Security Now (Audio)

A number of ongoing out-in-the-wild attacks Another early-warned Drupal vulnerability A 19-year old flaw in an obscure decompress for the "ACE" archive format Microsoft reveals an abuse of HTTP/2 protocol which is DoSing its IIS servers. Mozilla faces a dilemma about a wanna-be Certificate Authority and they also send a worried letter to Australia. Microsoft's Edge browser is revealed to be secretly whitelisting 58 web domains which are allowed to bypass its "Click-To-Run" permission for Flash. ICANN renews its plea for the Internet to adopt DNSSEC. NVIDIA releases a handful of critical driver updates for Windows. Apple increases the intelligence of it's Intelligent Tracking Prevention. We invite you to read our show notes at https://www.grc.com/sn/SN-703-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: thehelm.com/SECURITYNOW expressvpn.com/securitynow Atlassian.com/IT

Last week's doozy of a patch Tuesday for both Microsoft and Adobe An interesting twist coming to Windows 7 and Server 2008 security updates Eight mining apps pulled from the Windows Store Another positive security initiative from Google Electric scooters being hacked Chipping away at Tor's privacy guarantees A year and a half after Equifax, and where's the data? The beginnings of GDPR-like legislation for US An extremely concerning new and emerging threat for the Internet We invite you to read our show notes. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: WordPress.com/securitynow canary.tools/twit - use code: TWIT Wasabi.com offer code SecurityNow

Apple's most recent v12.1.4 iOS update and the two 0-day vulnerabilities it closed Worrisome new Android image-display vulnerability An interesting "reverse RDP" attack The new LibreOffice & OpenOffice vulnerability Microsoft's research into the primary source of software vulnerabilities MaryJo gets an early peek at enterprise pricing for extending Windows 7 support China and Russia continue their work to take control of their countries' Internet Firefox's resumption of its A/V warning in release 65. How Google does the Cha-Cha with their new "Adiantum" ultra-high-performance cryptographic cipher. We invite you to read our show notes. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: Atlassian.com/IT go.itpro.tv/securitynow promo code SN30 Sophos.com

Chrome gets "spell-check for URLs" Catch up on your Linux patch up! Performance enhancements for Chrome and FireFox. Facebook must really like being in the doghouse. The Japanese government takes on IoT security. Ubiquiti routers are in trouble again. Chrome "Never Slow" mode in the works. We invite you to read our show notes. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: FreshBooks.com/securitynow LastPass.com/twit securitynow.cachefly.com

The expressive power of the social media friends we keep The persistent DNS hijacking campaign which has the US Government quite concerned Last week's iOS and macOS updates (and doubtless another one very soon!) A valiant effort to take down malware distribution domains Chrome catching up to IE and Firefox with drive-by file downloads Two particularly worrisome vulnerabilities in two Cisco router models publicly disclosed last Friday The state of the industry and the consequences of extensions to our web browsers. We invite you to read our show notes. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: expressvpn.com/securitynow Atlassian.com thehelm.com/SECURITYNOW

Which is the right VPN client for Android, and which should you avoid at all costs? A very worrisome WiFi bug affecting billions of devices Hack a Tesla Model 3 at Pwn2Own Russia's ongoing, failing and flailing efforts to control the Internet The return of the Anubis Android banking malware Google's changing policy for phone and SMS App access Tim Cook's note in TIME Magazine News of a nice Facebook Ad auditing page Another Cisco default password nightmare in widely used lower-end devices We invite you to read our show notes. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: canary.tools/twit - use code: TWIT Wasabi.com offer code SecurityNow WordPress.com/securitynow

The implications of the recent increase in bounty for the purchase of 0-day vulnerabilities. The intended and unintended consequences of last week's Windows Patch Tuesday. Speaking of unintended consequences, the US Government shutdown has had some, too! A significant privacy failure in WhatsApp. Another Ransomware decryptor (with a twist). Movement on the DNS-over-TLS front. An expectation of the cyberthreat landscape for 2019. A cloudy forecast for The Weather Channel App. A successful 51% attack against the Ethereum Classic cryptocurrency. Another court reversing compelled biometric authentication. An update on the lingering death of Flash... now in hospice care. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: go.itpro.tv/securitynow promo code SN30 Sophos.com Atlassian.com

The NSA announces the forthcoming release of an internal powerful reverse-engineering tool for examining and understanding other people's code. Emergency out-of-cycle patches from both Adobe and Microsoft. PewDiePie hacker strikes again. Prolific 0-day dropper SandboxEscaper ruffles some feathers. A new effort by the US government to educate industry about the risks of Cyber attacks. Welcome news on the ransomware front. VERY welcome news of a new Windows 10 feature. A note about a just-published side-channel attack on OS page caches. We invite you to read our show notes. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: LastPass.com/twit securitynow.cachefly.com FreshBooks.com/securitynow

The Best of Security Now from 2018! Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsor: securitynow.cachefly.com

Rhode Island's response to Google's recent API flaw Signal's response to Australia's anti-encryption legislation The return of PewDiePie US border agents retaining traveler's private data This Week in Android Hijinks Confusion surrounding the Windows v5 release Another Facebook API mistake The 8th annual most common passwords list (AKA "How's 'monkey' doing?") Why all might not be lost if someone is hit with drive encrypting malware Microsoft's recent 4-month run of 0-day vulnerability patches The Firefox 64 update A reminder of an awesome train game for iOS, Mac and Android A look at a new and very troubling flaw discovered in the massively widespread SQLite library... and what we can do. We invite you to read our show notes. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: LastPass.com/twit RocketMortgage.com/SecurityNow redhat.com/heroes

Australia's recently passed anti-encryption legislation Details of a couple more mega-breaches including a bit of Marriott follow-up A welcome call for legislation from Microsoft A new twist on online advertising click fraud The DHS is interested in deanonymizing cryptocurrencies beyond Bitcoin The changing landscape of TOR funding An entirely foreseeable disaster with a new Internet IoT-oriented protocol Google finds bugs in Google+ and acts responsibly -- again -- what that suggests for everyone else We invite you to read our show notes. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: ITPro.TV/securitynow - use code: SN30 expressvpn.com/securitynow canary.tools/twit - use code: TWIT

Another Lenovo SuperFish-style local security certificate screw up The Marriott breach and several other new, large and high-profile secure breach incidents The inevitable evolution of exploitation of publicly exposed UPnP router services The emergence of "Printer Spam" How well does ransomware pay? We have an idea now. The story of two iOS scam apps Progress on the DNS over HTTPS front Rumors that Microsoft is abandoning their EdgeHTML engine in favor of Chromium We also have a bit of A Cyber Security related Humble Book Bundle just in time for Christmas Some new research that reveals that it's possible to recover pieces of web browser page images that have been previously viewed. We invite you to read our shown notes. Hosts: Steve Gibson and Jason Howell Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: Ring.com/SECURITYNOW WordPress.com/securitynow RocketMortgage.com/SecurityNow

Yesterday, the US Supreme Court heard Apple's argument about why a class action lawsuit against their monopoly App Store should not be allowed to proceed. How could this affect iOS security? Google and Mozilla are looking to remove support for FTP from their browsers. From our "what could possibly go wrong" department, we have browsers asking for explicit permission to leave their sandboxes. The next step in the evolution of RowHammer attacks which do, as Bruce Schneier once opined, only get better... or in this case, worse! We invite you to read our show notes. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: Wasabi.com offer code SecurityNow do.co/twit securitynow.cachefly.com

All the action at last week's Pwn2Own Mobile hacking contest The final word on processor mis-design in the Meltdown/Spectre era A workable solution for unsupported Intel firmware upgrades for hostile environments A forthcoming Firefox breach alert feature The expected takeover of exposed Docker-offering servershe recently announced successor to recently ratified HTTP/2 1.1.1.1 errata The future of passwords: a thoughtful article written by Troy Hunt, the creator of the popular "Have I Been Pwned" web service We invite you to read our show notes. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: RocketMortgage.com/SecurityNow ITPro.TV/securitynow - use code: SN30 expressvpn.com/securitynow

Last month's Patch Tuesday, this month A GDPR-inspired lawsuit filed by Privacy International Check these two router ports to protect against a new botnet that's making the rounds Another irresponsibly disclosed zero-day, this time in Virtual Box CloudFlare's release of a very cool 1.1.1.1 app for iOS and Android Microsoft's caution about the in-RAM vulnerabilities of the BitLocker whole drive encryption A deep dive into last week's worrisome revelation about the lack of true security being offered by today's Self-Encrypting SSD drives. We invite you to read our show notes. Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: WordPress.com/securitynow canary.tools/twit - use code: TWIT LastPass.com/twit