Security Now

• SN 1009: Attacking TOTP - Force-Installed Outlook, DJI Firmware Update

  • What do we learn from January's record breaking 0-day critical Patch Tuesday?
  • Microsoft to "force-install" a new Outlook into all Windows 10 and 11 desktops?
  • GoDaddy required to get much more serious about its hosting security.
  • More age verification enforcement is coming, including globally.
  • What another instance of a widely exposed management interface teaches us.
  • DJI drone's official firmware update lifts geofencing for unrestricted flight.
  • CISA's efforts pay off with MUCH improved critical infrastructure security.
  • Listener feedback about TOTP, HOTP and age-verification.
  • And we take a deep dive into cracking authenticator keys

  Show Notes - https://www.grc.com/sn/SN-1009-Notes.pdf

  Hosts: Steve Gibson and Leo Laporte

  Download or subscribe to Security Now at https://twit.tv/shows/security-now.

  Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

  You can submit a question to Security Now at the GRC Feedback Page.

  For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

  Sponsors:

  • vanta.com/SECURITYNOW
  • bitwarden.com/twit
  • threatlocker.com for Security Now
  • veeam.com

• SN 1008: HOTP and TOTP - SyncThing, Auto-Updates, Sci-Fi Recs

  • Meta winds down 3rd-party content filtering. Is encryption soon to follow?
  • Taking over abandoned Command & Control server domains (strictly for research purposes only).
  • IoT devices to get the "Cyber Trust Mark" — Will anyone notice or care?
  • "SyncThing" receives a (blessedly infrequent) update.
  • Government email is not using encryption? Really?
  • Email relaying prevents point-to-point end-to-end encryption and authentication.
  • Just because Let's Encrypt doesn't support email doesn't mean it's impossible.
  • What Sci-Fi does ChatGPT think I (Steve) should start reading next?
  • To auto-update or not to auto-update? — is that one question or two?
  • And, until today, we've never taken a deep dive into the technology of time-varying 6-digit one time tokens.

  Show Notes - https://www.grc.com/sn/SN-1008-Notes.pdf

  Hosts: Steve Gibson and Leo Laporte

  Download or subscribe to Security Now at https://twit.tv/shows/security-now.

  Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

  You can submit a question to Security Now at the GRC Feedback Page.

  For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

  Sponsors:

  • canary.tools/twit - use code: TWIT
  • uscloud.com
  • joindeleteme.com/twit promo code TWIT
  • 1password.com/securitynow
  • zscaler.com/security

• SN 1007: AI Training & Inference - Unencrypted Email, Doom Captcha

  • The consequences of Internet content restriction.
  • The measured risks of 3rd-party browser extensions.
  • The consequences of SonicWall's unpatched 9.8 firewall severity.
  • The incredible number of still-unencrypted email servers.
  • SonicWall vulnerability patching
  • Shadowserver Foundation & eMail Encryption
  • Salt Typhoon Evicted
  • HIPAA gets a long-needed cybersecurity upgrade.
  • The EU standardizes on USB-C for power charging. What?
  • Believe it or not, a CATCHA you solve by playing DOOM.
  • And... what I learned from three weeks of study of AI

  Show Notes - https://www.grc.com/sn/SN-1007-Notes.pdf

  Hosts: Steve Gibson and Leo Laporte

  Download or subscribe to Security Now at https://twit.tv/shows/security-now.

  Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

  You can submit a question to Security Now at the GRC Feedback Page.

  For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

  Sponsors:

  • bitwarden.com/twit
  • expressvpn.com/securitynow
  • veeam.com
  • threatlocker.com for Security Now

• SN 1006: Best of 2024 - Apple's Secret Backdoor, CrowdStrike Catastrophe, Recall's Privacy Nightmare

  Leo revisits some of the year's top Security Now segments of 2024.

  • 956. Apple's Hardware Backdoor: Steve reflects on the previous week's 'The Mystery of CVE-2023-38606' deep-dive. Did Apple deliberately designed a secure backdoor?
  • 960. Unforeseen Consequences of Google's 3rd-party Cookie Cutoff: As Google moves to phase out third-party cookies, the advertising industry scrambles to find new ways to track users, potentially leading to more intrusive methods like requiring users to create accounts on websites.
  • 961. Bitlocker: Chipped or Cracked?: A clever hacker demonstrates how BitLocker-encrypted drives can be compromised on systems using separate TPM chips, highlighting the importance of integrating TPM functionality directly into the CPU.
  • 964. So, What Is Apple's PQ3?: Steve analyzes Apple's new "PQ3" post-quantum safe iMessaging protocol, uestioning whether it truly offers superior security compared to Signal's existing solution.
  • 976. Recall - The 50 Gigabyte Privacy Bomb: Examining Microsoft's new "Recall" feature that records users' screens every few seconds, raising significant privacy concerns.
  • 984. CrowdStruck: A look at the disastrous global IT outage caused by a faulty CrowdStrike Falcon update, affecting airports, hospitals, banks, and more.
  • 1000. Steve and Leo reflect on 1000 episodes of Security Now.
  • 1001. Artificial General Intelligence: Steve and Leo discuss the challenges in achieving artificial general intelligence (AGI) and the debate surrounding its potential timeline and societal impact.

  Host: Leo Laporte

  Download or subscribe to Security Now at https://twit.tv/shows/security-now.

  Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

  You can submit a question to Security Now at the GRC Feedback Page.

  For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

• SN 1005: 6-Day Certificates? Why? - Android Anti-Tracking, MFA lLogin Bypass, BIMI

  • Is AI the Wizard of Oz? Or is it more?
  • Microsoft's long standing effective MFA login bypass.
  • Is TPM 2.0 not required after all for Windows 11?
  • Meet 14 North Korean IT workers who made $88 million from the West.
  • Android updates its Bluetooth tracking with anti-tracking.
  • The NPM package manager repository has had 540,000 malicious packages discovered hiding in plain sight.
  • The AskWoody site remains alive, well, and terrific.
  • My iPhone is linked to Windows and it's wonderful. Yay.
  • How has email been finding logos before BIMI?
  • If we use Him and Her for people, how about Hal for AI?
  • Another very disturbing conversation with ChatGPT.
  • What's going on with the new ChatGPT o1 model? It wants to escape? What??
  • Let's Encrypt plans to reduce its certificate lifetime from 90 to just 6 days. Why in the world?
  • And all the best holiday wishes. See you in January

  Show Notes - https://www.grc.com/sn/SN-1005-Notes.pdf

  Hosts: Steve Gibson and Leo Laporte

  Download or subscribe to Security Now at https://twit.tv/shows/security-now.

  Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

  You can submit a question to Security Now at the GRC Feedback Page.

  For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

  Sponsors:

  • joindeleteme.com/twit promo code TWIT
  • 1password.com/securitynow
  • bigid.com/securitynow
  • canary.tools/twit - use code: TWIT