Security now android txt download























Some wonderful news for the Open Source community, a bit of miscellany, some listener feedback, and a screenshot of the final replacement for SpinRite's "Discovering System's Mass Storage Devices Then we revisit the Microsoft Exchange disaster, another week downstream and still drowning.

Hafnium

This week we look into last week's critical Chrome update and also cover the wackiest-but-true Chrome extension of all time.

We look at Google's new funding of Linux security development; a surprisingly undead, long-unheard-from media player that just received a massive collection of updates; and, yes, still another way of abusing Intel's latest processor microarchitecture. We need to update everyone on our Dependency Confusion topic from two weeks back because there's big news there.

We have several bits of identical listener feedback all wanting to be sure that I knew something had happened. Then we're going to cover the world's latest global crisis which we first mentioned as breaking news in the middle of last week's podcast.

It was breaking then. It's badly broken now.

CNAME Collusion

This week we discuss a welcome change coming soon to the Chrome browser, and a welcome evolution in last week's just released Firefox We're going to look at questions surrounding the source of the original intrusion into SolarWinds servers, and at a new severity vulnerability affecting Rockwell Automation PLC controllers.

We'll touch on VMware's current trouble with exploitation of their vCenter management system, and I want to share a recent code debugging experience I think our listeners will enjoy and find interesting. Then we're going to conclude with some information about something that's been going on quietly out of sight and under the covers which must be made as widely public among web technologists as possible.

We look at a clever new means of web browser identification and tracking and at a little mistake the Brave browser made that had big effect. I want to remind our listeners about the ubiquitous presence of tracking and viewing beacons in virtually all commercial eMail today. We'll look at Microsoft's final SolarWinds Solorigate report and at another example of the growing trend of mobile apps being sold and then having their trust abused.

I'll share a post from the weekend about a dramatic improvement in SSD performance after running SpinRite, but also why you may wish to hold off on doing so yourself. And then we're going to look at what everyone will agree was -- and perhaps still is -- a breathtaking oversight in the way today's complex software products are assembled which creates an inherent massive vulnerability across the entire software industry.

This week we'll begin by following up on last week's headline-making attack on the Oldsmar, Florida water treatment plant with new details that have since come to light. We'll then take a look into last week's Patch Tuesday event and at some of the sadly broken things that have once again been fixed. We're going to look at a dangerous Android App with 1. I'll briefly update about my past eventful week with SpinRite, which includes a second movie of new SpinRite code running.

Then we'll take a look at the recent discovery of the largest list of email and password combinations ever compiled, and what we can each do about it. We look at a high-profile Windows Defender misfire, and at new WordPress plugin nightmares. We check in on the world of DDoS attacks and cover the meaning of three new critical vulnerabilities in SolarWinds software.

We have a bit of closing-the-loop feedback from our listeners, an update on my work toward the next SpinRite, and then we look at a near-miss disaster in a poorly designed industrial control system.

NAT Slipstreaming 2.

We cover a number of serious new vulnerabilities including an urgent update need for the just-released Gnu Privacy Guard; another supply chain attack against end users; a disastrous year-old flaw in Linux's SUDO command; and, thanks to Google, some details of Apple's quietly redesigned sandboxing of iMessage in iOS I'm going to share something that I think our listeners will find quite interesting about some recent architectural decisions for SpinRite, and then we'll conclude with a look at the inevitable improvement in NAT bypassing Slipstreaming.

Comparative Smartphone Security

This week we look at the updates in release 88 of both Chrome and Edge with their evolving password manager features. We also look at two recent headshaking consequences of the hard end of life for Adobe's Flash. Ransomware gangs have added another new incentive for payment, and additional details continue emerging about last year's SolarWinds attacks. We have newly disclosed discoveries from a Google Project Zero researcher, and I spend a bit of time wondering out loud how we're ever going to change the low priority that's currently being given to serious security problems that don't directly inconvenience end users.

And we finish by examining a very useful analysis of the comparative security of iOS and Android recently published by Johns Hopkins' Matthew Green and team.

Where the Plaintext Is

This week we look at one aspect in which Chrome and Chromium differ, and then at a bit of growth news from the DuckDuckGo folks. Google's Project Zero reports on some terrific detective work, and we look at last week's Patch Tuesday. There's also Microsoft's pending change to the flaws which enabled last year's Zerologon debacle, and the NSA's interesting statement about enterprises and the DoH protocol.

We look at the research that cracked the secret key out of Google's supposedly uncrackable Titan FIDO U2F dongle, and we catch up with a bit of listener feedback.

Then we wrap up by looking at various aspects of the frenzy caused by WhatsApp's quite predictable move to incorporate its users' conversation metadata into Facebook's monetization ecosystem.

Out With the Old

This week we address critical updates for Firefox and all Chromium-based browsers and a potentially unwelcome, but reversible, change coming to Firefox.

We look at another new tactic being employed by ransomware gangs; an update on ransomware's profitability; a bogus-seeming announcement from Intel during yesterday's CES; and the first use, on this podcast, of the term "teledildonics.

SolarBlizzard

This week we open the New Year taking a longer look at fewer topics since the bad guys were apparently enjoying their New Year holiday, too. So we look at an interesting kludge that's been forced upon Chrome by ill-mannered antiviral scanners.

We need to warn all enterprise users of Zyxel network border security products of another recently discovered built-in backdoor. We look at the rise in IoT compromise swatting attacks and a series of new flaws and vulnerabilities in the PHP Zend and Yii frameworks. And we'll conclude by catching up with what will hopefully be the last news, for a while at least, of the disastrous SolarWinds breach and intrusions.

And then we look at everything more that has come to light three weeks downstream from the first revelations of the SolarWinds-based massively widespread network intrusion and compromise.

The Best of

This week is our annual holiday best of the year wrap up.

SolarWinds

This week is crammed with news leading up to our holiday break. Chrome is throttling ads. There's new cross-browser ad insertion malware.

We have a new term in the ransomware world. We have last week's Patch Tuesday, a jaw-dropping policy leak from Microsoft, trouble for Cisco's Jabber, an embarrassing vulnerability in many D-Link VPN servers, the brief Google outage, more horrific news of IoT network stack vulnerabilities, another WordPress mess, the Pwnie Awards, the welcome end-of-life of Flash, JavaScript's 25th birthday and free instruction classes, a bit of closing the loop, and SpinRite news.

Then we take a full reconnaissance dive into what happened with the monumental and in so many ways horrific SolarWinds supply chain security breach.

Amazon Sidewalk

At the beginning of this podcast, you're going to receive some details about another update to Chrome, and news of a few new high-profile ransomware victims.

You'll learn about a breathtaking, remotely exploitable zero-click complete iPhone security compromise, as well as another significant big step forward for DNS privacy beyond DoH. We'll explain the nature of another serious and probably lingering problem within many Android apps. I have a few interesting bits of miscellany and SpinRite news to share. And before this is over, you will have obtained a full working sense for exactly what it is that Amazon has created and why, with their Amazon Sidewalk neighborhood IoT network concept, coming soon to all of your Amazon devices.

I'll quickly run though some new and notable ransomware casualties, including a couple of follow-ups. We'll look at a critical flaw in the Drupal content management system, the big trouble with generic smart doorbells, an interesting attack on Tesla Model X key fobs, CA's adaptation to single-year browser certs, several instances of leaked credential archives, a critical RCE in a major MDM server, a bit about the Salvation Trilogy, and some extremely promising news about SpinRite's future.

Then we'll wrap up by taking a look at the consequences of the increasing consolidation of DNS service providers. It's not good if staying on the Internet is important to you.

Cicada

This week we have a bunch of news on both the Chrome and Firefox fronts with patches, updates, and new features.

We have a comical bit of news from the ransomware front, and more troubling ongoing WordPress attack specifics, including a weird eCommerce site spoofing attack. We look at the future consequences of ongoing vulnerability announcements coupled with their very incomplete patching, and Android's bold move right into the middle of the unbreakable end-to-end encryption controversy.

And then we'll conclude with a look at a large, multiyear as in year advanced very-persistent threat state-based attack perpetrator known as "Cicada. We have two interesting bits of ransomware meta news including a new tactic. We update after last week's Super Tuesday patch marathon, and examine new research into the most common source of Android malware to see where most unwanted apps come from and it's not what we would likely guess.

We'll share a bit of listener feedback and an update on my work on SpinRite.

Chrome's Root Program

This week we examine a serious newly revealed Windows zero-day flaw, a public service reminder from Microsoft, Google's newly announced plan to get into the VPN service business, CERT's unappealing plan for automatic vulnerability naming, and a real mess that WordPress just made of an incremental security update to million sites.

Then we'll close a loop, I'll update about SpinRite, and we'll finish by examining Google's new plan to go their own way with a new Chromium browser certificate Root Store.

The 25 Most Attacked Vulnerabilities

This week we examine a recently patched zero-day in Chrome and a nice new feature in that browser. We look at the site isolation coming soon to Firefox, and Microsoft's announcement of Edge for Linux. We have some movement in the further deprecation of Internet Explorer, and a potentially massive SQL injection attack that was recently dodged by more than one million WordPress sites, despite the fact that some admins complained.

Then we have a bit of miscellany, closing-the-loop feedback, and an update on my work on SpinRite. We end by looking at the NSA's recently published list of the top 25 network vulnerabilities being used by malicious Chinese state actors to attack U.

We look at the revelations and fallout from last week's Patch Tuesday, and at Zoom's latest announcement of this week's roll-out of end-to-end encryption.

We make sure everyone knows about the latest horrific SonicWall vulnerability and Microsoft's pair of not-that-worrisome out-of-cycle patches. We share a bit of miscellany and closing-the-loop feedback. Then we examine an actual Ryuk Ransomware intrusion and attack We touch on several recent ransomware events and on the consequences of not logging free WiFi users in France. We look at the results of an amazing bit of hacking of Apple, give an update on the enduring Zerologon threat, introduce the revenge of DNT with legislation-enhanced GPC, and describe another renewed attack on undecryptable E2EE now by seven countries.

Why Win7 Lives On

This week we examine several new and welcome Google initiatives aimed at improving Android general web browser security. We look at Microsoft's solution for updating aging Windows offline images with the latest Defender definitions. We note some surprising network behavior from Windows second Subsystem for Linux.

We check-in on Exchange Server updates after eight months. Then we have a bit of errata and a GRC forums update. And we conclude by sharing the results of an interesting poll which illuminates the many reasons why Windows 7 refuses to die. We see that an enterprise's choice of VPN gateway really does make a difference.

We drop in for an update on what would have to be called the new ransomware gold rush, and we examine the implications of Ring's latest announcement of their flying spy drone I mean webcam. Then we learn how much Vitamin D Dr. Then we conclude with the required big update to the Zerologon story which we began last week. And we've often talked about how some comments you're writing for yourself, some comments you're writing for whoever it is that gets stuck with the task of maintaining the code that you wrote.

And of course ideally people who come along later will augment the comments that they find with more to keep them current. Anyway, so this is a comment block that reads: "Dear programmer: When I wrote this code, only god and I knew how it worked. Now only god knows. Leo: Oh, my god. So anyway, I just thought that was a hoot.

So, yes. If you encounter this, and the count is large, maybe you should consider not bothering to optimize Leo: Do we know where this came from? This is awesome. Steve: No, I don't. Isn't it great? I love it. Leo: Oh, man. Steve: So, okay. It turns out today, even though Windows 10 free upgrade ended on the 29th of July , you can still upgrade Windows 10 for free. And so I just wanted to mention that because I imagine maybe this month, maybe next month, because after all, as we know, middle of next month, middle of January is the last security update which Microsoft will be providing for Windows 7.

Now, we say that assuming that they're going to stick to, and it seems likely that they will, stick to their determination to force anybody who wants more updates into the paid plan for the following three years. At the same time, we've seen them reach back even to Windows XP if something really horrific like BlueKeep, in this example, had happened.

Because of course they did go back and patch even Windows XP because the BlueKeep vulnerability in the desktop server was so bad that they wanted to go back and fix it. So presumably updates stop after the middle of next month, January And so I don't recall exactly what it was, or I did know as I was starting to do this research, but I remembered that there was some kind of, I don't know, skeezy way that you could still get an update that didn't really seem copacetic that Microsoft was making available.

And I didn't know, if that was still available, what was going on. And of course it never really was clear to me why this was time limited in the first place, why they were, after all this massive push - remember there was the, well, of course my own freeware, Never And then there was also the GWX, Get Windows 10, that was unwanted software that was being downloaded that was really pushing people.

And for a while you could push it off, and then it sort of stopped giving you a choice. You had to hit the X button to close the dialog because you then were only left with a choice of upgrade now or upgrade tonight. And it's like, wait, what happened to "No, thanks"? So after all that, then they suddenly said, okay, we're going to give you a deadline.

And I guess the point was to give people the impression that this was really it. And then if you didn't get it now, then you're never going to be able to get it for free. And in fact, if you want Windows 10 Pro, oddly enough, the Download Windows 10 takes you to this page where, first of all, they're trying to sell you their Surface hardware because you fill out a questionnaire about whether Windows is fast or slow, whether you run one thing or more than one thing at a time. It sort of does this weird profiling of you.

Basically the answer always comes up, oh, you should upgrade to a Windows Surface thing. But if you answer the questions in some way, then it will also give you the choice of, well, okay, we guess if you just upgrade to Windows 10 you'll be happy enough. So it turns out that Leo: By the way, I don't know what page you're going to.

But I don't see that on this page. If you go down Leo: Windows 10 confirm. Steve: No, I think if you scroll down further because there was something about having to get the license, to qualify for a license or purchase the license. Leo: You don't even really need to do that because you don't need a license, is the point.

Steve: Correct. And that ends up being the case. Leo: So I didn't have to do any of that. I'm just going to download right here the ISO, bit. The key is in the past we've always thought, well, if you do that, you're going to have to enter a serial number. And they say you're going to. Leo: And they say you're going to. But you don't. Steve: Yes. And are you running this from Windows 7? Leo: No, this is on a Mac. Steve: Oh, okay. So maybe it's different if you're running it from Windows 7.

Leo: I've not seen - there may be other entry points. I just googled "Windows Media Creator Tool" and went right to that page. There may be other entry points that you've gone through. Steve: Well, so I created a shortcut for our listeners, grc. So that takes you to - that's just a shortcut to the official Windows 10 software download, which does eventually take you to the Media Creators Tool. That's where it gets to. Leo: Well, yeah. So don't follow your link.

Just google "Media Creation Tool. This is the number one link, and I didn't have any of that crap. It's a simple click. So I think you're maybe going in through a sales portal of some kind. Steve: Create Windows 10 installation media. Leo: Maybe you're right. Maybe if you're on Windows 7 it senses. It has a sense. But in any event, you don't need to have a key.

It'll download it for you. Their theory is, well, you're going to download a trial version. Eventually you'll need a key.

You'll have to activate it in, I think, 90 days. But apparently not. He wrote that he had decommissioned a machine back in , a little Intel small form factor PC. And he was curious about the whole upgrade process.

And so he went through this process and was told that he was going to have to have, like, purchase a license to Windows But to his surprise, as he wrote, once he went through this upgrade process, he was greeted with a screen that I have in the show notes just saying "Windows 10 Pro.

Windows is activated with a digital license. But it just moves you along. So you and I have both told our listeners what I wanted to, which is, even today, even though they sort of say you need to purchase a license - and last night when I was doing it from a Windows 7 machine, I was following through the Download Windows 10, and it took me through this purchase process.

Leo: Yeah. I clicked your link. And for me on this Mac it did the same, the proper page without any upsell. So I think it's because you were on Windows 7. Steve: That would make sense. Leo: Now, there should be a caveat issued here because nobody - Ed Bott, Paul Thurrott - nobody has been able to verify that this is Microsoft policy.

What's not clear - and I just want to say it's not guaranteed to work because Microsoft says it doesn't work. Leo: It seems to work with everybody we talk to. Leo: But here's the reason I say that. If it doesn't work, you're now going to have installed Windows 10 on top of your Windows 7, and that may be a pain in the butt for you.

There is a rollback; right? Steve: Yes, yes. You are able to Leo: Okay. So you could theoretically roll back. Steve: Yes, you are able to back out.

Leo: I'd still back it up before you do this would be my advice. Steve: And I did also pursue the state of the online dialogue about this. And the only problem that anyone reported was the typical, like the upgrade hung because of some random hard drive or the USB, I mean, like there are various reasons why Windows 10 upgrade just fails. And so when it succeeds Leo: Microsoft hasn't fixed that part yet.

Steve: No. So when it succeeds, you seem to be golden. But as a consequence of the fact that it sometimes fails, all of that rollback stuff is there. Leo: And you'll be glad if you have an image, too. So just for safety's sake. That would be a good thing to do. Make an image. But I just wanted our listeners to know, if they're feeling like, oh, boy, I sure do wish I had gotten it when I could, well, I don't think it'll ever not be available. Leo: I did see one post on Reddit from somebody who says he worked in the Windows division, and that this is always - you probably saw it, too.

This has always been the policy. But he said it comes from Terry Myerson, who's been gone for about a year from Windows, who really was trying to get the upgrade numbers, the percentage of upgrades high, didn't really care. Revenue, Windows revenue is no longer that important to Microsoft. They may be a little bit more nervous about having a lot of Windows 7s out in the wild.

I would be. Steve: Well, yeah. And remember we covered it at the time. They were pushing to their shareholders or their stockholders like all of the, what was it, the monetization opportunities which would be made possible by all the things in Windows 10 that all of us dislike. So it's like, okay, well, that's all still there. So, yeah. Leo: The other thing that's a question mark is whether you need to install on top of an existing Windows 7, or you can do a clean install.

And most of the people I've seen say best to just install on top of. I would also do that because it might not know. I mean, so you have the option. You will be presented with the option of creating installation media or just upgrading this system that you're running on. And for the sake of preserving and essentially promoting your Win7 or Win8 license to Win10, I would say just upgrade over.

But yes, make an image first. Leo: Some people have done clean installs and it's worked. Steve: Oh, good. Leo: The other thing I would say that's important for everybody to know is the way activation now works, once Windows 10 is activated on a machine, at that point you can wipe it, you can do anything you want.

You have what Microsoft calls an "entitlement" to Windows That machine for thereafter, as long as you don't change major system components, will be activated for Windows So a clean install after the fact is fine. And you and I have always been believers of clean install.

I don't think I have, in fact I am sure I have never once in my life done a major Windows version upgrade. It's like, it's not worth it. Just start over. Leo: If you have a version of 7 installed, go ahead and install on top of it. If you don't, go ahead and try because people in the chatroom are saying, no, no, it works with a clean install, too.

So this is what's so strange. Microsoft has been dead silent on all this. Leo: And who knows? After they hear this show, they may flip off the switch; right? Steve: Whoops, we forgot about that page, yeah. Leo: But for now it works. Now, here's the real question, Steve. Should you upgrade to Windows 10? Steve: Hmmm. That is a question. I mean, I'm liking Leo: Would you? Steve: Not immediately, as we know.

It just decided, okay, I'm tired. Leo: But you're a security expert. I wouldn't recommend most people run XP online; right? Steve: No, no, no. No, no. And I absolutely agree. I've made peace with Win I have it on a bunch of systems. I'm comfortable with it.

I have access, thanks to my MSDN subscription, to the long-term servicing channel, so I'm able to install a machine that doesn't have any of the cruft on it. And I have decruftified a number of standard Win10 Pro machines to get the Candy Crush Soda Saga and all that other nonsense off of it.

Leo: There's a PowerShell one-liner that will delete all of those apps. Leo: That's what I always do. I mean, complaints some people have had, I know you've had, is that you can't really fully turn off the telemetry, the phoning home that Windows does.

But I don't know. If you're going to use Windows, you might as well live with that. And of course we know that there are some small percentage of people who have real problems with it.

But again, it's a small percentage. They're loud. And Paul and Mary Jo cover those sorts of things when they happen. Leo: Oh, yeah. We hear from them. Steve: And unfortunately it does create reputation damage for Windows 10 because people hear that, and they go, I don't want any of that.

Leo: I honestly, personally, I think it's as good as Windows 7, which I think was the best version of Windows Microsoft ever made. I think 10 is fine. I'm not a Windows fan.

But 10 is no worse than any other Windows, and it's better than most. How about that? Yeah, I agree. And the only thing I wish is that this whole rolling Windows forward thing, which continually creates instability, I wish they'd just let it alone. And I heard Mary Jo saying that last week.

Steve: Just leave it alone for a year instead of continuing to fuss with it. Leo: They kind of did this. The most recent update, , was barely a feature update.

It was really more just a cumulative update of bugs. And I think that that - everybody loved that. Everybody said, oh, thank you. To me Steve: Did you see that they've announced now formally what the next one is going to be? Leo: , yeah. Steve: I said to Lorrie, yeah, I said to Lorrie last night, now, this is not going to confuse anybody. Leo: No. Steve: Because we're going to have Windows 10 It's like wait, what? Leo: Huh? Steve: In we're going to get the version of Windows 10? Leo: Yeah, Paul and Mary Jo don't like it either, yeah.

Steve: What are they thinking? Well, speaking of numbers, we are now counting down to , which the programmers among us know is 15 bits in binary. So half that is Unfortunately, due to a mistake in the firmware running a large set of Hewlett Packard Enterprise Class SSDs, the instant the total power-on running time of any of those SSDs crosses 32, hours, , which is three years, days, and eight hours, all of those drives will simultaneously become totally and unrecoverably offline, taking all of their stored data with it.

That's terrible. Steve: It's a catastrophe. They all fail at All of them. In fact, it even suggests that, if the drives were simultaneously commissioned into a fault-tolerant RAID, they would probably all fail at the same time. Leo: Now, these are enterprise drives. So I'm going to guess they're probably not in the kinds of PCs our listeners are buying, unless they Steve: Well, we've got, as we know, we have a lot of high-end listeners.

Leo: But not like in your HP laptop. That's even a different company these days. Steve: Right, right. Steve: Yeah, that'd be handy - "of this critical fix. By disregarding this notification and not performing the recommended resolution" - get this - "the customer accepts the risk of incurring future related errors.

Leo: Oh, so it wasn't HP software. Their supplier. Steve: Yeah, exactly, " Leo: That sounds like a Simpsons name. Steve: SimpliVity. There it is, SimpliVity, yes, so well named, SimpliVity. It hard bricks itself at 32K hours. So in the disclosure they list the 20 SSD model numbers.

So anyone who's listening who worries they may be affected, I would take this seriously. So wow. And it's not clear that everybody who has these is on the mailing list and is going to see this announcement. So I do hope that this information gets picked up and covered enough that people aren't going to be hurt. Leo: I'll say it on all our shows through the rest of the week because there's people need to hear it, yeah.
