Our weekly audio security column
& podcast by Steve Gibson and Leo Laporte
TechTV's Leo Laporte and I spend somewhat shy of two hours each week discussing important issues of personal computer security. Sometimes we'll discuss something that just happened. Sometimes we'll talk about long-standing problems, concerns, or solutions. Either way, every week we endeavor to produce something interesting and important for every personal computer user.

(This was not our idea. It was created by a fan of the podcast using GIMP (similar to
Photoshop). But as a work of extreme image manipulation, it came out surprisingly well.)

 You may download and listen to selected episodes from this page (see below), or subscribe to the ongoing series as an RSS "podcast" to have them automatically downloaded to you as they are produced. To subscribe, use whichever service you prefer . . .

 Receive an automatic eMail reminder whenever a new episode is posted here (from ChangeDetection.com). See the section at the bottom of this page.

 Send us your feedback: Use the form at the bottom of the page to share your opinions, thoughts, ideas, and suggestions for future episodes.

 Leo also produces "This Week in Tech" (TWiT) and a number of other very popular podcasts (TWiT is America's most listened to podcast!) So if you are looking for more informed technology talk, be sure to check out Leo's other podcasts and mp3 files.

 And a huge thanks to AOL Radio for hosting the high-quality MP3 files and providing the bandwidth to make this series possible. We use "local links" to count downloads, but all of the high-quality full-size MP3 files are being served by AOL Radio.

Episode Archive

Each episode has SIX resources:

High quality 64 kbps mp3 audio file
Quarter size, bandwidth-conserving, 16 kbps (lower quality) mp3 audio file
A PDF file containing Steve's show notes
A web page text transcript of the episode
A simple text transcript of the episode
Ready-to-print PDF (Acrobat) transcript  

(Note that the text transcripts will appear a few hours later
than the audio files since they are created afterwards.)

For best results: RIGHT-CLICK on one of the two audio icons below, then choose "Save Target As..." to download the audio file to your computer before starting to listen. For the other resources you can either LEFT-CLICK to open in your browser or RIGHT-CLICK to save the resource to your computer.

Episode #793 | 17 Nov 2020 | 100 min.

This week the Chrome zero-days just keep on coming, and we contemplate what it means for the future. We have two interesting bits of ransomware meta news including a new tactic. We update after last week's Super Tuesday patch marathon, and examine new research into the most common source of Android malware to see where most unwanted apps come from, and it's not what we would likely guess. We'll share a bit of listener feedback and an update on my work on SpinRite. Then we look at the new "SAD DNS" attack which successfully regresses us 12 years in DNS cache poisoning and spoofing attack prevention.
48 MB 12 MB  317 KB   <-- Show Notes 106 KB 75 KB 285 KB

Episode #792 | 10 Nov 2020 | 98 min.
“Slipstream” NAT Firewall Bypass

This week we look at the dilemma of Let's Encrypt's coming root expiration, new Chrome and Apple zero-day vulnerabilities, some new high-profile ransomware victims, China's Tianfu Cup pwning competition, the retirement of a PC industry insider, the continuing Great Encryption Dilemma, police monitoring of consumers' video, more ongoing pain for WordPress, a note about a sci-fi book event one week from now, and Samy Kamkar's tricky Slipstream attack and its mitigations.
47 MB 12 MB  366 KB   <-- Show Notes 114 KB 75 KB 310 KB

Episode #791 | 03 Nov 2020 | 89 min.
Chrome's Root Program

This week we examine a serious newly revealed Windows zero-day flaw, a public service reminder from Microsoft, Google's newly announced plan to get into the VPN service business, CERT's unappealing plan for automatic vulnerability naming, and a real mess that WordPress just made of an incremental security update to 455 million sites. Then we'll close a loop, I'll update about SpinRite, and we'll finish by examining Google's new plan to go their own way with a new Chromium browser certificate Root Store.
43 MB 11 MB  241 KB   <-- Show Notes 116 KB 68 KB 304 KB

Episode #790 | 27 Oct 2020 | 88 min.
The 25 Most Attacked Vulnerabilities

This week we examine a recently patched zero-day in Chrome and a nice new feature in that browser. We look at the site isolation coming soon to Firefox, and Microsoft's announcement of Edge for Linux. We have some movement in the further deprecation of Internet Explorer, and a potentially massive SQL injection attack that was recently dodged by more than one million WordPress sites, despite the fact that some admins complained. Then we have a bit of miscellany, closing-the-loop feedback, and an update on my work on SpinRite. We end by looking at the NSA's recently published list of the top 25 network vulnerabilities being used by malicious Chinese state actors to attack U.S. assets.
42 MB 11 MB  222 KB   <-- Show Notes 95 KB 69 KB 275 KB

Episode #789 | 20 Oct 2020 | 94 min.
Anatomy of a Ryuk Attack

This week we examine the coming controversial changes to the WebExtension API. We look at the revelations and fallout from last week's Patch Tuesday, and at Zoom's latest announcement of this week's roll-out of end-to-end encryption. We make sure everyone knows about the latest horrific SonicWall vulnerability and Microsoft's pair of not-that-worrisome out-of-cycle patches. We share a bit of miscellany and closing-the-loop feedback. Then we examine an actual Ryuk Ransomware intrusion and attack... step-by-step.
45 MB 11 MB  241 KB   <-- Show Notes 100 KB 70 KB 277 KB

Episode #788 | 13 Oct 2020 | 104 min.
Well-Known URIs

This week we catch up with Chrome 86's handful of security-related improvements. We touch on several recent ransomware events and on the consequences of not logging free WiFi users in France. We look at the results of an amazing bit of hacking of Apple, give an update on the enduring Zerologon threat, introduce the revenge of DNT with legislation-enhanced GPC, and describe another renewed attack on undecryptable E2EE now by seven countries. Then, following a bit of SpinRite and GRC forum news, we're going to add the concept of IANA-registered well-known URIs to our bag-of-tricks knowledgebase.
50 MB 12 MB  301 KB   <-- Show Notes 116 KB 77 KB 313 KB

Episode #787 | 06 Oct 2020 | 93 min.
Why Win7 Lives On

This week we examine several new and welcome Google initiatives aimed at improving Android general web browser security. We look at Microsoft's solution for updating aging Windows offline images with the latest Defender definitions. We note some surprising network behavior from Windows' second Subsystem for Linux. We check in on Exchange Server updates after eight months. We cover Cloudflare's announcement of a very welcome WebAPI firewall, the US Treasury's recent policy regarding Ransomware payments, and Kaspersky's discovery of the use of UEFI Bootkits. Then we have a bit of errata and a GRC forums update. And we conclude by sharing the results of an interesting poll which illuminates the many reasons why Windows 7 refuses to die.
45 MB 11 MB  397 KB   <-- Show Notes 92 KB 69 KB 274 KB

Episode #786 | 29 Sep 2020 | 107 min.

This week we look back at the just-released Chrome 85. We see that an enterprise's choice of VPN gateway really does make a difference. We drop in for an update on what would have to be called the new ransomware gold rush, and we examine the implications of Ring's latest announcement of their flying spy drone I mean webcam. Then we learn how much Vitamin D Dr. Fauci takes, and invite our podcast listeners to lock down their UserID of choice at GRC's new web forums using a non-public URL. Then we conclude with the required big update to the Zerologon story which we began last week.
51 MB 13 MB  544 KB   <-- Show Notes 132 KB 83 KB 326 KB

Episode #785 | 22 Sep 2020 | 103 min.
Formal Verification

This week we look at an important security update to Android for Firefox. We bid a fond farewell to Firefox Send and Notes. We look at the promise and growing popularity of the disastrously-named DuckDuckGo Internet search service. We dig into what's behind last Friday's Emergency Directive 20-04 from the DHS/CISA. We'll also take a look at the recent privacy and security improvements incorporated into Android 11 and iOS 14. We have a bit of errata, closing-the-loop feedback, and SpinRite news. Then we're going to take a look at the need for Formal Verification of our complex security protocols going forward in the context of another critical failure of a massively widespread system.
49 MB 12 MB  186 KB   <-- Show Notes 117 KB 82 KB 317 KB

Episode #784 | 15 Sep 2020 | 93 min.
BlindSide & BLURtooth

This week we look at the Chrome browser's proactive technology which is designed to punish abusive ads. We also look at the last hurrah for exploiting IE and Adobe Flash users, some Microsoft Edge updates, last Tuesday's Microsoft Patch-a-Palooza, Zoom's new implementation of two-factor authentication, that very bad WordPress File Manager attack two weeks out, the new Raccoon attack against TLS, and a quick SpinRite update. Then we conclude with a look at two newly discovered attacks named BlindSide and BLURtooth.
45 MB 11 MB  196 KB   <-- Show Notes 92 KB 66 KB 271 KB

Episode #783 | 08 Sep 2020 | 110 min.
IoT Isolation Strategies

This week we look at another device to receive DoH privacy, a browser to block drive-by downloads, my favorite messaging solution going open source, a new and trivial attack against hundreds of thousands of WordPress sites, Facebook's new vulnerability disclosure policy and their publication of WhatsApp security advisories, forthcoming security researcher policies for U.S. government properties, a new Tor Project membership program, Intel's latest microcode patches, the result of a small but significant double-blind controlled trial related to COVID outcomes, a SpinRite update, and a discussion of the need and means of enforcing strict IoT network isolation.
53 MB 13 MB  315 KB   <-- Show Notes 114 KB 83 KB 307 KB

Episode #782 | 01 Sep 2020 | 94 min.
I Know What You Did Last Summer

This week we take some deeper dives into fewer topics. We look at a bunch of the new features offered by Chrome's latest update, we look into the fascinating details of a Russian attempt to co-opt and bribe an employee of Tesla, and at some sobering security research which successfully circumvents VISA's point of sale PIN protection, allowing purchases of any amount. We also have a bunch of closing-the-loop feedback and miscellany. Then we examine the surprising research into just how well knowing where our browser has gone in the past identifies who we are today. Knowing what someone did last summer tells us who they are with surprising accuracy.
45 MB 11 MB  340 KB   <-- Show Notes 99 KB 72 KB 278 KB

Episode #781 | 25 Aug 2020 | 105 min.

This week we look at a new Chrome remote code execution flaw, some interesting news of three new ransomware victims, an emergency patch from Microsoft, the emergence of amateur RDP exploiters, the 15th birthday of the Zero Day Initiative, finally a good Windows 10 garbageware remover, recommendations of several of my most recommended remote networking utilities, then a bit of miscellany and SpinRite news. Then, finally, we examine a really terrific new high-tech hack against low-tech locks and their keys.
51 MB 13 MB  307 KB   <-- Show Notes 120 KB 79 KB 320 KB

Episode #780 | 18 Aug 2020 | 108 min.
Microsoft's 0-Day Folly

This week we discuss the "Achilles" Snapdragon DSP flaw affecting more than one billion Android Smartphones, last week's third-largest Patch Tuesday in history, Mozilla's sadly uncertain future, the other shoe dropping after the ransomware attack on Canon, the nature of the so-called "software glitch" preventing California from accurately tallying Coronavirus lab test results, the significance of Microsoft's addition of their Control Flow Guard technology to the Rust and LLVM code bases, Threema's addition of video calling to their super-secure communications platform, a bit of closing-the-loop feedback, news of a SpinRite technology decision, and then we take a sad look at Microsoft's recent seemingly unconscionable behavior with regard to the two zero-day vulnerabilities that were finally patched last week.
52 MB 13 MB  407 KB   <-- Show Notes 119 KB 82 KB 319 KB

Episode #779 | 11 Aug 2020 | 107 min.

This week we note the completion of the first virtual Black Hat and Defcon conferences. We also examine the latest academic work to emerge from the Graz University, which dramatically advances our understanding of the past few years of performance optimizing processor vulnerabilities. We look at the ransomware attack on Canon, a mishandled vBulletin vulnerability disclosure, the forthcoming support for DoH on Windows 10, and the result of Troy Hunt's yearlong quest to find a home for his much-loved "Have I Been Pwned" services. We have a bit of miscellany, some feedback, and an update on my SpinRite work. Then we examine a very interesting new technology being used to evade state-based Internet censorship known as "Geneva."
52 MB 13 MB  353 KB   <-- Show Notes 119 KB 81 KB 319 KB

Episode #778 | 04 Aug 2020 | 105 min.

This week we touch on the recent update of Firefox to v79. We check back on the Twitter hack with the news of the identity of the accused perpetrators. We have more information about the Garmin ransomware hack. We look at the behavior of another disgruntled vulnerability researcher and consider another aspect of the ethics of vulnerability disclosure. We examine Zoom's bug of the week and the consequences of Microsoft's removal of all SHA-1 signed downloads, and note that QNAP NAS devices are still suffering from real trouble and neglect by their owners. I'm going to check in with the SpinRite work. Then we take a look at the week's biggest security event - the discovery of a boot security bypass for Linux.
50 MB 13 MB  393 KB   <-- Show Notes 112 KB 79 KB 316 KB

Episode #777 | 28 Jul 2020 | 88 min.

This week we revisit the trouble with F5 Networks' BIG-IP devices, we update on the epic Twitter hack, and we look at a security update for GnuTLS. We also cover the big five-day Garmin outage and Cisco's latest troubles. We'll point out a new Win10 debloater app and a bit of errata. Then I want to wrap up by sharing some truly surprising and interesting results that are emerging from my work on the pre-SpinRite hyper-accurate storage benchmark.
42 MB 11 MB  434 KB   <-- Show Notes 87 KB 64 KB 240 KB

Episode #776 | 21 Jul 2020 | 102 min.
A Tale of Two Counterfeits

This week we, of course, start off by looking at what happened at Twitter last week. We look at Check Point's discovery of the headline-grabbing wormable DNS vulnerability that's been present in all Windows Servers for the past 17 years. We touch on last week's Patch Tuesday, Cloudflare's surprise outage, another glitch in Zoom's product, and seven "no-logging" VPN providers whose logs were all found online. We cover some other quick news and some interesting SpinRite development developments, then examine the problem of counterfeit networking equipment - which, as our Picture of the Week shows, is actually a big problem.
49 MB 12 MB  784 KB   <-- Show Notes 119 KB 78 KB 317 KB

Episode #775 | 14 Jul 2020 | 88 min.

This week we look at Mozilla's surprise suspension of their Firefox Send service, Zoom's latest remote code exploit vulnerability, the latest revision of the U.S. Congress's EARN IT Act legislation, the growing tension with stalkerware apps, a Chinese Internet equipment vendor in the hot seat, the challenge of geolocating illegal drone operators, Fraunhofer's report of rampant router vulnerabilities, and SpinRite's move toward increased political correctness. Then we wrap up by looking at Tsunami, Google's latest and extremely useful-looking contribution to the open source community.
42 MB 11 MB  345 KB   <-- Show Notes 86 KB 65 KB 241 KB

Episode #774 | 07 Jul 2020 | 97 min.

This week we look at two new just-released emergency Windows 10 updates, and the new and curious path they will need to take to get to their users. We look at a slick new privacy feature coming to iOS 14 and how it is already cleaning up prior behavior. We'll take our annual survey of the rapidly growing success of the HackerOne program, and also note the addition of a major new participant in their bug bounty management program. We briefly note the latest American city to ban the use of facial recognition for law enforcement, but we mostly examine the result of NIST's analysis of demographic bias in facial recognition outcomes. We'll also look at a high-velocity vulnerability and exploitation, and close the loop with a couple of listeners. I'll share an interesting bit of work on SpinRite's AHCI controller benchmarking. Then we'll look at this episode's mysterious title: "123456."
47 MB 12 MB  239 KB   <-- Show Notes 111 KB 75 KB 300 KB

Episode #773 | 30 Jun 2020 | 97 min.
Ripple20 Too

This week we look at news in the shortening of certificate lifetime change, at Apple's decision to deliberately ignore support for a bunch of new Web APIs, at Apple's announcement of DoH support, at some troubling Mozilla/Comcast news, at some welcome legislation to head off the use of facial recognition, and at another less welcome attempt to outlaw strong encryption. We also look at the growing legislation against mandatory "chipping" and remind our listeners about the utility of VirusTotal. Then, after catching up with a bit of miscellany and listener feedback, we revisit last week's very worrisome revelation of the many flaws in a very widely used embedded TCP/IP stack. There's much news there.
47 MB 12 MB  222 KB   <-- Show Notes 95 KB 72 KB 276 KB

Episode #772 | 23 Jun 2020 | 113 min.

This week we look at Microsoft's interesting decision to update Windows 7 desktops with their new Edge browser, Google's wholesale removal of 106 widely-downloaded malicious Chrome extensions, Microsoft's continuing drama over Win10 printing, a potentially critical remote code execution vulnerability in everyone's favorite VLC media player, an interesting move by RosKomNadZor!, Netgear's residence in the Dog House, a new and startling record in DDoS attack size, a bit of errata and the anticipated announcement of a new piece of spin-off freeware from the SpinRite project. Then we examine the ripple effects of the mass adoption of an embedded TCP/IP stack that is found to be horribly insecure many years after it has been quite widely adopted across the embedded device industry.
54 MB 14 MB  292 KB   <-- Show Notes 123 KB 85 KB 323 KB

Episode #771 | 16 Jun 2020 | 93 min.

This week we address an accident that the Brave browser guys regret. We take a look at last week's Patch Tuesday and its several ramifications and consequences. We note a few odd new and unwelcome behaviors from this year's 2004 Win10 feature update and dip into yet another side-channel attack on Intel chips. But we also note that a long-awaited powerful antimalware technology is also about to ship from Intel. We look at the latest new SMB vulnerability named SMBleed, and conclude with an examination of the latest and more-practical-than-most techniques for covertly eavesdropping on a remote location - via a hanging light bulb.
44 MB 11 MB  307 KB   <-- Show Notes 106 KB 71 KB 278 KB

Episode #770 | 09 Jun 2020 | 98 min.
Zoom's E2EE Debacle

This week we take an interesting new look at some new problems arising with DoH; we look at IBM's new stance on facial image recognition research; we look at two recently disclosed flaws in the Zoom client; we check on the severity of the latest UPnP service flaw; and we update on Microsoft's new Edge rollout. We share a bit of miscellany and some terrific feedback from our listeners, touch on my SpinRite project progress, and then explore last week's truly confusing Zoom encryption reports that give the term "mixed messaging" a bad name.
47 MB 12 MB  186 KB   <-- Show Notes 109 KB 74 KB 283 KB

Episode #769 | 02 Jun 2020 | 113 min.
Zoom's E2EE Design

This week we look at which browsers still permit drive-by website downloads, Google's plan to blacklist notification-abusing websites, a deeper dive into local PC port scanning being performed by websites, Facebook's move to tighten up on high-impact posters, the new lawsuit against Clearview AI, some very interesting strings found embedded in Google's latest messaging app, the very worrisome return of a much more potent StrandHogg for Android, the refusal of SHA-1 to die, a more powerful new USB fuzzer, and an update in some nearly finished SpinRite work. Then we take a look at Zoom's newly detailed plans to become the world's most secure teleconferencing platform.
54 MB 14 MB  328 KB   <-- Show Notes 111 KB 87 KB 319 KB

Episode #768 | 26 May 2020 | 95 min.
Contact Tracing Apps R.I.P.

This week we begin with some browser news to examine a nifty new trick to be offered by the next Firefox 77 and we spend a bunch of time on the many new features -- and how to enable them -- being offered in Chrome's 83rd edition. We also look at Adobe's four emergency out-of-cycle patches, and a surprisingly robust and well-designed new Jailbreak for iPhones. We take a look at a surprisingly powerful DNS amplification attack with a packet count multiplier of up to 1620, the sad but true complete collapse of Bluetooth connection security and the odd report of eBay scanning their users' PCs. We'll then share a bit of closing-the-loop listener feedback and a quick bit of miscellany, then I'm going to editorialize a bit about why I'm very sure that contact tracking apps are dead on arrival.
45 MB 11 MB  301 KB   <-- Show Notes 134 KB 76 KB 319 KB

Episode #767 | 19 May 2020 | 108 min.
WiFi 6

We begin this week as we often do on the third Tuesday with a look at the previous week's Patch Tuesday; and, in this case, a troubling new trend is emerging. We look at the DoH support coming soon to Windows 10, and at a little known packet capture utility that was quietly added to Windows 10 with the October 2018 feature update. We'll spend a bit of time on yesterday's DOJ/FBI press conference, and then take a look at a problem that Microsoft appears to be having a surprising time resolving. We'll take a look at face masks thwarting automated public facial recognition, and Utah's decision to roll their own contact tracing and locating app. And we'll wind up with what I hope will be an interesting walk through the history of Ethernet, from the beginning of wired to the evolution of the many confusing wireless protocols.
52 MB 13 MB  208 KB   <-- Show Notes 123 KB 81 KB 319 KB

Episode #766 | 12 May 2020 | 106 min.

This week we examine Firefox's recent move to 76 and slightly beyond; a wonderful new feature coming to Edge; and the security responsibility that attends the use of WordPress, vBulletin, and other complex and sophisticated web applications. We look at the plans for this summer's much-anticipated Black Hat and DEF CON conferences, a newly revealed CRITICAL bug affecting all of the past six years of Samsung Smartphones, and Zoom's latest security-boosting acquisition. I'll then provide an update on my SpinRite work which includes a bit of a rearrangement in sequence to provide another shorter term deliverable. And then we look at the new Thunderspy vulnerability that has the tech press huffing and puffing.
51 MB 13 MB  297 KB   <-- Show Notes 116 KB 83 KB 318 KB

Episode #765 | 05 May 2020 | 104 min.
An Authoritarian Internet?

This week we add Bruce Schneier's thoughts about the theoretical feasibility of contact tracing apps; we touch on our government's feelings about DNS over HTTPS; we look at yet another whacky way of exfiltrating data from an air-gapped computer; we examine a new vulnerability that has already damaged some large high-profile enterprise infrastructures; we note Adobe's latest round of critical updates, another welcome service coming from Mozilla, a dispiriting bit of over-the-top political correctness from the UK, and Google's plans to clean up the mess which is the Chrome Web Store. We then share a bit of errata, miscellany and SpinRite news, then take a look at China's proposed changes to the fundamental operation of our global Internet.
50 MB 12 MB  402 KB   <-- Show Notes 124 KB 80 KB 321 KB

Episode #764 | 28 Apr 2020 | 94 min.

This week we update on the Apple/Google contact tracing technology. We also take a close look at the past week's frenzy over two newly disclosed vulnerabilities in iOS's mail application. We consider the choice of VPN provider relative to expanding global surveillance agreements. And we look at some recently spotted dangers of public repositories. We have a bit of miscellany, a SpinRite update and some useful feedback from a listener regarding Oracle's VirtualBox VM system. Then we wrap up the week with a look into RPKI, Resource Public Key Infrastructure for finally bringing some security to BGP, the Internet's critical Border Gateway Protocol.
45 MB 11 MB  751 KB   <-- Show Notes 192 KB 71 KB 281 KB

Episode #763 | 21 Apr 2020 | 86 min.
The COVID Effect

This week, as an interesting case study, we continue tracking the latest actions being taken by Zoom and another unfortunate consequence of their overnight success. We have two pieces of Chrome browser news, and security news including what happened with last Tuesday's Windows patch, rollbacks in authentication plans, Signal's reaction to the planned EARN IT Act, trouble at the Tor Project and an interesting CAPTCHA change at Cloudflare. I also want to share my recent change in preferred VM systems, two bits of listener's closing the loop feedback, and a SpinRite update -- since stuff's beginning to happen.
41 MB 10 MB  252 KB   <-- Show Notes 89 KB 65 KB 260 KB

Episode #762 | 14 Apr 2020 | 95 min.
Virus Contact Tracing

This week we follow up on a bunch of continuing Zoom news, since Zoom appears to be poised to become the teleconferencing platform of choice for the world at large. They've made more changes, have been sued and have been rapidly taking steps to fix their remaining problems. We have some browser news and another worrisome look into Android apps using a novel approach to quickly characterize them. We have an interesting and sad bit of miscellany and a progress report on my SpinRite work, and then we take the sort of full technical deep dive into the joint Apple/Google Contact Tracing system that our listeners have come to expect from this podcast. By the end of this podcast everyone will understand exactly what Apple and Google have done and how the system functions, in detail.
45 MB 11 MB  260 KB   <-- Show Notes 101 KB 72 KB 275 KB

Episode #761 | 07 Apr 2020 | 90 min.
Zoom Go Boom!

This week starts off with a bunch of web browser news including Firefox zero-days, Safari's recent scrape, more coronavirus-related feature rollbacks, the status of TLS v1.0 and 1.1, and some interesting developments on the Edge front. We revisit the lingering STIR and SHAKEN telco protocol mess, then look at a new DNS-filtering add-on service from Cloudflare and at the growing influence of an Internet group hoping to tighten up the mess with BGP. After a quick update on my SpinRite project, we take a look at what's been going on with the security of Zoom, the suddenly chosen tool for hosting Internet virtual classrooms and meetings of all kinds.
43 MB 11 MB  297 KB   <-- Show Notes 86 KB 68 KB 259 KB

Episode #760 | 31 Mar 2020 | 86 min.
Folding Proteins

This week we examine some consequences of increased telecommuting with the use of RDP and VPNs skyrocketing, along with a new bug in iOS's handling of VPN connections. We look at Google's unrelenting quest to get the "www" out, and note some changes to Firefox and further revisions of browser release schedules. We take a deep dive into a very welcome forthcoming code security feature for Windows 10. We share an action item for users of OpenWRT routers, and the result of an audit of Cloudflare's privacy-enforcing DNS service. We divulge a few interesting bits of feedback and some SQRL and SpinRite miscellany, then finish by examining a new opportunity to donate our unused CPU cycles for help with COVID-19 research.
41 MB 10 MB  291 KB   <-- Show Notes 86 KB 63 KB 254 KB

Episode #759 | 24 Mar 2020 | 102 min.

This week we look at a new unpatched zero-day attack affecting billions of Windows users, Mozilla's reversal on TLS 1.0 and 1.1 deprecation due to the coronavirus, a welcome micropatch for Win7 and Server 2008, Chrome's altered release schedule during the coronavirus, Avast's latest screw-up, a new threat affecting Android users, the results from last week's Pwn2Own competition, and a few observations about the coronavirus math and some worthwhile explainer videos. Then we look at where we are with Rowhammer after six years.
49 MB 12 MB  266 KB   <-- Show Notes 131 KB 82 KB 323 KB

Episode #758 | 17 Mar 2020 | 109 min.

This week we take a deep dive into the many repercussions preceding and following last week's Patch Tuesday. Wouldn't it be nice to have a quiet one for a change? But first, we look at a nice list of free services being maintained by BleepingComputer's Lawrence Abrams. We look at a recent report into the state of open source software vulnerabilities, and at new and truly despicable legislation aimed at forcing social media companies to provide "lawful access" to their customers' encrypted content.
52 MB 13 MB  309 KB   <-- Show Notes 169 KB 94 KB 401 KB

Episode #757 | 10 Mar 2020 | 107 min.
The Fuzzy Bench

This week we consider the new time-limited offers being made for free telecommuting tools, the continuing success of the DOD's "please come hack us" program, another take on the dilemma and reality of Android device security, some unwelcome news about AMD processor side-channel vulnerabilities, a new potentially serious and uncorrectable flaw in Intel processors, a 9.8-rated critical vulnerability in Linux system networking, a "stand back and watch the fireworks" forced termination of TLS v1.0 and v1.1, and the evolution of the SETI@home project after 19 years of distributed radio signal number crunching. We then touch on a bit of miscellany, and finish by looking at a new and open initiative launched by Google to uniformly benchmark the performance of security fuzzers.
51 MB 13 MB  291 KB   <-- Show Notes 116 KB 82 KB 320 KB

Episode #756 | 03 Mar 2020 | 104 min.

This week we look at a significant milestone for Let's Encrypt; the uncertain future of Facebook, Google, Twitter and others in Pakistan; some revealing information about the facial image scraping and recognition company Clearview AI; the Swiss government's reaction to the Crypto AG revelations; a "must patch now" emergency for Apache Tomcat servers; a revisit of OCSP stapling; a tried and true means of increasing your immunity to viruses; an update on SpinRite; and the latest serious vulnerability in our WiFi infrastructure, known as Kr00k.
50 MB 12 MB  236 KB   <-- Show Notes 141 KB 81 KB 351 KB

Episode #755 | 25 Feb 2020 | 115 min.
Apple's Cert Surprise

This week we reexamine the Windows 10 lost profiles problem, and also a consequence of the need to roll back (or avoid in the first place) the Patch Tuesday disaster. We look at a new feature to arrive with the next Windows 10 feature release, unfortunately named the 2004 release. We also examine the details of a new attack on the 4G LTE and 5G cellular technology, the full default rollout of Firefox's support for DoH, and also the availability of a powerful new sandboxing technology for Firefox. We also check in with Chrome's fix earlier today of a zero-day that was found being exploited in the wild. And, finally, before turning our attention to the bomb that Apple dropped in the lap of the entire certificate industry last week, I'm going to update our listeners about the things I've learned after returning to the work on SpinRite's next iteration.
55 MB 14 MB  278 KB   <-- Show Notes 131 KB 86 KB 324 KB

Episode #754 | 18 Feb 2020 | 88 min.
The Internet of Troubles

This week we continue following the continuing agony surrounding this month's increasingly troubled Windows Update. We examine several significant failures which have befallen Windows 10 users after applying the month's "fixes," which have had the tendency of breaking things that weren't broken in the first place. We look at the danger presented by a very popular GDPR-compliance add-in for WordPress sites. We look at an eye-opening report about the stresses that CISOs are being subjected to, and also today's pilot test of Microsoft's new ElectionGuard voting system. We then touch on some SQRL and SpinRite news before taking a close look at two newly revealed IoT - Internet of Troubles - security worries.
42 MB 11 MB  569 KB   <-- Show Notes 95 KB 67 KB 273 KB

Episode #753 | 11 Feb 2020 | 101 min.
Promiscuous Cookies

This week we offer some welcome news about Microsoft A/V under Windows 7, we follow even more blow-by-blow consequences of January's final updates for Windows 7, we look at a worrisome exploitable Bluetooth bug Google just fixed in Android and what it means for those not fixed, we update on the ClearView AI face scanning saga, we take a peek into data recovery from physically destroyed phones, we entertain yet another whacky data exfiltration channel, and we conclude by looking at the consequences of the recent changes to make cookies less promiscuous.
49 MB 12 MB  283 KB   <-- Show Notes 112 KB 79 KB 312 KB

Episode #752 | 04 Feb 2020 | 102 min.
The Little Red Wagon

This week we examine the most recent flaw found in Intel's processors and what it means. We look at the continually moving target that is Windows 10. We consider the Free Software Foundation's suggestion that Microsoft open source Windows 7 and the fact that last month's was apparently NOT the last update of Windows 7 for all non-ESU users. We look at the evolution of exploitation of the Remote Desktop Gateway flaw, Google's record breaking vulnerability bounty payouts, the return of Roskomnadzor, the size of fines, the question of who owns our biometrics, an update on Avast/AVG spying, the future of third-party AV, a major milestone for the WireGuard VPN, and the wonderful Little Red Wagon hack of the decade which titled this podcast.
49 MB 12 MB  375 KB   <-- Show Notes 134 KB 89 KB 343 KB

Episode #751 | 28 Jan 2020 | 107 min.

This week we look at some surprising revelations of Apple's cloud storage encryption (or lack thereof). We also cover a Microsoft cloud database mistake, some interesting legislation under consideration in New York, new attacks against a consumer router firmware, a rise of new attacks against our browsers, a welcome new publication from NIST on Privacy, a massive leakage of telnet usernames and passwords, a welcome micropatch for this month's IE zero-day, a bit of miscellany and SpinRite news, and then some coverage of the final nail that was recently pounded into SHA-1's coffin.
51 MB 13 MB  224 KB   <-- Show Notes 127 KB 81 KB 322 KB

Episode #750 | 21 Jan 2020 | ??? min.
The CurveBall CryptoAPI

This week we look at Google's addition of iOS devices as full Google account logon hardware security keys, an update on Apple vs Attorney General Barr, a serious new Internet Explorer 0-day and how the vulnerability can be mitigated, the release of Microsoft's Chromium-based Edge browser, the FBI's reaction to the Pulse Secure VPN vulnerability, another new and CRITICAL RDP remote code execution vulnerability that has slipped under the radar, a bit of miscellany, and then we examine the headline-grabbing CryptoAPI vulnerability that's been dubbed “CurveBall.”
44 MB 11 MB  263 KB   <-- Show Notes 104 KB 70 KB 277 KB

Episode #749 | 14 Jan 2020 | 117 min.
Win 7 - R. I. P.

This week's Security Now! podcast is titled "Windows 7 - R.I.P.," not because there's much that we haven't already said about the fact, but that it happens TODAY; and that, given the still massive install base of Windows 7, it's significant that all of those machines will now be going without any clearly needed security updates. So the big news for this week WAS to be the event of the first successful preimage attack on the SHA-1 hash. But that news was preempted at the last minute by the much more immediately significant news of the remotely exploitable "Cable Haunt" vulnerability that's present in most of the world's cable modems right now! So we'll be talking about that after we look at the FBI's recent request to have Apple unlock another terrorist's iPhone; update on the Checkrain jailbreak solution; examine the challenge of checking for illegal images while preserving privacy; look at some deeply worrying research into just how easy it is for bad guys to get SIMs swapped; examine the consequences of not patching a bad VPN flaw; deal with a bit of miscellany; and then, finally, look at the new "Cable Haunt" vulnerability.
56 MB 14 MB  535 KB   <-- Show Notes 174 KB 97 KB 399 KB

Episode #748 | 07 Jan 2020 | 118 min.
A Malware Lexicon

This first podcast of 2020 we look at a proposed standard for creating machine-readable warrant canaries. We also take a precautionary lesson from a big Xiaomi blunder, examine Microsoft's research into brute-forcing RDP, look at the continuing problem at the Point Of Sale, follow-up on Russia's plan to disconnect from the Internet, consider the end of life of Python 2.7, review the top 20 HackerOne bounty payers, warn of some bad new SQLite security vulnerabilities and cover a bit of Sci-Fi, SQRL and SpinRite miscellany. Then we group all malware into a seven-member Lexicon and quickly run through each one.
57 MB 14 MB  186 KB   <-- Show Notes 104 KB 92 KB 298 KB
2019 Archive Below...

Episode #747 | 31 Dec 2019 | 108 min.
The Best of 2019

For Security Now!'s annual holiday podcast, Leo takes us back to reexamine several significant events covered by this podcast during the past year.
47 MB 12 MB

Episode #746 | 23 Dec 2019 | 103 min.
A Decade of Hacks

This week we stumble into Microsoft's own confusion about whether or not Microsoft's Security Essentials will continue receiving updates after January 14th. We look briefly at the year when Ransomware happened, we revisit the Avast and AVG Mozilla extensions to see how they're doing, we look at the just-announced big news for Apple's and Google's bug bounty programs for 2020, and also at Mozilla's addition of another very appealing DoH provider (which Leo apparently likes). We provide a nudge to Drupal site masters to update their Drupal Cores RIGHT NOW... And then we conclude by revisiting this past decade -- spanning 2010 to 2019 -- and the many hacks we've explored during these previous ten years.
49 MB 12 MB  312 KB   <-- Show Notes 135 KB 80 KB 336 KB

Episode #745 | 17 Dec 2019 | 108 min.

This week we start with a reminder about Google's still operating SensorVault, we look inside Google's new "Verified SMS" Messages feature, examine another salvo in the end-to-end encryption war, a nice authentication feature added to iOS v13.3, some patch Tuesday news, a startling discovery about the weaknesses of RSA at scale, a collection of quick bits about last Friday the 13th, Mozilla 2FA for add-on developers, the surprising hard out for Microsoft's Security Essentials, and two bits about Chrome 79. Then we have a clarification about last week's VPN-geddon Denied discussion, a significant announcement about my new focus, some SQRL news... and then we conclude with a look at yet another interesting new way of compromising Intel processors known as "PlunderVolt".
52 MB 13 MB  227 KB   <-- Show Notes 131 KB 83 KB 323 KB

Episode #744 | 10 Dec 2019 | 97 min.
VPN-geddon Denied

This week we look at Microsoft's force-feeding of Windows 10 feature updates, the creation of a tool to keep Win7 and 8 updates freely flowing for free, the continuing evolution of a new highly secure programming language, an update to Microsoft's RDP client for iOS, Avast and AVG in the doghouse, some VERY severe authentication bypasses in OpenBSD, and a note about the WireGuard VPN. Then we take a look at the report which every security website breathlessly covered - and got wrong.
47 MB 12 MB  274 KB   <-- Show Notes 101 KB 72 KB 277 KB

Episode #743 | 03 Dec 2019 | 108 min.
Android “StrandHogg”

This week we revisit free upgrades from Win7 or 8 to 10 (which can still be done), an alert for users of HP SSDs, the complications which arise with international privacy treaties when end-to-end encryption might be threatened, the US government's formal permission to hack, a quick look at a particularly devastating Ransomware attack, more anti-tracking privacy happiness coming soon, by default, to Firefox, the never-ending headaches caused by Windows DLLs, an update on my "Joy of Sync" determinations, and a look at the way some Android multitasking features can and are being actively abused -- with Google's knowledge.
52 MB 13 MB  326 KB   <-- Show Notes 139 KB 87 KB 355 KB

Episode #742 | 26 Nov 2019 | 101 min.
Pushing DoH

This week we look at some interesting changes coming to Android and some inherent challenges presented by the nature of the Android ecosystem. We examine some newly revealed troubles with the venerable VNC clients and servers. We note a welcome change to Twitter and update on law enforcement's "foregone conclusion" strategy to force password divulgence. We then look at a surprising pre-announcement from Microsoft about DNS, then dig more deeply into the details of the emerging DoH protocol and reveal a VERY interesting and surprising and unsuspected capability.
48 MB 12 MB  234 KB   <-- Show Notes 133 KB 79 KB 289 KB

Episode #741 | 19 Nov 2019 | 114 min.

This week we look back at November's Patch Tuesday while we count down to the impending end of patches for Windows 7 and Server 2008. We check in with CheckM8 and Checkra.in as the iOS bootrom exploit continues to mature. We look at GitHub's announced launch of "GitHub Security Lab" to bring bounties and much stronger security focus to the open source community. We discuss a recent court ruling regarding U.S. border entry device searches. We cover yet another bad WhatsApp remote code execution vulnerability. We examine the impact of version 2 of ZombieLoad, the formation of the Bytecode Alliance, and a bit of media miscellany. Then we examine the impact of two Trusted Platform Module (TPM) failings, one which allows local key extraction, and a second that can be exploited remotely over a network.
55 MB 14 MB  206 KB   <-- Show Notes 143 KB 91 KB 358 KB

Episode #740 | 12 Nov 2019 | 118 min.
Credential Delegation

This week we check in on the developments of the long-term, now working, full consumer jailbreak of iOS devices from the iPhone 4S through the iPhone X. We examine the strange case of the misbehaving transducer, catch up on the rapidly evolving exploitation of the BlueKeep vulnerability, check out Mozilla's rebuttal to Comcast's attack on DoH, examine the surprising state of web browser support for DoH, and remind Linux and BSD users to refresh their distros after an important flaw was disclosed in a widely used archive library. Then we take a deep dive into the operation of a newly announced forthcoming solution and standard for significantly improving TLS website certificate security known as "TLS Credential Delegation."
56 MB 14 MB  255 KB   <-- Show Notes 102 KB 88 KB 291 KB

Episode #739 | 05 Nov 2019 | 109 min.
DoH & BlueKeep

This week we examine a widespread Windows breakage introduced by last month's patch Tuesday. We look at several things Google changed in their just-released Chrome 78, news from the Edge, the status of attacks on Intel chips, a new attack on publicly-exposed QNAP NAS devices, the significant risk of trusting managed service providers, the downside of apps for autos, and worries over Chinese made drones. We then finish by coming back to look at news on two other fronts: The escalating controversy over DNS-over-HTTPS (DoH) and the commencement of the long-awaited BlueKeep vulnerability attacks.
52 MB 13 MB  432 KB   <-- Show Notes 95 KB 82 KB 289 KB

Episode #738 | 29 Oct 2019 | 115 min.
A Foregone Conclusion

This week we look at another collision created by third-party AV; a powerful new Windows Defender feature that's easy to have missed; a public database breach by someone who should know better; what's worse than having all your files encrypted?; a VERY nice-looking, fully encrypted and free email service engineered in privacy-respecting Germany; stats coming back from Firefox's newly enhanced tracking privacy protection; a new and very bad remote code execution vulnerability affecting Nginx web servers; and the planned introduction of RCS to replace SMS next year. We also have a piece of SQRL news and some miscellany. Then we look at the outcome of a recent appellate court decision which complicates the decision about whether using a password or a biometric is more "judgment proof."
55 MB 14 MB  364 KB   <-- Show Notes 105 KB 87 KB 297 KB

Episode #737 | 22 Oct 2019 | 121 min.
Biometric Mess

This week we check in on the frenzy to turn CheckM8 into a consumer-friendly iOS jailbreak, on another instance of stealth steganography, on a number of changes to Firefox's URL display, and on the state of Microsoft's ElectionGuard open source voting system. We also look at a very serious flaw that was just found in Linux's Realtek WiFi driver and some welcome news from Yubico. We touch on a couple of miscellaneous media tidbits, then take a look at the ramifications of two recent biometric authentication failures and consider the challenges and inherent tradeoffs of biometric authentication.
58 MB 14 MB  365 KB   <-- Show Notes 107 KB 89 KB 295 KB

Episode #736 | 15 Oct 2019 | 101 min.

This week we take a look at a sobering supply chain proof-of-concept attack, an update on the ongoing encryption debate, a blast-from-the-past password decryption, an intriguing security and privacy consequence of today's high-resolution consumer cameras, and the sad state of consumer security knowledge. OpenPGP gets a nice boost, Windows Defender gets Tamper Protection, and SQRL gets a very nice mention by Google's Cloud Security architects. We'll share a bit of sci-fi and fun miscellany, then conclude by examining the crucially important, widely available, and completely unpatchable Apple Boot ROM exploit known as "CheckM8."
48 MB 12 MB  522 KB   <-- Show Notes 156 KB 79 KB 352 KB

Episode #735 | 08 Oct 2019 | 111 min.
Makes Ya WannaCry

This week we reveal a miracle mistake made by a hacker more than years ago that saved the world from devastating ransomware. But first we catch up on recent ransomware activities, examine the detailed handoff from the GandCrab shutdown and the Sodinokibi startup, a welcome change in Microsoft's Extended Security Update policy for Windows 7, a nasty zero-day RCE in vBulletin, and a bit of nice SQRL news.
53 MB 13 MB  675 KB   <-- Show Notes 147 KB 88 KB 357 KB

Episode #734 | 01 Oct 2019 | 108 min.
The Joy of Sync

With this week's "The Joy of Sync" podcast, we focus upon the latest state-of-the-art secure solutions for cross-device, cross-location device synchronization. But before we delve into that abyss, we'll update on Mozilla's recently announced plans to gradually and carefully bring DNS-over-HTTPS to all Firefox users in the U.S. It turns out it's not quite the slam dunk that we might imagine. We'll also check in with the EFF to see what they think, and remind our listeners about the 100% free VPN offering coming from our friends at Cloudflare.
52 MB 13 MB  265 KB   <-- Show Notes 118 KB 82 KB 318 KB

Episode #733 | 24 Sep 2019 | 102 min.
Top 25 Bug Classes

This week we look at the driver behind this summer's comeback in cryptocurrency mining. We also check out a managed security provider's summary of the biggest problems they encounter with their more than 4000 clients. We look at the revised and worrisome update after six years of SOHO router and NAS device security, and we suggest that everyone using Chrome go to Help > About. I found three notes about SpinRite that I'm not sure I ever shared, so I will. Then we conclude with the result of processing the massive CVE vulnerability database which reveals the top 25 most enduring classes of software bug impacting the security of our industry.
49 MB 12 MB  370 KB   <-- Show Notes 113 KB 76 KB 312 KB

Episode #732 | 17 Sep 2019 | 87 min.

This week we continue following the DoH story, which we begin discussing two weeks from now as a result of a rip in the space-time continuum. We also look at recent changes to Chrome 77 and the forthcoming Chrome 78, the already compromised iOS 13.0, and Mozilla Firefox's new browser VPN offering. We take a look back at last Tuesday's Patch Tuesday, take note of Chrome's Remote Desktop feature, cover another serious Exim mail server problem, handle a bit of miscellany, and examine a serious vulnerability affecting essentially ALL smartphone users known as “Simjacker.”
42 MB 10 MB  670 KB   <-- Show Notes 111 KB 66 KB 292 KB

Episode #731 | 10 Sep 2019 | 101 min.

This week we look at a forced two-day recess of all schools in Flagstaff, Arizona; the case of a ransomware operator being too greedy; Apple's controversial response to Google's posting last week about the watering hole attacks; Zerodium's new payout schedule and what it might mean; the final full public disclosure of BlueKeep exploitation code; some potentially serious flaws found and fixed in PHP that may require our listeners' attention; some SQRL news, miscellany, and closing-the-loop feedback from a listener. Then we take our first look on this podcast into the growing problem and threat of “Deepfake” media content.
49 MB 12 MB  507 KB   <-- Show Notes 132 KB 81 KB 321 KB

Episode #730 | 03 Sep 2019 | 114 min.
The Ransomware Epidemic

Rather than looking at many small bits of news, this week we take longer looks at a few larger topics. We'll examine several pieces of welcome news from the bug bounty front. We also take a look at Google's Project Zero revelation of a comprehensive multiyear campaign aimed at iOS visitors to specific websites. Then we conclude with a distressingly large array of news from the ransomware front. We figure out how to pronounce Sodinokibi (so-dee'-no-kee-bee) and ponder the future of ransomware.
46 MB 12 MB  386 KB   <-- Show Notes 89 KB 69 KB 270 KB

Episode #729 | 27 Aug 2019 | 114 min.
Next Gen Ad Privacy

This week we check in on Texas, and on the Kazakhstan government's attempt to be their own CA. How did that work out for them? We note a troubling increase in attacks on the open source software supply chain. Google's announced plans to add data breach notification to Chrome. We look at a surprising Apple iOS v12.4 regression (whoops!) and at another Microsoft RDP component in need of updating. I update our listeners on the state of SQRL (another of its documents is completed) and on SQRL presentations past and future. I share some news from my ongoing file sync journey. We conclude by looking at some very interesting and promising moves as browser-based advertising matures from the ad hoc mess it has always been into a privacy-respecting Internet citizen.
56 MB 14 MB  232 KB   <-- Show Notes 142 KB 92 KB 358 KB

Episode #728 | 20 Aug 2019 | 114 min.
The KNOB Is Broken

This week we look at last week's monthly Patch Tuesday and its collision with third-party AV add-ons. We examine four years of Kaspersky unique web user tracking. We look again at Tavis Ormandy's discovery of the secret undocumented CTF protocol, wondering WTF is CTF? We note a new and devastating strategy in the ransomware battle which hit Texas last Friday. We also have the sad demise of Extended Validation certificates, the further removal of FTP support from web browsers, Google's campaign to still further reduce web certificate lifetimes, and Netflix's discovery of eight implementation flaws in the new HTTP/2 protocol. We'll cover a bit of miscellany, update on my file syncing journey, touch on SQRL news and SpinRite, then conclude with a look at the most recent attack on Bluetooth pairing negotiation which renders all Bluetooth associations vulnerable to a trivial attack.
55 MB 14 MB  266 KB   <-- Show Notes 122 KB 85 KB 323 KB

Episode #727 | 13 Aug 2019 | 118 min.
Black Hat and DEF CON

This week, as expected, we look at some of the events and announcements from last week's Black Hat and DEF CON conference events. Microsoft and Apple have upped the ante for bug hunters, the Chaos Computer Club shreds a hotel's door lock security, a serious philosophical design flaw is revealed to be present in 40 signed device drivers, and Google vows to continue its Incognito-mode battle. We also have some SQRL news, some fun miscellany, and some interesting closing-the-loop feedback from our terrific listeners.
57 MB 14 MB  389 KB   <-- Show Notes 99 KB 87 KB 292 KB

Episode #726 | 06 Aug 2019 | 116 min.
Steve's File Sync Journey

This week we look at a widespread false alarm about Facebook's planned subversion of end-to-end encryption, still more municipality ransomware attacks, more anti-encryption saber-rattling among the Five Eyes nations, Microsoft's discovery of Russian-backed IoT compromise for enterprise intrusion, Chrome 76's changes, this week's Black Hat and DEF CON conferences, a bit of miscellany, and closing the loop with our listeners. Then I want to share my recent experiences and findings about the challenge of synchronizing a working set of files between two locations, and the tools I settled on.
56 MB 14 MB  285 KB   <-- Show Notes 157 KB 93 KB 375 KB

Episode #725 | 30 Jul 2019 | 103 min.

This week we close the chapter on the Marcus Hutchins saga. The U.S. Attorney General weighs in on "warrant-proof" data encryption. We look at what's popular with the underground, give an update on the latest four new ransomware attacks, examine three different attacks on exposed network attached storage (NAS) servers, cover a bit of miscellany, then take a close look at the news of the just-released-yesterday vulnerabilities in the two billion-strong VxWorks embedded OS.
49 MB 12 MB  322 KB   <-- Show Notes 118 KB 74 KB 309 KB

Episode #724 | 23 Jul 2019 | 105 min.
Hide Your RDP Now!

This week we start off with something bad that we unfortunately saw coming. We then look at the changing security indication feedback in browsers; the challenge of keeping browsers compatible with important but non-standards-compliant websites; the failure and repair of incognito browsing mode; the possibility of a forthcoming "super incognito mode" for Firefox; a new super-fast TLS stack written in the Rust programming language; Microsoft's promised open source release of their voting machine election software; and yet another widely deployed, exposed, and exploitable Internet server. We have a quick bit of miscellany and some terrific SQRL news. Then we look at a recent and quite sobering report from Sophos about attacks on exposed RDP servers.
51 MB 13 MB  389 KB   <-- Show Notes 90 KB 77 KB 282 KB

Episode #723 | 16 Jul 2019 | 117 min.
Encrypting DNS

This week we cover a few bullet points from last Tuesday's monthly Windows patches, as well as some annoyance that the patches caused for Windows 7 users. We track some interesting ongoing ransomware news and look at the mixed blessing of fining companies for self-reporting breaches. We check out a survey of enterprise malware headaches, update some Mozilla/Firefox news, and examine yet another (and kind of obvious) way of exfiltrating information from a PC. We address a bit of errata, some miscellany, and closing-the-loop feedback with our listeners. We then conclude with a closer look at all the progress that's been occurring quietly with DNS encryption.
56 MB 14 MB  397 KB   <-- Show Notes 127 KB 86 KB 326 KB

Episode #722 | 09 Jul 2019 | 110 min.
Gem Hack & Ghost Protocol

This week we stumble over a number of instances where technology appears to be colliding with the status quo. In any complex social system, individual and group interests are often complex and may be in opposition. So when new technology comes along to offer new capabilities, not everyone is going to be pleased. So this week we discuss some of the mounting tensions being created by connectivity, storage, and computation which are being combined to create many new capabilities. We look at the surprising backlash to Mozilla's privacy-enhancing DNS-over-HTTPS support, concerns over the use of facial recognition and automobile license plate scanners, and the future of satellite-based Internet services. We present some SQRL news and share a bunch of closing-the-loop feedback from our listeners. We then examine how a Ruby code repository was hacked and look at the U.K. GCHQ's proposal for adding "ghost" participants into private conversations.
53 MB 13 MB  325 KB   <-- Show Notes 126 KB 84 KB 324 KB

Episode #721 | 02 Jul 2019 | 110 min.
Exposed Cloud Databases

This week we track further occurrences of ransomware in Florida and elsewhere. We check in on the state of the "going dark" anti-encryption debate. We look at a stunning new BlueKeep proof-of-concept demo produced by the guys at SophosLabs. We update some miscellany and present some closing-the-loop feedback from our terrific listeners. Then we examine the nature of the continuing problem of massive publicly exposed databases. In the third example of this just this week, we discover a prolific Chinese IoT manufacturer who is logging more than a million of their customers' devices into an exposed database of two-billion-plus records - which returns us to the dilemma we have with the utter lack of oversight and control over our own IoT devices, and the need to soberly reconsider what "IoT" stands for.
53 MB 13 MB  426 KB   <-- Show Notes 134 KB 83 KB 347 KB

Episode #720 | 25 Jun 2019 | 101 min.
Bug Bounty Business

This week we check in on the state of last week's Linux TCP SACK kernel panic, examine two Mozilla zero-days which were being used against Coinbase and others, and note that performing a full factory reset of an IoT device may not be sufficient. We look at a very clever and elegant solution to OpenSSH key theft via Rowhammer attacks, share an update on the BlueKeep RDP vulnerability, and examine the cause of a three-hour widespread Internet outage yesterday morning. We discuss NASA's APT, which crawled in via a Raspberry Pi, the cost of paying versus not paying a ransomware ransom, and an update on Microsoft's Chromium-based Edge browser. Lastly, we handle a bit of listener feedback, then take a closer look at the state of the commercial bug bounty business.
48 MB 12 MB  313 KB   <-- Show Notes 119 KB 75 KB 310 KB

Episode #719 | 18 Jun 2019 | 117 min.
Exim Under Siege

There were several significant stories this week. We have a new DRAM problem called "RAMBleed," news of a Linux server kernel-crashing flaw in TCP, and the occurrence of the expected attacks on Exim email servers - not to mention last week's Patch Tuesday, a Bluetooth surprise, and another useless warning about the BlueKeep vulnerability. Microsoft missed a 90-day Tavis Ormandy deadline. We have a good-news GandCrab wrap-up, Yubico's entropy mistake, a bit of post-announce SQRL news, and a favorite iOS security app. We selected as our title story the attacks on Exim mail servers so that we can talk about the other disasters, which are still pending, next week!
56 MB 14 MB  313 KB   <-- Show Notes 138 KB 85 KB 354 KB

Episode #718 | 11 Jun 2019 | 110 min.
Update Exim Now!

This week we catch up with the continuing antics of SandboxEscaper. We give an update on the status of the still-not-yet-widely-exploited BlueKeep vulnerability, and also look at a new botnet which is pounding on RDP servers (but not yet using BlueKeep). The FBI has issued an interesting advisory about not trusting secure sites just because they're secure, so we'll examine that. The popular VideoLAN player receives an important update thanks to an interesting source, Microsoft's Edge browser takes another step forward, and Mozilla reorganizes a bit. Then I'm going to share my must-have Utility of the Week, a just-released sci-fi movie on Netflix, and a bit of closing-the-loop feedback from the Twitterverse which resulted from my, as planned, first formal full release of SQRL. We'll close with a look at the critical need for anyone running the Exim mail server to update immediately.
53 MB 13 MB  221 KB   <-- Show Notes 118 KB 82 KB 321 KB

Episode #717 | 04 Jun 2019 | 111 min.
The Nansh0u Campaign

This week we check in on the BlueKeep RDP vulnerability. We look at the planned shutdown of one of the, if not THE, most successful, if one can call it that, affiliate-based ransomware systems. We update you on the anti-robocalling problem and then look at the recent announcements by the Russian and Chinese militaries about their plans to move away from the Microsoft Windows OS. We also look at Apple's announcement yesterday of their forthcoming "Sign in with Apple" service, touch on the state of SQRL, and then share a bit of fun feedback from a listener. We finish by examining the interesting details behind a significant old-school persistent campaign, the Nansh0u campaign, apparently sourced from China, which has successfully compromised many tens of thousands of servers exposed to the Internet.
53 MB 13 MB  506 KB   <-- Show Notes 124 KB 84 KB 155 KB

Episode #716 | 28 May 2019 | 107 min.
RDP: Really Do Patch

This week we primarily focus upon the almost certainly impending doom of the Internet, as the Windows Remote Desktop Protocol saga finishes out its second week with a great deal of news and new evidence-based expectation for the end of humanity as we have known it. Okay, well, maybe it won't be quite that dramatic, but it already makes last year's Meltdown and Spectre flaws seem quaint. But before we get to that, we take a look at the FIVE new zero-day exploits just dropped by SandboxEscaper, Google's discovery and confession of 14 years of cleartext password storage, Microsoft's just-released Win10 Feature Update 1903, Firefox's release 67, and some interesting new data about the prevalence of validly signed malware.
51 MB 13 MB  494 KB   <-- Show Notes 103 KB 78 KB 139 KB

Episode #715 | 21 May 2019 | 114 min.

As expected after last week's Tuesday morning end-of-embargo on details of the next round of Intel processor information leakage problems, we will take a closer look at the new challenges they create and the impact of their remediation on system performance and stability. But before that we look at last Tuesday's patches from Microsoft, Adobe, and Apple. We examine a new big security problem for Cisco that even has stock analysts taking notice. We check in on the ongoing troubles with the cryptocurrency market, see what Johns Hopkins associate professor Matthew Green tweeted about the trouble with Google's Titan Bluetooth dongle, and deal with yet another monthly problem with Windows 10 updates. We touch on a bit of miscellany, then wrap up with a look at the new so-called Microarchitectural Data Sampling vulnerabilities.
55 MB 14 MB  1.75 MB   <-- Show Notes 133 KB 86 KB 162 KB

Episode #714 | 14 May 2019 | 95 min.
Android “Q”

This week we look at a widespread problem affecting all WhatsApp users, many interesting bits of news arising from last week's Google I/O 2019 conference, a worrisome remotely exploitable flaw in all Linux kernels earlier than v5.0.8, the just released hours ago new set of flaws affecting all Intel processors known as ZombieLoad, a bit of miscellany, and some odds and ends. Then we take a deep look into the significant security enhancements Google also announced in their next release of Android: Q.
45 MB 11 MB  274 KB   <-- Show Notes 83 KB 68 KB 121 KB

Episode #713 | 07 May 2019 | 104 min.
Post-Coinhive Cryptojacking

This week we look at the mess arising from Mozilla's intermediate certificate expiration (the most tweeted event in my feed in a LONG time!), Google's announcement of self-expiring data retention, another wrinkle in the exploit marketplace, Mozilla's announcement about deliberate code obfuscation, a hacker who hacked at least 29 other botnet hackers, a warning about a very popular D-Link netcam, who's paying and who's receiving bug bounties by country, another user-agent gotcha with Google Docs, a problem with Google Earth on the new Chromium Edge browser, and a bit more about Edge's future just dropped at the start of Microsoft's Build 2019 conference. Then we take a look at the continuing and changing world of cryptojacking after Coinhive closed their doors last month.
50 MB 13 MB  723 KB   <-- Show Notes 106 KB 78 KB 142 KB

Episode #712 | 30 Apr 2019 | 100 min.
Credential Stuffing Attacks

This week we look at more privacy fallout from our recent coverage of Facebook and Google. We examine the uptake rate of recent Windows 10 feature releases. We finally know the source of the AV troubles with the April Patch Tuesday updates. We look at the NIST's formal fuzzing development, consider the source of a massive and ongoing database data leak involving more than half of all American households, note that Windows Insiders are already finding that their systems won't update to the May 2019 feature update, and address the concerns of United Airlines passengers who have noticed and been understandably upset by seatback cameras pointing at them. Finally, we have the "Cranky Old Guy Tip of the Week," touch on a bit of miscellany, then take a look at what many in the security industry are watching with concern: the large and emerging threat of website credential stuffing attacks.
48 MB 12 MB  371 KB   <-- Show Notes 101 KB 76 KB 136 KB

Episode #711 | 23 Apr 2019 | 126 min.

This week we discuss Google's use of their Sensorvault tracking to assist law enforcement. It's time to update Drupal again. And, speaking of "again," Facebook. We also look at Russia's newly approved legislation moving toward an Internet "off switch," a reminder that "USB Killers" are a real thing, the news of Marcus Hutchins's plea deal, an actively exploited Windows zero-day, a bunch of Microsoft Edge news, the Win7 end-of-life notices, something from the "I did say this was bound to happen" department, and some miscellaneous news. Then we examine the latest detailed threat research from Cisco's Talos Group about the leveraging of DNSpionage.
61 MB 15 MB  351 KB   <-- Show Notes 143 KB 95 KB 175 KB

Episode #710 | 16 Apr 2019 | 116 min.

This week we discuss a malicious use of the URL tracking "ping" attribute, more on WinRAR, more third-party AV troubles with Microsoft and other new trouble from last week's Patch Tuesday, good things that Patch Tuesday accomplished for Microsoft and for Adobe, another security-tightening change being proposed by Google, Russia's Roskomnadzor finally lowering the boom on Facebook, and the incredible TajMahal APT framework. We touch on a bit of miscellany, answer a SpinRite upgrade question, and share some closing-the-loop feedback from our listeners. We close with a look at Dragonblood, the first effective attack on the new WPA3 protocol (which didn't take long).
56 MB 14 MB  263 KB   <-- Show Notes 124 KB 85 KB 157 KB

Episode #709 | 09 Apr 2019 | 129 min.
URL “Ping” Tracking

This week we discuss more news of Microsoft's Chromium-based Edge browser; the U.K. government's plan to legislate, police, and enforce online social media content; improvements to Windows 10's update management; news from the "spoofing biometrics" department; the worrisome state of Android mobile financial apps; an update on the NSA's Ghidra software reverse engineering tool suite; perhaps the dumbest thing Facebook has done yet (and by policy, not by mistake); an important change in Win10 1809 external storage caching policy; and a bit of miscellany and closing-the-loop feedback from our terrific listeners. Then we're going to take a close look at another capitulation in the (virtually lost) battle against tracking our behavior on the Internet with URL "ping" tracking.
68 MB 15 MB  492 KB   <-- Show Notes 105 KB 91 KB 150 KB

Episode #708 | 02 Apr 2019 | 126 min.
Android Security

This week we are primarily going to share Google's well-deserved, self-congratulatory, but also very honest update on the status of Android Security at its 10th birthday. But before that we're going to share some of the continuing news of the WinRAR vulnerability, some really interesting data on Russian GPS hacking, Android's April Fools' Day patches, Tesla autopilot spoofing, some follow-up on the ASUS "ShadowHammer" attack and the targeted MAC addresses, the final release of the Windows 10 (last) October 2018 update, a VMware update, a SQRL question, two bits of listener feedback, and a SpinRite development question. Then we take a look at the state of Android 10 years in.
60 MB 15 MB  283 KB   <-- Show Notes 125 KB 93 KB 164 KB

Episode #707 | 26 Mar 2019 | 115 min.
Tesla, Pwned

This week on Security Now! we have the return of "Clippy," Microsoft's much-loathed dancing paperclip; operation "ShadowHammer," which reports say compromised ASUS (but did it?); the ransomware attack on Norsk Hydro aluminum; the surprise renaming of Windows Defender; a severe bug revealed in the most popular PDF-generating PHP library; an early look at Microsoft's forthcoming Chromium-based web browser; hope for preventing caller ID spoofing; a needed update for users of PuTTY; Mozilla's decision to conditionally rely upon Windows' root store; Microsoft to offer virtual Windows 7 and 10 desktops through Azure; details of the Windows 7 End of Life warning dialog; then a bit of Sci-Fi, SQRL and SpinRite news, followed by our look at the results of the much anticipated Mid-March Vancouver Pwn2Own competition - one of the results of which our episode title gives away!
62 MB 16 MB  355 KB   <-- Show Notes 153 KB 99 KB 182 KB

Episode #706 | 19 Mar 2019 | 115 min.
Open Source eVoting

This week we look back at last week's March Patch Madness. We have an answer about the Win7 SHA-256 Windows Update Update; big news regarding the many attacks leveraging the recently discovered WinRAR vulnerability; what happens when Apple, Google, and GoDaddy all drop a bit; an update on a big recent jump in Mirai Botnet capability; some worrisome news about compromised Counter Strike gaming servers; some welcome privacy enhancements coming in the next Android Q; a pair of very odd web browser extensions for Chrome and Firefox from Microsoft; a bit of follow-up on last week's Spoiler topic; some closing-the-loop feedback from our terrific listeners; and an early look at a VERY exciting and encouraging project to create an entirely open eVoting system.
55 MB 14 MB  231 KB   <-- Show Notes 126 KB 83 KB 155 KB

Episode #705 | 12 Mar 2019 | 134 min.

This week we look at the zero-day exploit bidding war that's underway, the NSA's release of Ghidra, Firefox's addition of privacy enhancements which were first developed for the Tor version of Firefox, a pair of zero-days that were biting people in the wild, news of a worrisome breach at Citrix, the risk of claiming to be an unhackable aftermarket car alarm, a new and interesting "windows developers chatting with users" idea at Microsoft, a semi-solution to Windows updates crashing systems, detailed news of the Marriott/Starwood breach, a bit of miscellany from Elaine, a SpinRite question answered, and then we finish with SPOILER - the latest research exploiting yet another new and different consequence of speculation on Intel machines.
64 MB 16 MB  321 KB   <-- Show Notes 146 KB 100 KB 181 KB

Episode #704 | 05 Mar 2019 | 132 min.
Careers in Bug Hunting

This week we look at a newly available improvement in Spectre mitigation performance being rolled out by Microsoft and who can try it right now, Adobe's ColdFusion emergency and patch, more problems with AV and self-signed certs, a Docker vulnerability being exploited in the wild, the end of Coinhive, a new major Wireshark release, a nifty web browser website screenshot hack, continuing troubles with the over-privileged Thunderbolt interface, bot-based credential stuffing attacks, some SQRL, miscellany, SpinRite, and listener feedback. Then we examine the increasing feasibility of making a sustainable career out of hunting for software bugs.
63 MB 16 MB  324 KB   <-- Show Notes 138 KB 95 KB 173 KB

Episode #703 | 26 Feb 2019 | 96 min.
Out in the Wild

This week we discuss a number of ongoing out-in-the-wild attacks, along with a bunch of other news. We have another early-warned Drupal vulnerability that has immediately come under attack in the wild, and a 19-year-old flaw in an obscure decompressor for the "ACE" archive format, which until a few days ago WinRAR was supporting to its detriment. Microsoft reveals an abuse of HTTP/2 protocol which is DoSing its IIS servers. Mozilla faces a dilemma about a wannabe Certificate Authority, and they also send a worried letter to Australia. Microsoft's Edge browser is revealed to be secretly whitelisting 58 web domains which are allowed to bypass its "Click-to-Run" permission for FLASH. ICANN renews its plea for the Internet to adopt DNSSEC, NVIDIA releases a handful of critical driver updates for Windows, and Apple increases the intelligence of its Intelligent Tracking Prevention.
46 MB 12 MB  236 KB   <-- Show Notes 101 KB 70 KB 132 KB

Episode #702 | 19 Feb 2019 | 115 min.
Authenticity on the Internet

This week we catch up with last week's doozy of a Patch Tuesday for both Microsoft and Adobe. We also examine an interesting twist coming to Windows 7 and Server 2008 security updates, eight mining apps pulled from the Windows Store, another positive security initiative from Google, electric scooters being hacked, more chipping away at Tor's privacy guarantees, a year and a half after Equifax and where's the data?, the beginnings of GDPR-like legislation for the U.S., and some closing-the-loop feedback from our terrific listeners. Then we take a look at an extremely concerning new and emerging threat for the Internet.
55 MB 14 MB  178 KB   <-- Show Notes 136 KB 88 KB 166 KB

Episode #701 | 12 Feb 2019 | 123 min.

This week we look at Apple's most recent v12.1.4 iOS update and the two zero-day vulnerabilities it closed, as well as examine the very worrisome new Android image display vulnerability. We dive into an interesting “reverse RDP” attack, look at the new LibreOffice and OpenOffice vulnerability, and consider Microsoft's research into the primary source of software vulnerabilities. Mary Jo gets an early peek at enterprise pricing for extending Windows 7 support. China and Russia continue their work to take control of their countries' Internets. Firefox resumes rollout of its AV-warning Release 65. We offer up a few more SQRL anecdotes, share a bit of listener feedback, then see how Google does the ChaCha with their new “Adiantum” ultra-high-performance cryptographic cipher.
59 MB 15 MB  397 KB   <-- Show Notes 120 KB 90 KB 159 KB

Episode #700 | 05 Feb 2019 | 110 min.
700 & Counting

This week we discuss Chrome getting spell check for URLs; a bunch of Linux news with reasons to be sure you're patched up; some performance enhancements, updates, additions, and deletions from Chrome and Firefox; more Facebook nonsense; a bold move planned by the Japanese government; Ubiquiti routers again in trouble; a hopeful and welcome new initiative for the Chrome browser; a piece of errata; a quick SQRL update; and some follow-up thoughts about VPN connectivity.
53 MB 13 MB  267 KB   <-- Show Notes 117 KB 80 KB 151 KB

Episode #699 | 29 Jan 2019 | 119 min.
Browser Extension Security

This week we look at the expressive power of the social media friends we keep, the persistent DNS hijacking campaign which has the U.S. government quite concerned, last week's iOS and macOS updates (and doubtless another one very soon!), a valiant effort to take down malware distribution domains, Chrome catching up to IE and Firefox with drive-by file downloads, two particularly worrisome vulnerabilities in two Cisco router models publicly disclosed last Friday, some interesting miscellany, a particularly poignant SpinRite data recovery testimonial, and then some close looks at the state of the industry and the consequences of extensions to our web browsers.
56 MB 14 MB  508 KB   <-- Show Notes 131 KB 88 KB 162 KB

Episode #698 | 22 Jan 2019 | 114 min.
Which Mobile VPN Client?

This week we examine a very worrisome WiFi bug affecting billions of devices; a new fun category for the forthcoming Pwn2Own; Russia's ongoing, failing, and flailing efforts to control the Internet; the return of the Anubis Android banking malware; Google's changing policy for phone and SMS app access; Tim Cook's note in Time magazine; news of a nice Facebook ad auditing page; another Cisco default password nightmare in widely used, lower end devices; some errata, miscellany, and listener feedback. Then we answer the age-old and apparently quite confusing question: Which is the right VPN client for Android?
55 MB 14 MB  408 KB   <-- Show Notes 147 KB 88 KB 170 KB

Episode #697 | 15 Jan 2019 | 93 min.

This week we examine the intended and unintended consequences of last week's Windows Patch Tuesday; and, speaking of unintended consequences, the U.S. government shutdown has had some, too. We also examine a significant privacy failure in WhatsApp, another ransomware decryptor (with a twist), movement on the DNS over TLS front, an expectation of the cyberthreat landscape for 2019, a cloudy forecast for The Weather Channel App, a successful 51% attack against the Ethereum Classic cryptocurrency, another court reversing compelled biometric authentication, and an update on the lingering death of Flash, now in hospice care. We then look at a bit of miscellany and errata and finish by examining the implications of the recent increase in bounty for the purchase of zero-day vulnerabilities.
60 MB 15 MB  434 KB   <-- Show Notes 133 KB 91 KB 170 KB

Episode #696 | 08 Jan 2019 | 93 min.
Here Comes 2019!

This week we look at the NSA's announced forthcoming release of a powerful internal reverse engineering tool for examining and understanding other people's code; emergency out-of-cycle patches from both Adobe and Microsoft; and, yes, we do need to mention PewDiePie again. We also need to mention our prolific zero-day dropper SandboxEscaper, a new effort by the U.S. government to educate industry about the risks of cyberattacks, some welcome news on the ransomware front, some VERY welcome news of a new Windows 10 feature, and a note about a just-published side-channel attack on OS page caches. Then we'll wrap with an update on my work on SQRL and my discovery of a VERY impressive and free large file transmission and sharing facility.
44 MB 11 MB  365 KB   <-- Show Notes 111 KB 71 KB 139 KB


You can receive an eMail reminder whenever this page is updated with a new Security Now! episode. Click the "Monitor Changes" button to have the highly-regarded "Change Detection" web site monitor this page and send you a note when it changes.

Security Now!, SpinRite Testimonials, and other Feedback:
Please use GRC's Visitor & Listener FEEDBACK Page where you may easily submit any feedback for Security Now, SpinRite testimonials, suggestions for future Security Now topics or questions & comments for future Listener Feedback episodes. Thank you!

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2020 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Nov 20, 2020 at 09:07 (12.20 days ago). Viewed 1,343 times per day.