Security Now (Audio)

479 episodes - English - Latest episode: 4 days ago

Cybersecurity guru Steve Gibson joins Leo Laporte every Tuesday. Steve and Leo break down the latest cybercrime and hacking stories, offering a deep understanding of what's happening and how to protect yourself and your business. Security Now is a must listen for security professionals every week.

Records live every Tuesday at 4:30pm Eastern / 1:30pm Pacific / 20:30 UTC.

Episodes

SN 971: Chat (out of) Control - Fuxnet, Android Quarantine, Gentoo

April 24, 2024 00:43 - 2 hours - 62.5 MB

What do you call "Stuxnet on steroids"?? Voyager 1 update Android 15 to quarantine apps Thunderbird & Microsoft Exchange China bans Western encrypted messaging apps Gentoo says "no" to AI Cars collecting driving data Freezing your credit Investopedia Computer Science Abstractions Lazy People vs. Secure Systems Actalis issues free S/MIME certificates PIN Encryption DRAM and GhostRace AT&T Phishing Scam Race Conditions and Multi-core processors An Alternative to the Current Cre...

SN 970: GhostRace - AT&T Breach Update, Cookie Notices, Router Buttons

April 17, 2024 00:13 - 1 hour - 51.7 MB

An update on the AT&T data breach 340,000 social security numbers leaked Cookie Notice Compliance The GDPR does enforce some transparency Physical router buttons Wifi enabled button pressers Netsecfish disclosure of Dlink NAS vulnerability Chrome bloat SpinRite update GhostRace Show Notes - https://www.grc.com/sn/SN-970-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at h...

SN 969: Minimum Viable Secure Product - Dlink NAS Backdoor, Privnote, Crowdfense

April 10, 2024 00:18 - 1 hour - 51.1 MB

Out-of-support DLink NAS devices contain hard coded backdoor credentials Privnote is not so "Priv" Crowdfense is willing to pay millions Engineers Pinpoint Cause of Voyager 1 Issue, Are Working on Solution SpinRite Update Minimum Viable Secure Product Show Notes - https://www.grc.com/sn/SN-969-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You ca...

SN 968: A Cautionary Tale - XZ Outbreak, AT&T Data Breach

April 03, 2024 00:48 - 1 hour - 48.6 MB

A near-Universal (Local) Linux Elevation of Privilege vulnerability TechCrunch informed AT&T of a 5 year old data breach Signal to get very useful cloud backups Telegram to allow restricted incoming HP exits Russia ahead of schedule Advertisers are heavier users of Ad Blockers than average Americans! The Google Incognito Mode Lawsuit Canonical fights malicious Ubuntu store apps Spinrite update A Cautionary Tale Show Notes - https://www.grc.com/sn/SN-968-Notes.pdf Hosts: Steve Gib...

SN 967: GoFetch - Apple vs. DOJ, ".INTERNAL" TLD

March 27, 2024 01:22 - 2 hours - 55.9 MB

Apple vs U.S. DOJ G.M.'s Unbelievably Horrible Driver Data Sharing Ends Super Sushi Samurai Apple has effectively abandoned HomeKit Secure Routers The forthcoming ".INTERNAL" TLD The United Nations vs AI. Telegram now blocked throughout Spain Vancouver Pwn2Own 2024 China warns of incoming hacks Annual Tax Season Phishing Deluge SpinRite update Authentication without a phone Are Passkeys quantum safe? GoFetch: The Unpatchable vulnerability in Apple chips Show Notes - https://ww...

SN 966: Morris The Second - Voyager 1, The Web Turns 35

March 20, 2024 00:03 - 2 hours - 58.9 MB

Voyager 1 update The Web turned 35 and Dad is disappointed Automakers sharing driving data with insurance companies A flaw in Passkey thinking Passkeys vs 2fa Sharing accounts with Passkeys Passkeys vs. Passwords/MFA Workaround to sites that block anonymous email addresses Open Bounty programs on HackerOne Steve on Twitter Ways to disclose bugs publicly Security by obscurity Something you have/know/are vs Passkeys Passkeys vs TOTP Inspecting Chrome extensions Passkey transpor...

SN 965: Passkeys vs. 2FA - Unhelpful CERT, VMware patch, Signal 7.0 Beta

March 13, 2024 00:47 - 2 hours - 65.8 MB

VMware needs immediate patching Midnight Blizzard still on the offensive China is quietly "de-American'ing" their networks Signal Version 7.0, now in beta Meta, WhatsApp, and Messenger -meets- the EU's DMA The Change Healthcare cyberattack SpinRite update Telegram's end-to-end encryption KeePassXC now supports passkeys Login accelerators Sites start rejecting @duck.com emails Tool to detect chrome extensions change owners Shortest SN title Passkeys vs 2FA Show Notes - https://ww...

SN 964: PQ3 - Voyager 1's fate, Apple's post-quantum iMessage protocol

March 06, 2024 00:13 - 2 hours - 60.7 MB

"Death, Lonely Death" by Doug Muir, about the decades-old Voyager 1 explorer Cory Doctorow's Visions of the Future Humble Book Bundle CTRL-K shortcut for search on a browser Direct bootable image downloading for GRC's servers Closing the loop on compromised emails Taco Bell's passwordless app A solution for Bcrypt's password length limit of 72 bytes Data as the missing piece for law enforcement and privacy advocates The token solution for email-only login Apple's Password Manager ...

SN 963: Web portal? Yes please! - Firefox v123, LockBit Disrupted

February 28, 2024 01:48 - 2 hours - 114 MB

Nevada attempts to block Meta's end-to-end encryption for minors. A survey of security breaches Edge's Super-Duper Secure Mode moves into Chrome DoorDash dashes our privacy Avast charged $16.5 million for selling user browsing data No charge for extra logging! European Parliament's IT service has found traces of spyware on the smartphones of its security and defense subcommittee members LockBit RaaS group disrupted Firefox v123 The ScreenConnect Authentication Bypass SpinRite upda...

SN 962: The Internet Dodged a Bullet - Wyze Breach, Patch Tuesday, KeyTrap

February 21, 2024 02:02 - 2 hours - 61.6 MB

Wyze breach Microsoft patch Tuesday fixes 15 remote code execution flaws Why are there password restrictions? The Canadian Flipper Zero Ban Security on the old internet Using Old Passwords Passwordless login TOTP as a second factor German ISP using default router passwords Email encryption in transit pfSense Tailscale integration DuckDuckGo's email protection integration with Bitwarden The KeyTrap Vulnerability Show Notes - https://www.grc.com/sn/SN-962-Notes.pdf Hosts: Steve ...

SN 961: Bitlocker: Chipped or Cracked? - Honeypots, Toothbrush Botnet, Bitlocker Cracked

February 14, 2024 01:54 - 2 hours - 56.8 MB

Toothbrush Botnet "There are too many damn Honeypots!" Remotely accessing your home network securely Going passwordless as an ecommerce site Facebook "old password" reminders Browsers on iOS More UPnP Issues A password for every website? "Free" accounts Keeping phones plugged in Running your own email server in 2024 iOS app sizes SpinRite 6.1 running on an iMac SpinRite update Bitlocker's encryption cracked in minutes Show Notes - https://www.grc.com/sn/SN-961-Notes.pdf Host...

SN 960: Unforeseen Consequences - CISA's "Secure by Design" Initiative, Fastly's BoringSSL

February 07, 2024 02:11 - 2 hours - 57.1 MB

CISA's "Secure by Design" Initiative The GNU C Library Flaw Fastly CDN switches from OpenSSL to BoringSSL Roskomnadzor asserts itself Google updates Android's Password Manager Firefox gets post-quantum crypto Get your TOTP tokens from LastPass Inflated iOS app data LearnDMARC Sync mobile app bug SpinRite and Windows Defender Crypto signing camera Analog hole in digital camera authentication iOS and Google's Topics The gathering of the Stephvens Programmable Logic Controllers ...

SN 959: Stamos on "Microsoft Security" - HP Printer Bricking, Mercedes Benz Source Code

January 31, 2024 02:28 - 2 hours - 63.5 MB

iOS to allow native Chromium and Firefox engines. An OS immune to ransomware? HP back in the doghouse over "anti-virus" printer bricking The mother of all breaches New "Thou shall not delete those chats" rules Fewer ransoms are being paid Verified Camera Images More on the $15/month flashlight app What happens when apps change publishers Microsoft hating on Firefox Credit Karma is storing 1GB of data on the iPhone Staying on Windows 7 Sci-Fi recommendations Windows 7 and HSTS s...

SN 958: A Week of News and Listener Views - HSS Breach, CISA's Policing Results

January 24, 2024 02:37 - 2 hours - 61.9 MB

Microsoft's Top Execs' Emails Breached in Sophisticated Russia-Linked APT Attack US Health and Human Services Breached Firefox vs "The Competition" Brave reduces its anti-fingerprinting protections CISA's proactive policing results one year later Longer Life For Samsung Updates Google Incognito Mode "Misunderstanding" Show Doc Not showing images on iOS Safari Generated AI Media Authentication Which computer languages to learn? Flashlight app subscription Google's Privacy Sandbox ...

SN 957: The Protected Audience API - Hacked Washing Machine, Quantum Crypto Troubles

January 17, 2024 01:27 - 1 hour - 48.4 MB

What would an IoT device look like that HAD been taken over? And speaking of DDoS attacks Trouble in the Quantum Crypto world The Browser Monoculture Question about the Apple backdoor Getting into infosec proton drive vs sync SpinRite update The Protected Audience API Show Notes - https://www.grc.com/sn/SN-957-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit...

SN 956: The Inside Tracks - 23andME Mess, Ukraine Telecom Hack, LastPass

January 10, 2024 02:14 - 1 hour - 52.2 MB

More on Apple's hardware backdoor Russian Hacking of Ukrainian cameras Russian hackers were inside Ukraine telecoms giant for months Things are still a mess at 23andMe CoinsPaid was the victim of another cyberattack Crypto Hacking in 2023 Mandiant Twitter scam Defining "cyber warfare" LastPass is making some changes Windows Watch Google settles $5 billion lawsuit Return Oriented Programming Shutting Down Edge Root Certificates Credit freezing SpinRite Update Show Notes - http...

SN 955: The Mystery of CVE-2023-38606 - SpinRite Update, Nebula Mesh, Apple's Backdoor

January 03, 2024 02:20 - 1 hour - 51.9 MB

SpinRite 6.1 update Pruning Root Certificates A solution to Schrodinger's Bowl DNS Benchmark and anti-virus tools Nebula Mesh SpinRite 7 is coming The Mystery of CVE-2023-38606 Show Notes - https://www.grc.com/sn/SN-955-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps ...

SN 954: Best of 2023 - Security Now's Best Moments of 2023

December 26, 2023 18:30 - 1 hour - 44.9 MB

Leo looks back at the year's top security stories of 2023. Steve's Next Password Manager After the LastPass Hack CHESS is Safe Here Come the Fake AI-generated "News" Sites How Bad Guys Use Satellites Microsoft's "Culture of Toxic Obfuscation" Steve announces his commitment to SN Apple Says No NSA's Decade of Huawei Hacking ValiDrive announcement Host: Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at http...

SN 950: Leo Turns 67 - Fingerprint Security, Do-Not-Track

November 29, 2023 01:50 - 2 hours - 60.7 MB

Adobe Flash Player Updater is (still) desperately trying to update Veracrypt password security Firefox moves to 120 with a bunch of very nice new features Do-Not-Track is back on track "ownCloud" -or- "PwnCloud" ? CrushFTP Critical Vulnerability Bypassing fingerprint authentication ApacheMQ TransUnion & Experian both hacked Show Notes - https://www.grc.com/sn/SN-950-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-...

SN 949: Ethernet Turned 50 - Signal funding, X (Twitter) ad fallout, RCS for iPhone, TETRA review

November 22, 2023 02:03 - 2 hours - 61 MB

Privacy and Funding Challenges Facing Signal Messaging App Loss of Advertisers for Twitter After Controversial Tweet by Elon Musk Ransomware Group Files SEC Complaint Against Breached Company Europe Opening Up Radio Encryption Standard TETRA for Public Review Apple Announcing Adoption of RCS Messaging for iPhones Steve's Progress on Dynamic Code Signing for SpinRite Releases Removing Suction Cup Barnacles from Windshields Recommendations for Benchmarking USB Drive Read/Write Speeds ...

SN 948: What if a Bit Flipped? - Privacy Badger, Downfall, OpenVPN, Windshield Barnacle, Article 45

November 15, 2023 02:46 - 2 hours - 60.8 MB

Privacy Badger blocks trackers on news sites and prevents browser exposure to unwanted domains like TikTok and Datadog. No major updates on EU's controversial Article 45 in eIDAS 2.0. Industry pushback continues as implementation would threaten encryption. Cryptocurrency exchange Poloniex lost $130M in a hot wallet hack, the 14th largest crypto theft. Decentralized finance platform Raft lost $3.3M due to an exploit. Crook operated website iotaseed.io to generate wallet seed phrases, the...

SN 947: Article 45 - Citrix Bleed update, Ace Hardware cyberattack, Bitwarden get Passkeys

November 08, 2023 02:41 - 2 hours - 61.3 MB

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity CVSS version 4 released with new metrics for better granularity and...

SN 946: CitrixBleed - iMessage Contact Key Verification, HackerOne bug bounty news, CISA's Logging Made Easy

November 01, 2023 00:53 - 2 hours - 55.9 MB

What caused last week's connection interruption? Router was rebooting intermittently, but why? David Redekop of AdamNetworks explained their enterprise network security solution aims to only allow known safe connections, blocking everything else. iMessage gets Contact Key Verification to confirm new devices added to an account belong to the contact. Public Interest Research Group asks Microsoft to extend Windows 10 support beyond 2025. HackerOne breach bounties surpass $300M total payou...

SN 945: The Power of Privilege - New cURL vulnerabilities, CVSS 10.0 Cisco Nightmare, So long VBScript!

October 25, 2023 01:26 - 2 hours - 59.7 MB

How fake drives continue to be sold on Amazon despite negative reviews Microsoft is discontinuing support for the VBScript language The 30-year old NTLM authentication protocol will eventually be removed from Windows Two new vulnerabilities found in cURL A new Cisco router vulnerability rated CVSS 10.0 was used to hack over 40,000 devices Debate over whether "lib" should rhyme with "vibe" or "air" Instructions for accessing the SpinRite 6.1 pre-release version Feedback on passkey exp...

SN 944: Abusing HTTP/2 Rapid Reset - Passkeys, ValiDrive follow-up, 2FA apps, pre-release Spinrite

October 18, 2023 02:57 - 2 hours - 67 MB

ValiDrive release follow-up Passkeys exportability and phishing risk Passkeys for device verification like SSH keys Possibility of hobby browsers vs. production browsers Availability of SpinRite 6.1 pre-release Filling drives with crypto noise using VeraCrypt Steve and Leo's favorite OTP apps Google Docs link rewriting could be to prevent referrer leakage Abusing HTTP/2 Rapid Reset Show notes: https://www.grc.com/sn/SN-944-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or...

SN 943: The Top 10 Cybersecurity Misconfigurations - MACE Act Passed, Brave Layoffs, 23andMe Breached

October 11, 2023 01:30 - 2 hours - 60.3 MB

Steve announces the release of his new freeware utility ValiDrive for detecting fake drive capacities. 23andMe claims a recent data breach exposed customer info due to credential stuffing attacks. Key stats from Microsoft's 2023 Digital Defense Report on cyberattacks, including increased attacks on open source software, growth in business email compromise, and more password attacks. Brave lays off 9% of its staff amid the tough economic climate, despite its efforts to diversify revenue w...

SN 942: Encrypting ClientHello - EXIM eMail Servers Exposed, Windows 11 Passkeys, Bing Chat Malware Risk

October 04, 2023 04:03 - 2 hours - 58.6 MB

Exim email server ignored ZDI's responsible disclosure of critical remote code execution flaws for over a year, putting millions of servers at risk. Malicious ads are appearing in Bing Chat responses, promoting fake sites distributing malware. Windows 11 now natively supports passkeys, though browser support may make this redundant. Researchers exploit WiFi beamforming side-channel to potentially reveal keystrokes, but practicality is limited. The ECH TLS extension encrypts the ClientHe...

SN 941: We told you so! - NSA hacked Huawei? MS big AI data blunder, ValiDrive update

September 27, 2023 01:18 - 2 hours - 67 MB

Apple has quietly removed support for Postscript in macOS Ventura over security concerns with the outdated interpreter language. China has formally accused the NSA of hacking and maintaining access to Huawei servers since 2009, based on documents from Edward Snowden. A misconfigured Azure Shared Access Signature token resulted in 38TB of sensitive internal Microsoft data being exposed, including employee backups with passwords. The Signal messaging platform has added a post-quantum encry...

SN 925: Brave's Brilliant Off the Record Request - .ZIP TLD, Bitwarden Passkey support, PyPi

May 31, 2023 00:50 - 1 hour - 44.8 MB

Picture of the Week. HP = "Huge Pile" The ".ZIP" TLD — What could possibly go wrong? PyPI gets more serious about security AND privacy. "No logs saved anywhere"??? Twitter in the EU? Bitwarden's support for Passkeys. A €1.2 billion fine will grab your attention. Editing WhatsApp messages. A new Google Bug Bounty. SpinRite. Brave's Brilliant Off the Record Request. Show Notes: https://www.grc.com/sn/SN-925-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to t...

SN 924: VCaaS – Voice Cloning as a Service - HP printer update, KeePass vulnerability, SpinRite bug

May 24, 2023 00:58 - 1 hour - 50.9 MB

Picture of the Week. Tracker Follow-Up. Automatic IoT device updating. HP 9020e - error code 83C0000B. Section 230 Stands. The KeePass Vulnerability. Apple joins Samsung, Amazon and Verizon in banning ChatGPT. Google's Privacy Sandbox moves forward. The FBI heavily misused FISA powers. Supply Chain Nightmare. SpinRite. VCaaS – Voice Cloning as a Service. Show Notes: https://www.grc.com/sn/SN-924-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show a...

SN 923: Location Tracker Behavior - Diving deep into Google and Apple's tracker spec, SpinRite update

May 17, 2023 01:57 - 1 hour - 54.7 MB

Picture of the Week. SpinRite. Location Tracker Behavior. Formal definitions from the specification. Bluetooth LE devices have MAC addresses and therein lies a problem. All devices are serialized. And now, that "pairing registry". Privacy considerations. Show Notes: https://www.grc.com/sn/SN-923-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Yo...

SN 922: Detecting Unwanted Location Trackers - Google Passkeys, Chrome lock icon, AI news sites, Vint Cerf

May 10, 2023 01:16 - 2 hours - 58.4 MB

Picture of the Week. Google & Passkeys. TP-Link routers DO auto-update. US Marshals Service: Where's the backup?? T-Mobile keeps getting breached. Chrome: No more LOCK icon. Apple's new "Rapid Security Response" system. Elon Musk, making friends wherever he goes... A quick Mastodon aside. Here come the fake AI-generated "news" sites. Russia to replace "American" TCP/IP with "Russian Internet". Vint Cerf's 3 mistakes. Detecting Unwanted Location Trackers. Show Notes: https://www...

SN 921: OSB OMG and Other News! - Age verification, Google Authenticator E2EE, VirusTotal AI, cURL

May 03, 2023 01:35 - 2 hours - 55.9 MB

Picture of the Week. The Encryption Debate. Age does matter... Age Verification. WhatsApp: Rather be blocked in UK than weaken security. Exposing Side-Channel Monitoring. Closing the Loop. A new UDP reflection attack vector. Google Authenticator Updated. Does Israel use NSO Group commercial spyware? A Russian OS? TP-Link routers compromised. A pre-release security audit. Another Intel side-channel attack. Windows users: Don't remove cURL! AI comes to VirusTotal.  Show Notes...

SN 920: An End-to-End Encryption Proposal - Wipe those routers, Lockdown Mode, ChatGPT black market

April 25, 2023 18:49 - 2 hours - 56.7 MB

Picture of the Week. Lockdown Mode seen succeeding. A growing black market for ChatGPT accounts. Decommissioned Corporate Routers Leak Secrets. Jaguar Tooth: Cisco router vulnerabilities. Security Research Legal Defense Fund. A quick Firefox fix. Kubernetes security audit. Google Chrome zero-day. An End-to-End Encryption Proposal. Show Notes https://www.grc.com/sn/SN-920-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/sec...

SN 919: Forced Entry - Patch Tuesday, Google Assured Open Source Software, WhatsApp Improvements

April 18, 2023 18:04 - 1 hour - 48.6 MB

Picture of the Week. Patch Tuesday Review. Risky Business News. Google Assured Open Source Software. WhatsApp Improvements. Bad Security? Go to jail! Forced Entry. Show Notes https://www.grc.com/sn/SN-919-Notes.pdf Hosts: Steve Gibson and Jason Howell Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, tra...

SN 918: A Dangerous Interpretation - H26FORGE, Privatized ChatGPT, Mozilla Site Breach Monitor

April 11, 2023 18:57 - 2 hours - 57.2 MB

Picture of the Week. Microsoft and Fortra go on the offensive. Can ChatGPT keep a secret? Apple updates their OS's. Wordpress under attack... again. Mozilla's Site Breach Monitor. Another ChatGPT investigation. Samsung handsets reaching EoL. Less access for loan apps. The right to be forgotten. SpinRite. A Dangerous Interpretation. Show Notes: https://www.grc.com/sn/SN-918-Notes.pdf Hosts: Steve Gibson and Jason Howell Download or subscribe to this show at https://twit.tv/show...

SN 917: Zombie Software - ChatGPT Ban, Hacking the Pentagon

April 04, 2023 18:25 - 1 hour - 51 MB

Picture of the Week So... Not an attack, then? AI Overlord Hysteria Italy says NO to ChatGPT It's illegal... How much will that be? The U.S. FDA & medical device security Hack the Pentagon Firefox 3rd-party DLL check-up Microsoft's Extortion? The Silver Ships Zombie Software Show Notes: https://www.grc.com/sn/sn-917-notes.pdf Hosts: Steve Gibson and Ant Pruitt Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at h...

SN 916: Microsoft's Email Extortion - Pwn2Own, Edge Crypto Wallet

March 29, 2023 01:05 - 1 hour - 44.9 MB

Picture of the Week. Synacktiv wins this year's CanSecWest Pwn2Own GitHub: Mistakes happen DDoS for Hire. . .Or Not 144,000 malicious packages published No iPhones For Russian Presidential Staff I NUIT Edge Gets Crypto Microsoft's Email Extortion Show Notes: https://www.grc.com/sn/sn-916-notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can s...

SN 912: The NSA @ Home - LastPass hack details, Signal says no to UK, more PyPI troubles, QNAP bug bounty

March 01, 2023 02:02 - 1 hour - 3.57 KB

Picture of the Week. Windows 11? ... anyone? As Plain as Ever. Edge's new built-in VPN? LastPass Incident Update. Signal says NO to the UK. More PyPI troubles. The QNAP bug bounty program. SpinRite. The NSA @ Home. Show Notes: https://www.grc.com/sn/SN-912-Notes.pdf   Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Securit...

SN 911: A Clever Regurgitator - GoneDaddy, Section 230, NPM malware, Hyundai Kia mess, Meta Verified

February 22, 2023 02:14 - 1 hour - 51.5 MB

Picture of the Week. GoneDaddy. Section 230. No Blue, No SMS-based 2FA. Bitwarden gets Argon. "Meta Verified". Emsisoft Fake Code Signing. Attacks breaking records. More Mirai. NPM malware. Patch Tuesday. Samsung announces "Message Guard". The Hyundai & Kia mess. A Clever Regurgitator. Show Notes https://www.grc.com/sn/sn-911-notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show ...

SN 910: Ascon - Malicious ChatGPT Use, Google Security Key Giveaway, OTPAuth

February 15, 2023 03:23 - 2 hours - 55.6 MB

Picture of the Week ESXiArgs follow-up ChatGPT's Malicious Use Google Security Key Giveaway Brave goes HTTPS-by-default 1Password Makes Another Passkeys Move Russian Patriotic Hackers Amazon to FINALLY Secure Its AWS S3 Instances More Anti-Chinese Camera Removals Microsoft to embed Adobe Acrobat PDF reader into Edge Password Exhaustion One Time Password OTPAuth Password Exhaustion Ascon Show Notes https://www.grc.com/sn/sn-910-notes.pdf Hosts: Steve Gibson and Leo Laporte...

SN 909: How ESXi Fell - EU Internet Surveillance, QNAP returns, .DEV is always HTTPS

February 08, 2023 02:53 - 2 hours - 61.2 MB

Picture of the Week. The European Union's Internet Surveillance Proposal. 30,000 patient records online? .DEV is always HTTPS! Google changes Chrome's release strategy. Russia shoots the messenger. A fool and his Crypto... QNAP is back. CVSS severity discrepancy. Closing the Loop. How ESXi Fell. Show Notes: https://www.grc.com/sn/SN-909-Notes.pdf   Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-fr...

SN 908: Data Operand Independent Timing - Old Android apps, Kevin Rose, iOS 6.3 and FIDO, Hive hacked

February 01, 2023 02:17 - 1 hour - 48.1 MB

Android to start blocking old and unsafe apps. Microsoft to block Internet sourced Excel add-ins. An example of saying "no" even when it may hurt. Hacked Wormhole funds on the move. Kevin Rose Hacked. Facebook will be moving more users into E2EE. iOS 6.3 and FIDO. Scan thy Citizenry. The Hive ransomware organization takedown. Errata. Closing the Loop. SpinRite. Data Operand Independent Timing. Show Notes: https://www.grc.com/sn/SN-908-Notes.pdf Hosts: Steve Gibson and Leo Lapo...

SN 907: Credential Reuse - iOS 16.3, ChatGPT creates malware, Bitwarden acquires Passwordless.dev

January 25, 2023 03:15 - 1 hour - 48.9 MB

Picture of the Week. PayPal Credential Stuffing. iOS 16.3 : Cloud encryption for all. InfoSecurity Magazine: "ChatGPT Creates Polymorphic Malware". CheckPoint Research: OPWNAI : Cybercriminals Starting to Use ChatGPT. "Meta" fined for the third time. Bitwarden acquires "Passwordless.dev". Closing the Loop. SpinRite. Credential Reuse. Show Notes: https://www.grc.com/sn/SN-907-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows...

SN 906: The Rule of Two - Norton Lifelock Data Breach, Chromium and Rust, LastPass

January 18, 2023 02:44 - 1 hour - 52.7 MB

Picture of the Week About Password Iterations EBC or CB Norton Lifelock Troubles Chrome Follows Microsoft and Firefox Chromium is Beginning to Rust BYOVD and Windows Defender Failures Closing the Loop (feedback) The Rule of Two Show notes: https://www.grc.com/sn/sn-906-notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to...

SN 905: 1 - LastPass Aftermath, LastPass vault de-obfuscator, LastPass iteration count folly

January 11, 2023 03:33 - 1 hour - 51.3 MB

Picture of the Week. LastPass Aftermath. LastPass Vault De-Obfuscator. What more do we know this week regarding LastPass? The most alarming discovery by listeners. Understanding the scale of GPU-enhanced password cracking. On the true strength of passwords. Feedback from listeners regarding LastPass. Show Notes https://www.grc.com/sn/SN-905-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free ...

SN 904: Leaving LastPass - How LastPass failed, Steve's next password manager, how to protect yourself

January 04, 2023 04:47 - 2 hours - 56.6 MB

Picture of the Week. SpinRite. Leaving LastPass. Is there reason for concern? Well known password cracker Jeremi Gosney's LastPass rant. Steve shares his plan regarding LastPass. What is Steve's next password manager? What should LastPass users do to protect themselves? Show Notes https://www.grc.com/sn/SN-904-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit....

SN 903: Security Now Best of 2022 - The best moments from throughout the year

December 27, 2022 17:02 - 2 hours - 64.9 MB

Anatomy of a Log4j Exploit. Will Russia Disconnect? FCC Says Kaspersky Labs is a National Security Threat. Lenovo UEFI Firmware Troubles. That "Passkeys" Thing. Dis-CONTI-nued: The End of Conti? Steve's Take on the LastPass Breach. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbp...

SN 902: A Generic WAF Bypass - Pwn2Own Toronto, URSNIF malware, Vivaldi Mastodon support, Bye Bye SHA-1

December 21, 2022 02:39 - 1 hour - 53.6 MB

Picture of the Week. A malware operation known as URSNIF. Pwn2Own Toronto 2022. Citrix and Fortinet recently released security updates to patch 0-day vulnerabilities. Patch Tuesday. Another Uber breach? Elon Botches 'Bot Blockage. Vivaldi integrates Mastodon in its desktop browser. 5,200 Dutch government warnings. CIB: "Coordinated Inauthentic Behavior" GitHub to require 2FA by the end of next year. Bye bye SHA-1. WordFence's VERY useful looking WordPress add-on vulnerability da...

SN 901: Apple Encrypts the Cloud - Chrome Passkeys, Telegram malware, SYNC.com outage, Rackspace lawsuits

December 14, 2022 04:00 - 2 hours - 66.6 MB

Picture of the Week. Chrome does Passkeys. SYNC.COM suffered its first outage. Medibank reboot. Totally fake cryptocurrency trading platforms. Malware on Telegram. Texas gets in on the TikTok banning. The LastPass class action lawsuit. Rackspace had a big embarrassing problem. Rackspace is now facing at least three class action lawsuits. Another country goes on the offensive. Closing The Loop. SpinRite. Miscellany. Apple Encrypts the Cloud. Show Notes https://www.grc.com/sn/S...