Security Now (Audio‪)‬ Security Now

Privacy and Funding Challenges Facing Signal Messaging App
Loss of Advertisers for Twitter After Controversial Tweet by Elon Musk
Ransomware Group Files SEC Complaint Against Breached Company
Europe Opening Up Radio Encryption Standard TETRA for Public Review
Apple Announcing Adoption of RCS Messaging for iPhones
Steve's Progress on Dynamic Code Signing for SpinRite Releases
Removing Suction Cup Barnacles from Windshields
Recommendations for Benchmarking USB Drive Read/Write Speeds
Concerns Over EU's Proposed eIDAS 2.0 QWACs Legislation
Why Protectli Routers Are Preferred for pfSense Setups
Credit Card Security Precautions for Ex-LastPass Users
Origins and Evolution of Ethernet Networking Over 50 Years
Show Notes - https://www.grc.com/sn/SN-949-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:
vanta.com/SECURITYNOW
kolide.com/securitynow
securemyemail.com/twit Use Code TWIT

Privacy Badger blocks trackers on news sites and prevents browser exposure to unwanted domains like TikTok and Datadog.
No major updates on EU's controversial Article 45 in eIDAS 2.0. Industry pushback continues as implementation would threaten encryption.
Cryptocurrency exchange Poloniex lost $130M in a hot wallet hack, the 14th largest crypto theft.
Decentralized finance platform Raft lost $3.3M due to an exploit.
Crook operated website iotaseed.io to generate wallet seed phrases, then recorded and stole them.
New Intel processor vulnerability called Downfall leaks encryption keys and sensitive data between users on shared systems.
Russia moves to formally ban all VPN use in the country.
Two new flaws found in OpenVPN software, one allowing memory access.
SpinRite development paused as DOS and Windows versions are complete.
Understanding assembly language helps malware analysis and exploit development, but high-level decompilers also useful.
Quantum-safe symmetric cryptography is limited compared to asymmetric crypto.
EU's Article 45 allows transparent decryption and traffic interception, supposedly for security purposes.
"Windshield Barnacle" parking enforcement device uses suction cups and 1000 lbs of force to immobilize vehicles until parking tickets are paid.
Sci-fi book series Aeon 14 by M.D. Cooper offers fun military space opera adventure.
27-year-old theoretical crypto attack now shown practical. Passive network observers can steal SSH RSA keys if faulty signature generated, allowing impersonation.
Show Notes - https://www.grc.com/sn/SN-948-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:
kolide.com/securitynow
bitwarden.com/twit
GO.ACILEARNING.COM/TWIT

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key
A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix
Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable
Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity
CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores
Ace Hardware suffered a cyberattack impacting servers and systems
Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions
Analysis of "BadCandy" malware infecting vulnerable Cisco routers
Bitwarden password manager adds support for FIDO2 passkeys in browser extension
Rescuing a severely degraded SSD and bringing it back to life with SpinRite
Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more
The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic
Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf

 

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:
lookout.com
canary.tools/twit - use code: TWIT
Melissa.com/twit

What caused last week's connection interruption? Router was rebooting intermittently, but why?
David Redekop of AdamNetworks explained their enterprise network security solution aims to only allow known safe connections, blocking everything else.
iMessage gets Contact Key Verification to confirm new devices added to an account belong to the contact.
Public Interest Research Group asks Microsoft to extend Windows 10 support beyond 2025.
HackerOne breach bounties surpass $300M total payout.
CISA releases free Logging Made Easy toolkit to enhance Windows logging capabilities.
SpinRite 6.1 pre-release 2 published, likely final pre-release with some testing remaining before full launch.
Moving the Internet fully to IPv6 likely won't happen until IPv4 addresses are fully consumed.
Open source projects struggle with costly code signing certificates.
Deep dive into CitrixBleed vulnerability allowing authentication bypass.
Show Notes - https://www.grc.com/sn/SN-946-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:
cs.co/twit
bitwarden.com/twit
vanta.com/SECURITYNOW

How fake drives continue to be sold on Amazon despite negative reviews
Microsoft is discontinuing support for the VBScript language
The 30-year old NTLM authentication protocol will eventually be removed from Windows
Two new vulnerabilities found in cURL
A new Cisco router vulnerability rated CVSS 10.0 was used to hack over 40,000 devices
Debate over whether "lib" should rhyme with "vibe" or "air"
Instructions for accessing the SpinRite 6.1 pre-release version
Feedback on passkey exportability and server IP address encryption
A listener asks if ransomware can encrypt already encrypted files
How Privacy Badger un-rewrites Google's search result links
The NSA and CISA warn about the power of privilege and the dangers of account misconfigurations like privilege creep, elevated service account permissions, and non-essential use of elevated accounts
Show Notes - https://www.grc.com/sn/SN-945-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:
drata.com/twit
joindeleteme.com/twit promo code TWIT
canary.tools/twit - use code: TWIT

ValiDrive release follow-up
Passkeys exportability and phishing risk
Passkeys for device verification like SSH keys
Possibility of hobby browsers vs. production browsers
Availability of SpinRite 6.1 pre-release
Filling drives with crypto noise using VeraCrypt
Steve and Leo's favorite OTP apps
Google Docs link rewriting could be to prevent referrer leakage
Abusing HTTP/2 Rapid Reset
Show notes: https://www.grc.com/sn/SN-944-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:
Melissa.com/twit
cs.co/twit
bitwarden.com/twit