and Netflix's discovery of eight implementation flaws in the new HTTP/2 protocol. We'll cover a bit of miscellany, update on my file syncing journey, touch on SQRL news and SpinRite, then conclude with a look at the most recent attack on Bluetooth pairing negotiation which renders all Bluetooth associations vulnerable to a trivial attack.
55 MB 14 MB  266 KB   <-- Show Notes 122 KB 85 KB 323 KB

Episode #727 | 13 Aug 2019 | 118 min.
Black Hat and DEF CON

This week, as expected, we look at some of the events and announcements from last week's Black Hat and DEF CON conference events. Microsoft and Apple have upped the ante for bug hunters, the Chaos Computer Club shreds a hotel's door lock security, a serious philosophical design flaw is revealed to be present in 40 signed device drivers, and Google vows to continue its Incognito-mode battle. We also have some SQRL news, some fun miscellany, and some interesting closing-the-loop feedback from our terrific listeners.
57 MB 14 MB  389 KB   <-- Show Notes 99 KB 87 KB 292 KB

Episode #726 | 06 Aug 2019 | 116 min.
Steve's File Sync Journey

This week we look at a widespread false alarm about Facebook's planned subversion of end-to-end encryption, still more municipality ransomware attacks, more anti-encryption saber-rattling among the Five Eyes nations, Microsoft's discovery of Russian-backed IoT compromise for enterprise intrusion, Chrome 76's changes, this week's Black Hat and DEF CON conferences, a bit of miscellany, and closing the loop with our listeners. Then I want to share my recent experiences and findings about the challenge of synchronizing a working set of files between two locations, and the tools I settled on.
56 MB 14 MB  285 KB   <-- Show Notes 157 KB 93 KB 375 KB

Episode #725 | 30 Jul 2019 | 103 min.
Urgent/11

This week we close the chapter on the Marcus Hutchins saga. The U.S. Attorney General weighs in on "warrant-proof" data encryption. We look at what's popular with the underground, give an update on the latest four new ransomware attacks, examine three different attacks on exposed network attached storage (NAS) servers, cover a bit of miscellany, then take a close look at the news of the just-released-yesterday vulnerabilities in the two billion-strong VxWorks embedded OS.
49 MB 12 MB  322 KB   <-- Show Notes 118 KB 74 KB 309 KB

Episode #724 | 23 Jul 2019 | 105 min.
Hide Your RDP Now!

This week we start off with something bad that we unfortunately saw coming. We then look at the changing security indication feedback in browsers; the challenge of keeping browsers compatible with important but non-standards-compliant websites; the failure and repair of incognito browsing mode; the possibility of a forthcoming "super incognito mode" for Firefox; a new super-fast TLS stack written in the Rust programming language; Microsoft's promised open source release of their voting machine election software; and yet another widely deployed, exposed, and exploitable Internet server. We have a quick bit of miscellany and some terrific SQRL news. Then we look at a recent and quite sobering report from Sophos about attacks on exposed RDP servers.
51 MB 13 MB  389 KB   <-- Show Notes 90 KB 77 KB 282 KB

Episode #723 | 16 Jul 2019 | 117 min.
Encrypting DNS

This week we cover a few bullet points from last Tuesday's monthly Windows patches, as well as some annoyance that the patches caused for Windows 7 users. We track some interesting ongoing ransomware news and look at the mixed blessing of fining companies for self-reporting breaches. We check out a survey of enterprise malware headaches, update some Mozilla/Firefox news, and examine yet another (and kind of obvious) way of exfiltrating information from a PC. We address a bit of errata, some miscellany, and closing-the-loop feedback with our listeners. We then conclude with a closer look at all the progress that's been occurring quietly with DNS encryption.
56 MB 14 MB  397 KB   <-- Show Notes 127 KB 86 KB 326 KB

Episode #722 | 09 Jul 2019 | 110 min.
Gem Hack & Ghost Protocol

This week we stumble over a number of instances where technology appears to be colliding with the status quo. In any complex social system, individual and group interests are often complex and may be in opposition. So when new technology comes along to offer new capabilities, not everyone is going to be pleased. So this week we discuss some of the mounting tensions being created by connectivity, storage, and computation which are being combined to create many new capabilities. We look at the surprising backlash to Mozilla's privacy-enhancing DNS-over-HTTPS support, concerns over the use of facial recognition and automobile license plate scanners, and the future of satellite-based Internet services. We present some SQRL news and share a bunch of closing-the-loop feedback from our listeners. We then examine how a Ruby code repository was hacked and look at the U.K. GCHQ's proposal for adding "ghost" participants into private conversations.
53 MB 13 MB  325 KB   <-- Show Notes 126 KB 84 KB 324 KB

Episode #721 | 02 Jul 2019 | 110 min.
Exposed Cloud Databases

This week we track further occurrences of ransomware in Florida and elsewhere. We check in on the state of the "going dark" anti-encryption debate. We look at a stunning new BlueKeep proof-of-concept demo produced by the guys at SophosLabs. We update some miscellany and present some closing-the-loop feedback from our terrific listeners. Then we examine the nature of the continuing problem of massive publicly exposed databases. In the third example of this just this week, we discover a prolific Chinese IoT manufacturer who is logging more than a million of their customers' devices into an exposed database of two-billion-plus records - which returns us to the dilemma we have with the utter lack of oversight and control over our own IoT devices, and the need to soberly reconsider what "IoT" stands for.
53 MB 13 MB  426 KB   <-- Show Notes 134 KB 83 KB 347 KB

Episode #720 | 25 Jun 2019 | 101 min.
Bug Bounty Business

This week we check in on the state of last week's Linux TCP SACK kernel panic, examine two Mozilla zero-days which were being used against Coinbase and others, and note that performing a full factory reset of an IoT device may not be sufficient. We look at a very clever and elegant solution to OpenSSH key theft via Rowhammer attacks, share an update on the BlueKeep RDP vulnerability, and examine the cause of a three-hour widespread Internet outage yesterday morning. We discuss NASA's APT, which crawled in via a Raspberry Pi, the cost of paying versus not paying a ransomware ransom, and an update on Microsoft's Chromium-based Edge browser. Lastly, we handle a bit of listener feedback, then take a closer look at the state of the commercial bug bounty business.
48 MB 12 MB  313 KB   <-- Show Notes 119 KB 75 KB 310 KB

Episode #719 | 18 Jun 2019 | 117 min.
Exim Under Siege

There were several significant stories this week. We have a new DRAM problem called "RAMBleed," news of a Linux server kernel-crashing flaw in TCP, and the occurrence of the expected attacks on Exim email servers - not to mention last week's Patch Tuesday, a Bluetooth surprise, and another useless warning about the BlueKeep vulnerability. Microsoft missed a 90-day Tavis Ormandy deadline. We have a good-news GandCrab wrap-up, Yubico's entropy mistake, a bit of post-announce SQRL news, and a favorite iOS security app. We selected as our title story the attacks on Exim mail servers so that we can talk about the other disasters, which are still pending, next week!
56 MB 14 MB  313 KB   <-- Show Notes 138 KB 85 KB 354 KB

Episode #718 | 11 Jun 2019 | 110 min.
Update Exim Now!

This week we catch up with the continuing antics of SandboxEscaper. We give an update on the status of the still-not-yet-widely-exploited BlueKeep vulnerability, and also look at a new botnet which is pounding on RDP servers (but not yet using BlueKeep). The FBI has issued an interesting advisory about not trusting secure sites just because they're secure, so we'll examine that. The popular VideoLAN player receives an important update thanks to an interesting source, Microsoft's Edge browser takes another step forward, and Mozilla reorganizes a bit. Then I'm going to share my must-have Utility of the Week, a just-released sci-fi movie on Netflix, and a bit of closing-the-loop feedback from the Twitterverse which resulted from my, as planned, first formal full release of SQRL. We'll close with a look at the critical need for anyone running the Exim mail server to update immediately.
53 MB 13 MB  221 KB   <-- Show Notes 118 KB 82 KB 321 KB

Episode #717 | 04 Jun 2019 | 111 min.
The Nansh0u Campaign

This week we check in on the BlueKeep RDP vulnerability. We look at the planned shutdown of one of the, if not THE, most successful, if one can call it that, affiliate-based ransomware systems. We update you on the anti-robocalling problem and then look at the recent announcements by the Russian and Chinese militaries about their plans to move away from the Microsoft Windows OS. We also look at Apple's announcement yesterday of their forthcoming "Sign in with Apple" service, touch on the state of SQRL, and then share a bit of fun feedback from a listener. We finish by examining the interesting details behind a significant old-school persistent campaign, the Nansh0u campaign, apparently sourced from China, which has successfully compromised many tens of thousands of servers exposed to the Internet.
53 MB 13 MB  506 KB   <-- Show Notes 124 KB 84 KB 155 KB

Episode #716 | 28 May 2019 | 107 min.
RDP: Really Do Patch

This week we primarily focus upon the almost certainly impending doom of the Internet, as the Windows Remote Desktop Protocol saga finishes out its second week with a great deal of news and new evidence-based expectation for the end of humanity as we have known it. Okay, well, maybe it won't be quite that dramatic, but it already makes last year's Meltdown and Spectre flaws seem quaint. But before we get to that, we take a look at the FIVE new zero-day exploits just dropped by SandboxEscaper, Google's discovery and confession of 14 years of cleartext password storage, Microsoft's just-released Win10 Feature Update 1903, Firefox's release 67, and some interesting new data about the prevalence of validly signed malware.
51 MB 13 MB  494 KB   <-- Show Notes 103 KB 78 KB 139 KB

Episode #715 | 21 May 2019 | 114 min.
CPU.fail

As expected after last week's Tuesday morning end-of-embargo on details of the next round of Intel processor information leakage problems, we will take a closer look at the new challenges they create and the impact of their remediation on system performance and stability. But before that we look at last Tuesday's patches from Microsoft, Adobe, and Apple. We examine a new big security problem for Cisco that even has stock analysts taking notice. We check in on the ongoing troubles with the cryptocurrency market, see what Johns Hopkins associate professor Matthew Green tweeted about the trouble with Google's Titan Bluetooth dongle, and deal with yet another monthly problem with Windows 10 updates. We touch on a bit of miscellany, then wrap up with a look at the new so-called Microarchitectural Data Sampling vulnerabilities.
55 MB 14 MB  1.75 MB   <-- Show Notes 133 KB 86 KB 162 KB

Episode #714 | 14 May 2019 | 95 min.
Android “Q”

This week we look at a widespread problem affecting all WhatsApp users, many interesting bits of news arising from last week's Google I/O 2019 conference, a worrisome remotely exploitable flaw in all Linux kernels earlier than v5.0.8, the just released hours ago new set of flaws affecting all Intel processors known as ZombieLoad, a bit of miscellany, and some odds and ends. Then we take a deep look into the significant security enhancements Google also announced in their next release of Android: Q.
45 MB 11 MB  274 KB   <-- Show Notes 83 KB 68 KB 121 KB

Episode #713 | 07 May 2019 | 104 min.
Post-Coinhive Cryptojacking

This week we look at the mess arising from Mozilla's intermediate certificate expiration (the most tweeted event in my feed in a LONG time!), Google's announcement of self-expiring data retention, another wrinkle in the exploit marketplace, Mozilla's announcement about deliberate code obfuscation, a hacker who hacked at least 29 other botnet hackers, a warning about a very popular D-Link netcam, who's paying and who's receiving bug bounties by country, another user-agent gotcha with Google Docs, a problem with Google Earth on the new Chromium Edge browser, and a bit more about Edge's future just dropped at the start of Microsoft's Build 2019 conference. Then we take a look at the continuing and changing world of cryptojacking after Coinhive closed their doors last month.
50 MB 13 MB  723 KB   <-- Show Notes 106 KB 78 KB 142 KB

Episode #712 | 30 Apr 2019 | 100 min.
Credential Stuffing Attacks

This week we look at more privacy fallout from our recent coverage of Facebook and Google. We examine the uptake rate of recent Windows 10 feature releases. We finally know the source of the AV troubles with the April Patch Tuesday updates. We look at the NIST's formal fuzzing development, consider the source of a massive and ongoing database data leak involving more than half of all American households, note that Windows Insiders are already finding that their systems won't update to the May 2019 feature update, and address the concerns of United Airlines passengers who have noticed and been understandably upset by seatback cameras pointing at them. Finally, we have the "Cranky Old Guy Tip of the Week," touch on a bit of miscellany, then take a look at what many in the security industry are watching with concern: the large and emerging threat of website credential stuffing attacks.
48 MB 12 MB  371 KB   <-- Show Notes 101 KB 76 KB 136 KB

Episode #711 | 23 Apr 2019 | 126 min.
DNSpionage

This week we discuss Google's use of their Sensorvault tracking to assist law enforcement. It's time to update Drupal again. And, speaking of "again," Facebook. We also look at Russia's newly approved legislation moving toward an Internet "off switch," a reminder that "USB Killers" are a real thing, the news of Marcus Hutchins's plea deal, an actively exploited Windows zero-day, a bunch of Microsoft Edge news, the Win7 end-of-life notices, something from the "I did say this was bound to happen" department, and some miscellaneous news. Then we examine the latest detailed threat research from Cisco's Talos Group about the leveraging of DNSpionage.
61 MB 15 MB  351 KB   <-- Show Notes 143 KB 95 KB 175 KB

Episode #710 | 16 Apr 2019 | 116 min.
DragonBlood

This week we discuss a malicious use of the URL tracking "ping" attribute, more on WinRAR, more third-party AV troubles with Microsoft and other new trouble from last week's Patch Tuesday, good things that Patch Tuesday accomplished for Microsoft and for Adobe, another security-tightening change being proposed by Google, Russia's Roskomnadzor finally lowering the boom on Facebook, and the incredible TajMahal APT framework. We touch on a bit of miscellany, answer a SpinRite upgrade question, and share some closing-the-loop feedback from our listeners. We close with a look at Dragonblood, the first effective attack on the new WPA3 protocol (which didn't take long).
56 MB 14 MB  263 KB   <-- Show Notes 124 KB 85 KB 157 KB

Episode #709 | 09 Apr 2019 | 129 min.
URL “Ping” Tracking

This week we discuss more news of Microsoft's Chromium-based Edge browser; the U.K. government's plan to legislate, police, and enforce online social media content; improvements to Windows 10's update management; news from the "spoofing biometrics" department; the worrisome state of Android mobile financial apps; an update on the NSA's Ghidra software reverse engineering tool suite; perhaps the dumbest thing Facebook has done yet (and by policy, not by mistake); an important change in Win10 1809 external storage caching policy; and a bit of miscellany and closing-the-loop feedback from our terrific listeners. Then we're going to take a close look at another capitulation in the (virtually lost) battle against tracking our behavior on the Internet with URL "ping" tracking.
68 MB 15 MB  492 KB   <-- Show Notes 105 KB 91 KB 150 KB

Episode #708 | 02 Apr 2019 | 126 min.
Android Security

This week we are primarily going to share Google's well-deserved, self-congratulatory, but also very honest update on the status of Android Security at its 10th birthday. But before that we're going to share some of the continuing news of the WinRAR vulnerability, some really interesting data on Russian GPS hacking, Android's April Fools' Day patches, Tesla autopilot spoofing, some follow-up on the ASUS "ShadowHammer" attack and the targeted MAC addresses, the final release of the Windows 10 (last) October 2018 update, a VMware update, a SQRL question, two bits of listener feedback, and a SpinRite development question. Then we take a look at the state of Android 10 years in.
60 MB 15 MB  283 KB   <-- Show Notes 125 KB 93 KB 164 KB

Episode #707 | 26 Mar 2019 | 115 min.
Tesla, Pwned

This week on Security Now! we have the return of "Clippy," Microsoft's much-loathed dancing paperclip; operation "ShadowHammer," which reports say compromised ASUS (but did it?); the ransomware attack on Norsk Hydro aluminum; the surprise renaming of Windows Defender; a severe bug revealed in the most popular PDF-generating PHP library; an early look at Microsoft's forthcoming Chromium-based web browser; hope for preventing caller ID spoofing; a needed update for users of PuTTY; Mozilla's decision to conditionally rely upon Windows' root store; Microsoft to offer virtual Windows 7 and 10 desktops through Azure; details of the Windows 7 End of Life warning dialog; then a bit of Sci-Fi, SQRL and SpinRite news, followed by our look at the results of the much anticipated Mid-March Vancouver Pwn2Own competition - one of the results of which our episode title gives away!
62 MB 16 MB  355 KB   <-- Show Notes 153 KB 99 KB 182 KB

Episode #706 | 19 Mar 2019 | 115 min.
Open Source eVoting

This week we look back at last week's March Patch Madness. We have an answer about the Win7 SHA-256 Windows Update Update; big news regarding the many attacks leveraging the recently discovered WinRAR vulnerability; what happens when Apple, Google, and GoDaddy all drop a bit; an update on a big recent jump in Mirai Botnet capability; some worrisome news about compromised Counter Strike gaming servers; some welcome privacy enhancements coming in the next Android Q; a pair of very odd web browser extensions for Chrome and Firefox from Microsoft; a bit of follow-up on last week's Spoiler topic; some closing-the-loop feedback from our terrific listeners; and an early look at a VERY exciting and encouraging project to create an entirely open eVoting system.
55 MB 14 MB  231 KB   <-- Show Notes 126 KB 83 KB 155 KB

Episode #705 | 12 Mar 2019 | 134 min.
Spoiler

This week we look at the zero-day exploit bidding war that's underway, the NSA's release of Ghidra, Firefox's addition of privacy enhancements which were first developed for the Tor version of Firefox, a pair of zero-days that were biting people in the wild, news of a worrisome breach at Citrix, the risk of claiming to be an unhackable aftermarket car alarm, a new and interesting "windows developers chatting with users" idea at Microsoft, a semi-solution to Windows updates crashing systems, detailed news of the Marriott/Starwood breach, a bit of miscellany from Elaine, a SpinRite question answered, and then we finish with SPOILER - the latest research exploiting yet another new and different consequence of speculation on Intel machines.
64 MB 16 MB  321 KB   <-- Show Notes 146 KB 100 KB 181 KB

Episode #704 | 05 Mar 2019 | 132 min.
Careers in Bug Hunting

This week we look at a newly available improvement in Spectre mitigation performance being rolled out by Microsoft and who can try it right now, Adobe's ColdFusion emergency and patch, more problems with AV and self-signed certs, a Docker vulnerability being exploited in the wild, the end of Coinhive, a new major Wireshark release, a nifty web browser website screenshot hack, continuing troubles with the over-privileged Thunderbolt interface, bot-based credential stuffing attacks, some SQRL, miscellany, SpinRite, and listener feedback. Then we examine the increasing feasibility of making a sustainable career out of hunting for software bugs.
63 MB 16 MB  324 KB   <-- Show Notes 138 KB 95 KB 173 KB

Episode #703 | 26 Feb 2019 | 96 min.
Out in the Wild

This week we discuss a number of ongoing out-in-the-wild attacks, along with a bunch of other news. We have another early-warned Drupal vulnerability that has immediately come under attack in the wild, and a 19-year-old flaw in an obscure decompress for the "ACE" archive format, which until a few days ago WinRAR was supporting to its detriment. Microsoft reveals an abuse of HTTP/2 protocol which is DoSing its IIS servers. Mozilla faces a dilemma about a wannabe Certificate Authority, and they also send a worried letter to Australia. Microsoft's Edge browser is revealed to be secretly whitelisting 58 web domains which are allowed to bypass its "Click-to-Run" permission for FLASH. ICANN renews its plea for the Internet to adopt DNSSEC, NVIDIA releases a handful of critical driver updates for Windows, and Apple increases the intelligence of its Intelligent Tracking Prevention.
46 MB 12 MB  236 KB   <-- Show Notes 101 KB 70 KB 132 KB

Episode #702 | 19 Feb 2019 | 115 min.
Authenticity on the Internet

This week we catch up with last week's doozy of a Patch Tuesday for both Microsoft and Adobe. We also examine an interesting twist coming to Windows 7 and Server 2008 security updates, eight mining apps pulled from the Windows Store, another positive security initiative from Google, electric scooters being hacked, more chipping away at Tor's privacy guarantees, a year and a half after Equifax and where's the data?, the beginnings of GDPR-like legislation for the U.S., and some closing-the-loop feedback from our terrific listeners. Then we take a look at an extremely concerning new and emerging threat for the Internet.
55 MB 14 MB  178 KB   <-- Show Notes 136 KB 88 KB 166 KB

Episode #701 | 12 Feb 2019 | 123 min.
Adiantum

This week we look at Apple's most recent v12.1.4 iOS update and the two zero-day vulnerabilities it closed, as well as examine the very worrisome new Android image display vulnerability. We dive into an interesting “reverse RDP” attack, look at the new LibreOffice and OpenOffice vulnerability, and consider Microsoft's research into the primary source of software vulnerabilities. Mary Jo gets an early peek at enterprise pricing for extending Windows 7 support. China and Russia continue their work to take control of their countries' Internets. Firefox resumes rollout of its AV-warning Release 65. We offer up a few more SQRL anecdotes, share a bit of listener feedback, then see how Google does the ChaCha with their new “Adiantum” ultra-high-performance cryptographic cipher.
59 MB 15 MB  397 KB   <-- Show Notes 120 KB 90 KB 159 KB

Episode #700 | 05 Feb 2019 | 110 min.
700 & Counting

This week we discuss Chrome getting spell check for URLs; a bunch of Linux news with reasons to be sure you're patched up; some performance enhancements, updates, additions, and deletions from Chrome and Firefox; more Facebook nonsense; a bold move planned by the Japanese government; Ubiquiti routers again in trouble; a hopeful and welcome new initiative for the Chrome browser; a piece of errata; a quick SQRL update; and some follow-up thoughts about VPN connectivity.
53 MB 13 MB  267 KB   <-- Show Notes 117 KB 80 KB 151 KB

Episode #699 | 29 Jan 2019 | 119 min.
Browser Extension Security

This week we look at the expressive power of the social media friends we keep, the persistent DNS hijacking campaign which has the U.S. government quite concerned, last week's iOS and macOS updates (and doubtless another one very soon!), a valiant effort to take down malware distribution domains, Chrome catching up to IE and Firefox with drive-by file downloads, two particularly worrisome vulnerabilities in two Cisco router models publicly disclosed last Friday, some interesting miscellany, a particularly poignant SpinRite data recovery testimonial, and then some close looks at the state of the industry and the consequences of extensions to our web browsers.
56 MB 14 MB  508 KB   <-- Show Notes 131 KB 88 KB 162 KB

Episode #698 | 22 Jan 2019 | 114 min.
Which Mobile VPN Client?

This week we examine a very worrisome WiFi bug affecting billions of devices; a new fun category for the forthcoming Pwn2Own; Russia's ongoing, failing, and flailing efforts to control the Internet; the return of the Anubis Android banking malware; Google's changing policy for phone and SMS app access; Tim Cook's note in Time magazine; news of a nice Facebook ad auditing page; another Cisco default password nightmare in widely used, lower end devices; some errata, miscellany, and listener feedback. Then we answer the age-old and apparently quite confusing question: Which is the right VPN client for Android?
55 MB 14 MB  408 KB   <-- Show Notes 147 KB 88 KB 170 KB

Episode #697 | 15 Jan 2019 | 93 min.
Zerodium

This week we examine the intended and unintended consequences of last week's Windows Patch Tuesday; and, speaking of unintended consequences, the U.S. government shutdown has had some, too. We also examine a significant privacy failure in WhatsApp, another ransomware decryptor (with a twist), movement on the DNS over TLS front, an expectation of the cyberthreat landscape for 2019, a cloudy forecast for The Weather Channel App, a successful 51% attack against the Ethereum Classic cryptocurrency, another court reversing compelled biometric authentication, and an update on the lingering death of Flash, now in hospice care. We then look at a bit of miscellany and errata and finish by examining the implications of the recent increase in bounty for the purchase of zero-day vulnerabilities.
60 MB 15 MB  434 KB   <-- Show Notes 133 KB 91 KB 170 KB

Episode #696 | 08 Jan 2019 | 93 min.
Here Comes 2019!

This week we look at the NSA's announced forthcoming release of an internal powerful reverse engineering tool for examining and understanding other people's code; emergency out-of-cycle patches from both Adobe and Microsoft; and, yes, we do need to mention PewDiePie again. We also need to mention our prolific zero-day dropper SandboxEscaper, a new effort by the U.S. government to educate industry about the risks of cyberattacks, some welcome news on the ransomware front, some VERY welcome news of a new Windows 10 feature, and a note about a just-published side-channel attack on OS page caches. Then we'll wrap with an update on my work on SQRL and my discovery of a VERY impressive and free large file transmission and sharing facility.
44 MB 11 MB  365 KB   <-- Show Notes 111 KB 71 KB 139 KB
2018 Archive Below...

Episode #695 | 25 Dec 2018 | 177 min.
Best of 2019

TWiT's assembly of the best moments of Security Now! 2019.
85 MB 21 MB

Episode #694 | 18 Dec 2018 | 110 min.
The SQLite RCE Flaw

This week we look at Rhode Island's response to Google's recent API flaw; Signal's response to Australia's anti-encryption legislation, the return of PewDiePie; U.S. border agents retaining travelers' private data; This Week in Android hijinks; confusion surrounding the Windows v5 release; another Facebook API mistake; and the eighth annual most common passwords list, a.k.a. "How's monkey doing?" Why all might not be lost if someone is hit with drive-encrypting malware; Microsoft's recent four-month run of zero-day vulnerability patches; the Firefox 64 update; a reminder of an awesome train game for iOS, Mac, and Android; some closing-the-loop feedback with our listeners; and a look at a new and very troubling flaw discovered in the massively widespread SQLite library, and what we can do.
53 MB 13 MB  223 KB   <-- Show Notes 140 KB 83 KB 165 KB

Episode #693 | 11 Dec 2018 | 119 min.
Internal Bug Discovery

This week we take a look at Australia's recently passed anti-encryption legislation; details of a couple more mega breaches, including a bit of Marriott follow-up; a welcome call for legislation from Microsoft; a new twist on online advertising click fraud; the DHS's interest in deanonymizing cryptocurrencies beyond Bitcoin; the changing landscape of TOR funding; an entirely foreseeable disaster with a new Internet IoT-oriented protocol; a bit of errata; and some closing-the-loop feedback from our truly terrific listeners. Then we look at a case where a prominent company discovered one of their own bugs and acted responsibly - again - and what that suggests for everyone else.
56 MB 14 MB  280 KB   <-- Show Notes 105 KB 84 KB 147 KB

Episode #692 | 04 Dec 2018 | 134 min.
GPU RAM Image Leakage

This week we discuss another Lenovo Superfish-style local security certificate screw-up; several new, large and high-profile secure breach incidents and what they mean for us; the inevitable evolution of exploitation of publicly exposed UPnP router services; and the emergence of "Printer Spam." How well does ransomware pay? We have an idea now. We talk about two iOS scam apps, a false positive Bing warning, progress on the DNS over HTTPS front, and rumors that Microsoft is abandoning their EdgeHTML engine in favor of Chromium. We also have a bit of miscellany, news of a cybersecurity-related Humble Book Bundle just in time for Christmas, and a bit of closing-the-loop feedback. Then we discuss some new research that reveals that it's possible to recover pieces of web browser page images that have been previously viewed.
64 MB 16 MB  446 KB   <-- Show Notes 107 KB 96 KB 156 KB

Episode #691 | 27 Nov 2018 | 97 min.
ECCploit

Hackers and attackers apparently enjoyed their Thanksgiving, since this week we have very little news to report. But what we do have to discuss should be entertaining and engaging: Yesterday the U.S. Supreme Court heard Apple's argument about why a class action lawsuit against their monopoly App Store should not be allowed to proceed; Google and Mozilla are looking to remove support for FTP from their browsers; and from our "What could possibly go wrong?" department we have browsers asking for explicit permission to leave their sandboxes. We also have some interesting post-Troy Hunt "Are Passwords Immortal?" listener feedback from last week's topic. Then we will discuss the next step in the evolution of RowHammer attacks, which do, as Bruce Schneier once opined, only get better - or in this case worse.
46 MB 12 MB  292 KB   <-- Show Notes 94 KB 69 KB 128 KB

Episode #690 | 20 Nov 2018 | 131 min.
Are Passwords Immortal?

This week we cover the action during last week's Pwn2Own Mobile hacking contest. As this year draws to a close, we delve into the final last word on processor misdesign. We offer a very workable solution for unsupported Intel firmware upgrades for hostile environments. We look at a forthcoming Firefox breach alert feature. We cover the expected takeover of exposed Docker-offering servers. We note the recently announced successor to recently ratified HTTP/2. We cover a piece of 1.1.1.1 errata, close the loop with some of our podcast listeners, then finish by considering the future of passwords using a thoughtful article written by Troy Hunt, a well-known Internet security figure and the creator of the popular HaveIBeenPwned web service, among others.
63 MB 16 MB  383 KB   <-- Show Notes 134 KB 96 KB 165 KB

Episode #689 | 13 Nov 2018 | 134 min.
Self-Decrypting Drives

This week we cover last month's Patch Tuesday this month. We look at a GDPR-inspired lawsuit filed by Privacy International. We ask our listeners to check two router ports to protect against a new botnet that's making the rounds. We look at another irresponsibly disclosed zero-day, this time in VirtualBox. We look at CloudFlare's release of a very cool 1.1.1.1 app for iOS and Android. And, in perfect synchrony with this week's main topic, we note Microsoft's caution about the in-RAM vulnerabilities of the BitLocker whole-drive encryption. We also cover a bit of miscellany, we close the loop with our listeners, and then we take a deep dive into last week's worrisome revelation about the lack of true security being offered by today's Self-Encrypting SSD Drives.
65 MB 16 MB  347 KB   <-- Show Notes 146 KB 100 KB 178 KB

Episode #688 | 06 Nov 2018 | 112 min.
PortSmash

This week we discuss the new "BleedingBit" Bluetooth flaws, JavaScript no longer being optional with Google, a new Microsoft Edge browser zero-day, Windows Defender playing in its own sandbox, Microsoft and Sysinternals news, the further evolution of the CAPTCHA, the 30th anniversary of the Internet's first worm, a bizarre requirement of ransomware, a nice new bit of security non-tech from Apple, some closing-the-loop feedback from our listeners, then a look at the impact and implication of the new "PortSmash" attack against Intel (and almost certainly other) processors.
54 MB 13 MB  314 KB   <-- Show Notes 122 KB 82 KB 154 KB

Episode #687 | 30 Oct 2018 | 113 min.
Securing the Vending Machine

This week we follow-up on the Win10 ZIP extraction trouble, discuss some welcome Android patching news, look at SandboxEscaper's latest 0-day surprise, examine the Hadoop DemonBot, follow up on US DoD insecurity, look into the consequences of publicly exposed Docker server APIs, look at a DDoS-for-Hire front end, check out the mid-week Windows non-security Windows 10 bug fix update, look at the just-released Firefox v63, and examine a new privilege escalation vulnerability affecting Linux and OpenBSD. We also handle a bit of errata, some Sci-Fi miscellany, and a bit of closing the loop feedback from a listener. Then we answer last week's puzzler by exploring various ways of securing those vending machines.
54 MB 14 MB  323 KB   <-- Show Notes 112 KB 84 KB 151 KB

Episode #686 | 23 Oct 2018 | 119 min.
Libssh's Big Whoopsie!

This week a widely used embedded OS (FreeRTOS) is in the doghouse, as are at least eight D-Link routers which have serious problems most of which D-Link has stated will never be patched. We look at five new problems in Drupal 7 and 8, two of which are rated critical, trouble with Live Networks RTSP streaming server, still more trouble with the now-infamous Windows 10 Build 1809 feature update, and a long standing 0-day in the widely used and most popular plugin for jQuery. We then look at what can only be described as an embarrassing mistake in the open source libssh library, and we conclude by examining a fun recent hack and pose its solution to our audience as our Security Now! puzzler of the week!
57 MB 14 MB  337 KB   <-- Show Notes 118 KB 79 KB 150 KB

Episode #685 | 16 Oct 2018 | 125 min.
Good Samaritans?

This week we observe the untimely death of Microsoft's co-founder Paul Allen, revisit the controversial Bloomberg China supply chain hacking report, catch up on Microsoft's October patching fiasco, follow up on Facebook's privacy breach, look at the end of TLS v1.0 and 1.1, explore Google's addition of control flow integrity to Android 9, look at a GAO report about the state of U.S. DOD weapons cybersecurity, consider the EOL of PHP 5.x chain, take a quick look at an AV comparison test, entertain a few bits of feedback from our listeners, and then consider the implications of grey hat vigilante hacking of others' routers.
60 MB 15 MB  438 KB   <-- Show Notes 114 KB 88 KB 156 KB

Episode #684 | 09 Oct 2018 | 114 min.
The Supply Chain

This week we examine and explore an October Windows Surprise of a different sort. A security researcher massively weaponizes the existing MicroTik vulnerability and releases it as a proof of concept. Israel's National Cybersecurity Authority warns about a clever voicemail WhatsApp OTP bypass. What DID happen with that recent Google+ breach? Google tightens up its Chrome Extensions security policies. WiFi radio protocol designations finally switch to simple version numbering. Intel unwraps its 9th-generation Core processors. We've got head-spinning PDF updates from Adobe and Foxit. This isn't a competition, guys! And, finally, we take a look at the danger of Supply Chain Attacks, with a possible real-world example.
55 MB 14 MB  278 KB   <-- Show Notes 115 KB 83 KB 152 KB

Episode #683 | 02 Oct 2018 | 111 min.
The Facebook Breach

This week we discuss yet another treat from Cloudflare, the growing legislative battle over Net Neutrality, the rise of Python malware, Cisco's update report on the VPNFilter malware, still more Chrome controversy and some placating, the rapid exploitation of zero-day vulnerabilities, the first UEFI rootkit found in the wild, another new botnet discovery, the danger of the RDP protocol, a nasty website browser trick and how to thwart it, a quick update on recent nonfiction and science fiction, and then a look into the recent massive 50 million account Facebook security breach.
53 MB 13 MB  252 KB   <-- Show Notes 127 KB 84 KB 157 KB

Episode #682 | 25 Sep 2018 | 123 min.
SNI Encryption

This week we look at additional changes coming from Google's Chromium team, another powerful instance of newer cross-platform malware, the publication of a zero-day exploit after Microsoft missed its deadline, the return of Sabri Haddouche with browser crash attacks, the reasoning behind Matthew Green's decision to abandon Chrome after a change in release 69 - and an "Ungoogled Chromium" alternative that Matthew might approve of - Western Digital's pathetic response to a very serious vulnerability, a cool device exploit collection website, a question about the future of the Internet, a sobering example of the aftermarket in unwiped hard drives, Mirai Botnet creators working with and helping the FBI, another fine levied against Equifax, and a look at Cloudflare's quick move to encrypt a remaining piece of web metadata.
59 MB 15 MB  283 KB   <-- Show Notes 157 KB 95 KB 178 KB

Episode #681 | 18 Sep 2018 | 132 min.
The Browser Extension Ecosystem

This week we prepare for the first-ever Presidential Alert unblockable nationwide text message. We examine Chrome's temporary "www" removal reversal, check out Comodo's somewhat unsavory marketing, discuss a forthcoming solution to BGP hijacking, examine California's forthcoming IoT legislation, deal with the return of Cold Boot attacks, choose not to click on a link that promptly crashes any Safari OS, congratulate Twitter on adding some auditing, check in on the Mirai Botnet's steady evolution, look at the past year's explosion in DDoS number and size, and note another new annoyance brought to us by Windows 10. Then we take a look at the state of the quietly evolving web browser extension ecosystem.
63 MB 16 MB  369 KB   <-- Show Notes 109 KB 94 KB 160 KB

Episode #680 | 11 Sep 2018 | 128 min.
Exploits & Updates

This week we discuss Windows 7's additional three years of support life, MikroTik routers back in the news (and not in a good way), Google Chrome 69's new features, the hack of MEGA's cloud storage extension for Chrome, Week 3 of the Windows Task Scheduler zero-day, a new consequence of using "1234" as your password, Tesla making their white hat hacking policies clear (just in time for a big new hack!), our PCs as the new malware battlefield, a dangerous OpenVPN feature spotted, and Trend Micro, caught spying, getting kicked out of the macOS store.
61 MB 15 MB  278 KB   <-- Show Notes 104 KB 92 KB 152 KB

Episode #679 | 04 Sep 2018 | 124 min.
SonarSnoop

This week we cover the expected exploitation of the most recent Apache Struts vulnerability, a temporary interim patch for the Windows zero-day privilege elevation, an information disclosure vulnerability in all Android devices, Instagram's moves to tighten things up, another OpenSSH information disclosure problem, an unexpected outcome of the GDPR legislation and sky-high fines, the return of the Misfortune Cookie, many thousands of Magneto commerce sites being exploited, a fundamental design flaw in the TPM v2.0 spec, trouble with MITRE's CVE service, Mozilla's welcome plans to further control tracking, a gratuitous round of Win10 patches from Microsoft - and a working sonar system which tracks smartphone finger movements!
60 MB 15 MB  278 KB   <-- Show Notes 106 KB 89 KB 151 KB

Episode #678 | 28 Aug 2018 | 101 min.
Never a Dull Moment

It's been another busy week. We look at Firefox's changing certificate policies, the danger of grabbing a second-hand domain, the Fortnite mess on Android, another patch-it-now Apache Struts RCE, a frightening jump in Mirai Botnet capability, an unpatched Windows zero-day privilege elevation, and malware with a tricky new C&C channel. We find that A/V companies are predictably unhappy with Chrome, Tavis has found more serious problems in Ghostscript, and there's been a breakthrough in contactless RSA key extraction. As if that weren't enough, we discuss a worrisome flaw that has always been present in OpenSSH, and problems with never-dying Hayes AT commands in Android devices.
49 MB 12 MB  234 KB   <-- Show Notes 110 KB 75 KB 143 KB

Episode #677 | 21 Aug 2018 | 123 min.
The Foreshadow Flaw

This week, as we head into our 14th year of Security Now!, we look at some of the research released during last week's USENIX Security Symposium. We also take a peek at last week's Patch Tuesday details, Skype's newly released implementation of Open Whisper Systems' Signal privacy protocol, Google's Chrome browser's increasing pushback against being injected into, news following last week's observation about Google's user tracking, Microsoft's announcement of more spoofed domain takedowns, another page table sharing vulnerability, believe it or not "malicious regular expressions," some numbers on how much money Coinhive is raking in, flaws in browsers and their add-ons that allow tracking-block bypasses, two closing-the-loop bits of feedback, and then a look at the details of the latest Intel speculation disaster known as the "Foreshadow Flaw."
59 MB 15 MB  175 KB   <-- Show Notes 138 KB 91 KB 169 KB

Episode #676 | 14 Aug 2018 | 110 min.
The Mega FaxSploit

This week we cover lots of discoveries revealed during last week's Black Hat 2018 and DEF CON 26 Las Vegas security conferences, among them 47 vulnerabilities across 25 Android smartphones, Android "Disk-in-the-Middle" attacks, Google tracking when asked not to, more Brazilian D-Link router hijack hijinks, a backdoor found in VIA C3 processors, a trusted-client attack on WhatsApp, a macOS zero-day, a tasty new feature for Win10 Enterprise, a new Signal-based secure email service, Facebook's Fizz TLS v1.3 library, another Let's Encrypt milestone, and then "FaxSploit," the most significant nightmare in recent history - FAR worse, I think, than any of the theoretical Spectre and Meltdown attacks.
53 MB 13 MB  278 KB   <-- Show Notes 108 KB 80 KB 143 KB

Episode #675 | 07 Aug 2018 | 113 min.
New WiFi Password Attack

This week we discuss yet another new and diabolical router hack and attack, Reddit's discovery of SMS 2FA failure, WannaCry refusing to die, law enforcement's ample unused forensic resources, a new and very clever BGP-based attack, Windows 10 update dissatisfaction, and Google advancing their state-sponsored attack notifications. We ask, "What is Google's Project Dragonfly?" We go over a highly effective and highly targeted ransomware campaign, present some closing-the-loop feedback from our listeners, and reveal a breakthrough in hacking/attacking WiFi passwords.
54 MB 14 MB  189 KB   <-- Show Notes 112 KB 80 KB 148 KB

Episode #674 | 31 Jul 2018 | 131 min.
Attacking Bluetooth Pairing

This week we examine still another new Spectre processor speculation attack. We look at the new "Death Botnet," the security of the U.S. DOD websites, lots of Google Chrome news, pushes by the U.S. Senate toward more security, the emergence and threat of clone websites in other TLDs, more cryptocurrency mining bans, and Google's Titan hardware security dongles. We finish by examining the recently discovered flaw in the Bluetooth protocol which has device manufacturers and OS makers scrambling - but do they really need to?
63 MB 16 MB  146 KB   <-- Show Notes 113 KB 95 KB 160 KB

Episode #673 | 24 Jul 2018 | 113 min.
The Data Transfer Project

This week we examine still another new Spectre processor speculation attack, some news on DRAM hammering attacks and mitigations, the consequences of freely available malware source code, the reemergence of concern over DNS rebinding attacks, Venmo's very public transaction log, more Russian shenanigans, the emergence of flash botnets, Apple's continuing move of Chinese data to China, another (the fifth) Cisco secret backdoor found, an optional missing Windows patch from last week, and a bit of Firefox news and piece of errata. Then we look at "The Data Transfer Project" which, I think, marks a major step of maturity for our industry.
54 MB 14 MB  502 KB   <-- Show Notes 111 KB 80 KB 145 KB

Episode #672 | 17 Jul 2018 | 115 min.
All Up in Their Business

This week we look at even MORE new Spectre-related attacks, highlights from last Tuesday's monthly patch event, advances in GPS spoofing technology, GitHub's welcome help with security dependencies, Chrome's new (or forthcoming) "Site Isolation" feature, when hackers DO look behind the routers they commandeer, and the consequences of deliberate BGP routing misbehavior. Plus, reading between the lines of last Friday's DOJ indictment of the U.S. 2016 election hacking by 12 Russian operatives, the U.S. appears to really have been "all up in their business."
55 MB 14 MB  222 KB   <-- Show Notes 112 KB 81 KB 149 KB

Episode #671 | 10 Jul 2018 | 130 min.
STARTTLS Everywhere

This week we discuss another worrisome trend in malware, another fitness tracking mapping incident and mistake, something to warn our friends and family to ignore, the value of periodically auditing previously granted web app permissions, and when malware gets picky about the machines it infects. Another kind of well-meaning Coinhive service gets abused. What are the implications of D-Link losing control of its code-signing cert? There's some good news about Android apps. iOS v11.4.1 introduces "USB Restricted Mode," but is it? We've got a public service reminder about the need to wipe old thumb drives and memory cards. What about those free USB fans that were handed out at the recent North Korea/U.S. summit? Then we take a look at email's STARTTLS system and the EFF's latest initiative to increase its usefulness and security.
62 MB 16 MB  218 KB   <-- Show Notes 148 KB 97 KB 178 KB

Episode #670 | 03 Jul 2018 | 121 min.
Wi-Fi Protected Access v3

This week we discuss the interesting case of a VirusTotal upload - or was it? We've got newly discovered problems with our 4G LTE and even what follows; another new EFF encryption initiative; troubles with Spectre and Meltdown in some browsers; the evolution of UPnP-enabled attacks; an unpatched WordPress vulnerability that doesn't appear to be worrying the WordPress devs; and an early look at next year's forthcoming WPA3 standard, which appears to fix everything!
58 MB 15 MB  229 KB   <-- Show Notes 97 KB 81 KB 139 KB

Episode #669 | 26 Jun 2018 | 115 min.
Cellular Location Privacy

This week we examine some new side-channel worries and vulnerabilities. Did Mandiant "hack back" on China? More trouble with browsers, the big Google Firebase mess, sharing a bit of my dead system resurrection, and a look at the recent Supreme Court decision addressing cellular location privacy.
55 MB 14 MB  267 KB   <-- Show Notes 102 KB 81 KB 165 KB

Episode #668 | 19 Jun 2018 | 125 min.
Lazy FP State Restore

This week we examine a rather "mega" patch Tuesday, a nifty hack of Win10's Cortana, Microsoft's official "when do we patch" guidelines, the continuing tweaking of web browser behavior for our sanity, a widespread Windows 10 rootkit, the resurgence of the Satori IoT botnet, clipboard monitoring malware, a forthcoming change in Chrome's extensions policy, hacking apparent download counts on the Android store, some miscellany, an update on the status of Spectre & Meltdown - and, yes, yet another brand new speculative execution vulnerability our OSes will be needing to patch against.
60 MB 15 MB  171 KB   <-- Show Notes 125 KB 88 KB 206 KB

Episode #667 | 12 Jun 2018 | 105 min.
Zippity Do or Don’t

This week we update again on VPNFilter, look at another new emerging threat, check in on Drupalgeddon2, examine a very troubling remote Android vulnerability under active wormable exploitation, and take stock of Cisco's multiple firmware backdoors. We discuss a new crypto mining strategy, the evolution of Russian state-sponsored cybercrime, a genealogy service that lost its user database, ongoing Russian censorship, and another Adobe Flash mess. We check in on how Marcus Hutchins is doing. And, finally, we look at yet another huge mess resulting from insecure interpreters.
50 MB 13 MB  232 KB   <-- Show Notes 113 KB 74 KB 138 KB

Episode #666 | 05 Jun 2018 | 110 min.
Certificate Transparency

This week we discuss yesterday’s further good privacy news from Apple, the continuation of VPNFilter, an extremely clever web browser cross-site information leakage side-channel attack, and Microsoft Research’s fork of OpenVPN for security in a post-quantum world. Microsoft drops the ball on a zero-day remote code execution vulnerability in JScript, Valve finally patches a longstanding and very potent RCE vulnerability, Redis caching servers continue to be in serious trouble, a previously patched IE zero-day continues to find victims, and Google’s latest Chrome browser has removed support for HTTP public key pinning (HPKP). And, finally, what is “Certificate Transparency,” and why do we need it?
53 MB 13 MB  241 KB   <-- Show Notes 108 KB 77 KB 138 KB

Episode #665 | 29 May 2018 | 104 min.
VPNFilter

This week we discuss Oracle’s planned end of serialization, Ghostery’s GDPR faux pas, the emergence of a clever new banking trojan, Amazon Echo and the Case of the Fuzzy Match, more welcome movement from Mozilla, yet another steganographic hideout, an actual real-world appearance of HTTP Error 418 (I’m a Teapot!), the hype over Z-Wave’s Z-Shave, and a deep dive into the half a million strong VPNFilter botnet.
49 MB 12 MB  206 KB   <-- Show Notes 117 KB 74 KB 137 KB

Episode #664 | 22 May 2018 | 95 min.
SpectreNG Revealed

This week we examine the recent flaws discovered in the secure Signal messaging app for desktops, the rise in DNS router hijacking, another seriously flawed consumer router family, Microsoft Spectre patches for Win10’s April 2018 feature update, the threat of voice assistant spoofing attacks, the evolving security of HTTP, still more new trouble with GPON routers, Facebook’s Android app mistake, BMW’s 14 security flaws, and some fun miscellany. Then we examine the news of the next generation of Spectre processor speculation flaws and what they mean for us.
45 MB 11 MB  177 KB   <-- Show Notes 96 KB 67 KB 126 KB

Episode #663 | 15 May 2018 | 94 min.
Ultra-Clever Attacks

This week we will examine two incredibly clever, new, and bad attacks named eFail and Throwhammer. But first we catch up on the rest of the past week’s security and privacy news, including the evolution of UPnProxy, a worrisome flaw discovered in a very popular web development platform, the first anniversary of EternalBlue, the exploitation of those GPON routers, this week’s disgusting security headshaker, a summary of the RSA Conference’s security practices survey, the appearance of persistent IoT malware, a significant misconception about hard drive failure, an interesting bit of listener feedback, and then a look at two VERY clever new attacks.
45 MB 11 MB  320 KB   <-- Show Notes 91 KB 65 KB 120 KB

Episode #662 | 08 May 2018 | 101 min.
Spectre – NextGen

This week we begin by updating the status of several ongoing security stories: Russia vs. Telegram, Drupalgeddon2, and the return of Rowhammer. We will conclude with MAJOR new bad news related to Spectre. We also have a new cryptomalware, Twitter’s in-the-clear passwords mistake, new Android “P” security features, a crazy service for GDPR compliance, Firefox’s sponsored content plan, another million routers being attacked, more deliberately compromised JavaScript found in the wild, a new Microsoft Meltdown mistake, a comprehensive Windows command reference, and signs of future encrypted Twitter DMs.
48 MB 12 MB  254 KB   <-- Show Notes 115 KB 73 KB 137 KB

Episode #661 | 01 May 2018 | 120 min.
Securing Connected Things

This week we discuss Win10 getting a new spring in its step, Microsoft further patching Intel microcode, the U.K.’s NHS planning to update, another hack of modern connected autos, Oracle’s botched WebLogic patch, an interesting BSOD-on-demand Windows hack, a PDF credentials theft hack (which Adobe won’t fix), your Echo may be listening to you, a powerful hotel keycard hack, a bit of errata and feedback, and a discussion of another Microsoft-driven security initiative.
57 MB 14 MB  203 KB   <-- Show Notes 117 KB 92 KB 160 KB

Episode #660 | 24 Apr 2018 | 118 min.
Azure Sphere

This week we discuss Drupalgeddon2 continuing to unfold right on plan. The Orangeworm takes aim at medical equipment and companies. The FDA moves forward on requiring device updates. Microsoft leads a new Cybersecurity Tech Accord. We talk about another instance of loud noises and hard drives not mixing, considerations for naming your WiFi network, the unappreciated needs of consumer routers, Google’s new unencrypted messaging app push, Amazon pulling the trigger on “in-car” package delivery, the first puzzle recommendation in a long time, and Microsoft’s move to secure the IoT space.
57 MB 14 MB  246 KB   <-- Show Notes 116 KB 91 KB 159 KB

Episode #659 | 17 Apr 2018 | 93 min.
Never a Dull Moment

This week we discuss AMD’s release of their longawaited Spectre variant 2 microcode patches, the end of Telegram Messenger in Russia, the on-time arrival of Drupalgeddon2, Firefox and TLS v1.3, the new and widespread UPnProxy attacks, Microsoft’s reversal on no longer providing Windows security updates without AV installed, Google Chrome’s decision to prematurely remove HTTP cookies, the Android “patch gap,” renewed worries over old and insecure Bitcoin crypto, new attacks on old IIS, a WhatsApp photo used for police forensics, and an IoT vulnerability from our You Can’t Make This Stuff Up department.
44 MB 11 MB  141 KB   <-- Show Notes 104 KB 65 KB 126 KB

Episode #658 | 10 Apr 2018 | 98 min.
Deprecating TLS 1.0 & 1.1

This week we discuss Intel’s big Spectre microcode announcement, Telegram not being long for Russia, U.S. law enforcement’s continuing push for “lawful decryption,” more state-level Net Neutrality news, Win10’s replacement for Disk Cleanup, a bug bounty policy update, some follow-up to last week’s Quad-1 DNS conversation, why clocks had been running slow throughout Europe, and then a look at the deprecation of earlier versions of TLS and a big Cisco mistake.
46 MB 12 MB  442 KB   <-- Show Notes 102 KB 69 KB 129 KB

Episode #657 | 03 Apr 2018 | 107 min.
ProtonMail

This week we discuss “Drupalgeddon2,” Cloudflare’s new DNS offering, a reminder about GRC’s DNS Benchmark, Microsoft’s Meltdown meltdown, the persistent iOS QR code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new email initiative, free electricity, a policy change at Google’s Chrome Store, another “please change your passwords” after another website breach, a bit of miscellany, a heartwarming SpinRite report, some closing-the-loop feedback from our terrific listeners, and a closer look at the Swiss encrypted ProtonMail service.
51 MB 13 MB  362 KB   <-- Show Notes 103 KB 75 KB 137 KB

Episode #656 | 27 Mar 2018 | 110 min.
TLS v1.3 Happens

This week we discuss the mess with U.S. voting machines, technology’s inherent security versus convenience tradeoff, the evolving 2018 global threat landscape, and welcome news on the bug bounty front from Netflix and Dropbox. We have the interesting results of Stack Overflow’s eighth annual survey of 101,592 developers, worrisome news on the U.S. government data overreach front, some useful and important new web browser features, messenger app troubles, a critical Drupal update coming tomorrow, some welcome news for DNS security and privacy, a bit of miscellany, and a look at the just-ratified TLS v1.3.
53 MB 13 MB  185 KB   <-- Show Notes 117 KB 79 KB 144 KB

Episode #655 | 20 Mar 2018 | 97 min.
Pwn2Own 2018

This week we discuss the aftermath of CTS Labs’ abrupt disclosure of flaws in AMD’s outsourced chipsets; Intel’s plans for the future and their recent microcode update news; several of Microsoft’s recent announcements and actions; the importance of testing, in this case VPNs; the first self-driving automobile pedestrian death; a SQRL update; a bit of closing-the-loop feedback with our listeners; and a look at the outcome of last week’s annual Pwn2Own hacking competition.
47 MB 12 MB  189 KB   <-- Show Notes 126 KB 76 KB 143 KB

Episode #654 | 13 Mar 2018 | 109 min.
AMD Chipset Disaster

This week we discuss the just-released news of major trouble for AMD’s chipset security, ISPs actively spreading state-sponsored malware, Windows 10 S coming soon, a large pile of cryptocurrency mining-driven shenanigans, tomorrow’s Pwn2Own competition start, surprising stats about Spam botnet penetration, and a Week 2 update on the new Memcached DrDoS attacks.
52 MB 13 MB  261 KB   <-- Show Notes 126 KB 81 KB 148 KB

Episode #653 | 06 Mar 2018 | 109 min.
“MemCrashed” DDoS Attacks

This week we discuss some very welcome microcode news from Microsoft, ten (yes, ten!) new 4G LTE network attacks, the battle over how secure TLS v1.3 will be allowed to be, the incredible Trustico certificate fiasco, the continually falling usage of Adobe Flash, a new and diabolical cryptocurrency-related malware, the best Sci-Fi news in a LONG time, some feedback from our terrific listeners... and a truly record smashing (and not in a good way) new family of DDoS attacks.
52 MB 13 MB  409 KB   <-- Show Notes 126 KB 77 KB 146 KB

Episode #652 | 27 Feb 2018 | 137 min.
WebAssembly

This week we discuss Intel’s Spectre & Meltdown microcode update, this week in cryptojacking, Tavis strikes again, Georgia on my mind (and not in a good way), news from the iPhone hackers at Cellebrite, Apple to move its Chinese customer data, e-Passports? Not really, Firefox 60 loses a feature, the IRS and cryptocurrencies, Android P enhances Privacy, malicious code signing news, a VERY cool Cloudfront/Troy Hunt hack, a bit of errata, miscellany, and closing the loop feedback from our terrific listeners, and a closer look at WebAssembly.
66 MB 16 MB  169 KB   <-- Show Notes 162 KB 101 KB 180 KB

Episode #651 | 20 Feb 2018 | 104 min.
Russian Meddling Technology

This week we examine and discuss the appearance of new forms of Meltdown and Spectre attacks, the legal response against Intel, the adoption of new cybersecurity responsibility in New York, some more on Salon and authorized crypto mining, more on software cheating auto emissions, a newly revealed instance of highly profitable mal-mining, checking in on Let’s Encrypt’s steady growth, the first crack of Windows uncrackable UWP system, Apple’s wacky Telugu Unicode attacks, a frightening EternalBlue experiment, another aspect of crypto mining annoyance, a note now that Chrome’s new advertising controls are in place, and a bit of closing-the-loop with our listeners.
42 MB 11 MB  207 KB   <-- Show Notes 96 KB 75 KB 135 KB

Episode #650 | 13 Feb 2018 | 90 min.
Cryptocurrency Antics

This week we discuss today’s preempted Second Tuesday of the Month, slow progress on the Intel Spectre firmware update front, a worse-than-originally-thought Cisco firewall appliance vulnerability, the unsuspected threat of hovering hacking drones, hacking at the Winter Olympics, Kaspersky’s continuing unhappiness, the historic leak of Apple’s iOS boot source code, a critical WiFi update for some Lenovo laptop users, a glitch at WordPress, a bit of miscellany (including a passwords rap), some closing-the-loop feedback from our listeners, and then a look at a handful of cryptocurrency antics.
42 MB 11 MB  218 KB   <-- Show Notes 96 KB 67 KB 126 KB

Episode #649 | 06 Feb 2018 | 88 min.
Meltdown & Spectre Emerge

This week we observe that the Net Neutrality battle is actually FAR from lost. Computerworld's Woody Leonard enumerates a crazy January of updates. EternalBlue is turning out to be far more "eternal" than we'd wish. Will Flash EVER die? There's a new zero-day Flash exploit in the wild. What happens when you combine Shodan with Metasploit? Firefox 59 takes another privacy-enhancing step forward. We've got a questionable means of sneaking data between systems; another fun SpinRite report from the field; some closing-the-loop feedback from our listeners; and, finally, a look at the early emergence of Meltdown and Spectre exploits appearing in the wild.
42 MB 11 MB  184 KB   <-- Show Notes 101 KB 65 KB 124 KB

Episode #648 | 30 Jan 2018 | 107 min.
Post Spectre?

This week we discuss continuing Spectre updates, how not to treat Tavis Ormandy, a popular dating app where you'd really hope for HTTPS but be surprised to find it missing, the unintended consequences of global posting of fitness tracking data, gearing up (or not) for this year's voting machine hack'fest, another record broken by a cryptocurrency exchange heist, bad ads and fake ads, the unclear fate of the BSD operating systems, a caution about Dark Caracal's CrossRAT Trojan, another way to skin the Net Neutrality cat, a bit of errata and miscellany, one of the best SpinRite testimonials in a long time, and some closing the loop feedback from our terrific listeners.
50 MB 13 MB  140 KB   <-- Show Notes 114 KB 79 KB 145 KB

Episode #647 | 23 Jan 2018 | 105 min.
The Dark Caracal

This week's news continues to be dominated by the industry-shaking Meltdown and Spectre vulnerabilities. We will catch up with what's new there, then discuss the Net Neutrality violation detection apps that are starting to appear; a new app and browser plugin from the search privacy provider DuckDuckGo; a bit of welcome news from Apple's Tim Cook about their planned response to the iPhone battery-life and performance debacle; a bit of errata; and some feedback from our terrific listeners. Then we take a look into a state-level, state-sponsored, worldwide, decade-long cyberespionage campaign which the EFF and Lookout Security have dubbed “Dark Caracal.”
50 MB 13 MB  309 KB   <-- Show Notes 129 KB 78 KB 145 KB

Episode #646 | 16 Jan 2018 | 91 min.
The InSpectre

This week we discuss more trouble with Intel’s AMT, what Skype’s use of Signal really means, the UK’s data protection legislation giving researchers a bit of relief, the continuing winding down of HTTP, “progress” on the development of Meltdown attacks, Google successfully tackling the hardest to fix Spectre concern with a Return Trampoline, some closing-the-loop feedback with our terrific listeners, and the evolving landscape of Meltdown and Spectre – including Steve’s just completed “InSpectre” test and explanation utility.
44 MB 11 MB  140 KB   <-- Show Notes 126 KB 71 KB 138 KB

Episode #645 | 09 Jan 2018 | 116 min.
The Speculation Meltdown

This week, before we focus upon the industry-wide catastrophe enabled by precisely timing the instruction execution of all contemporary high-performance processor architectures, we examine a change in Microsoft’s policy regarding non-Microsoft AV systems, Firefox Quantum’s performance when tracking protections are enabled, the very worrisome hard-coded backdoors in 10 of Western Digital’s My Cloud drives; and, if at first (WEP) and at second (WPA) and at third (WPA2) and at fourth (WPS) you don’t succeed, try, try, try, try, try yet again with WPA3, another crucial cryptographic system being developed by a closed members-only committee.
55 MB 14 MB  222 KB   <-- Show Notes 116 KB 84 KB 162 KB

Episode #644 | 02 Jan 2018 | 118 min.
NSA Fingerprints

This week we discuss a new clever and disheartening abuse of our browsers’ handy-dandy username and password autofill, some recent and frantic scurrying around by many OS kernel developers, a just-released MacOS zero-day allowing full local system compromise, another massively popular router falls to the IoT botnets, even high-quality IoT devices have problems, the evolution of adblocking and countermeasures, an important update for Mozilla’s Thunderbird, a bit of miscellany, listener feedback, and an update on the NSA’s possible intervention into secure encryption standards.
56 MB 14 MB  172 KB   <-- Show Notes 132 KB 86 KB 155 KB

• Current Podcast Page
• Security Now 2017
• Security Now 2016
• Security Now 2015
• Security Now 2014
• Security Now 2013
• Security Now 2012
• Security Now 2011
• Security Now 2010
• Security Now 2009
• Security Now 2008
• Security Now 2007
• Security Now 2006
• Security Now 2005



You can receive an eMail reminder whenever this page is updated with a new Security Now! episode. Click the "Monitor Changes" button to have the highly-regarded "Change Detection" web site monitor this page and send you a note when it changes.

Monitor this page for changes: (it's private by ChangeDetection)
Security Now!, SpinRite Testimonials, and other Feedback:
Please use GRC's Visitor & Listener FEEDBACK Page where you may easily submit any feedback for Security Now, SpinRite testimonials, suggestions for future Security Now topics or questions & comments for future Listener Feedback episodes. Thank you!


Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Nov 22, 2019 at 15:42 (12.63 days ago)Viewed 1,796 times per day