How masked domain owners can be unmasked through ICANN's new Registration Data Request Service (RDRS) WhatsApp's addition of Secret Code for extra privacy protection in Chat Lock Iranian hackers exploited default passwords in programmable logic controllers at US water facilities Attempt by Montana to ban TikTok statewide was stalled by a federal judge ruling Over 1 billion Android devices now have RCS messaging enabled EU Cyber Resilience Act will improve security of Internet of Things...

Adobe Flash Player Updater is (still) desperately trying to update Veracrypt password security Firefox moves to 120 with a bunch of very nice new features Do-Not-Track is back on track "ownCloud" -or- "PwnCloud" ? CrushFTP Critical Vulnerability Bypassing fingerprint authentication ApacheMQ TransUnion & Experian both hacked Show Notes - https://www.grc.com/sn/SN-950-Notes.pdf Hosts: Steve Gibson and Ant Pruitt Download or subscribe to this show at...

Privacy and Funding Challenges Facing Signal Messaging App Loss of Advertisers for Twitter After Controversial Tweet by Elon Musk Ransomware Group Files SEC Complaint Against Breached Company Europe Opening Up Radio Encryption Standard TETRA for Public Review Apple Announcing Adoption of RCS Messaging for iPhones Steve's Progress on Dynamic Code Signing for SpinRite Releases Removing Suction Cup Barnacles from Windshields Recommendations for Benchmarking USB Drive Read/Write Speeds...

Privacy Badger blocks trackers on news sites and prevents browser exposure to unwanted domains like TikTok and Datadog. No major updates on EU's controversial Article 45 in eIDAS 2.0. Industry pushback continues as implementation would threaten encryption. Cryptocurrency exchange Poloniex lost $130M in a hot wallet hack, the 14th largest crypto theft. Decentralized finance platform Raft lost $3.3M due to an exploit. Crook operated website iotaseed.io to generate wallet seed phrases, then...

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity CVSS version 4 released with new metrics for better granularity and...

What caused last week's connection interruption? Router was rebooting intermittently, but why? David Redekop of AdamNetworks explained their enterprise network security solution aims to only allow known safe connections, blocking everything else. iMessage gets Contact Key Verification to confirm new devices added to an account belong to the contact. Public Interest Research Group asks Microsoft to extend Windows 10 support beyond 2025. HackerOne breach bounties surpass $300M total payout....

How fake drives continue to be sold on Amazon despite negative reviews Microsoft is discontinuing support for the VBScript language The 30-year old NTLM authentication protocol will eventually be removed from Windows Two new vulnerabilities found in cURL A new Cisco router vulnerability rated CVSS 10.0 was used to hack over 40,000 devices Debate over whether "lib" should rhyme with "vibe" or "air" Instructions for accessing the SpinRite 6.1 pre-release version Feedback on passkey...

ValiDrive release follow-up Passkeys exportability and phishing risk Passkeys for device verification like SSH keys Possibility of hobby browsers vs. production browsers Availability of SpinRite 6.1 pre-release Filling drives with crypto noise using VeraCrypt Steve and Leo's favorite OTP apps Google Docs link rewriting could be to prevent referrer leakage Abusing HTTP/2 Rapid Reset Show notes: https://www.grc.com/sn/SN-944-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or...

Steve announces the release of his new freeware utility ValiDrive for detecting fake drive capacities. 23andMe claims a recent data breach exposed customer info due to credential stuffing attacks. Key stats from Microsoft's 2023 Digital Defense Report on cyberattacks, including increased attacks on open source software, growth in business email compromise, and more password attacks. Brave lays off 9% of its staff amid the tough economic climate, despite its efforts to diversify revenue...

Exim email server ignored ZDI's responsible disclosure of critical remote code execution flaws for over a year, putting millions of servers at risk. Malicious ads are appearing in Bing Chat responses, promoting fake sites distributing malware. Windows 11 now natively supports passkeys, though browser support may make this redundant. Researchers exploit WiFi beamforming side-channel to potentially reveal keystrokes, but practicality is limited. The ECH TLS extension encrypts the...

Apple has quietly removed support for Postscript in macOS Ventura over security concerns with the outdated interpreter language. China has formally accused the NSA of hacking and maintaining access to Huawei servers since 2009, based on documents from Edward Snowden. A misconfigured Azure Shared Access Signature token resulted in 38TB of sensitive internal Microsoft data being exposed, including employee backups with passwords. The Signal messaging platform has added a post-quantum...

Last week's news about evidence of LastPass vault decryption targeting cryptocurrency keys, and the UK's backing down on its encryption monitoring legislation. How hardware security modules (HSMs) allow cryptographic operations like code signing without exposing private keys. Browser identity segregation using multiple profiles rather than separate browsers. Requirements and best practices for securely wiping data from modern solid state drives. A countdown clock for the 32-bit UNIX time...

UK government appears to back down on demands to break encryption in Online Safety Bill Microsoft reveals how China-based hackers acquired secret key used to breach Outlook accounts Multiple flaws allowed key to improperly leave highly secure environment Mozilla research finds all major auto brands fail on privacy protection Evidence suggests LastPass encrypted vault data is being decrypted Researchers tie $35M in crypto thefts to compromised LastPass accounts Brute force feasible on...

Steve provides an update on ValiDrive, his new freeware utility for testing USB drives. It identifies bogus mass storage drives and performance differences between drives. There has been another sighting of Google's Topics API, this time on Android phones. It allows apps to get information about users' interests based on recent app usage. Apple has opened up their iPhones to security researchers through their Security Research Device program since 2019. Researchers get access to customize...

Picture of the Week: Steve shares a funny "what we say vs what we mean" image about tech support conversations. WinRAR v6.23 fixes: Steve explains that updating to the latest WinRAR is more important than initially thought, with two critical vulnerabilities being actively exploited by hackers since April to install malware. HTTPS for local networks: Responding to listener email, Steve agrees HTTP is fine for local network devices like routers but notes risks in larger corporate networks....

OpenSUSE goes private. Android to get satellite comms. SanDisk and Western Digital in hot water. You're asking for it: YouTube children's privacy. Whoopsie! 8Base. Where the money is. The TSSHOCK vulnerability. BitForge. A Quantum resilient security key. Removed Chrome extensions notifications. HTTPS by default? WinRAR 6.23 final released. Closing the Loop. When Heuristics Backfire. Show Notes - https://www.grc.com/sn/SN-936-Notes.pdf Hosts: Steve Gibson and Leo Laporte ...

Picture of the Week. Security Now!'s 18th birthday! Closing the Loop. Firefox Multi-Account Containers. A question about Full Disk Encryption on SSD's. Should I run SpinRite before I back up my drives to a NAS? Overly complex password rules. DuckDuckGo's email alias. The new Russian Astra Linux based OS can not legally be possible. Regarding satellite crowding: The skies won't be darkening anytime soon. This is what came to mind on the Voyager 2 segment with the shout. Can you...

Picture of the Week. NASA "shouted" at Voyager. Another view of Microsoft. What about this Chinese attack? AI meets Keyboard Acoustic Side-Channel attacks. Closing the Loop. Revisiting Global Privacy Control. Show Notes: https://www.grc.com/sn/SN-934-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at...

Picture of the Week. Satellite Turla: APT Command and Control in the Sky. OS 17 to further crack down on device fingerprinting. Android to start warning of "unknown trackers". The 7th branch of the US military. Russia criminalizes open source project contribution. VirusTotal's 2023 report. Closing the Loop. TETRA:BURST. Show Notes - https://www.grc.com/sn/SN-933-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at...

Picture of the Week. R.I.P. Kevin Mitnick. Apple says: "Thanks, but we'd rather leave." Web Environment Integrity. Web Analytics under the spotlight. More progress on the IoT security front. The "Expeditionary cyber force". Ransomware payouts being made much less often. MOVEit Update. TikTok + Passkeys. Closing the Loop. SpinRite. Satellite Insecurity, Part 2. Show Notes: https://www.grc.com/sn/SN-932-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this...

Picture of the Week. Kaspersky on Microsoft's Patch Tuesday. As the worm turns: WormGPT. Microsoft revokes 100+ malicious drivers. MOVEit Update. Does Dun & Bradstreet know you? No Threads for you! (or EU!) All Bitcoin addresses look alike. Twitter changes DM settings. Closing the Loop. SpinRite. Satellite Insecurity, Part 1. Show Notes: https://www.grc.com/sn/SN-931-Notes.pdf  Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at...

Picture of the Week. Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software. And as for MOVEit... What's a "Rug Pull" ?? "Avast, ye Matey" China's OpenKylin v1. TootRoot! Firefox 115. Did Russia Disconnect? Use some honey if you want to catch some flies. Cryptocurrency losses. International Consumer Data Transit. Apple's emergency update retraction. Syncthing Revisited. Closing the Loop. SpinRite's first RTM release. RTOS-32. Rowhammer Indelible...

Picture of the Week. Catching Leo up to speed from last week. DuckDuckBrowse. And an updated Tor Browser. Opera, now enhanced with "AI". The KasperskyOS Phone. The cost of doing business in Russia. Slowly turn the wheels of justice. The US to create a new "Cyber Force". Apple.com now supports Passkeys. Selective GDPR enforcement? Facial Recognition is Photo Recognition. Google cybersecurity clinics. Progress/MOVEit sued. Closing the Loop. SpinRite. Operation Triangulation....

Picture of the Week. Patch Tuesday. Does EVERYTHING leak?? Closing the Loop. SpinRite gets version 7.1! The Massive MOVEit Maelstrom. Show Notes: https://www.grc.com/sn/SN-928-Notes.pdf Hosts: Steve Gibson and Jason Howell Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes...