Our weekly audio security column
& podcast by Steve Gibson and Leo Laporte
TechTV's Leo Laporte and I spend somewhat shy of two hours each week to discuss important issues of personal computer security. Sometimes we'll discuss something that just happened. Sometimes we'll talk about long-standing problems, concerns, or solutions. Either way, every week we endeavor to produce something interesting and important for every personal computer user.

[Image: Steve and Leo as Picard and Riker]
(This was not our idea. It was created by a fan of the podcast using GIMP (similar to Photoshop). But as a work of extreme image manipulation, it came out surprisingly well.)

You may download and listen to selected episodes from this page (see below), or subscribe to the ongoing series as an RSS "podcast" to have them automatically downloaded to you as they are produced. To subscribe, use whichever service you prefer . . .

Receive an automatic eMail reminder whenever a new episode is posted here (from ChangeDetection.com). See the section at the bottom of this page.

Send us your feedback: Use the form at the bottom of the page to share your opinions, thoughts, ideas, and suggestions for future episodes.

Leo also produces "This Week in Tech" (TWiT) and a number of other very popular podcasts (TWiT is America's most listened-to podcast!). So if you are looking for more informed technology talk, be sure to check out Leo's other podcasts and mp3 files.

And a huge thanks to AOL Radio for hosting the high-quality MP3 files and providing the bandwidth to make this series possible. We use "local links" to count downloads, but all of the high-quality full-size MP3 files are being served by AOL Radio.

Episode Archive

Each episode has SIX resources:

High quality 64 kbps mp3 audio file
Quarter size, bandwidth-conserving, 16 kbps (lower quality) mp3 audio file
A PDF file containing Steve's show notes
A web page text transcript of the episode
A simple text transcript of the episode
Ready-to-print PDF (Acrobat) transcript

(Note that the text transcripts will appear a few hours later than the audio files since they are created afterwards.)

For best results: RIGHT-CLICK on one of the two audio icons below, then choose "Save Target As..." to download the audio file to your computer before starting to listen. For the other resources you can either LEFT-CLICK to open in your browser or RIGHT-CLICK to save the resource to your computer.

Episode #871 | 17 May 2022 | 99 min.
The New EU Surveillance State

This week we look back at what no one wanted, an eventful Patch Tuesday. Apple has pushed a set of updates to close an actively exploited zero-day. Google announced the creation of their Open Source Maintenance Crew. A ransomware gang wants to overthrow a government. Google's Play Store faces an endlessly daunting task. The predicted disaster for F5's BIG-IP systems arrived. A piece of errata and some closing-the-loop feedback from our terrific listeners. Then we're going to look at just how far afield the European Union has wandered with their forthcoming breathtaking surveillance legislation.
Downloads: 64 kbps MP3 48 MB | 16 kbps MP3 12 MB | Show notes PDF 610 KB | Web transcript 125 KB | Text transcript 77 KB | PDF transcript 319 KB

Episode #870 | 10 May 2022 | 108 min.
That “Passkeys” Thing

This week we look at a patch to Android to thwart an actively exploited vulnerability. We briefly revisit Connecticut's new privacy law and we take a quick look at the raft of recent ransomware victims. The U.S. State Department has added another ransomware group to its big bounty list and we look at what's being called the biggest cybersecurity threat facing the U.S. Meanwhile, the White House issues a memorandum about the threat from quantum computing and we have the discovery of a new and pernicious DNS vulnerability that's unlikely to be fixed in our IoT devices. And after looking at F5 Networks' new and quite serious troubles, we close the loop with some listener feedback, briefly discuss the past week of Sci-Fi news, then finish by looking at the past week's most Tweeted-to-me question: “What's that passkeys thing that Apple, Google and Microsoft are adopting?”
Downloads: 64 kbps MP3 52 MB | 16 kbps MP3 13 MB | Show notes PDF 701 KB | Web transcript 144 KB | Text transcript 84 KB | PDF transcript 357 KB

Episode #869 | 03 May 2022 | 91 min.
Global Privacy Control

This week we're going to examine the success of the abbreviation-overloaded DoD's DIB-VDP pilot program. We're going to introduce the relatively new OpenSSF - Open Source Security Foundation - and its Package Analysis Project. We're going to look at some hopeful new privacy legislation recently passed in Connecticut's house which, if signed into law, would cause it to join four other privacy-progressive states, and we're going to look at Moxie Marlinspike's irreverent rationale for the need for port knocking. Then, after sharing some interesting listener feedback, we're going to look at the background, implementation and future of a very encouraging development in user web browser and Internet privacy.
Downloads: 64 kbps MP3 44 MB | 16 kbps MP3 11 MB | Show notes PDF 649 KB | Web transcript 86 KB | Text transcript 69 KB | PDF transcript 259 KB

Episode #868 | 26 Apr 2022 | 104 min.
The 0-Day Explosion

This week we're going to take a close look at the U.S. Cybersecurity and Infrastructure Security Agency's mandated must-update list, including some recent entries. We're going to examine the somewhat breathtaking mistake that Lenovo made across more than 100 of their laptop models, and a cryptocurrency wallet implemented in a web browser (what could possibly go wrong?). Then we're going to look at another startling vulnerability that was recently discovered in Java versions 15, 16, 17 and 18. We have a bunch of interesting listener feedback, a brief Sci-Fi interlude, and the announcement of a major milestone reached for SpinRite. Then we're going to wrap up by taking a look across the past ten years of 0-day vulnerabilities thanks to some recent research performed by the security firm Mandiant. The title of this week's podcast gives away what's been happening.
Downloads: 64 kbps MP3 50 MB | 16 kbps MP3 12 MB | Show notes PDF 535 KB | Web transcript 123 KB | Text transcript 81 KB | PDF transcript 319 KB

Episode #867 | 19 Apr 2022 | 98 min.
A Critical Windows RPC RCE

This week we examine Chrome's third zero-day of the year, followed by Microsoft's massive 128-patch fest last week, and we note that we don't even bother counting Windows zero-days, though there were another two this month amid the 47 critical vulnerabilities that were patched, one of them being so worrisome that it captured this week's podcast title, which we'll cover at length before we conclude. We also have more WordPress add-on trouble, the return of a longstanding problem in Apache Struts, and we have some interesting commentary about the current hackability status of the United States nuclear arsenal. I want to share a bit of closing-the-loop feedback with our listeners and give everyone a snapshot into the recent work on SpinRite. Then we're going to take a close look at the one flaw, out of 128 that Microsoft patched last week, that truly has the entire security industry on pins and needles because it enables a zero-click Internet worm.
Downloads: 64 kbps MP3 47 MB | 16 kbps MP3 12 MB | Show notes PDF 652 KB | Web transcript 91 KB | Text transcript 72 KB | PDF transcript 277 KB

Episode #866 | 12 Apr 2022 | 81 min.
Spring4Shell

We'll wrap up this week's podcast by revisiting Spring4Shell. Last week, when we first mentioned it, it was just a questionable itch. Now, a week later, it's a full blown outbreak deserving of today's podcast title. But before we roll up our sleeves for that we're going to examine credible reports of a 0-day in the Internet's most popular web server platform. We're going to take a look at Microsoft's newly announced “Autopatch” system, and the rapidly approaching end-of-security life of some Windows 10 editions. We have another instance of an NPM protest-ware modification of a highly used library, and I want to share a bit of miscellany and listener feedback. Then we'll finish by looking at what one week has done to Spring4Shell.
Downloads: 64 kbps MP3 39 MB | 16 kbps MP3 10 MB | Show notes PDF 396 KB | Web transcript 92 KB | Text transcript 63 KB | PDF transcript 266 KB

Episode #865 | 05 Apr 2022 | 104 min.
Port Knocking

This week we examine a critical Java framework flaw that's been named “Spring4Shell” because it's mildly reminiscent of Java's recent “Log4J” problem. We'll also take a look at the popular QNAP NAS devices and several recent security troubles there. Sophos has got themselves an attention-grabbing, must-patch-now 9.8 CVSS vulnerability, and it didn't take long (10 days) for the theoretical Browser-in-the-Browser spoof to become non-theoretical. There's more worrisome news on the NPM supply-chain package manager exploitation nightmare, the FinFisher spyware firm happily bites the dust, and some of the young hackers forming the Lapsus$ gang have been identified. Squarely in the doghouse this week is WYZE, whose super-popular webcams have problems which are just as serious as those of the company itself... and, oh!, the authentication bypass details, which I'll share, are SO wonderful! Then after a bit of closing-the-loop feedback with our listeners, I want to talk about and put the idea of “Strong Service Concealment” on everyone's radar. “Port Knocking” is not a new idea by any means. But it is extremely clever, cool and useful. In today's world, there's more reason than ever for ports, and the services behind them that are not actively soliciting public traffic, to be kept completely hidden. There are a number of ways this can be done which are very cool.
Downloads: 64 kbps MP3 50 MB | 16 kbps MP3 13 MB | Show notes PDF 316 KB | Web transcript 101 KB | Text transcript 76 KB | PDF transcript 285 KB

Episode #864 | 29 Mar 2022 | 99 min.
Targeted Exploitation

This week we start by looking at Chrome's second zero-day vulnerability of the year. We then spend some time with an interview of the Chief Technical Officer of one of Ukraine's largest ISPs learning of the challenges they're currently facing. JavaScript's most popular package manager npm is under attack again, and Honda tells worried reporters that they have no plans to address the consequences of a new glaring security vulnerability affecting five recent years of their Honda Civic design. The FCC classifies Kaspersky Lab as a national security threat and adds a bunch of Chinese Telecom companies and services, as well. Then, after addressing a piece of use-after-free listener feedback, we take a detailed look at the consequences of Chrome's first zero-day of the year and at the attacks launched by North Korea which leveraged that flaw.
Downloads: 64 kbps MP3 48 MB | 16 kbps MP3 12 MB | Show notes PDF 604 KB | Web transcript 114 KB | Text transcript 77 KB | PDF transcript 315 KB

Episode #863 | 22 Mar 2022 | 98 min.
Use After Free

This week we look at the US's new cybercrime reporting law that was just passed. We examine a worrisome software supply chain sabotage and the trend it represents. We look at “Browser-in-the-browser,” a new way to spoof sign-in dialogs to capture authentication credentials, and we examine the way MikroTik routers are being used by the TrickBot botnet to obscure their command and control servers. A very concerning infinite loop bug has been uncovered in OpenSSL (time to update!) and CISA walks us through their forensic analysis of a Russian attack on an NGO. We then take a look at the Windows vulnerability that refuses to be resolved, and we'll finish by spending a bit more time than we have so far looking more closely at why Use-After-Free flaws continue to be so challenging.
Downloads: 64 kbps MP3 47 MB | 16 kbps MP3 12 MB | Show notes PDF 284 KB | Web transcript 117 KB | Text transcript 77 KB | PDF transcript 314 KB

Episode #862 | 15 Mar 2022 | 98 min.
QWACs On? or QWACs Off?

This week we briefly touch on last week's Patch Tuesday for both Windows and Android, the world's two most-used operating systems. We look at a recent emergency update to Firefox and the need to keep all of our systems' UEFI firmware up to date. NVIDIA suffers a huge and quite embarrassing network breach, and ProtonMail handles their Russian customers correctly. The Linux kernel has seen some challenging times recently, and Russia has decided to start signing website certificates. Research was just published to put some numbers to WordPress add-ons' observably miserable security, and the European Union legislators who brought us GDPR and mandatory website cookie notifications are at it again. What now?
Downloads: 64 kbps MP3 47 MB | 16 kbps MP3 12 MB | Show notes PDF 840 KB | Web transcript 113 KB | Text transcript 77 KB | PDF transcript 311 KB

Episode #861 | 08 Mar 2022 | 88 min.
Rogue Nation Cyber Consequences

This week we examine many of the cyber-consequences of Russia's unilateral aggression against Ukraine. In a world as interconnected as today's, can a rogue nation go it alone? Ukraine has formed a volunteer IT Army. Hacking groups are picking sides. Is Starlink a hope? Actors on both sides of Russia's borders are selectively blocking Internet content. Google has become proactive. The Namecheap registrar has withdrawn service. Use of the Telegram encrypted messenger service has exploded. Cryptocurrency exchanges block tens of thousands of wallets. Russia releases the IP addresses and domains attacking them, and likely some which are not. They also prepare to amend their laws to permit software piracy and appear to be preparing to entirely disconnect from the global Internet. All of the technologies we've been talking about for years are in play.
Downloads: 64 kbps MP3 42 MB | 16 kbps MP3 11 MB | Show notes PDF 436 KB | Web transcript 80 KB | Text transcript 69 KB | PDF transcript 243 KB

Episode #860 | 01 Mar 2022 | 103 min.
Trust Dies in Darkness

This week we examine the consequences of paying ransomware extortion demands. How did that work out for you? We take a deep look into "Daxin," a somewhat terrifying malware from attackers linked to China. We take something of a retrospective look at Log4j and draw some lessons from its trajectory. We touch on some technical consequences of Russia's invasion of Ukraine, including which kitchen appliances Russia's servers are claiming to be, and the question of the possible consequences of the U.S. becoming involved in launching some cyberattacks at Russia. We have a piece of interesting listener feedback and the results of last week's next SpinRite development pre-release. Then we're going to take a look at the significant mistake Samsung made which crippled and compromised the security of all 100 million of their most recently made Smartphones.
Downloads: 64 kbps MP3 49 MB | 16 kbps MP3 12 MB | Show notes PDF 855 KB | Web transcript 112 KB | Text transcript 78 KB | PDF transcript 310 KB

Episode #859 | 22 Feb 2022 | 94 min.
A BGP Routing Attack

This week we talk about another WordPress plug-in mess, this one so bad that WordPress themselves force-installed updates on more than three million sites. We look at the new Xenomorph Android malware and at a mistake made by a new and prominent ransomware service. We examine why blurring or pixelating text for redaction was never a good idea, and what can go wrong with a plan to shut off one's teenagers' Internet access at home. We unfortunately need to revisit the supercritical Magento/Adobe Commerce platform patch which didn't quite work completely the first time, and we consider the implications of the technology behind last week's denial-of-service attacks on some of Ukraine's critical infrastructure. Then, after quick sci-fi and SpinRite updates, we'll take a look at an effective and lucrative attack that was perpetrated by deliberately abusing the still-too-trusting Border Gateway Protocol.
Downloads: 64 kbps MP3 45 MB | 16 kbps MP3 11 MB | Show notes PDF 273 KB | Web transcript 86 KB | Text transcript 71 KB | PDF transcript 265 KB

Episode #858 | 15 Feb 2022 | 92 min.
InControl

This week we look at a couple of new zero-days in Chrome and Apple's OSes. We also look at what the U.S. CISA thinks of not only these, but of 15 other problems that our federal agencies seem to be in no big hurry to fix. And we revisit last summer's SeriousSAM vulnerability in Windows which remains under attack. This being the third Tuesday of the month, we'll look back at the second Tuesday to see how that went. Sunday saw a true emergency patch issued by Adobe that probably canceled some Super Bowl plans, and we have an amazingly bad idea for a WordPress add-on. Google has published their 2021 Bounty Report, and their Project Zero has published stats about how things are going there. We have Microsoft removing a popular and highly abused feature of Windows. And then, because nothing else in the past week commanded the podcast's title, I'll wind up by formally introducing GRC's latest freeware which puts its users firmly "InControl."
Downloads: 64 kbps MP3 44 MB | 16 kbps MP3 11 MB | Show notes PDF 571 KB | Web transcript 109 KB | Text transcript 71 KB | PDF transcript 282 KB

Episode #857 | 08 Feb 2022 | 106 min.
The Inept Panda

This week we're going to take a look at our law enforcement and cyber-defense recommendations regarding safe conduct while in Beijing for the 2022 Winter Olympic Games. We're going to take a look at a serious CVSS 9.9 vulnerability affecting Linux's use of SAMBA, and at some interesting details of so-called “Living off the Land” exploitation of commonly present operating system utilities. We'll examine Microsoft's most recent approach to application packaging and installation, triggered by their recent wholesale neutering of its primary application and feature. And we're also going to celebrate a welcome change in Microsoft policy that's been 20 years in the making. I'll share a brief pre-announcement of a new forthcoming GRC quickie freeware utility. Then we'll take a close look at “MY2022”, the iOS and Android application which all attendees of the Beijing Olympics are required to install, carry and use. Citizen Lab's reverse-engineering analysis will explain how this week's podcast got its name.
Downloads: 64 kbps MP3 51 MB | 16 kbps MP3 13 MB | Show notes PDF 569 KB | Web transcript 101 KB | Text transcript 79 KB | PDF transcript 287 KB

Episode #856 | 01 Feb 2022 | 136 min.
The “Topics” API

This is another of those weeks where we're going to go deeper into fewer topics rather than broader across more topics, with Google's newly announced and explained “Topics” API of course being our title story. So we'll start by looking at “PwnKit”, which is a startling and long-standing local privilege escalation vulnerability which has existed in every distribution of Linux since May of 2009. It's a MUST PATCH for Linux systems. We'll then look at another of the blessedly few Log4j exploits which is actually happening, update on two new Zerodium limited-time bounty “offers”, and at a new means for fingerprinting web browsers. I have a totally random bit of miscellany to share in the form of a tip, a SpinRite update and some closing-the-loop feedback from our terrific listeners. Then we'll wrap up by taking a really interesting deep dive into Google's new ad-targeting “Topics” API.
Downloads: 64 kbps MP3 65 MB | 16 kbps MP3 16 MB | Show notes PDF 247 KB | Web transcript 112 KB | Text transcript 101 KB | PDF transcript 334 KB

Episode #855 | 25 Jan 2022 | 94 min.
Inside the NetUSB Hack

This week we briefly touch on the ongoing Log4j background noise. We look at the result of the insurance industry's pushback against ransomware coverage and at the resulting changing cyber-insurance landscape. We look at another WordPress add-on problem and a supply-chain attack on a very popular add-on provider. We also wonder whether WordPress still makes sense in 2022? We cover the EU's quite welcome major bug bounty funding, and Kaspersky's discovery of a very difficult to root out UEFI bootkit. We'll share some interesting questions and topics suggested by our listeners, then we're going to take another of our recent technical deep dives to examine the precise cause of that pervasive NetUSB flaw – it's really fun and completely understandable!
Downloads: 64 kbps MP3 45 MB | 16 kbps MP3 11 MB | Show notes PDF 336 KB | Web transcript 90 KB | Text transcript 70 KB | PDF transcript 272 KB

Episode #854 | 18 Jan 2022 | 102 min.
Anatomy of a Log4j Exploit

This week we start off by looking at how the U.S. Pentagon is dealing with Log4j and how the U.S. administration at the White House wants to improve the security of open source software. This being the 3rd Tuesday of the month, we'll look back at last week's decidedly mixed-blessing Patch Tuesday – the good and the unfortunate. We'll then look at a very serious new remotely exploitable problem which affects many popular routers – and provide a shortcut of the week to immediately check your own routers – and then look at a new and very welcome access control standard being introduced by the W3C which Chrome is already in the process of adopting. We'll wrap up the top portion of the podcast with yet another set of very serious WordPress add-on blunders. Then we'll share a bit of listener feedback, including answering the very popular questions about refilling empty SodaStream tanks. And after a brief SpinRite progress update we're going to take a close look inside the operation of an actual, Iranian, Log4j exploit kit.
Downloads: 64 kbps MP3 49 MB | 16 kbps MP3 12 MB | Show notes PDF 413 KB | Web transcript 106 KB | Text transcript 79 KB | PDF transcript 288 KB

Episode #853 | 11 Jan 2022 | 93 min.
URL Parsing Vulnerabilities

This week we'll begin with another in our series of Log4j updates which includes among a few other bits of news, an instance of a real-world vulnerability and the FTC's somewhat surprising and aggressive message. We'll chronicle the Chrome browser's first largish update of 2022 and also note the gratifying 2021 growth of the privacy-centric Brave browser. WordPress needs updating, but this time not an add-on but WordPress itself. We're going to then answer the age-old question posed during last Wednesday's Windows Weekly podcast: “What exactly is a Pluton? and how many can dance on the head of a pin?” And finally, after a quick Sci-Fi reading recommendation and a very brief touch on my ongoing SpinRite work, we're going to take a gratifyingly deep dive into the unfortunate vagaries of our industry's URL parsing libraries to see just how much trouble we're in as a result of no two of them parsing URLs in exactly the same way.
Downloads: 64 kbps MP3 45 MB | 16 kbps MP3 11 MB | Show notes PDF 765 KB | Web transcript 116 KB | Text transcript 71 KB | PDF transcript 310 KB

Episode #852 | 04 Jan 2022 | 90 min.
December 33rd

This week we start off the new year with a handful of Log4j updates including yet another fix from Apache; some false positive alarms; Alibaba in the doghouse; and an underwhelming announcement from the U.S. Department of Homeland Security. We note the postponement of a critical industry security conference, an interesting aspirational announcement from DuckDuckGo's CEO, and the soon-to-be-rising costs of cyber insurance. Then, after a bit of miscellany and a SpinRite update, we look at the surprising technological decision that has forced the official creation of December 33rd.
Downloads: 64 kbps MP3 43 MB | 16 kbps MP3 11 MB | Show notes PDF 920 KB | Web transcript 106 KB | Text transcript 68 KB | PDF transcript 276 KB
2021 Archive Below...

Episode #851 | 28 Dec 2021 | 90 min.
Best of 2021

Leo Laporte walks through some of the highlights of the show and most impactful stories of 2021. Stories include:
• SolarWinds Hack Detailed By Microsoft
• Crispy Subtitles from Lay's
• Remembering Dan Kaminsky
• REvil Hacks Apple Supplier Quanta Computer
• The “Doom” CAPTCHA
• How Colonial Pipeline Was Breached
• When John McAfee Called Steve Gibson
• T-Mobile Subscribers: Do This Now
• “Internet Anonymity” is an Oxymoron
Downloads: 64 kbps MP3 52 MB | 16 kbps MP3 13 MB

Episode #850 | 21 Dec 2021 | 107 min.
It's a Log4j Christmas

There was no way that a massively widespread vulnerability in Java with a CVSS score of 10.0 would be wrapped up in a week. So this week we'll look at the further consequences of the Log4j vulnerabilities, including the two additional updates the Apache group have since released. But before that we'll look at what will hopefully be Chrome's final zero-day patch of the year, Firefox's surprise refusal to take its users to Microsoft.com, and Mozilla's decision to protect its users from Windows 10 cloud-based clipboard sharing. We have a new and interesting means of increasing the power of fraudulent cell tower Stingray attacks, and a continuing threat from cross-radio WiFi-to-Bluetooth leakage. We'll touch on a sci-fi reminder and a SpinRite update, then dig into what's happened since last week on the Log4j front.
Downloads: 64 kbps MP3 52 MB | 16 kbps MP3 13 MB | Show notes PDF 532 KB | Web transcript 142 KB | Text transcript 84 KB | PDF transcript 354 KB

Episode #849 | 14 Dec 2021 | 91 min.
Log4j & Log4Shell

This week we will, of course, be discussing what's being called the worst Internet-wide security catastrophe in recent memory. Log4Shell is not like Spectre or Meltdown, which were academic theories. This is at the far other end of that spectrum. But first we're going to talk a bit about last week's massive Amazon network services outage and the unfortunate but probably inevitable abuse of Apple's AirTag ecosystem. I need to correct the record over my undeserved praise, last week, for Windows 11 and its loosening grip over its Edge browser association, and we need to warn all WordPress site admins about a new and serious set of threats. We have a single item of closing-the-loop feedback about today's main topic, a bit of Sci-Fi and a SpinRite update. Then we'll roll up our sleeves, and by the end of today's episode listeners will understand exactly how, why and what happened with Log4j and Log4Shell.
Downloads: 64 kbps MP3 44 MB | 16 kbps MP3 11 MB | Show notes PDF 413 KB | Web transcript 106 KB | Text transcript 70 KB | PDF transcript 280 KB

Episode #848 | 7 Dec 2021 | 95 min.
XSinator

This week Tavis Ormandy finds a bug in Mozilla's NSS signature verification. We look at the horrifying lack of security in smartwatches for children (smartwatches for children?!?), and at the next six VPN services to be banned in Russia. Microsoft softens the glue between Windows 11 and Edge, bad guys find a new way of slipping malware into our machines, a botnet uses the bitcoin blockchain for backup communications, and HP has 150 printer models in dire need of firmware updates. We touch on sci-fi and SpinRite, then we look at new research into an entirely new class of cross-site privacy breaches affecting every web browser including a test every user can run for themselves on their various browsers.
Downloads: 64 kbps MP3 46 MB | 16 kbps MP3 11 MB | Show notes PDF 2.21 MB | Web transcript 111 KB | Text transcript 74 KB | PDF transcript 308 KB

Episode #847 | 30 Nov 2021 | 113 min.
Bogons Begone!

This week we'll note that the new Edge browser's Super Duper Secure Mode has been deployed and can be enabled by security-conscious users. We also have more than one third (37%) of the world's smartphones vulnerable to audio monitoring and recording flaws in their MediaTek firmware. We have an important reminder about clicking links in email and wonder how that can still be a problem, and the entirely predictable evolution of a Windows zero-day vulnerability which is latent no longer. We have some interesting closing-the-loop feedback from our terrific listeners, and a sci-fi book update. Then we take another and much broader look at the recent efforts to clean up IPv4, but this time from the perspective of those working to do so.
Downloads: 64 kbps MP3 54 MB | 16 kbps MP3 14 MB | Show notes PDF 368 KB | Web transcript 131 KB | Text transcript 84 KB | PDF transcript 327 KB

Episode #846 | 23 Nov 2021 | 102 min.
HTTP Request Smuggling

We're going to start off this week by taking a careful look at a shocking proposal being made by the Internet Engineering Task Force, the IETF. They're proposing a change to a fundamental and long-standing aspect of the Internet's routing which I think must be doomed to fail. So we'll spend a bit of time on this in case it might actually happen. Then Microsoft reveals some results from their network of honeypots, and we update on the progress, or lack of it, toward more secure passwords. GoDaddy suffers another major intrusion, and just about every Netgear router really does now need to receive a critical update for the fifth time this year. This one is very worrisome.
Downloads: 64 kbps MP3 49 MB | 16 kbps MP3 12 MB | Show notes PDF 601 KB | Web transcript 108 KB | Text transcript 74 KB | PDF transcript 283 KB

Episode #845 | 16 Nov 2021 | 94 min.
Blacksmith

This week we look at a critical 9.8-rated vulnerability affecting Palo Alto Networks' widely deployed VPN/Firewall appliance, and at a welcome new micropatch from the 0patch guys, the nature of which leads me into a bit of philosophical musing about the Zen of coding. We're then rocketed back to reality by a review of last week's Patch Tuesday, looking at what it broke and happily what more it fixed, including hints that Christmas might finally be coming to printing by December. We have some more encouraging ransomware vs the law news, and we examine the question of how to make big money defrauding online advertisers. I'll then share some fun and interesting closing-the-loop feedback from our listeners, update on my SpinRite work, and then we're going to take a look at “Blacksmith” – the evolution of Rowhammer attacks on DRAM.
Downloads: 64 kbps MP3 45 MB | 16 kbps MP3 11 MB | Show notes PDF 819 KB | Web transcript 96 KB | Text transcript 73 KB | PDF transcript 278 KB

Episode #844 | 09 Nov 2021 | 112 min.
Bluetooth Fingerprinting

This week we quickly cover a bunch of welcome news on the combating ransomware front. We look at the results from last week's Pwn2Own contest in Austin, Texas and at a weird problem that only some users of Windows 11 started experiencing after Halloween. There's a serious problem with GitLab servers and additional supply-chain attacks on JavaScript's package management. Google fixed a bunch of things in Android last Tuesday, Cisco has issued an emergency CVSS 9.8 alert, and US Federal agencies are being ordered to patch hundreds of outstanding vulnerabilities. We have some fun closing-the-loop feedback from our listeners. I'm going to share the details of an interesting IRQ problem I tracked down last week. Then we'll take a look at an aspect of radio frequency fingerprinting that has apparently escaped everyone's notice until seven researchers from UCSD did the math.
Downloads: 64 kbps MP3 54 MB | 16 kbps MP3 13 MB | Show notes PDF 327 KB | Web transcript 128 KB | Text transcript 87 KB | PDF transcript 330 KB

Episode #843 | 02 Nov 2021 | 99 min.
Trojan Source

This week we keep counting them Chrome 0-days, we look at a pair of badly misbehaving Firefox add-ons with Mozilla's moves to deal with their and future proxy API abuse. We check in for Windows news from Redmond which I'm again unable to resist commenting upon, then we look at a surprise motherlode of critical updates from Adobe and at the still-ongoing DDoS attacks against VoIP providers and their providers. We'll look at some fun and interesting Closing The Loop feedback from our listeners and I'm able to share some surprising early benchmarks from SpinRite. Then we finish by looking at a frighteningly clever and haunting new attack against source code known as “Trojan Source.”
Downloads: 64 kbps MP3 48 MB | 16 kbps MP3 12 MB | Show notes PDF 511 KB | Web transcript 82 KB | Text transcript 74 KB | PDF transcript 251 KB

Episode #842 | 26 Oct 2021 | 106 min.
The More Things Change...

This week we share some welcome news about Windows 11. Leo gets his wish about REvil. Microsoft improves vulnerability report management, attempts to explain their policy regarding the expiration of security updates, and prepares for the imminent release of the next big feature update to Windows 10, 21H2. Zerodium publicly solicits vulnerabilities in three top VPN providers. Three researchers disclose their new and devastating "Gummy Browser" attack, which I'll debunk. Another massively popular JavaScript NPM package has been maliciously compromised and then widely downloaded. We close the loop by looking at "Nubeva's" claims of having solved the ransomware problem. We touch on a new annoyance spreading across websites, and also briefly touch on four sci-fi events: "Dune," "Foundation," "Arrival," and "Invasion." I briefly update on SpinRite. Then we'll take a look back to share and discuss a conversation Leo and I had more than 20 years ago. What's surprising is the degree to which "The More Things Change..." how little, like nothing, actually has.
Downloads: 64 kbps MP3 51 MB | 16 kbps MP3 13 MB | Show notes PDF 374 KB | Web transcript 167 KB | Text transcript 90 KB | PDF transcript 393 KB

Episode #841 | 19 Oct 2021 | 109 min.
Minh Duong's Epic Rickroll

This week we, of course, update on various controversies surrounding Win11 and catch up on the aftermath of last week's Patch Tuesday. We note that REvil's brief reappearance appears to have ended – perhaps this time forever – and we examine, just for the record, the outcome of the big, virtual, 30-nation anti-ransomware meeting where the invitations for China and Russia were apparently lost in the mail. We look at the amazing results of this past weekend's Tianfu Cup 2021 hacking competition in China, at the startling success of a prolific botnet's clipboard hijacking module, and at LinkedIn's decision to dramatically pare down its offerings in China. And then, after quickly sharing Sunday's big news about SpinRite, we're going to take a very fun and detailed look at the sophisticated senior prank orchestrated by Illinois' Minh Duong who miraculously sidestepped his own arrest.
Downloads: 64 kbps MP3 52 MB | 16 kbps MP3 13 MB | Show notes PDF 573 KB | Web transcript 124 KB | Text transcript 84 KB | PDF transcript 326 KB

Episode #840 | 12 Oct 2021 | 98 min.
0-Day Angst

This week we look at Microsoft's decision to finally disable Excel's legacy XLM by default, but not for everyone. We look at Google's warning sent to more than 14,000 of its Gmail users and at their move toward enforced two-step verification. We look at recent hacking and ransom payment legislation and at last week's massive breach at Twitch. We cover the emergency Apache web server update and the mass exodus from WhatsApp during last week's Facebook outage. We look at new Windows 11 side effects and at Patch Tuesday. We close the loop with some listeners and I quickly update on SpinRite's progress. Then we settle down to consider the true significance and import of the various year-to-date 0-day counts.
47 MB 12 MB  572 KB   <-- Show Notes 101 KB 74 KB 283 KB

Episode #839 | 05 Oct 2021 | 105 min.
“Something Went Wrong”

This week we, of course, look at the massive global outage that took down all Facebook services for 6 hours yesterday. But before we get there we look at this week's new pair of 0-day flaws which Google fixed in Chrome, we note the arrival of Windows 11 with a yawn and also caution about one known flaw that it's already known to have. We look at some potential for global action against ransomware, and some possible movement by the FCC to thwart SIM swapping and number transporting attacks. We also examine a widespread Android Trojan which is making its attackers far too much money, and speaking of money, there's a known flaw in Apple Pay when using a VISA card that neither company wants to fix. And finally, after a quick check-in on SpinRite, we're going to examine what exactly did “go wrong” at Facebook yesterday?
51 MB 13 MB  606 KB   <-- Show Notes 136 KB 83 KB 348 KB

Episode #838 | 28 Sep 2021 | 97 min.
autodiscover.fiasco

This week we examine a new pair of 0-days which have forced emergency updates to their respective products. We examine the growing annoyance of those who are reporting bugs to Apple, Epik's belated confirmation of their mega data breach, Windows 11's further progress toward its release, and its new and much more useful PC Health Check tool. We look at some additional fallout from this month's ever-exciting Patch Tuesday and take notice of a clever new approach for bypassing anti-malware checking under Windows. And after a quick check-in about the first two episodes of AppleTV's Foundation series, we settle in to examine the week's most explosive, worrisome and somewhat controversial disclosure of yet another huge Microsoft screw-up which caused this week's episode to be given the domain name: autodiscover.fiasco.
47 MB 12 MB  469 KB   <-- Show Notes 101 KB 72 KB 277 KB

Episode #837 | 21 Sep 2021 | 100 min.
Cobalt Strike

This week we examine a devastating and still ongoing DDoS attack against the latest in a series of VoIP service providers. We check out the once again mixed blessing of last Tuesday's Microsoft patches, and we examine a welcome feature of Android 11 that's being back-ported through Android 6. We catch up with Chrome's patching of two more new 0-day vulnerabilities and attacks, then we look at a “Pwnage” eMail I received from Troy Hunt's Have I Been Pwned site – was GRC Pwned? I then have a quick Sci-Fi reminder for the end of the week, a SpinRite update and a fun related YouTube posting. Then we'll wrap up by introducing the latest weapon in the malign perpetrator's arsenal, the powerful commercial tool known as Cobalt Strike.
48 MB 12 MB  880 KB   <-- Show Notes 109 KB 75 KB 285 KB

Episode #836 | 14 Sep 2021 | 118 min.
The Meris Botnet

This week we're going to note the apparent return of REvil, not nearly as dead and gone as many hoped. We're going to look at a new and quite worrisome 0-day exploitation of an old Windows IE MHTML component. Even though IE is gone, its guts live on in Windows. We're going to share the not surprising but still interesting results of security impact surveys taken of IT and home workers, after which we'll examine a fully practical JavaScript based Spectre attack on Chrome. I have a bit of closing the loop feedback to share and a surprisingly serious question about the true nature of reality for us to consider. Then we'll finish out today's podcast by looking at the evolution of Internet DoS attacks through the years which recently culminated in the largest ever seen, most problematic to block and contain RPS DDoS attack where RPS stands for Requests Per Second.
57 MB 14 MB  536 KB   <-- Show Notes 141 KB 89 KB 353 KB

Episode #835 | 07 Sep 2021 | 115 min.
TPM 1.2 vs 2.0

This week we look at a way of protecting ourselves from Razer-mouse-like local elevation of privilege attacks. We reexamine the meaning of the phrase “Internet Anonymity” following the ProtonMail revelation. We revisit Apple's now delayed CSAM plans. We look at some new troubles for Bluetooth and at a popular and persistently unpatched residential security system which can be trivially disarmed by bad guys. We share some interesting closing the loop feedback and a new Sci-Fi discovery. Then we take a long and careful look at the details and differences between version 1.2 and 2.0 of the Trusted Platform Module specification to discover just what it is that Microsoft wants to insist is available for Windows 11.
55 MB 14 MB  536 KB   <-- Show Notes 131 KB 86 KB 329 KB

Episode #834 | 31 Aug 2021 | 92 min.
Life: Hanging by a PIN

This week we'll start out by clarifying the terms credit freeze and credit lock. Then we have news of the T-Mobile breach from its perpetrator. We examine the evolving and infuriating question of where will Windows 11 run and we look at yet another newly revealed attack against Microsoft's Exchange server known as ProxyToken. I wanted to clarify a bit about Tailscale's source openness, and touch on the disturbing revelations shaking the mass storage industry with SSD performance being deliberately reduced once they've been well reviewed and adopted. I'll update our patient SpinRite owners on my recent work and progress, we'll touch on some cellular phone terminology, then conclude by considering the power of the PIN and look at just how much damage it can do.
44 MB 11 MB  421 KB   <-- Show Notes 107 KB 69 KB 280 KB

Episode #833 | 24 Aug 2021 | 107 min.
Microsoft's Reasoned Neglect

This week we briefly look at Firefox's plan to block unsecured downloads. We examine the threat posed by T-Mobile's massive and deep data breach and what current and past customers of T-Mobile should do. We look at three additional so-called “Overlay Networks” in addition to Tailscale, and also at the consequences of another Orange Tsai Microsoft Exchange Server exploit chain discovery. We'll also examine a simple-to-make flaw in the Razer gaming mouse installer, cover another worrisome IoT protocol screw-up, and share a couple of feedback notes and a question from our listeners. Then I want to conclude by following up on last week's discussion of Microsoft's apparent culpable negligence with a proposed explanation of their behavior and motivation which fits the facts so well that it becomes Reasoned Neglect.
51 MB 13 MB  801 KB   <-- Show Notes 112 KB 79 KB 313 KB

Episode #832 | 17 Aug 2021 | 79 min.
Microsoft's Culpable Negligence

This week we look at another very significant improvement in Firefox's privacy guarantees and the first steps for Facebook into native end-to-end encryption. We look at several well-predicted instances of abuse of Microsoft's PrintNightmare vulnerabilities, and at a clever cryptocurrency mining Botnet that optimizes the commandeered system for its own needs. We note ASUS' terrific move to help their motherboard users make the move to Windows 11, and at the merger of NortonLifeLock and Avast. Then, after touching upon a bit of errata and some closing-the-loop feedback from our terrific podcast followers, we conclude with a sober consideration of Microsoft's handling of vulnerability patching during the past year. And we ask what it means.
38 MB 9.5 MB  325 KB   <-- Show Notes 95 KB 62 KB 267 KB

Episode #831 | 10 Aug 2021 | 103 min.
Apple's CSAM Mistake

This week we look at a pervasive failure built into the random number generators of a great many, if not nearly all, lightweight IoT devices. We look at some old, new and returned critical vulnerabilities in major VPN products. And we encounter 14 fatal flaws in a widely used embedded TCP/IP stack. We look at a number of terrific bits of feedback from our listeners. Then we carefully examine the operation and consequences of Apple's recent announcement of their intention to begin reacting to the photographic image content being sent, received and stored by their iOS-based devices.
50 MB 12 MB  1.0 MB   <-- Show Notes 131 KB 80 KB 322 KB

Episode #830 | 03 Aug 2021 | 118 min.
The BlackMatter Interview

This week we look at Firefox's declining active user count, at the evolution of the Initial Network Access Broker world, at several different ransomware group renamings and revivals and we encounter a well-informed Active Directory security researcher who feels about Microsoft's July pretty much as we do. I want to turn our listeners onto a very interesting looking Hamachi'esque overlay for WireGuard and share a fun diagnostic anecdote that cost me a day of work last Friday. We have a bit of closing the loop feedback from a couple of our listeners, then we're going to share an interview with a member of the “maybe new or maybe rebranded” ransomware group BlackMatter which Recorded Future posted yesterday.
57 MB 14 MB  583 KB   <-- Show Notes 130 KB 90 KB 330 KB

Episode #829 | 27 Jul 2021 | 100 min.
SeriousSAM & PetitPotam

This week we will plow into another two new serious vulnerabilities brought to the industry by Microsoft named SeriousSAM and PetitPotam. But we first look at how Chrome managed to hugely speed up its Phishing website early warning system (making it even earlier). We cover the striking news of Kaseya having obtained a universal decryptor which is effective for every one of their victims, we look at the massive HP printer driver mess and consider the larger lesson that it teaches, and then we look at the new security features GitHub is bringing to its support of the "Go" language. Then, after sharing one bit of listener feedback, we plow into SeriousSAM and PetitPotam.
48 MB 12 MB  801 KB   <-- Show Notes 109 KB 75 KB 287 KB

Episode #828 | 20 Jul 2021 | 99 min.
REvil Vanishes!

This week we look at the continuing attacks on Chrome with yet another zero-day and at Mozilla's continuing work to give their users the most privacy possible. We reexamine that iOS WiFi SSID bug and a related bug which, it turns out, Apple apparently knew was a showstopper. Amazingly, two more new problems have surfaced with Microsoft printer technology. We have a review of last week's Patch Tuesday including the importance of also updating any instances of Adobe's Acrobat and Reader. We revisit an old friend and consider the folly of rolling one's own crypto. We look at the explosive revelations surrounding the widespread abuse of iPhone and Android "surveillance-ware" produced by the NSO Group. And finally, after sharing one fun piece of errata, we're going to finish by examining the curious, sudden, complete and total disappearance of the REvil ransomware organization.
48 MB 12 MB  722 KB   <-- Show Notes 105 KB 74 KB 284 KB

Episode #827 | 13 Jul 2021 | 107 min.
REvil's Clever Crypto

The past week has been dominated by the unimaginable mess that Microsoft has created with what have become multiple failed attempts to patch the two PrintNightmare flaws, and the continuing “Cleanup on Aisle 5” following what is widely regarded as the single most significant ransomware supply chain attack event ever. So today we first catch up on the still sadly relevant PrintNightmare from which the industry has been unable to awaken. We'll cover a few more bits of security news. Then, as planned, we'll take a deep dive into the detailed operation of the REvil/Sodinokibi malware's cryptographic design.
51 MB 13 MB  639 KB   <-- Show Notes 96 KB 80 KB 287 KB

Episode #826 | 06 Jul 2021 | 94 min.
The Kaseya Saga

The so-called Windows “PrintNightmare” remote code execution flaw, as bad as it is, was overshadowed by the Sodinokibi malware which the REvil ransomware gang managed to infiltrate into Kaseya, a popular provider of remote network management solutions for managed service providers. Since those MSP's all, in turn, have their own customers, the result was a multiplicative explosion in simultaneous ransomware attacks. Since those attacks reportedly numbered in excess of 1000(!), this makes it the worst ransomware event in history. So, while we'll definitely be covering the PrintNightmare and other events of the week, our topic will be the reconstruction of the timeline and details of the Kaseya Saga.
45 MB 11 MB  1.37 MB   <-- Show Notes 113 KB 71 KB 309 KB

Episode #825 | 29 Jun 2021 | 97 min.
Halfway through 2021

This week we look at the story behind an important Edge update and revisit Google's now-delayed FLoC liftoff. We consider the cost of Ireland's recovery from the Conti ransomware attack, and ask who's responsible for the damage and data loss following the remote wiping of many Western Digital My Book NAS devices. We take a moment to observe the passing of an industry legend. Then, we look at the mess surrounding questions of where Windows 11 will run. I share my favorite web browser keyboard shortcut, and also my favorite web site cloning tool, which I just had the occasion to use. We have a worthwhile looking cybersecurity Humble Bundle, then we'll wrap up by responding to two pieces of closing the loop feedback from our terrific listeners. And that will bring us to the end of the first half of an event-filled 2021.
47 MB 12 MB  385 KB   <-- Show Notes 133 KB 76 KB 323 KB

Episode #824 | 22 Jun 2021 | 120 min.
Avaddon Ransonomics

This week, believe it or not, we have yet another 0-day stomped out in Chrome. We also have some additional intelligence about the evolution of the ransomware threat. I also want to closely look at a curious WiFi bug that was recently discovered in iOS and what it almost certainly means about the way we're still programming today. Under our miscellany topic I want to share the SHA256 hash of the developer release .ISO of Windows 11 that Paul Thurrott, I and many others have been playing with this past week. I have a tip about creating an offline account and restoring Windows 10's traditional Start menu under Windows 11. A new purpose has also been discovered for this podcast which I want to share, and I've decided to explain in more detail than I have before what I've been doing with SpinRite's evolution - it's much more than anyone might expect - yet no more than is necessary. Then we're going to conclude with the view of ransomware from Russia, from two Russian security researchers who believe they know exactly why the Avaddon ransomware as a service decided to shutter its operations and publish its keys.
58 MB 14 MB  429 KB   <-- Show Notes 132 KB 92 KB 347 KB

Episode #823 | 15 Jun 2021 | 123 min.
TLS Confusion Attacks

This week we're going to start by looking at a moment-by-moment reconstruction of a recent Chrome browser attack and patch battle. Then we're going to recap last week's industry wide June patch-fest followed by looking at TikTok's controversial but unsurprising privacy policy update. We need to also cover the wonderful spy-novel'ish ANOM sting operation which lowered the boom on as many as 800 criminals. For our happily infrequent Errata section we'll challenge an apparently erroneous statement I made last week, then I want to share an interesting laptop data recovery experience from a few weeks ago, which BitLocker made much more complex, and which I think our listeners will find interesting. Then we're going to tackle this week's topic of some very troubling research which again demonstrates just how difficult it is to design robustly secure networked systems.
59 MB 15 MB  445 KB   <-- Show Notes 176 KB 97 KB 402 KB

Episode #822 | 08 Jun 2021 | 114 min.
Extrinsic Password Managers

This week I want to start off with a calm rant to summarize why today's computer security is so atrocious. I think it's worth a bit of a reality check on that. Then we're going to look at a new feature in Firefox and at Firefox's apparent jump in performance. We'll touch on three new ransomware victims, look at what's been learned about how Colonial Pipeline was breached, and at the curious news that the FBI somehow managed to snatch all of DarkSide's Bitcoins. We'll look at the latest good and bad news regarding WordPress, and at GitHub's updated policy regarding posting proofs-of-concepts for ongoing attacks. I've finished Project Hail Mary, so I have a comment to make there, and I want to address the surprisingly controversial question of NAT vs IPv6. Then we'll wrap up by examining the question of whether password managers should be intrinsic to our browsers or extrinsic. I think we're going to have some fun!
55 MB 14 MB  513 KB   <-- Show Notes 138 KB 92 KB 357 KB

Episode #821 | 01 Jun 2021 | 104 min.
Epsilon Red

This week we begin by examining the recent advances made by the just-released Chrome 91 and revisit Google's configurable long-term activity logging. On the ransomware front we look at yet another likely addition to the ransomware ecosystem: trusted 3rd-party file decryptors. We anticipate next week's activation of the Amazon Sidewalk ultra-wide area network, look at the questionable claims of another massive cyberattack, and at WhatsApp's privacy struggles with India and Brazil – couldn't happen to nicer folks. Then we'll touch on just a single bit of trivia before plowing into a detailed examination of the operation of the newest ransomware in town: Epsilon Red.
50 MB 12 MB  678 KB   <-- Show Notes 125 KB 80 KB 323 KB

Episode #820 | 25 May 2021 | 88 min.
The Dark Escrow

This week we examine Firefox's just-released and welcome re-architecture under codename "Fission." We look at a new and recently active ransomware player named "Conti" and at a recently paid, high-profile mega ransom. We then ask the question, "When they say IoT, do they mean us?" We examine the implications of a new industry term, "mean time to inventory." We'll then lighten things up a bit with a new form of CAPTCHA and, of all things, a screensaver I discovered that I cannot take my eyes off of. (Leo, it's not quite as bad as whatever that game is that you cannot stop playing, but still.) We'll then share an ample helping of closing-the-loop feedback from our terrific listeners, after which I want to conclude by predicting what I would bet we're probably going to next see emerge from the evolving ransomware business model sad though it is to utter the phrase "ransomware business model."
42 MB 11 MB  589 KB   <-- Show Notes 95 KB 67 KB 273 KB

Episode #819 | 18 May 2021 | 105 min.
The WiFi Frag Attacks

This week we follow up on last week's “News from the Darkside” with a surprising amount of happenings including the dark web's rejection of further ransomware. We look at blockchain analytics which are used to follow the dark money, the mixed signals now coming from the Darkside group and a live list of more than 2000 ransomware attacks during the past two years from the dark web. We cover last week's Patch Tuesday that you won't want to miss. We have a bit of miscellany, including the “Unidentified Aerial Phenomena Task Force” which is actually a thing, and some closing-the-loop feedback from our listeners regarding last week's Andy Weir's “Hail Mary” book mention. Then we take a close look at the biggest non-Colonial Pipeline news from last week: a new round of research which revealed a range of attacks on WiFi's security.
50 MB 13 MB  1.27 MB   <-- Show Notes 119 KB 83 KB 320 KB

Episode #818 | 11 May 2021 | 94 min.
News from the DarkSide

This week we look at a new (and old) threat to our global DNS infrastructure. We ask what the heck Google is planning with two-step verification, and we examine a huge new problem with the majority of the Internet's email servers. We look at the reality of Tor exit node insecurity, touch on a new sci-fi novel by a well-known author, share a bit of closing-the-loop feedback, then take a look at this latest very high-profile ransomware attack from a previously low-key attacker.
45 MB 11 MB  516 KB   <-- Show Notes 97 KB 70 KB 273 KB

Episode #817 | 04 May 2021 | ??? min.
The Ransomware Task Force

This week we touch on several topics surrounding ransomware. We look at the REvil attack that affected Apple, and at this past weekend's attack that brought down Southern California's world-renowned Scripps Health system. We catch up on the multinational takedown of the Emotet botnet and the FBI's contribution of more than 4 million compromised eMail addresses to Troy Hunt's Have I Been Pwned. We also look at the two notification services that Troy now offers. I take the opportunity to pound another well-deserved nail into QNAP, and take note of an update I just made to my favorite NNTP newsreader, Gravity. I also ran across a Dan Kaminsky anecdote that I had to share, then we have two pieces of closing the loop listener feedback before we conclude by taking a look at the just-announced task force to combat ransomware. Is there any hope that this scourge can be thwarted?
57 MB 14 MB  363 KB   <-- Show Notes 137 KB 93 KB 361 KB

Episode #816 | 27 Apr 2021 | 115 min.
The Mystery of AS8003

This week we begin by remembering Dan Kaminsky, who the world lost last Friday at the age of 42. We finally catch up with this month's Patch Tuesday, and look at a welcome maturation in Google's Project Zero vulnerability disclosure policy. We shine a light upon a new startup venture which, if successful, promises to dramatically improve the future of IoT security. We then look at some controversial security research, for which the researchers have apologized, and wonder whether any apology was due. We shine another light onto a new battle Cloudflare has chosen to wage against an abusive patent troll, to help Cloudflare with additional attention, and to let our listeners know that they can participate in a money-making hunt for prior art. And after a brief SpinRite progress report, we engage with the Internet mystery of the Autonomous System 8003.
55 MB 14 MB  457 KB   <-- Show Notes 132 KB 89 KB 358 KB

Episode #815 | 20 Apr 2021 | 106 min.
Homogeneity Attacks

This week we touch on the Vivaldi browser project's take on Google's FLoC. We look at Chrome's vulnerability-driven update to v89, and then its feature-embellished move to Chrome 90. We consider the surprising move by the FBI to remove web shells from U.S. Exchange Servers without their owners' knowledge or permission, and WordPress's consideration of FLoC Blocking. We also have an interesting-looking programmer's Humble Bundle, some interesting closing-the-loop feedback from our listeners, and a brief progress report on SpinRite. We finish by examining an important privacy guarantee provided by Google's FLoC implementation which prevents homogeneity attacks, where users presenting a common cohort ID also share a sensitive attribute.
51 MB 13 MB  767 KB   <-- Show Notes 104 KB 79 KB 288 KB

Episode #814 | 13 Apr 2021 | 108 min.
PwnIt and OwnIt

This week we start with some needed revisiting of previous major topics. We look at an additional remote port that Chrome will soon be blocking, and the need to change server ports if you're using it. We look again at Google's forthcoming FLoC non-tracking technology and a new test page put up by the EFF. We revisit the PHP GIT server hack now that it's been fully understood. We look at Cisco's eyebrow-raising decision not to update some end-of-life routers having newly revealed critical vulnerabilities, and we also examine another instance of the industry's failure to patch for years. Then, we conclude with a blow-by-blow, or hack-by-hack, walkthrough of last week's quite revealing and somewhat chilling Pwn2Own competition.
52 MB 13 MB  664 KB   <-- Show Notes 112 KB 81 KB 318 KB

Episode #813 | 06 Apr 2021 | 109 min.
A Spy in Our Pocket

This week, by popular demand, we examine the big cover-up at Ubiquiti. We look at the consequences of the personal data of 533-plus million Facebook users appearing on the 'Net and how to tell if you're represented there. We look at another water treatment plant break-in with a very different outcome. We look at a new move by Google to further lock down Android against abuses of its permissive-by-design API services. We look at the new threat to Call Of Duty cheaters, and yet another set of serious vulnerabilities in QNAP NAS devices. Then, after sharing a catchy tweet, we look into some new research from researchers in Ireland into the unwarranted chattiness of iOS and Android mobile phones.
52 MB 13 MB  862 KB   <-- Show Notes 92 KB 83 KB 289 KB

Episode #812 | 30 Mar 2021 | 87 min.
GIT Me Some PHP!

This week we begin by checking in on the patching progress, or lack thereof, of the ProxyLogon Exchange Server mess. We examine a new Spectre vulnerability in Linux, a handful of high-severity flaws affecting OpenSSL, still more problems surfacing with SolarWinds code, an intriguing new offering from our friends at Cloudflare, and the encouraging recognition of the need for increasing vigilance of the security of increasingly prevalent networked APIs. I'll check in about my work on SpinRite. Then we're going to take a look at the often breathlessly reported hack of the PHP project's private Git server, and why I think that all the tech press got it all wrong.
42 MB 10 MB  969 KB   <-- Show Notes 106 KB 67 KB 276 KB

Episode #811 | 23 Mar 2021 | 114 min.
What the FLoC?

This week we briefly, I promise, catch up with ProxyLogon news regarding Windows Defender and the Black Kingdom. We look at Firefox's next release which will be changing its Referer header policy for the better. We look at this week's most recent RCE disaster, a critical vulnerability in the open source MyBB forum software, and China's new CAID (China Anonymization ID). We then conclude by taking a good look at Google's plan to replace tracking with explicit recent browsing history profiling, which is probably the best way to understand FLoC (Federated Learning of Cohorts). And as a special bonus we almost certainly figure out why they named it something so awful.
55 MB 14 MB  375 KB   <-- Show Notes 131 KB 87 KB 328 KB

Episode #810 | 16 Mar 2021 | 113 min.
ProxyLogon

This week we start off with a bunch of interesting browser-related news, zero-days, updates, a browser-based PoC for Spectre, a zero-script tracking kludge, and a look at last Tuesday's Patch Tuesday, what it fixed and what it broke. Some wonderful news for the Open Source community, a bit of miscellany, some listener feedback, and a screenshot of the final replacement for SpinRite's "Discovering System's Mass Storage Devices..." screen. Then we revisit the Microsoft Exchange disaster, another week downstream and still drowning.
54 MB 14 MB  2.3 MB   <-- Show Notes 111 KB 85 KB 319 KB

Episode #809 | 09 Mar 2021 | 95 min.
Hafnium

This week we look into last week's critical Chrome update and also cover the wackiest-but-true Chrome extension of all time. We look at Google's new funding of Linux security development; a surprisingly undead, long-unheard-from media player that just received a massive collection of updates; and, yes, still another way of abusing Intel's latest processor microarchitecture. We need to update everyone on our Dependency Confusion topic from two weeks back because there's big news there. We have several bits of identical listener feedback all wanting to be sure that I knew something had happened. Then we're going to cover the world's latest global crisis which we first mentioned as breaking news in the middle of last week's podcast. It was breaking then. It's badly broken now.
46 MB 11 MB  795 KB   <-- Show Notes 94 KB 68 KB 272 KB

Episode #808 | 02 Mar 2021 | 109 min.
CNAME Collusion

This week we discuss a welcome change coming soon to the Chrome browser, and a welcome evolution in last week's just released Firefox 86. We're going to look at questions surrounding the source of the original intrusion into SolarWinds servers, and at a new severity-10 vulnerability affecting Rockwell Automation PLC controllers. We'll touch on VMware's current trouble with exploitation of their vCenter management system, and I want to share a recent code debugging experience I think our listeners will enjoy and find interesting. Then we're going to conclude with some information about something that's been going on quietly out of sight and under the covers which must be made as widely public among web technologists as possible.
52 MB 13 MB  526 KB   <-- Show Notes 123 KB 81 KB 319 KB

Episode #807 | 23 Feb 2021 | 105 min.
Dependency Confusion

This week we'll follow up on the Android SHAREit app sale. We look at a clever new means of web browser identification and tracking and at a little mistake the Brave browser made that had a big effect. I want to remind our listeners about the ubiquitous presence of tracking and viewing beacons in virtually all commercial eMail today. We'll look at Microsoft's final SolarWinds Solorigate report and at another example of the growing trend of mobile apps being sold and then having their trust abused. I'll share a post from the weekend about a dramatic improvement in SSD performance after running SpinRite, but also why you may wish to hold off on doing so yourself. And then we're going to look at what everyone will agree was -- and perhaps still is -- a breathtaking oversight in the way today's complex software products are assembled which creates an inherent massive vulnerability across the entire software industry.
51 MB 13 MB  360 KB   <-- Show Notes 107 KB 77 KB 285 KB

Episode #806 | 16 Feb 2021 | 107 min.
C.O.M.B.

This week we'll begin by following up on last week's headline-making attack on the Oldsmar, Florida water treatment plant with new details that have since come to light. We'll then take a look into last week's Patch Tuesday event and at some of the sadly broken things that have once again been fixed. Also, anyone using Adobe's PDF tools, Acrobat or Reader, needs to update. We're going to look at a dangerous Android App with 1.8 billion (with a "b") users, and at Microsoft's note about the rise of web shells, which dovetails nicely into this week's WordPress add-on disaster. I'll briefly update about my past eventful week with SpinRite, which includes a 25-second movie of new SpinRite code running. Then we'll take a look at the recent discovery of the largest list of email and password combinations ever compiled, and what we can each do about it.
51 MB 13 MB  405 KB   <-- Show Notes 127 KB 82 KB 321 KB

Episode #805 | 09 Feb 2021 | 121 min.
SCADA Scandal

This week we begin with a collection of interesting and engaging news surrounding Google's Chrome browser. We look at a high-profile Windows Defender misfire, and at new WordPress plugin nightmares. We check in on the world of DDoS attacks and cover the meaning of three new critical vulnerabilities in SolarWinds software. We have a bit of closing-the-loop feedback from our listeners, an update on my work toward the next SpinRite, and then we look at a near-miss disaster in a poorly designed industrial control system.
58 MB 14 MB  255 KB   <-- Show Notes 132 KB 90 KB 357 KB

Episode #804 | 02 Feb 2021 | 114 min.
NAT Slipstreaming 2.0

This week we examine another instance of a misbehaving certificate authority losing Chrome's trust. We cover a number of serious new vulnerabilities including an urgent update need for the just-released GNU Privacy Guard; another supply chain attack against end users; a disastrous 10-year-old flaw in Linux's sudo command; and, thanks to Google, some details of Apple's quietly redesigned sandboxing of iMessage in iOS 14. I'm going to share something that I think our listeners will find quite interesting about some recent architectural decisions for SpinRite, and then we'll conclude with a look at the inevitable improvement in NAT bypassing Slipstreaming.
55 MB 14 MB  279 KB   <-- Show Notes 121 KB 85 KB 323 KB

Episode #803 | 26 Jan 2021 | 115 min.
Comparative Smartphone Security

This week we look at the updates in release 88 of both Chrome and Edge with their evolving password manager features. We also look at two recent head-shaking consequences of the hard end of life for Adobe's Flash. Ransomware gangs have added another new incentive for payment, and additional details continue emerging about last year's SolarWinds attacks. We have newly disclosed discoveries from a Google Project Zero researcher, and I spend a bit of time wondering out loud how we're ever going to change the low priority that's currently being given to serious security problems that don't directly inconvenience end users. And we finish by examining a very useful analysis of the comparative security of iOS and Android recently published by Johns Hopkins' Matthew Green and team.
64 kbps mp3: 55 MB | 16 kbps mp3: 14 MB | Show notes PDF: 413 KB | Web transcript: 118 KB | Text transcript: 86 KB | PDF transcript: 321 KB

Episode #802 | 19 Jan 2021 | 87 min.
Where the Plaintext Is

This week we look at one aspect in which Chrome and Chromium differ, and then at a bit of growth news from the DuckDuckGo folks. Google's Project Zero reports on some terrific detective work, and we look at last week's Patch Tuesday. There's also Microsoft's pending change to the flaws which enabled last year's Zerologon debacle, and the NSA's interesting statement about enterprises and the DoH protocol. We look at the research that cracked the secret key out of Google's supposedly uncrackable Titan FIDO U2F dongle, and we catch up with a bit of listener feedback. Then we wrap up by looking at various aspects of the frenzy caused by WhatsApp's quite predictable move to incorporate its users' conversation metadata into Facebook's monetization ecosystem.
64 kbps mp3: 42 MB | 16 kbps mp3: 10 MB | Show notes PDF: 506 KB | Web transcript: 86 KB | Text transcript: 65 KB | PDF transcript: 244 KB

Episode #801 | 12 Jan 2021 | 110 min.
Out With the Old

This week we address critical updates for Firefox and all Chromium-based browsers and a potentially unwelcome, but reversible, change coming to Firefox. We look at another new tactic being employed by ransomware gangs; an update on ransomware's profitability; a bogus-seeming announcement from Intel during yesterday's CES; and the first use, on this podcast, of the term "teledildonics." Following that, we have some residual SolarWinds news, the formation of a security screw-up crisis management group, news of the inevitable attacks on Zyxel users, the mass exodus from WhatsApp following their plans to force all metadata sharing, and a sci-fi note about "The Expanse." Then, inspired by the amazing amount of old code I have rediscovered inside SpinRite, I will take our listeners back to the roaring '80s with a look at how far we have come from DOS v3.3, whose maximum partition size was 33.5 megabytes.
64 kbps mp3: 53 MB | 16 kbps mp3: 13 MB | Show notes PDF: 350 KB | Web transcript: 120 KB | Text transcript: 83 KB | PDF transcript: 320 KB

Episode #800 | 05 Jan 2021 | 106 min.
SolarBlizzard

This week we open the New Year taking a longer look at fewer topics since the bad guys were apparently enjoying their New Year holiday, too. So we look at an interesting kludge that's been forced upon Chrome by ill-mannered antiviral scanners. We need to warn all enterprise users of Zyxel network border security products of another recently discovered built-in backdoor. We look at the rise in IoT compromise swatting attacks and a series of new flaws and vulnerabilities in the PHP Zend and Yii frameworks. We have a quick bit of miscellany to share, then I want to explain a lot about the value of trimming SSDs and newer SMR drives. And we'll conclude by catching up with what will hopefully be the last news, for a while at least, of the disastrous SolarWinds breach and intrusions.
64 kbps mp3: 51 MB | 16 kbps mp3: 13 MB | Show notes PDF: 293 KB | Web transcript: 117 KB | Text transcript: 77 KB | PDF transcript: 314 KB


Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2022 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.

Last Edit: May 19, 2022 at 14:37