
This week is our annual holiday best of the year wrap up. Stories include: • Anatomy of a Log4j Exploit. • Will Russia Disconnect? • FCC Says Kaspersky Labs is a National Security Threat. • Lenovo UEFI Firmware Troubles. • That "Passkeys" Thing. • Dis-CONTI-nued: The End of Conti? • Steve's Take on the LastPass Breach.
Dec 27, 2022
2 hr 13 min

This week we answer another collection of burning questions: Is there no honor among thieves? What was discovered during this year's Toronto Pwn2Own competition? What did we learn from last Tuesday's patchfest? Whose fault was the most recent Uber data breach? What happened when Elon tried to block all the bots? What's the first web browser to offer native support for Mastodon? What exactly is "Coordinated Inauthentic Behavior" and why is it such a problem? What will happen to GitHub submitters at the end of next year? What measure could every member of the US senate possibly agree upon? Exactly what applications are there for a zero-width space character? And finally, what larger lesson are we taught by the discovery of a serious failure to block a problem that we should never have had in the first place? The answer to all those questions and more await the listeners of today's Security Now podcast #902.
Dec 20, 2022
1 hr 41 min

This week we answer the following questions and more: What browser just added native support for passkeys and where are they stored? What service have I recommended that suffered a major multi-day service outage? How can you recognize a totally fake cryptocurrency trading site? Which messaging platform has become cybercrime's favorite, and how would you go about monetizing desirable usernames? What's the latest in TikTok legislative insanity, and is it insane? Which two major companies have been hit with class action lawsuits following security breaches? Was Medibank's leaked data truly useless? And Apple has finally given us the keys to our encrypted data in the cloud, holding none for themselves... or have they?
Dec 13, 2022
2 hr

This week we answer a few questions: What if an Australian company doesn't secure their own network? Has Ireland NOT levied fines against any major Internet property owned by Meta? What's in REvil's complete dump of Australia's Medibank data disclosure? We finally answer the question: Is nothing sacred? (It turns out it's not rhetorical.) Also, whose root cert just got pulled from all of our browsers, and how did a handful of Android platform certs escape? What US state has banned all use of Tik-Tok? What country is prosecuting its own ex-IT staff after a breach? How has memory-safe language deployment actually fared in the wild? Are last August's BlackHat 2022 videos out yet? And which brand of IoT security camera do you probably NOT want to use or purchase? Which podcast had the most amazing guest last week? What happened when SpinRite was run on an SSD? And what does LastPass's announcement of another hacker intrusion mean for it and its users? Answers to those questions and more coming your way
during this week's Security Now! podcast.
Dec 6, 2022
1 hr 43 min

What happens when you: Run a Caller ID spoofing service? Or when you mis-list and underprice online goods? Or click on a phishing link for a cryptocurrency exchange? Or consider working for a underworld hacking group? Use a webserver from the dark ages in your IoT device? Or rattle your sabers while attempting to sell closed networking systems to your enemies? Or decide whether or not to continue to suspend your Twitter ad buys? Or login to Carnival Cruises with a passkey? Or use hardware to sign your code? This week's podcast answers all of those questions and more!
Nov 29, 2022
1 hr 42 min

This week we note that Firefox moved to v107 and that Google recently reached a nearly $400 million dollar user-tracking settlement. Red Hat has started cryptographically signing its ZIP distributions, the FBI purchased the nefarious Pegasus spyware and Greece paid 7 million euros for the similar Predator spyware. Passkeys have a directory listing sites where they can be used, the OMB has decreed a quantum decryption deadline, and 33 US state attorneys general have asked the FTC to get serious about online privacy regulation. We have some engaging listener feedback and SpinRite is finally a day or two away from starting its final testing. And we're going to wrap up by examining some chilling research which allows the physical location in space of every WiFi device within range to be accurately determined by someone walking past or flying a tiny drone.
Nov 22, 2022
2 hr

This week we have another event-filled Patch Tuesday retrospective. We look at a newly published horrifying automated host attack framework which script kiddies are sure to jump on. We have a welcome new feature for GitHub, crucial vulnerabilities in the LiteSpeed web server, a spiritual successor to TrueCrypt and VeraCrypt for Linux, Australia's announcement of their intention to proactively attack the attackers, a controversial new feature in iOS 16.1.1, a couple more decentralized finance catastrophes, some miscellany and listener feedback. Then we'll finish by looking at a just-published advisory from U.S.'s National Security Agency, our NSA, promoting the use of memory-safe languages.
Nov 15, 2022
1 hr 30 min

This pure news week we look at Dropbox's handling of a minor breach, and we follow-up on last week's OpenSSL flaws. The FTC has had it with a repeat offender, and we know how much total (reported) ransom was paid last year. Akamai reports on phishing kits, we have some stats about what Initial Access Brokers charge, and we look at the mechanics of cyber bank heists. Several more DeFi platforms defy belief, Russia is forced to move to Linux, the Red Cross wants a please don't attack us cyber-seal, nutty Floridians get themselves indicted for a bold tax fraud scheme, is China cheating with 0-days?, the NCSC will be scanning its citizenry... and more!
Nov 8, 2022
1 hr 38 min

This week we revisit the Windows driver block list which has received a long-needed update and at Microsoft's own definition of a CVE. We note that sometime today the OpenSSL project will be releasing an update for an ultra-CRITICAL flaw in OpenSSL v3 and we look at a remote code execution flaw in Windows TCP/IP stack. We have a ubiquitous problem in the past 22 years of the widely used SQLite library and a surprising percentage of malicious proofs-of-concepts found in GitHub. Passkeys gets another supporter and the first part of a professional tutorial explaining how to exploit the Chrome browser is released. After some listener feedback and a SpinRite update, we look at the goodbye posting of the UK's head of cyber security after 20 years.
Nov 1, 2022
1 hr 48 min

This week we note the release of an updated Firefox browser and Google's welcome and interesting announcement of a super-secure-by- design open source operating system project. We look at the latest cryptocurrency craziness and at a new Windows 0-day which bypasses downloaded executable file security checks. And speaking of 0-days, Apple just patched their iPhone and iPad OS's against their 9th 0-day of the year. We then take a look at the forces driving the evolutionary demise of previously rampant banking malware and at today's critical VMWare update. Then, after sharing and addressing some interesting listener feedback, we'll take a look at new Australian legislation aimed at punishing data breaches and consider the ethics of Australia's proposed new heavy fines.
Oct 25, 2022
1 hr 42 min
Load more
